Attitudes about data privacy are changing. For one thing, consumers are increasingly vocal about how their data is used. For another, organizations are beginning to recognize that data privacy actually expands business opportunities. Of course, all of this is taking place against a more onerous backdrop: a spate of privacy regulations, including the likes of GDPR, CCPA and the Virginia Consumer Data Protection Act.
Dealing with today’s regulatory environment is a formidable challenge since it requires two distinct sets of capabilities: discovering sensitive consumer data stored in enterprise systems and tying it back to each individual to whom it belongs. While traditional methods of discovering and classifying data have been used to find personally identifiable information (PII), they were never designed to map all of this information back to its owner and address these evolving regulatory requirements.
It’s unsettling to consider the countless bits, bytes and shreds of private data that wind up scattered across various internal (on-premises, multicloud, hybrid) and third-party systems in structured and unstructured formats. Meanwhile, data privacy regulations are increasingly granting broad rights to consumers, who may file a request to obtain a copy of their personal data or have it deleted, restricted or updated. Not only is it difficult to track down all the data elements associated with one identity, ensuring that all the requested changes are implemented across an ecosystem that may include hundreds of repositories can prove daunting.
Additionally, consumers want full control over their data, who they share it with, and the ability to take back sharing privileges at any time. This requires companies to build consent preferences and data subject request solutions that are easy to understand, readily accessible and available via self-service options.
To achieve this granular level of data traceability and to know where a personal record or data element resides in systems at any given moment, organizations need to build a people-centric view of data.
However, building or mapping personal data to individuals across various data assets and systems is complex. Any attempt to reel in the complexity—and risks— by moving to this people-centric model of data privacy management at scale must involve artificial intelligence (AI).
For example, AI driven systems can be used to scan, discover and link structured and unstructured personal data to specific users. This information can then enable the creation of personal information (PI) maps across systems and geographies, which can be used to run more complex queries and searches that lead to deeper insights about personal data.
This approach is sometimes called a People Data Graph because it puts personal data at the center of all business and privacy compliance processes. This makes it possible to address numerous tasks, including data subject request (DSR) fulfilment, data mapping, data breach management, data retention policy management and tying consent back to users.
To implement a people-centric approach to data privacy, consider the following best practices:
Discovery – set-up scans to find customer data within your organization’s various data sources including applications, file shares and databases. Discovery needs to address hybrid and multicloud environments, including structured and unstructured data.
Classification – identify and locate privacy information as defined by specific privacy compliance standards. Note that personal data can extend beyond traditional definitions to include any information that may relate back to an individual, such as personal preferences.
Index – use hashes of privacy data to enable mapping and linking, rather than copying or moving data to avoid sprawl.
Mapping – Map and link all regulated privacy information data back to customer identities.
Using a people-centric approach to data privacy management can significantly reduce the costs associated with privacy compliance, and help organizations accelerate efficiency and speed to avoid regulatory penalties.