451 Research Analyst Report Says Integris Addresses the ‘Missing Link’: Automated Remediation and Control of Sensitive Data Once It Is Identified

As data privacy and data protection regulations around the world continue to proliferate – each with its own nuances and requirements – many enterprises are now struggling to identify data down to the data element level and create cohesive human processes to manage data and control workflow. Given escalating volumes of structured and unstructured data, the need for automation is a given.

No single software product can make an organization compliant with GDPR, CCPA or similar regulations, so the enterprise typically employs several solutions. However, there is often a gap in tooling when multiple products are in place: the step of automatically enacting appropriate policy on sensitive or personal data once it has been identified. This is the layer of control that Integris helps customers to implement, and it’s a critical one for continuous, defensible compliance. Integris makes extensive use of automation and machine learning, for both detection of sensitive data and assignment/execution of policy, which are necessary given escalating volumes of enterprise data that cannot be manually evaluated and assigned protective policies.

In a new report published in March 2019, the analyst firm 451 Research outlines how Integris Software helps companies achieve their comprehensive data control objectives through automation. We are pleased to make the full report, Integris Software leverages automation for continuous data privacy compliance, available for complimentary reading. Here are a few highlights from the report:

  • Integris Software is designed to help automatically detect sensitive and personal data, and importantly, automate remediation and policy execution once that data has been identified. The company calls its approach “data privacy automation”, and these capabilities ensure that data is automatically protected with appropriate measures once it has been identified.
  • At a high level, the Integris platform provides a data privacy hub for multiple stakeholders including CIOs, CTOs, CDOs, CISOs and CPOs, as well as various lower-level practitioners.
  • Tools for visibility into where sensitive data resides, and the ability to automate policy actions on that data, help ensure that data isn’t just discovered and documented, but that an appropriate control workflow is kicked off as well.
  • Integris’ capabilities can be leveraged as a data logic layer, so organizations can add and control any type of rule to any type of data, for any use case, not just regulatory mandates. Privacy is simply the ‘tip of the spear.’

Read more about what 451 Research has to say about Integris Software’s approach to data privacy automation here.

Government mandates, data sharing agreements and spreadsheets sow confusion amid an avalanche of private data

Companies are inundated with data. A single bank transaction might get replicated across a hundred data repositories. Companies are constantly purchasing data from third parties to build better customer profiles. In addition, as companies consolidate through mergers and acquisitions, they acquire completely unknown datasets and data transfer agreements between business partners. In this environment, it’s no wonder that respondents’ data privacy programs scored much lower on technical maturity than on organizational maturity.

Survey Demographics and Firmographics

258 respondents completed the survey, each of whom had to meet the following minimum criteria:

  • Reside in the USA
  • At least “Somewhat Knowledgeable” on how data privacy and data security are managed at their current company
  • Mid to senior level professionals and executives
  • 500 employees or more (62.4% had over 5,000 employees)
  • $25 million or more in annual revenue (69.38% had over $1 billion in annual revenue)
  • Functional roles/areas had to be in IT, general management, or risk and compliance

Key Findings:

Data privacy management overconfidence: 40% were Very or Extremely Confident in knowing exactly where sensitive data resides despite only taking inventory once a year or less, and a mere 17% of respondents are able to access sensitive data across five common data source types.

Data privacy impacts much more than regulatory compliance: Enforcing internal data handling policies like classification and retention was cited 69% of the time. Proving compliance with business obligations like data sharing agreements was cited by 63% of respondents. About one third of respondents cited the impact on M&A due diligence (34%) and data lake hygiene (32%). About a quarter of respondents (24%) viewed data privacy as impacting the delivery of AI / ML projects.

The proliferation of data sharing agreements: In the wake of the misuse of data sharing agreements like the one between Facebook and Cambridge Analytica, enterprises seem to be more aware of such agreements. 40% of respondents had 50 or more of these data sharing agreements in place. However, respondents reported being 43% more confident in their own ability to be compliant than in their partners’ ability.

Data privacy management budgets reside in IT departments: About 50% of data privacy budgets are concentrated in IT departments.

Technology leaders are increasingly being tasked with operationalizing their companies’ data privacy management program. Why? At its core, data privacy is a data issue, and privacy is an outcome of a comprehensive data protection strategy.

Download the full report here

Do you conduct interstate business in the US? Prepare now for CCPA.

The California Consumer Privacy Act was passed in June 2018 and goes into effect in January 2020. Although it’s ostensibly a state law, CCPA is trying to forge a de facto standard for data privacy in the US in the absence of federal legislation. CCPA is similar to GDPR in that it uses economic presence to urge other regions – US states – to adopt similarly high standards. But GDPR and CCPA do have their own requirements and nuances, and a compliance program specifically architected to address GDPR will not necessarily translate. Businesses with interstate operations will need to take a more holistic and less regulation-specific approach to data management and compliance to remain competitively viable.

The analyst firm 451 Research published the report The California Consumer Privacy Act: not just ‘America’s GDPR’ in March 2019. Integris Software is pleased to offer complimentary access to the report to help companies understand and prepare for the requirements of CCPA. Here are a few highlights of the report:

  • Data privacy and data protection around the world has reached a tipping point. The EU’s GDPR, in effect since May 2018, has been a model for other countries concerned about consumer privacy protections. Moreover, individuals are becoming more aware and more educated regarding the value and sensitivity of their data. 
  • How companies handle individuals’ personal data affects consumer trust and confidence in those companies. A recent 451 Research survey shows that 26% of US consumers are less trusting of US businesses than they were one year ago. Significantly, 90% of the survey respondents expressed concern about the ability of the companies they do business with to adequately protect their personal data. 
  • Most large businesses in the US have California residents as customers, thus pressing the adoption of CCPA’s standards elsewhere in the nation. Other states are in the process of developing their own privacy laws. What could result, in the absence of a federal standard, is disparate privacy requirements in the US, with each state having different protections for its residents. 
  • GDPR and CCPA have much in common in their core principles, but they also differ significantly in the details. It is key for organizations to tackle core, shared requirements at the architectural data management level and address the individual nuances of each regulation with tools higher in the stack only as necessary. Such an approach allows for flexibility amid evolving regulations, and ultimately, cost savings.
  • Data privacy and data protection regulations are largely more process-oriented than they are technology-oriented. Investment in platforms that help coordinate processes across various data protection and data privacy stakeholders can especially benefit the business, even when these platforms do not exert direct control on data themselves.

Learn how GDPR and CCPA are similar as well as how they differ. Read the full 451 Research report here.

Nine industry experts provide sage advice on how to protect your customers’ sensitive data in 2019, as well as some things you should NEVER do

C-suite execs have a lot on their plates when it comes to protecting their customers’ sensitive data in 2019. Please tell us:

1)  What’s one sage piece of data privacy management advice or tip to help them in 2019?

2)  What’s one thing they should never do, or a pitfall to try to avoid in 2019?


David Hoffman

Associate General Counsel and Global Privacy Officer, Intel, Inc.

@hofftechpolicy

1)  As we move towards a more data-centric economy, understanding what data an organization has, and how it is being used, is critical for both shareholder value and protecting privacy. Organizations need to build the right processes to map where their data is, how they can make innovative use of it, and how they will show they are accountable to the individuals to whom the data pertains.

2)  An organization should never rely solely upon third parties to have access to data without showing they will be accountable for how it is used. Upstream and downstream data inventory management will be critical in 2019.


Cameron Etezadi

Deputy CTO, SAP Concur

@cetezadi

1) Modern enterprises move data through streaming pipelines, where it can be hard to protect provenance and canonicity. Tracing where the data ends up is as essential as protecting the data itself. Once you publish data internally, it can be very hard to control where it goes or how it’s used. Enterprises should implement strong controls and good hygiene in establishing trust and access – and then verify the results.

2) Avoid playing “catch up”; many organizations end up “compliant” at a point in time but gradually fall apart as new software is written or deployed, new people join the organization, etc. Protection is a process that many organizations fail to bake into the upfront architecture of their projects and then scramble towards when it’s too late. It’s too easy to leave holes, pay too much, or find yourself in an impossible situation if privacy is always a bandage applied at the end.


Jennifer Leggio

Chief Marketing Officer & VP Operations, Flashpoint

@mediaphyter

1)  Engage in external collaboration and information sharing. There are a number of secure, trusted communities that facilitate these activities among security and privacy practitioners, so if your company isn’t already a member, join one. These communities range from large and industry-specific, such as the various ISACs, to small and vendor-specific, but all exist for the same reasons: to provide like-minded experts with the means to quickly and easily share relevant information with, and seek guidance from, other like-minded experts. Doing so can expose your company to greater resources and expertise that can help you to better protect your customers’ data.

2)  Never conflate compliance with security. GDPR, for example, has fueled great progress in how companies address the privacy of customer data, but the standards it enforces are by no means sufficient for securing customer data. This is largely because there are many critical areas of security that GDPR does not regulate, including encryption, security awareness and education, business continuity and penetration testing, and technical and policy controls, to name a few. The same goes for similar compliance bodies such as PCI DSS and HIPAA. Just because a company is deemed compliant does not mean that its customers’ data is fully immune to compromise. Compliant businesses can and do experience data breaches, which is why achieving compliance should never be viewed as an end goal—but rather as one of many essential components of a comprehensive security strategy.


Kristina Bergman

Founder, CEO at Integris Software

@KristinaKerr

1)  Know where your data is. When I was working in venture capital five years ago and first started researching the data privacy space for investment purposes, I found that the biggest glaring problem was that no one knew what data was where, let alone if they were in compliance with any laws, contracts, or other business obligations. The foundation to complying with any law, whether it’s GDPR or CCPA or any of the other new bills being considered, is to know what data you have.

2)  Never assume that your work is done just because you’ve got great policies and procedures in place. A key component to ensuring compliance, or at least defensibility, is the operationalization of those policies and procedures. Being able to audit your data sources to prove compliance with the law is critical to protecting your brand and reputation.


Marc Groman

former Senior Advisor for Privacy in the Obama White House
former Chief Privacy Officer of the Federal Trade Commission
Principal, Groman Consulting Group LLC
Adjunct Professor, Georgetown University Law Center

@MarcGroman

1)  Today, data often is a company’s most strategic and valuable asset. Companies must treat it that way, by implementing a comprehensive, enterprise-wide, continuous and risk-based privacy and security program. Step one – know what data you have.

2)  Never make assumptions about the data your organization collects, creates and stores. Rely on facts, evidence, and documentation.


Barbara Cosgrove

Chief Privacy Officer, Workday

@cosgrove_barb

1)  Privacy will be center stage in 2019, so be proactive and reevaluate your processes to ensure that you not only remain GDPR compliant but also anticipate any future U.S. and global privacy legislation that could be coming in 2019. Start by establishing a cross-functional taskforce to perform an assessment of your current state of compliance. During this process, take the time to understand what’s been successful and where there have been challenges from a business perspective prior to introducing new processes. Once you’ve done that, map new laws and regulations to your existing controls and processes, and determine where you may be required to implement changes. Once implemented, be sure to set a regular cadence for the taskforce to regroup to assess compliance.

2)  With new regulations like the California Consumer Privacy Act (CCPA) in the pipeline, be sure you don’t evaluate them in isolation. Build a comprehensive privacy governance framework, which enables you to continually re-assess your compliance with existing privacy regulation like GDPR and emerging ones.


Mark Kraynak

Entrepreneur, Venture Partner, Aspect Ventures

@AspectVC

1)  Get a handle on employee/contractor off-boarding. Latent privileges are a big, unnecessary risk. Also, automate your process of understanding what sensitive data you have. Most organizations have too much data in too many places for human processes to be reliable or consistent enough to be effective.

2)  Don’t stop at Encryption. The most common pitfall I see is when I hear someone’s answer about data security is, “We encrypted our data, so we don’t need to do anything else.” Encryption is good for mostly bulk, mostly static use cases, but tends to fail for data in use.


Paige Bartley

Senior Analyst – Data, AI & Analytics at 451 Research

PaigeBartley
@451Research

1)  View data protection and data privacy as an opportunity, rather than a burden. There’s a pervasive enterprise perception that consumer controls for data will result in less analysis and insight, or that privacy controls somehow “lock down” data. This misses the bigger picture. Data-driven regulation, such as GDPR and similar mandates, all share the same common requirement of strong, granular control of data at the architectural level. Strong control of data, in turn, has downstream benefits for other proactive data-driven initiatives within the organization. A robust data protection and privacy program, implemented enterprise-wide, has benefits for data quality, coordination of self-service access rights, and building consumer trust. At a high level, data privacy and data protection requirements are a golden opportunity to reconsider and optimize data management architecture and practices.

2) We’ve officially entered the data protection and privacy era, and the enterprise can no longer have a combative attitude towards compliance if it wishes to remain competitively viable. The biggest pitfall is viewing data privacy or data protection requirements as a list of burdensome technical “checkboxes” that need to be ticked off one by one for each new regulation. This view of the individual trees misses the broader forest: the core principles that are shared across regulatory frameworks. Implementing new siloed tools and new processes for each new regulation is not sustainable, economical, or scalable. Instead, organizations need to focus on optimizing underlying data management architecture and workflows from the ground up. Focus on the core commonalities, rather than the differences, between regulations. From there, implement highly-specialized point solutions higher in the stack only when necessary.


Craig Speizle

Managing Director, Agelight Digital Trust Advisory Group
Founder & Chairman Emeritus, Online Trust Alliance

@craigspi
@onlineintegrity

1)  2018 will likely go down as the year of questionable ethics. From the data sharing and mining practices of Facebook, Google and most recently the Weather Channel’s app, to the abuse of social networks, we all need to be concerned. All too often these entities who were supposedly “stewards of our privacy and trust” appear to have acted unethically. While executives need to be held accountable, one has to also question employees who failed to come forward and follow their own moral compasses. Our industry is at the center of a seismic change with the convergence of big data and artificial intelligence (AI). The oceans of digital information and low-cost computing power are providing endless marketing opportunities. At the same time, we are being confronted with ethical dilemmas challenging users’ digital dignity and redefining privacy norms.

My big focus for 2019 is Data Ethics: the convergence of big data, AI and Ethics. I have been steadfast on the need to move from compliance to stewardship. Ethics is an extension to this in light of the practices and what I call “data laundering,” which is occurring.

The question at hand is: Can industry and governments be trusted to responsibly regulate AI? Second, how can ethical guardrails be developed to help prevent abuse? There is no question AI will have a profound effect on how marketers engage consumers. Done right, consumers will get better and more relevant ads, content and services. This can be a win-win, but only if we get it right and address the ethical unintended consequences in advance.

2)  The one thing executives should avoid is remaining silent. They need to question their business and data strategy and not fall silent like so many employees at offending companies have. The question is, are they willing to follow their moral compass and rise above compliance?

Feel like data privacy and protection requirements are a chore? Turn them into a business advantage.

Most organizations view data privacy and data protection regulation such as GDPR and CCPA as a costly and time-consuming burden. However, the core data management capability required for compliance – granular data control – is also necessary for proactive leveraging of data for business purposes. Companies should view data control and architectural optimization as a strategic opportunity to uncover hidden insight and benefit their data-driven business initiatives.

The analyst firm 451 Research published the report Architectural data control: turning privacy requirements into a blessing, not a curse in January 2019. Integris Software is excited to make the report available to help companies see the dual-sided benefits they can derive from holistic data control. Here are a few highlights of the report:

  • Both regulatory compliance and effective leverage of data share the common requirement of granular data control. Today’s data privacy and data protection requirements, then, should be viewed by the enterprise as an opportunity to optimize data management architecture from the ground up.

  • Organizations cannot protect or provide privacy controls for data if they cannot quickly and consistently locate data, identify and resolve duplicates, accurately associate personal information with identities, and enforce policies. Both structured and unstructured data must be controlled with the same rigor.
  • With strong data control capabilities, the effects of silos are minimized, resulting in the ability to aggregate and analyze diverse data sources in a more contextual way. Data privacy and data protection mandates effectively shift the balance of power back from data quantity to data quality.
  • When consumers or data subjects are given more choices over the use of their data, trust is fostered. When a trusting relationship is built, consumers voluntarily provide more accurate information over time. Consumer trust, in turn, is correlated with more profitable lifetime relationships, lower churn, and more positive word-of-mouth presence in the market.

In summary, data control is the common requirement for both reactive compliance and proactive data leverage capabilities. It is also essential to building trust with consumers, which drives long-term profitability. If the enterprise is to strategically fulfill compliance requirements while maintaining the ability to competitively maximize the insight it derives from data, it must optimize its data management architecture and strive toward a unified view of data.

Learn more about the myriad benefits of architectural data control in this complimentary 451 Research report here.

5 Ways to Ensure Your Data Storage Systems Protect Customer Data

This article first appeared in TheNewStack.

Five hundred million. That’s how many individuals recently found themselves getting a notice that their personal information had been compromised in the recent Marriott data leak. The seemingly endless disclosure of major breaches (another 100 million from Quora was announced as I started writing this article) is causing an awakening among consumers and regulators.

Marriott’s database was hacked and malicious actors had unfettered access to its data, but even without a breach, many companies struggle to maintain control of the private data that their employees, partners and customers entrust them with. The sad fact is that customers no longer trust organizations to protect their data and therefore are very concerned about the type and volume of private data that organizations hold. It’s not enough to claim security best practices. Customers want to know what private data companies hold about them, and why.

Data protection is the responsibility of all of the technical teams at a company. But data storage administration and configuration are crucial in ensuring that the private data is protected, whether it be customer PII or your research team’s IP. Here are five tips to help ensure that data is handled responsibly.

1)  Know What, Where, and How Much Private and Sensitive Data Is Held by the Organization

This is often easier said than done. Traditional solutions like Data Loss Prevention have promised to find and classify our data, but scalability issues, the inability to identify data in motion and lack of accuracy continue to plague DLP offerings.

Modern technologies such as Docker containers and Kubernetes clusters running in auto-scaling cloud platforms such as AWS, Azure and GCP can eliminate scalability issues. We often find the largest volume and highest rate of data collection to be in big data lakes. It can be very useful to make use of the compute power built into such data lakes, in the form of MapReduce jobs, to scan, label and classify data at scale.

Data knows no boundaries. Private and sensitive data can be anywhere. Efficiency means having visibility into your data — whether it’s structured or unstructured, in a traditional DBMS or big data lake, out in the cloud or in your data center.

So, while you’re in the process of discovering data, it’s not enough to look only where it should be. You must have the capability to search, discover and classify data everywhere it resides.

2)  Map the Data Journey

Data is often the currency of business today, which means that data is constantly moving throughout the customer or product journey. Data is either a byproduct of customer activity or is actively requested and collected. Data is bought and sold to other organizations. And as a result of this data in motion, private data can be exposed in channels that aren’t designed to hold it.

While I wouldn’t ever put my private details such as account number or password into the chat box that seems to pop up on every website offering to help, my mother does this all the time. While providing such a service is important and valuable to the business, monitoring data traveling through these channels is critical to ensuring that private and sensitive data is kept in the proper location and scrubbed from areas such as chat logs.

It’s imperative to identify all the places that data moves in or out of your systems. Watching data as it moves across all touch points can provide verification that data is flowing in compliance with regulations, policy, contracts, or other obligation. Monitoring data in motion can help you stay ahead of any problems.

3)  Check to See That the Data That Should Be Encrypted Actually Is

Encryption is certainly not a panacea for all sensitive data issues. But at the same time, encryption can be a powerful mitigating control — but only if the data that should be encrypted is encrypted. If all social security numbers (SSNs) in a table are meant to be encrypted, are they actually? You have to check to make sure.

This should start with checking the accuracy of the initial discovery and classification effort. If it’s just assumed that all SSNs in a table are in the correct column and that column is encrypted, can you be sure all SSNs are encrypted? Data often finds its way into unexpected places. This leads not just to problems of encryption, but also to mis-classification and mis-categorization. And this can be the most vulnerable data, as it’s often not watched as closely, which leads to the next point.
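To make points 1 through 3 concrete, here is an added example (not code from the article or from Integris) of the kind of check a storage team can run against a table: it verifies that a column declared as encrypted really holds ciphertext rather than plaintext, and it scans every other column, plus free text such as a chat transcript, for SSNs that have strayed out of their designated place. The column metadata (`SCHEMA`), the sample rows and the "ciphertext" stand-in are all constructed for the example; the regex and the base64 heuristic are deliberately simple and are assumptions, not a production classifier.

```python
import base64
import binascii
import re
from typing import Dict, List

# Plaintext US SSN shape (3-2-4 digits, separators optional). Constructed for this
# example; a real classifier would add context and validity rules.
SSN_RE = re.compile(r"\b\d{3}[- ]?\d{2}[- ]?\d{4}\b")

# Assumed column metadata: what each column is meant to hold and how it is protected.
SCHEMA = {
    "id": {"kind": "identifier", "protection": None},
    "ssn": {"kind": "ssn", "protection": "encrypted"},
    "phone": {"kind": "phone", "protection": None},
    "notes": {"kind": "free_text", "protection": None},
}


def _constructed_ciphertext() -> str:
    # Stand-in for a real cipher token: base64 of 32 arbitrary bytes (constructed).
    return base64.b64encode(bytes(range(32))).decode()


# Constructed sample rows. Row index 1 leaks a plaintext SSN into the "encrypted"
# column; row index 2 has an SSN typed into a free-text column.
SAMPLE_ROWS = [
    {"id": 1, "ssn": _constructed_ciphertext(), "phone": "206-555-0143", "notes": "verified by phone"},
    {"id": 2, "ssn": "123-45-6789", "phone": "206-555-0177", "notes": ""},
    {"id": 3, "ssn": _constructed_ciphertext(), "phone": "206-555-0199",
     "notes": "customer read SSN 987 65 4321 over chat"},
]


def looks_like_ciphertext(value: str) -> bool:
    """Heuristic sanity check: decodes as base64 to at least 16 bytes. A plaintext
    SSN or phone number fails; a cipher token passes. Not a proof of encryption."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) >= 16


def redact_ssn(match: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    digits = re.sub(r"\D", "", match)
    return "***-**-" + digits[-4:]


def audit_rows(rows: List[Dict[str, object]], schema: Dict[str, Dict]) -> List[Dict[str, object]]:
    """Check that data meant to be encrypted actually is, and that SSNs have not
    strayed into columns where they are neither expected nor protected."""
    findings: List[Dict[str, object]] = []
    for idx, row in enumerate(rows):
        for col, value in row.items():
            text = str(value)
            meta = schema.get(col, {"kind": "unknown", "protection": None})
            hit = SSN_RE.search(text)
            if meta["protection"] == "encrypted":
                if hit:
                    findings.append({"row": idx, "column": col, "issue": "plaintext_in_encrypted_column"})
                elif not looks_like_ciphertext(text):
                    findings.append({"row": idx, "column": col, "issue": "not_ciphertext"})
            elif hit and meta["kind"] != "ssn":
                findings.append({"row": idx, "column": col, "issue": "ssn_outside_designated_column",
                                 "value": redact_ssn(hit.group(0))})
    return findings


def scan_text(blob: str) -> List[str]:
    """Discovery in unstructured data (chat logs, tickets): redacted SSN hits."""
    return [redact_ssn(m.group(0)) for m in SSN_RE.finditer(blob)]


if __name__ == "__main__":
    for finding in audit_rows(SAMPLE_ROWS, SCHEMA):
        print(finding)
    print(scan_text("ticket #4411: caller gave 321-54-9876 and a callback number 206-555-0100"))
```

Run as-is, the audit reports two findings: the plaintext SSN sitting in the encrypted column, and the SSN in the notes field that no column-level encryption policy would ever touch. The same `scan_text` function is what you would run over the chat channel from point 2, since the redaction keeps the finding useful for triage without copying the full number into yet another log.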

4)  Don’t Stop with Users

Sensitive data is not always attached to users, so don’t limit your search to user-based data. Also consider derived sensitive data, since seemingly innocent data points can lead to very private information.

Organizations generally focus on user accounts and the data associated with those accounts. But as discussed earlier, data is often misplaced. Is an SSN any less sensitive because it’s not linked in the database to a first and last name? Of course not. On the other hand, seemingly non-sensitive data can become sensitive when it is linked to a user.

For example, it’s unlikely you have religion listed with employee names in your HR database. But you probably do have requested days off. It’s often easy to derive a religious preference from the PTO days an employee requests. And while this data might not be used or even understood by the employer, it will certainly be understood and used by a third party who might have access to this seemingly innocent data. Sensitive data is sensitive data and should be treated as such.

5)  Know Your Data Obligations

Private and sensitive data comes with obligations from regulations, external requirements and internal policies. How do you know if you’re meeting all of these?

You’re most likely familiar with obligations in the form of internal policies. These policy obligations might be regarding which data elements should be encrypted, what data should be backed up, and the service level agreements on the restoration of such data.

And you might also be familiar with regulatory obligations like the General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley (SOX), the Payment Card Industry Data Security Standard (PCI-DSS) and others.

However, obligations can also be contractual. Are you buying, selling, or otherwise transacting data with other third parties or partners? There are typically contracts in effect that place obligations on that data. Obligations can also be public statements, such as a privacy statement made on the company’s website. A data privacy strategy should include visibility into such obligations and evidence that they are being met. Knowing the relationship of data to the obligations on that data can certainly make life easier when questions arise.

Conclusion

Building a system that protects private data is crucial. Whether you’re spinning up a new development environment for a new venture or simply conducting an audit to ensure compliance with the shifting regulations and privacy laws, how you structure your data storage and management technologies can have a significant impact on your company’s success. Making sure you’re protecting all of your data from various sources at all times is essential — and failing to do so can be costly.

The current regulatory environment is driving urgency to meet modern enterprise data handling challenges

At their core, data privacy regulations like GDPR and the California Consumer Privacy Act (CCPA) require good data handling practices. Continuous defensibility to meet compliance requirements boils down to doing two things well:

1)  Understanding where sensitive data resides across all data source types.

This should include structured, unstructured, semi-structured, data in motion, at rest, on-premise or in the cloud. The ability to scale up and down is critical.


2)  Mapping data back to existing data handling obligations.

Not just regulations, but also contracts and internal policies, as well as the ability to take action within your data ecosystem, such as encrypting files, or processing a consumer’s data access request.

Seven data handling best practices

Having visibility into where sensitive data resides and tying it back to obligations is critical to enabling these seven data handling best practices:

1)  Implement data security controls.

Documenting policies is important, but to be defensible you need to be able to show that you can identify different types of sensitive data across your enterprise, and that you have compensating controls in place to keep it encrypted, hashed, or masked. Be cautious about solutions that simply map IDs to pre-existing metadata. You’ll run the risk of creating a false sense of security about the data you have, which security parameters are being applied, and whether they’re in compliance with regulatory mandates. Metadata can be misleading. Integris operates at the data element level to inform you exactly what personal information is in your dataset, not just what the metadata implies. By using a combination of contextual awareness, natural language processing, and machine learning, Integris maps all sensitive data elements so as to assess privacy, integrity, and handling violations.

2)  Establish and enforce a data retention policy.

You probably have different retention policies for different types of data. Make sure you’re calculating retention in a consistent way such as creation date, date of last transaction or another metric. Of course, to be defensible, you’ll need to be able to identify your sensitive data, and show that you’re adhering to your own retention policy.

3)  Identify mislabeled data.

Data handling policies only work if your data carries the right labels. It's not uncommon, for example, for the databases behind web forms to contain mislabeled data: a customer who accidentally types their credit card number into a phone number field could put you in violation of a regulation, because you're not encrypting the phone number column in your database.

4)  Identify misclassified data.

Much like mislabeled data, misclassified data poses a significant risk. For example, SSNs found in a phone number column will not have a high enough classification tied to the data set. Don't rely on manual data mapping efforts, which can be riddled with errors. Integris automates the identification of misclassified and mislabeled data, then surfaces issues for human intervention or kicks off automated remediations.

5)  Tackle data proliferation, including data in motion.

You probably have data handling policies that restrict where sensitive data resides. For example, it must sit in Oracle or Hadoop, but not in network file storage or Dropbox. For data streaming into an organization from places like Facebook, Instagram, or business partners, data in motion can be a big blind spot. Identify and monitor your data streams to ensure you know what is entering and leaving your organization and that you are adhering to all data handling policies. Integris’ ability to handle data in motion is key to helping you understand which data is entering or leaving your organization via data sharing agreements, and the streams and feeds your company relies on for continuous innovation.

6)  Residency-based policy-making.

Both GDPR and the California Consumer Privacy Act (CCPA) indicate that data handling policies apply differently depending on a person’s residency or citizenship. Track data against residency policies to ensure effectiveness. Integris can infer residency from geospatial data, a country code, or phone number.

7)  Handle what GDPR calls data subject access requests (DSAR).

Under both GDPR and CCPA, individuals have the right to inquire about their personal data, what data companies collect about them, how it’s being used or shared, and to exercise their right to “be forgotten.” In order to address DSAR, you must understand where all personal data resides and be able to map it back to your users.
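Practices 3 and 4 above both come down to the same check: classify each value by its content rather than by the column name, and flag cells whose content disagrees with the label the schema (and therefore the handling policy) assigns to them. The following is an added example written for this page, not Integris code; the sample `CONTACTS` rows and the `REQUIRED_CONTROL` policy mapping are constructed for illustration. It uses a Luhn check so that a 16-digit run that is not a plausible card number is not reported as one, and it emits the minimum control the detected type would need so a reviewer can see where the declared classification falls short.

```python
import re
from typing import Dict, List

# Constructed sample export of a "contacts" table. The schema labels the
# column "phone", so the handling policy applied to it is the phone-number
# policy; some rows carry values of a different, more sensitive type.
CONTACTS: List[Dict[str, str]] = [
    {"id": "1", "phone": "206-555-0143"},
    {"id": "2", "phone": "4111111111111111"},  # card-shaped and Luhn-valid
    {"id": "3", "phone": "123-45-6789"},       # SSN-shaped
    {"id": "4", "phone": "4111111111111112"},  # card-shaped but fails Luhn
    {"id": "5", "phone": "+44 20 7946 0958"},
]

# Minimum control each detected data type requires under a hypothetical
# handling policy (an assumption for this example, not a real policy).
REQUIRED_CONTROL = {"CREDIT_CARD": "encrypt", "SSN": "encrypt", "PHONE": "mask"}

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
CARD_RE = re.compile(r"^[\d -]{13,23}$")       # digits with optional separators
PHONE_RE = re.compile(r"^\+?[\d\s().-]+$")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check; rejects typos and most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify(value: str) -> str:
    """Content-based label for one cell, independent of the column name."""
    v = value.strip()
    digits = re.sub(r"\D", "", v)
    if SSN_RE.match(v):
        return "SSN"
    # Card numbers are 13 to 19 digits (PAN length) and must pass Luhn.
    if CARD_RE.match(v) and 13 <= len(digits) <= 19 and luhn_valid(digits):
        return "CREDIT_CARD"
    # E.164 phone numbers carry at most 15 digits.
    if 7 <= len(digits) <= 15 and PHONE_RE.match(v):
        return "PHONE"
    return "UNKNOWN"


def audit_column(rows: List[Dict[str, str]], column: str, declared_label: str) -> List[Dict[str, str]]:
    """Return one finding per cell whose content disagrees with the column's label."""
    findings = []
    for row in rows:
        detected = classify(row[column])
        if detected == declared_label:
            continue
        findings.append({
            "id": row["id"],
            "column": column,
            "declared": declared_label,
            "detected": detected,
            # "review" routes anything unrecognised to a human, as practice 4 describes.
            "required_control": REQUIRED_CONTROL.get(detected, "review"),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_column(CONTACTS, "phone", "PHONE"):
        print(finding)
```

Run against the sample rows, the audit reports row 2 as a credit card number (policy requires encryption, the column only gets masking), row 3 as an SSN, and row 4 as unknown content for human review; rows 1 and 5 match the declared label and produce no finding. In a real scan the same `classify` function would be applied to every column regardless of its declared type, since the same mislabeling can occur in free-text and notes fields.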

GDPR Compliance Questions Answered

Q&A with Nick Brandreth, VP of Sales at Integris Software

This interview first appeared in the GDPR Report.

Nick Brandreth leverages over 16 years’ experience in the Information Security sector, having worked at firms including Safebreach, cyber-security firm Imperva, and Tripwire, where he was an early proponent of DevSecOps through the work of Gene Kim.

The GDPR report caught up with Nick at the Data Protection World Forum in London to find out more about how companies’ data privacy strategies need to adapt to modern demands and data structures.

What role do you think automation plays in the future of data privacy?

Nick Brandreth: Automation is fundamental to data privacy, especially when it comes to all the risks that come with bringing new data into your organisation.

Automation is even more crucial given how data creation has exploded over the last few years. Our handheld devices are constantly creating data, our tablets are continuously streaming, and our locations are always being tracked through our devices. The capacity for data storage has become very cost-effective, so it’s relatively cheap for organisations to store all their data indefinitely.

Companies collect this data and utilise it in innovative ways that help drive technological advances and offer better products and services to consumers, which in turn, increases revenue for the organisations themselves. However, with increasingly severe regulations, like GDPR and now CCPA, companies now need to view their data as both an asset and a liability.

In this new climate of regulation, understanding what data you have and where it resides has become increasingly difficult. Traditionally, organisations have dealt with this via a manual, survey-based process, which is prone to human error. With data constantly changing due to acquisitions, data sharing agreements, or marketing departments purchasing data, these manual-based approaches are insufficient, and if anything, expose the company to more risk by creating a false sense of security about where and what data they actually have. Given all of the innovation that has transpired with the way data is now collected and used, innovation is needed to understand what the data means to the company, which is why an automated approach is now so crucial.

How have previous data privacy strategies been generally inadequate?

NB: Inadequate may not be the correct term for it; I think antiquated might be a better way to put it. It helps to think about this in terms of Gartner's three Vs of big data: volume, velocity and variety. Any type of solution must handle these three Vs. A manual survey-based approach or trying to use tools not built with big data constructs can't address the three Vs.

As an example, previously, data might have just been held in structured databases around which organisations wrapped tight controls. It was much easier for them to identify where sensitive data might be, how it's being used and if data handling obligations such as retention, residency, etc. are being followed.

Today, the situation is very different. Data now constantly moves through an organisation, and customers and companies are constantly sharing data back and forth. Further, the definition of what is sensitive data has evolved, where data such as diet preferences or personal days taken off can infer religion, and movies watched can infer behaviour. Additionally, exact definitions of what is personal will only be borne out in case law as time goes on, making compliance a moving target.

While privacy regulations have been around for a while, GDPR has given privacy real teeth and pushed the need for more organisations to find ways to have a comprehensive, defensible data privacy strategy.

What does it mean for automation technology to be scalable and flexible?

NB: We can point back to Gartner’s three Vs of big data: volume, velocity and variety. For data automation to be scalable and flexible, it needs to handle data at any scale. We’re not just talking about gigabytes or terabytes – in fact, we’re starting to talk about petabytes, exabytes and zettabytes. In essence, data privacy automation technology needs to be able to handle an extremely large volume of data at large scales from various internal and external sources.

Now this is where we start the conversation around inter-flexibility. For instance, I have structured data, but I also have a lot of unstructured data sitting out in various sources. I may have a data lake and data streaming in and out of my organisation. I may use Workday, which holds my HR data, and then I may use Salesforce for my sales/marketing data. The bottom line? I need to be able to handle all those types of data.

In short, any type of automation needs to be able to look at scale and flexibility.

What do you predict for the US in terms of a national GDPR-style regulation?

NB: This is a very interesting question and one that is currently getting an increasing amount of attention in the U.S. The current administration does not favour regulations, so it's hard to say whether there will be a national GDPR-style regulation. However, many tech giants have gotten ahead of the conversation and are already talking with policy people about what a national privacy framework would look like. These talks at some point will surely involve consumer advocacy rights, as you see leaders of large tech firms commenting that privacy and transparency is a right. Additionally, states have started to take the reins by driving their own privacy regulations. California gets the top headline as it's a pretty stringent state, but many states have now passed regulations or have them in legislation. Many of these states are actually focused on ensuring that your data is de-identified as required.

When regulation is at a state-by-state level rather than at a federal level, regulatory complexity becomes exponential for organisations. This points back to the importance for data privacy automation technology to be scalable and flexible – the ability to scale to different rules and mandates and map that many-to-many relationship between the data and the obligations. The complexity of the data privacy challenge is constantly rising and won’t slow down anytime soon. Organisations need to be aware of this and future-proof any Data Privacy or Data Protection program.

How awake to the importance of data privacy are consumers in the US?

NB: Consumers in the US are much more aware of data privacy regulations now; GDPR really opened a lot of eyes when companies became frenzied to comply in advance of the deadline.

Now that technology has enabled so much personalized consumer data to be discovered and aggregated, consumers are starting to wake up to the fact that data breaches are extremely difficult to prevent, and their focus has turned to the need for data privacy and to demand for more transparency from businesses on the issue.

What are the differences between data security and data privacy?

NB: Having spent so many years in Information Security, data privacy and security are really part of the same continuum. However, data security concerns “how” data is secure, and data privacy thinks about “what data and why?”

For a company to truly secure their data, they must know and understand what exact data they have in the first place. Once they have this they can then ensure security policies are being followed. For example, is all data that should be encrypted actually encrypted; or is sensitive data that should be located in only certain sources actually only in those sources or has it proliferated to other sources in the environment. Without automation, these questions can’t be accurately or sustainably answered.

Data Privacy Automation provides extra security within an organisation because it ensures many of the data security policies you put in place are being followed. An asymmetrical war is being fought against companies, and while organisations can't afford to fail, the attacker only needs to succeed once. Not having an empirical idea of exactly what data you have and where is yet another increase in risk to the organization.

Data Privacy Automation gives security teams the ability to come in and be very precise with securing the right data in the right way so that organisations can continue to innovate and serve their customers by using their most asset.


The team at Integris Software proudly supported the Hopper X1 Seattle Conference, which champions women pursuing careers and success in technology. The Hopper X1 Seattle Conference is organized by AnitaB.org and modeled after the Grace Hopper Celebration, the world's largest gathering of women in technology.

One of our core people tenets at Integris is that we celebrate and continually foster our diverse and inclusive culture. It was an opportunity not only to learn from many great technologists, but also to make many meaningful connections with other women in engineering who are stepping up to close not only the gap we have for skilled workers in tech, but also the gender gap we have historically had in tech. Throughout the event, there were many stories of strength and testaments of overcoming adversity to achieve powerful successes, and inspiration was had by all. And wow – did we have a great time!

As a female-founded company, we are excited to be included in the AnitaB community and will continue to support ongoing efforts in Seattle to close gender gaps. And, to that end, we want to give one last shout out – to all the men and gender-neutral individuals who also chose to attend HopperX1. It was a poignant reminder that inclusion works both – or rather, all – ways.

Meredith Turner, our Head of People Experience, led our participation in the event along with Software Engineer Elizabeth Williams.

More information is available on the Seattle AnitaB.org community from a series of fantastic blogs published here.


A Values-Driven Commitment to Data Privacy

The values of Integris Software are the building blocks of who we are and how we operate. Transparency is vitally important to us, and we want to make it known that the values we believe in most inform our everyday decisions.

Integris wasn’t created to just solve data privacy concerns, but rather, to work toward something much more important: transform and foster the data privacy environment we believe the world wants – and most importantly, deserves.

Our world is rapidly evolving, and technology advancements continue to drive the exponential growth of data. Increasing demands for personal, on-demand experiences have required large amounts of personal information to be stored and used. The speed of change has created difficulty with how to regulate, collect and use data.

Companies in charge of our data must operate with unwavering integrity

Not taking data privacy seriously is gambling with people's wellbeing and with whether an organization succeeds or fails. A lack of data privacy has real-world consequences: drained bank accounts, damaged credit, and even stolen identities.

Making data privacy a priority sets the precedent that it is critically important. The business world follows trends, and organizations that live their truths can make lasting impacts on the world around us.

At our core, Integris is an organization backed by the highest commitment to integrity. It lives in our name and is central to our operations, partners and solutions – day in and day out. We respect each other and the collective power that is achieved when the team goes all in.

There isn’t always consensus on what is right and wrong. Around the world, people value privacy, and more importantly, history shows us the consequences when privacy is compromised.

Privacy is a right, not a privilege

Integris was founded on the belief that the right to data privacy is absolute. A lack of privacy isn’t just an inconvenience; it’s a possible nightmare for consumers and businesses alike. Privacy keeps our intellectual property and personal information just that — private.

Laptops, smartphones, watches, televisions and even kitchen appliances capture data constantly in our everyday lives. This has normalized data collection, with consumers trusting that their data is being handled discreetly. Unfortunately, that is often not true due to the enormity and complexity of data, and the manual nature of most data privacy programs these days.

Together, we must bring our collective commitment to the values we share and embody to the forefront.

Integris will never back down from doing what is right. We will always stand with those willing to go out on a limb, trust their instinct and challenge the status quo. We have a vision of what we believe the world can be when you focus on doing what is right as the rule, not the exception.

Privacy is a continuum

The future is coming fast and will require data privacy solutions that are flexible, continuous and devoted to excellence. Simply being reactive isn’t enough anymore. A data privacy solution that works today may not work tomorrow. We must keep innovating – pushing the boundaries, uncovering the unknown and stepping up to take smart, calculated risks.

Setbacks are inevitable, but perseverance, resourcefulness and a commitment to excellence ultimately prevail. Sometimes it requires taking the road less traveled to get where you want to go. At Integris, we believe there is a better, clearer path to data privacy, and our solutions will get organizations to that outcome. The future of data privacy should make consumers feel safe, knowing their privacy is protected.

A lifetime commitment

I founded Integris Software in 2016 to create a product and culture we take great pride in – as a company, a team and as global citizens. Leveraging our values has brought us to a new phase in the data privacy arena and drives what we do going forward. We keep our values close and apply the knowledge we gather every day to create a safer today and a more private tomorrow.