To remain relevant and competitive in today’s market, modern businesses are leveraging the data generated across a variety of solutions to continuously refine how they connect to customers and suppliers. An organization’s ability to iterate its technology based on fact-driven data more effectively than its competitors is a strategic advantage that can lead to expedited business and economic success. Further, with rapid development delivered by API-first strategies, a business can dramatically improve developer performance in the creation and deployment of new and innovative services and products.
Leveraging APIs to connect pre-built services is probably the fastest and most cost-effective way to build and deploy value-adding solutions. It maximizes the use of existing resources, and the application's output is itself data of greater value, which can in turn be collected, analyzed, and used in even more meaningful ways. However, using and generating data brings challenges, especially regulatory obligations such as the data owner's authorization to use their data in the agreed manner and for its intended purpose. This covers how one uses that data to perform an activity such as processing an insurance claim, storing the output decision of the claim, and keeping all pertinent records for compliance purposes. All the data needed to perform the processing, and the results it produces, must be surrounded by an Information Security Management System (ISMS) that includes a data privacy and protection framework of technology-based systems and controls delivering an adequate level of protection and management oversight.
In the drive towards automation, compliance with data regulatory obligations can be overlooked as an organization focuses on the development and deployment of a new, more efficient solution. However, as the implementation matures, the ramifications of failing to meet those obligations start to surface, and in many cases innovation stalls as executive management realizes the risks associated with the potential misuse of the data, in terms of how certain data types can be used. To mitigate the risk of falling foul of data regulatory obligations, a well-managed API strategy needs to include a robust data governance program that provides management with data oversight capabilities. Organizations need to know what data is being used, where it is used, who is using it, where it is stored and processed, and whether it is being used in a manner commensurate with the agreed-upon purpose. Failure to integrate an effective data governance strategy into your API strategy can result in a significant loss of data, which may translate into business reputational loss, fines, and personal liability for executive officers and senior management of the company.
An “API-first” technology strategy
Combining an API-first strategy with a robust and resilient Information Security and Data Privacy initiative is challenging. How restrictive the data governance "ring fence" should be depends on the business's risk tolerance. To determine the business risk, you need to know what data you have or are using, your API inventory, and the regulatory frameworks that apply to the data types the business is working with. For example, are you working with Personally Identifiable Information (PII), and is that data classified as "special category data"?
The following example of an insurance claim data flow for a vehicle accident is easy to define: the data flow between the operational steps is intuitive, and at each step an API can be used to interact with resources that are either internal or external to the organization.
- When the accident happens, the claimant logs onto their insurance company's app, which requires authentication using Personally Identifiable Information (PII).
- The claimant then takes photos of the damage, which are likely sent to a third-party image recognition system; the photos now carry restricted information such as the license plate number.
- The insurance company's system then queries the user's location data to send out a tow truck or identify local auto body shops.
- The system needs to access the other driver's insurance information to verify coverage and vehicle registration, so operational, PII and Restricted/Confidential data is now being shared and confirmed between multiple parties.
- Finally, information on the claim goes into the insurance company's records management system for future reference.
In reality, this process is complex, but with the power of APIs, these data transfers, queries and updates take place automatically, in real-time if needed. By leveraging APIs, companies can reuse the data they capture in one step as a resource later in the process. The ability to leverage reusable resources in this way saves an organization time and money in delivering innovation.
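The point of the flow above is that the sensitivity of the data changes as it crosses each API boundary, and that the destination may not be approved for what it receives. The following is an added example (not code from the original article) that models that flow as a sequence of transfers, carries a classification label for every field, makes a field returned by a service inherit the label of the inputs it was derived from, and flags transfers whose destination either is not approved for that label or is external with no written agreement covering the transfer. Every service name, field, label and policy rule here is an illustrative assumption.

```python
"""Added example, not from the original article: a small data-flow checker for
the claim flow described above. Every service name, field label and policy rule
here is an illustrative assumption, not a real system."""
from dataclasses import dataclass
from enum import IntEnum


class Label(IntEnum):
    """Ordered so that max() yields the most sensitive label in a payload."""
    PUBLIC = 0
    INTERNAL = 1
    PII = 2          # name, e-mail, policy number
    RESTRICTED = 3   # licence plate, precise location, other party's coverage


@dataclass(frozen=True)
class Service:
    name: str
    external: bool          # sits outside the organisation's own controls
    approved_for: Label     # highest label that due diligence approved it for
    agreement: bool = True  # written contract / transfer mechanism in place


@dataclass(frozen=True)
class Transfer:
    step: str
    destination: Service
    uses: tuple             # field names sent from the claim record
    produces: dict = None   # field -> label the service says it returns


def check_transfer(step, dest, payload):
    """Policy checks for one API call; returns a list of finding strings."""
    findings = []
    highest = max(payload.values(), default=Label.PUBLIC)
    if highest > dest.approved_for:
        findings.append(f"{step}: {highest.name} data sent to {dest.name}, "
                        f"which is only approved for {dest.approved_for.name}")
    if dest.external and highest >= Label.PII and not dest.agreement:
        findings.append(f"{step}: personal data leaves to {dest.name} "
                        f"with no written agreement covering the transfer")
    return findings


def check_flow(record, transfers):
    """Walk the flow in order. Fields a service returns are written back into
    the record with at least the label of the inputs they were derived from, so
    a value re-used in a later step keeps its sensitivity (a conservative
    default; a reviewer may explicitly downgrade a field afterwards)."""
    record = dict(record)
    findings = []
    for t in transfers:
        payload = {f: record[f] for f in t.uses}
        findings += check_transfer(t.step, t.destination, payload)
        inherited = max(payload.values(), default=Label.PUBLIC)
        for name, declared in (t.produces or {}).items():
            record[name] = max(declared, inherited)
    return record, findings


# Constructed sample: the vehicle-claim flow from the article, with assumed services.
CLAIMS_APP = Service("claims-app", external=False, approved_for=Label.RESTRICTED)
IMAGE_SVC = Service("image-recognition", external=True, approved_for=Label.RESTRICTED)
MAPS_SVC = Service("maps-provider", external=True, approved_for=Label.INTERNAL, agreement=False)
OTHER_INSURER = Service("other-insurer", external=True, approved_for=Label.RESTRICTED, agreement=False)
RECORDS = Service("records-system", external=False, approved_for=Label.RESTRICTED)

CLAIM_RECORD = {
    "policy_number": Label.PII,
    "damage_photo": Label.RESTRICTED,   # the licence plate is visible in the photo
    "location": Label.RESTRICTED,
    "other_driver_policy": Label.PII,
}

CLAIM_FLOW = (
    Transfer("1-login", CLAIMS_APP, ("policy_number",)),
    Transfer("2-photo-analysis", IMAGE_SVC, ("damage_photo",),
             produces={"damage_estimate": Label.INTERNAL, "plate": Label.RESTRICTED}),
    Transfer("3-dispatch", MAPS_SVC, ("location",), produces={"tow_eta": Label.INTERNAL}),
    Transfer("4-coverage-check", OTHER_INSURER, ("other_driver_policy", "plate")),
    Transfer("5-archive", RECORDS, ("policy_number", "damage_estimate", "tow_eta", "plate")),
)


def run_sample():
    """Run the checker over the constructed flow; returns (final record, findings)."""
    return check_flow(CLAIM_RECORD, CLAIM_FLOW)


if __name__ == "__main__":
    final_record, issues = run_sample()
    for issue in issues:
        print("FINDING:", issue)
    print({k: v.name for k, v in final_record.items()})
```

On the constructed sample the checker reports three findings: the dispatch step sends RESTRICTED location data to a maps provider approved only for INTERNAL data and with no agreement, and the coverage check sends personal data to the other insurer with no agreement in place. It also shows why an inventory has to track derived data: the damage estimate the image service returns is labelled INTERNAL by that service, but because it was computed from a photo containing a plate it is carried forward as RESTRICTED, so the archive step is checked against the higher label.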
However, there are risks to consider as the APIs transfer data to internal or external resources: the services where those resources reside may not have the security or data privacy controls needed to meet the regulatory requirements attached to the data, so an organization's data flow may "fluctuate" between compliance and non-compliance. To remain in compliance, the Information Security, Privacy, and Legal teams must have a program in place that is scalable and flexible enough to keep the organization compliant with different regulatory requirements, such as the EU's GDPR Article 5(1)(f), which states that personal data shall be:
“…processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’)…”
In this case we are assuming that all parties involved in the incident have agreed to their personal data being processed; however, what happens if a photo of the incident also captures the image of an innocent bystander watching it?
Furthermore, Article 5(2) adds that, “the controller shall be responsible for, and be able to demonstrate compliance with paragraph 1 (‘accountability.’)” Accountability is one of the core data protection principles – it makes you responsible for complying with GDPR and says that you must be able to demonstrate your compliance. You need to implement appropriate technical and organizational measures to meet accountability requirements by taking the following steps.
- Adopting and implementing data protection policies
- Taking a ‘data protection by design and default’ approach
- Putting written contracts in place with organizations that process personal data on your behalf
- Maintaining documentation of your processing activities
- Implementing appropriate security measures
- Recording and, where necessary, reporting personal data breaches
- Carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests
- Appointing a data protection officer
- Adhering to relevant codes of conduct and signing up to certification schemes
Accountability obligations are not something you can address once and move on – this is an ongoing responsibility. You must review and, where necessary, update the measures you put in place. Implementing a privacy management framework can help you embed your accountability measures and create a culture of privacy across your organization. And being accountable can help you to build trust with individuals and may help you mitigate enforcement action if needed.
So, how does a company show that, in the processes it has designed, developed and deployed, data transferred to internal or external resources complies with privacy regulatory obligations such as GDPR?
The following are some of the considerations I have found to be essential for our own ISMS and Data Privacy program.
- Knowing what data types we are working with when data is transferred to a resource and returned to the process, and asking whether the data type changed to one where regulatory obligations might apply.
- Knowing the security and privacy profiles of the resources to which the data has been transferred for processing.
- Asking whether we have the necessary legal authority from the data subject to use the data.
- Checking whether our internal processes and systems enable us to address potential data breaches originating from external or internal resources. If external or partner resources are being leveraged, asking what mechanisms are in place to ensure that the security and data privacy chain of custody is maintained.
- Examining what due diligence we performed on the security and privacy of the resources to which data is being transferred, and whether we determined adequacy.
- Confirming that we have agreed-upon legal mechanisms to move the data.
In conclusion, the benefits of leveraging an API-first strategy can be a competitive game changer for many businesses, but ensuring businesses stay within data security and governance requirements is critical. No organization wants to be found negligent in their fiduciary responsibility in data security and privacy. To that end, companies need to adopt API security and governance programs and ensure that the APIs they bring into their systems have been tested and are managed effectively. Combining awareness and governance for APIs can be a winning strategy that helps businesses stay ahead of the competition while reducing security and data privacy regulatory risks.