Let’s face it: Data privacy has become all about filling out forms. A lot of forms. Too many to list without boring you (think data transfer, data minimization, anonymization … yawn). Company executives rarely care about these forms; it is just something that some poor privacy officer somewhere is forced to fill out and maintain for the sake of compliance. If we were to rank thankless jobs, this would fall somewhere toward the top of the list, for sure.
How did we get here? Most, if not all, of the forms today came about as a knee-jerk reaction to fast-evolving privacy regulations. For every regulatory fine imposed on an organization, there are multitudes of competitors that take warning and rush to create new forms to cover that specific issue. I made an observation to a friend of mine (the CMO at a data management company) that the prevailing approach to privacy seems to be to fill out a lot of forms and hope you never get in trouble with regulators. And he started laughing in agreement.
Let’s take a step back and look at the three components (data, privacy and automation) separately so we can better understand how the three fit together.
Data: You might have heard it said that we live in a data-rich/data-driven world. And the ubiquity of data might (and does) result in unwarranted access and exposure, because even if you have access controls in place, people could share sensitive data on Slack, Jira, Zendesk, email, file repositories and so on. Of course, you make your staff go through security training. But, to use the autonomous vehicle analogy again, imagine, for a moment, a world where instead of putting controls like seat belts, airbags and traction control in place, you were just handed a number of forms to fill out when you got behind the wheel. That’s where we are with data privacy today.
Privacy: For whom? Privacy is a sine qua non for gaining customer trust. And customers are people. Privacy needs to evolve from being attribute-centric (“Look, I found a credit card!”) to being identity-centric (“What’s Jane Doe’s credit card number doing here on Slack?”). I can generate a million 16-digit numbers and I am sure many of them would be valid credit card numbers. But only when you link that number with an individual person does that become personally identifiable information (PII). Unfortunately, most of the tools used for privacy today are all about attribute detection, which is as useful as throwing 4,000 parts at a customer and asking them to build a car themselves.
Automation: Whack-a-mole: That’s what today’s data privacy management feels like. No wonder privacy officers are barely able to keep up with every process, every product and every person (customer). To make privacy your competitive advantage, your privacy officers should be able to specify policies and let automation take care of the rest. With automation on their side, they can and will think about seamless, frictionless and secure ways of providing their peers access to the data they need and their customers the control and confidence they deserve when doing business with your company. There you have it:
Data (Discover, catalog, access and sharing controls)
Privacy (Identity-centric to gain your customers’ trust)
Automation (Policy-centric, autonomous)
May the days of filling out countless forms be over soon. What are some examples of automation as it pertains to the data privacy world? That’s the topic of my next blog, based on what our customers have taught us.
Originally published at https://securityboulevard.com on April 7, 2022.