Integris’ unique set of capabilities enables regulatory hygiene while maintaining the productivity of your Hadoop data lake.

Data privacy tools typically focus on either the technical control of data or the coordination of human processes. Often the ‘missing link’ is direct remediation of sensitive data once it is identified. Integris Software is betting on the use of automation to fill this gap, in an approach it calls ‘data privacy automation’.

Government mandates, data sharing agreements and spreadsheets sow confusion amid an avalanche of private data

Companies are inundated with data. A single bank transaction might get replicated across a hundred data repositories. Companies are constantly purchasing data from third parties to build better customer profiles. In addition, as companies consolidate through mergers and acquisitions, they acquire completely unknown datasets and data transfer agreements between business partners. In this environment, it’s no wonder that respondents’ data privacy programs scored much lower on technical maturity than on organizational maturity.

Survey Demographics and Firmographics

258 respondents completed the survey, each of whom had to meet the following minimum criteria:

  • Reside in the USA
  • At least “Somewhat Knowledgeable” on how data privacy and data security are managed at their current company
  • Mid to senior level professionals and executives
  • 500 employees or more (62.4% had over 5,000 employees)
  • $25 million or more in annual revenue (69.38% had over $1 billion in annual revenue)
  • Functional roles/areas had to be in IT, general management, or risk and compliance

Key Findings:

Data privacy management overconfidence: 40% were Very or Extremely Confident in knowing exactly where sensitive data resides despite only taking inventory once a year or less, and a mere 17% of respondents are able to access sensitive data across five common data source types.

Data privacy impacts much more than regulatory compliance: Enforcing internal data handling policies like classification and retention was cited 69% of the time. Proving compliance with business obligations like data sharing agreements was cited by 63% of respondents. About one third of respondents cited the impact on M&A due diligence (34%) and data lake hygiene (32%). About a quarter of respondents (24%) viewed data privacy as impacting the delivery of AI / ML projects.

The proliferation of data sharing agreements: In the wake of the misuse of data sharing agreements like the one between Facebook and Cambridge Analytica, enterprises seem to be more aware of such agreements. 40% of respondents had 50 or more of these data sharing agreements in place. However, respondents reported being 43 percent more confident in their ability to be compliant compared to how they perceived their partners.

Data privacy management budgets reside in IT departments: About 50% of data privacy budgets are concentrated in IT departments.

Technology leaders are increasingly being tasked with operationalizing their companies’ data privacy management program. Why? At its core, data privacy is a data issue, and privacy is an outcome of a comprehensive data protection strategy.

CCPA has frequently been compared with the EU’s GDPR. While the regulations are similar in ethos, they have fundamental differences that reflect subtly divergent cultural attitudes and approaches toward data privacy and consumer rights.

 

Both regulatory compliance and effective leverage of data share the common requirement of granular data control, which needs to be addressed at the architectural level.

GDPR Compliance Questions Answered

Q&A with Nick Brandreth, VP of Sales at Integris Software

This interview first appeared in the GDPR Report.

Nick Brandreth leverages over 16 years’ experience in the Information Security sector, having worked at firms including Safebreach, cyber-security firm Imperva, and Tripwire, where he was an early proponent of DevSecOps through the work of Gene Kim.

The GDPR Report caught up with Nick at the Data Protection World Forum in London to find out more about how companies’ data privacy strategies need to adapt to modern demands and data structures.

What role do you think automation plays in the future of data privacy?

Nick Brandreth: Automation is fundamental to data privacy, especially when it comes to all the risks that come with bringing new data into your organisation.

Automation is even more crucial given how data creation has exploded over the last few years. Our handheld devices are constantly creating data, our tablets are continuously streaming, and our locations are always being tracked through our devices. The capacity for data storage has become very cost-effective, so it’s relatively cheap for organisations to store all their data indefinitely.

Companies collect this data and utilise it in innovative ways that help drive technological advances and offer better products and services to consumers, which in turn, increases revenue for the organisations themselves. However, with increasingly severe regulations, like GDPR and now CCPA, companies now need to view their data as both an asset and a liability.

In this new climate of regulation, understanding what data you have and where it resides has become increasingly difficult. Traditionally, organisations have dealt with this via a manual, survey-based process, which is prone to human error. With data constantly changing due to acquisitions, data sharing agreements, or marketing departments purchasing data, these manual-based approaches are insufficient, and if anything, expose the company to more risk by creating a false sense of security about where and what data they actually have. Given all of the innovation that has transpired with the way data is now collected and used, innovation is needed to understand what the data means to the company, which is why an automated approach is now so crucial.

How have previous data privacy strategies been generally inadequate?

NB: Inadequate may not be the correct term for it; I think antiquated might be a better way to put it. It helps to think about this in terms of Gartner’s three Vs of big data: volume, velocity and variety. Any type of solution must handle these three Vs. A manual survey-based approach or trying to use tools not built with big data constructs can’t address the three Vs.

As an example, previously, data might have just been held in structural databases around which organisations wrapped tight controls. It was much easier for them to identify where sensitive data might be, how it’s being used and if data handling obligations such as retention, residency, etc. are being followed.

Today, the situation is very different. Data now constantly moves through an organisation, and customers and companies are constantly sharing data back and forth. Further, the definition of what is sensitive data has evolved where data such as diet preferences or personal days taken off can infer religion, and movies watched can infer behaviour. Additionally, exact definitions of what is personal will only be borne out in case law as time goes on, making compliance a moving target.

While privacy regulations have been around for a while, GDPR has given privacy real teeth and pushed the need for more organisations to find ways to have a comprehensive, defensible data privacy strategy.

What does it mean for automation technology to be scalable and flexible?

NB: We can point back to Gartner’s three Vs of big data: volume, velocity and variety. For data automation to be scalable and flexible, it needs to handle data at any scale. We’re not just talking about gigabytes or terabytes – in fact, we’re starting to talk about petabytes, exabytes and zettabytes. In essence, data privacy automation technology needs to be able to handle an extremely large volume of data at large scales from various internal and external sources.

Now this is where we start the conversation around inter-flexibility. For instance, I have structured data, but I also have a lot of unstructured data sitting out in various sources. I may have a data lake and data streaming in and out of my organisation. I may use Workday, which holds my HR data, and then I may use Salesforce for my sales/marketing data. The bottom line? I need to be able to handle all those types of data.

In short, any type of automation needs to be able to look at scale and flexibility.

What do you predict for the US in terms of a national GDPR-style regulation?

NB: This is a very interesting question and one that is currently getting an increasing amount of attention in the U.S. The current administration does not favour regulations, so it’s hard to say whether there will be a national GDPR-style regulation. However, many tech giants have gotten ahead of the conversation and are already talking with policy people about what a national privacy framework would look like. These talks at some point will surely involve consumer advocacy rights, as you see leaders of large tech firms commenting that privacy and transparency is a right. Additionally, states have started to take the reins by driving their own privacy regulations. California gets the top headline as it’s a pretty stringent state, but many states have now passed regulations or have them in legislation. Many of these states are actually focused on ensuring that your data is de-identified as required.

When regulation is at a state-by-state level rather than at a federal level, regulatory complexity becomes exponential for organisations. This points back to the importance for data privacy automation technology to be scalable and flexible – the ability to scale to different rules and mandates and map that many-to-many relationship between the data and the obligations. The complexity of the data privacy challenge is constantly rising and won’t slow down anytime soon. Organisations need to be aware of this and future-proof any Data Privacy or Data Protection program.

How awake to the importance of data privacy are consumers in the US?

Consumers in the US are much more aware of data privacy regulations now; GDPR really opened a lot of eyes when companies became frenzied to comply in advance of the deadline.

Now that technology has enabled so much personalized consumer data to be discovered and aggregated, consumers are starting to wake up to the fact that data breaches are extremely difficult to prevent, and their focus has turned to the need for data privacy and to demand for more transparency from businesses on the issue.

What are the differences between data security and data privacy?

NB: Having spent so many years in Information Security, data privacy and security are really part of the same continuum. However, data security concerns “how” data is secure, and data privacy thinks about “what data and why?”

For a company to truly secure their data, they must know and understand what exact data they have in the first place. Once they have this they can then ensure security policies are being followed. For example, is all data that should be encrypted actually encrypted? Or is sensitive data that should be located in only certain sources actually only in those sources, or has it proliferated to other sources in the environment? Without automation, these questions can’t be accurately or sustainably answered.

Data Privacy Automation provides extra security within an organisation because it ensures many of the data security policies you put in place are being followed. There is an asymmetrical war being fought against companies, and while organisations can’t afford to fail, the attacker only needs to succeed once. Not having an empirical idea of exactly what data you have and where is yet another increase in risk to the organization.

Data Privacy Automation gives security teams the ability to come in and be very precise with securing the right data in the right way so that organisations can continue to innovate and serve their customers by using their most asset.

 

The team at Integris Software proudly supported the Hopper X1 Seattle Conference, supporting women pursuing careers and success in technology. The Hopper X1 Seattle Conference is organized by AnitaB.org and modeled after the Grace Hopper Celebration, which is the world’s largest gathering of women in technology.

One of our core people tenets at Integris is that we celebrate and continually foster our diverse and inclusive culture. It was an opportunity not only to learn from many great technologists, but also to make many meaningful connections with other women in engineering who are stepping up to not only close the gap we have for skilled workers in tech, but also the gender gap we have historically had in tech. Throughout the event, there were many stories of strength and testaments of overcoming adversity to achieve powerful successes, and inspiration was had by all. And wow – did we have a great time!

As a female-founded company, we are excited to be included in the AnitaB community and will continue to support ongoing efforts in Seattle to close gender gaps. And, to that end, we want to give one last shout out – to all the men and gender-neutral individuals who also chose to attend HopperX1. It was a poignant reminder that inclusion works both – or rather, all – ways.

Meredith Turner, our Head of People Experience, led our participation in the event along with Software Engineer Elizabeth Williams.

More information is available on the Seattle AnitaB.org community from a series of fantastic blogs published here.