'Most Innovative Startup 2020' by RSA - Watch the video
Learn MoreBlogs
Published on January 9, 2020 AUTHOR Paige Bartley (Senior Analyst, 451 Research)
If you’re reading this, you care about data privacy. Maybe you care about it in the scope of your job responsibilities, or perhaps you care about it personally: in the scope of your own personal life and technology use. But more likely than not, it’s a mix of the two. This is why automation of privacy efforts – and PrivacyOps -- matters. Curious? Read on.
We didn’t get here by accident. Governments around the world have not enacted data-centric regulations such as GDPR and the California Consumer Privacy Act (CCPA) out of the pure goodness of their hearts. These laws are largely in response to growing public and awareness and outcry over-exploitation of sensitive personal information: personal information that individuals feel they often have little choice in providing or controlling if they are to participate in modern society. Pick your favorite headline about a breach or data privacy violation; data privacy awareness is high and growing.
The research done by 451 Research also corroborates this. In one of our consumer survey cycles, we asked individuals how concerned they were about data privacy. A full 90% reported they were either “very concerned” or “somewhat concerned.” Only 1% reported they were “not at all concerned.”
That type of awareness is hard to ignore, and in the US, individual states are rapidly enacting legislation for data privacy and protection: following in the footsteps of California. But for businesses looking to comply with these regulations, the landscape is treacherous. Not only does California’s law – CCPA – have extraterritorial reach, but all of the individual state proposals for laws are slightly different, leading to balkanization of data privacy and protection standards in the US. Interstate organizations in the US, then, cannot sustainably approach each new regulation with an ad hoc “Whack-a-Mole” approach. They need privacy programs that are adaptable, scalable, and that leverage automation to execute data management tasks common to multiple regulatory frameworks.
But what, exactly, is the common denominator across these increasingly diverse data protection and privacy mandates? It is often easier to get caught up in the individual nuances and “checkbox” requirements of each than it is to identify core underlying principles. Identifying differences can give the organization a deceivingly simple “to-do” list that misses the big picture. In reality, data privacy and data protection regulations fundamentally exist to protect the rights of individuals, and to protect the rights of individuals, organizations need full control of ALL the personal data in their possession.
Across data privacy and protection regulations, individuals are generally given the “right to know” and the “right to say no” with regard to their data. The right to delete personal data, the right to data portability, the right to reasonable security for personal data, and the right to be notified in the case of a data breach are also all very common. Again, organizations must have a very granular understanding of what personal data is in their possession and what is happening to it at all times if these basic rights are to be fulfilled. Not knowing is not an excuse.
Unfortunately for businesses, data is more difficult to control and understand than ever before. Once personal data is ingested into an organization, it propagates into countless internal systems and data silos, and can make its way to dozens or even hundreds of third-party vendor systems that the original organization has limited control over. A growing number of end users demanding data within organizations also complicates the management of appropriate access and permissions.
And the diversity of the average business IT environment is simply staggering. According to 451 Research’s enterprise practitioner survey results, 72% of organizations that use the public cloud use more than one public cloud vendor, and a total of 8% used more than three public cloud vendors: an impressive feat considering only three public cloud providers dominate the market in the US. For organizations with 1,000+ employees, a full third – 33% -- report having more than 50 distinct departmental data silos. That’s a lot of disparate data sources to manage.
These factors amount to a perfect storm. Growing public outrage and awareness, proliferating regulations, sprawling IT ecosystems, an expanding pool of self-service data consumers, and the intensifying enterprise pressure to extract maximum insight from all available informational resources.
We’re at the end of an era; gone are the days where “reactive” business functions such as compliance and data privacy could be at odds with more “proactive” enterprise insight initiatives such as analytics and data science. In an era of rapid disruption, organizations that want to survive must align their business objectives such that data privacy and protection is no longer a burden or cost center. Rather, it must be an accelerator for better data management architecture and practices which will benefit all stakeholders.
In this context, data privacy and protection efforts are deeply intertwined with the viability of the business and the ability to meet the needs and expectations of customers: particularly in the B2C space. So, it should go without saying that data privacy and data protection needs to be an ongoing, iterative, adaptable process rather than a project-based “checkbox” approach with a deadline. New regulations will always emerge; it is up to organizations to implement processes and technology that can support evolving needs rather than just the specifications of a single law.
Automation will be critical. There is no amount of human talent and effort sufficient to scale to the data management volume challenges within a typical modern organization. There is simply too much data to evaluate and protect. Capabilities such as automated detection of potentially-sensitive data sources, automated policy controls for data, automated control of data access rights, and automated fulfillment of data subject access requests (DSARs) are all possible and – increasingly – necessary.
The PrivacyOps concept and framework looks to operationalize data privacy practices across the organization, leveraging automation, so that not only compliance objectives can be met, but so that the friction of end user data access and leverage can be reduced. Better data management and data privacy controls, when implemented correctly, can actually free up data that was formerly locked away in silos. To the average business end user, such as a data analyst, an effective PrivacyOps program will be invisible and simply make access to appropriate data sources quicker and more seamless.
What does PrivacyOps look like? It is a framework, rather than a specific tool, that takes into account people, processes, and technology. Emphasis on automation of error-prone and high-scale tasks is a must. At its most rudimentary, it breaks down into the convergence of four basic “systems:”
It’s time to stop thinking of data privacy and data protection as a burden, a barrier, or a niche responsibility within the organization. Responsible use of data, and the data management practices that enable it, can benefit everyone: from those depending on high-quality information to those that depend on the trust of consumers to cultivate long-lasting, profitable relationships.
Yes, organizations will need to leverage automation and technology to achieve these objectives. But ultimately, the discussion needs to start with business stakeholders. Getting everyone in alignment should be the first step, and establishment of effective and adoptable processes should be next. Finally, appropriate technology tools should be considered, selected, and implemented.
Automate and manage the entire consent life cycle with efficiency for various cookie compliance regulations around the world.
Learn MoreDiscover granular insights into all aspects of your privacy and security functions while reducing security risks and lowering the overall costs
Learn MoreSimplify gathering information, dynamically update your data catalog, and automate assessments and reports
Learn MoreMeet Brian Lillie, Former CPO at Equinix as he discusses the potential challenges of CCPA and how the PrivacyOps framework can be the key to unlocking compliance.
Learn MoreWatch the 3-minute pitch presented by Rehan Jalil on SECURITI.ai in the RSAC Sandbox Competition
Learn More
[email protected]
PO Box 13039,
Coyote CA 95013
Find data assets, and discover personal and sensitive data in structured and unstructured data systems, across on-premises and multi-cloud.
Classify & label data to ensure appropriate security controls are enabled on most sensitive data in your organization
Collect, organize, enrich and build a data catalog to address privacy, security and governance solutions
Connect to structured and unstructured data sources and automatically discover and build a relationship map between personal data and its owner.
Assess risk scores for every data asset, asset location, or personal data category
Auto discover personal data in Snowflake and enforce access governance
Auto discover personal data in Snowflake and enforce access governance
Discover, classify, manage and protect sensitive data in Box. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Slack. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more
Discover, classify, manage and protect sensitive data in Workday. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Github. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Jira. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Dropbox. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in SAP Successfactors. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Servicenow. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Zendesk. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Apache Hive. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Apache Spark SQL. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Cassandra. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Discover, classify, manage and protect sensitive data in Couchbase. Automate data subject rights fulfillment and maintain compliance with regulations such as GDPR, CCPA, LGPD, PCI and more.
Maintain your Data Catalog with continuous automated updates
Automate data subject rights request fulfillment and maintain proof of compliance
Connect to structured and unstructured data sources and automatically discover and build a relationship map between personal data and its owner.
Audit once and comply with many regulations. Collaborate and track all internal assessments in one place.
Automation of privacy assessment collection from third parties, collaboration among stakeholders, follow-ups and compliance analytics.
Automate global cookie consent compliance.
Simplify and automate universal consent management.
Automate the incident response process by gathering incident details, identifying the scope and optimizing notifications to comply with global privacy regulations.
Keeping privacy notices up-to-date made easy
Operationalize GDPR compliance with the most comprehensive PrivacyOps platform
Operationalize CCPA compliance with the most comprehensive PrivacyOps platform
Revolutionize LGPD compliance through PrivacyOps
Enable privacy by design through the AI driven PrivacyOps platform
Discover data assets, detect & catalog sensitive data in it
Classify and label data to ensure appropriate security controls
Monitor data security posture and identify external and internals risks to data security
Policy based alerts and remediations to protect data from external and internal threats
Investigate data security issues and take remediation actions
Snowflake is a cloud based data warehouse that allows organizations to run large scale data analytics projects to uncover business insights, run or train machine learning models, and modernize their data infrastructure.
The Amazon S3 (Simple Storage Service) is a web-service which allows for scalable storage solutions for data archival, backup, and recovery purposes.
Microsoft O365 is the ubiquitous productivity suite for every business worker. Users rely on Office products such as OneDrive and SharePoint to collaborate with their co-workers.
Organizations want to migrate their on-premises data to cloud data stores to take advantage of scale and flexibility while reducing operational cost of managing on-premises infrastructure. However, due to privacy regulations such as GDPR, CCPA administrators have to ensure that data is migrated in compliance with these laws.
Protecting sensitive content is a priority for all organizations, however, due to volume of sensitive content and
While data aids in business decision making, global privacy regulations such as GDPR, CPRA require organization to identify personal & sensitive data & use only for its intended purpose and implement adequate protection.
The California Consumer Privacy Act (CCPA) was signed into law on June 28, 2018 and is scheduled to come into effect on January 01, 2020. Often compared to GDPR, CCPA protects consumers from mismanagement of their personal data and gives the consumer control over what data is collected, processed, shared or sold.
The EU General Data Protection Regulation (GDPR) came into effect on May 25, 2018 and changed the global privacy landscape. It has broadened the definition of processing activities and personal data, impacting companies worldwide, and has tightened the rules to obtain consent before processing information.
The Lei Geral de Proteção de Dados (LGPD) is modeled with similarities to the General European Data Protection Regulation (GDPR) and contains sixty-five articles. It was approved on August 14, 2018 and its validity has undergone several changes, the last relevant fact being MPV 959. LGPD is in effect since September 18, 2020. The sanctions by the ANPD (Brazilian Data Protection Authority) were postponed to August 2021. The LGPD allows people have more rights over their data and expects organizations to comply with their regulations or face heavy penalties or fines.
The government of New Zealand has recently replaced its long-existing Privacy Act of 1993 with a modernized version, the Privacy Act 2020. The New Zealand Privacy Act 2020 (NZPA) will take effect from December 1, 2020.
The Personal Data Protection Act, B.E. 2562 (2019) ('PDPA') is Thailand's first consolidated data protection law, which was published in the Thai Government Gazette on 27 May 2019. This law was said to go into effect on 27 May 2020. However, in May 2020, the Thai Cabinet through a Royal Decree has deferred the enforcement of certain data protection provisions of the PDPA until 31 May 2021.
In order to protect the data of individuals in South Africa, Parliament assented to the Protection of Personal Information Act (POPIA) on 19th November 2013. The commencement date of section 1, Part A of Chapter 5, section 112 and section 113 was 11 April 2014. The commencement date of the remaining sections (excluding section 110 and 114(4)) was 1st July 2020. As per the Regulator’s Operational Readiness Plan the Regulator will be able to take enforcement actions for the violation of POPIA by July 1st 2021.
The DIFC Data Protection Law, 2020 lays down regulations regarding the collection, disclosure and processing of personal data in the DIFC, a special economic zone in Dubai. It also gives rights to individuals whom the personal data relates to and provides power to the Commissioner of Data Protection to enforce the law, enact regulations and approve industry-wide Codes of Conduct.
The Australia Privacy Act 1988 (Privacy Act) was enacted to protect the privacy of data subjects and regulate how Australian agencies and organizations with an annual turnover of more than $3 million handle their customers’ personal information.
Singapore’s Personal Data Protection Act (PDPA) comprises various provisions governing the collection, disclosure, use, and care of personal data. It recognizes the rights of individuals to have more control over their personal data and the needs of organizations to collect, use, or disclose personal data for legitimate and reasonable purposes.
On April 13, 2000, the Personal Information Protection and Electronic Documents Act (PIPEDA) received Royal Assent. It came into force in stages, beginning on January 1, 2001. PIPEDA came fully into effect on January 1, 2004. The legislation applies to organizations that collect, use or disclose personal information in the course of commercial activities.
After the invalidation of Privacy Shield, many companies are relying on the SCCs in order to continue transferring data of EU citizens to companies based in countries who are not deemed adequate for data transfer.
After the CJEU judgement, it is clear that these companies have to conduct Risk Assessments with the data recipients in these countries in order to ensure they have enough controls to mitigate any potential data or regulatory risk.
On 2nd March, 2019, the Department of Health—Abu Dhabi (DoH), launched the Abu Dhabi Healthcare Information and Cyber Security (ADHICS) Standard. This is the first standard that aims to provide healthcare professionals and entities a comprehensive guide to the regulation of healthcare data in Abu Dhabi. This law ensures the highest levels of privacy and security of patients’ data, in line with international standards, is maintained.
On January 31, 2020, the government of Saudi Arabia issued the Executive Regulations to the Saudi E-Commerce Law 2019 (“ECL”) that was in effect since October 2019. The Executive Regulations together with the ECL (“Law”) aim to protect consumers’ personal data by requiring organizations to take appropriate technical and administrative measures.
Turkey was one of the first countries to start the trend of legislating data protection. Turkey published “Law on the Protection of Personal Data No. 6698 (LPPD) covering personal data protection on April 07, 2016.” The LPPD is based on the European Union Data Protection Directive 95/46/EC and has several similarities with the GDPR. It aims to give data subjects’ control over their personal data and outlines obligations that organizations and individuals dealing with personal data must comply with. The LPPD has also provided comprehensive guidelines for the transfer of personal data to the third parties.
In December 2019, India, following several other countries' footsteps on the privacy laws' developments, introduced the Personal Data Protection Bill (PDPB) to regulate the processing, collection, and storage of personal data.
On 13 October 2020, the National People's Congress of the Republic of China submitted the long awaited draft of the Personal Information Protection Law (Draft PIPL) to the Standing Committee meeting for preliminary review. This draft was officially released for the public consultation on 21 October, 2020. The consultation period will last until 19 November 2020.
The Irish Data Protection Act, 2018 (Irish DPA) implements the General Data Protection Regulation (GDPR) and transposes the European Union Law Enforcement Directive in Ireland. Since it incorporates most of the provisions from the GDPR and the Law Enforcement Directive with limited additions and deletions as per the national law, it is considered to be the principal data protection legislation in Ireland.
The Personal Data (Privacy) Ordinance (Cap. 486) as amended in 2012 (the “PDPO) is the primary legislation in Hong Kong which was enacted to protect the privacy of individuals’ personal data, and regulate the collection, holding, processing, disclosure, or use of personal data by the organizations.. The Data Protection Principles ( the “DPPs or DPP ''), which are contained in Schedule 1 to the PDPO, outline how entities should collect, handle, disclose, and use personal data.
In 2012, the Philippines passed the comprehensive privacy law, Data Privacy Act 2012 Republic Act. No, 10173 (the "DPA"). The DPA recognizes the rights of individuals to have more control over their personal data while ensuring a free flow of information to promote innovation and growth.
The United Arab Emirates (UAE) has a Federal Telecommunication Law ( Federal Law) which requires that a company must hold a license in order to provide public communications services and operate public telecommunication networks. Under this Federal Law, a Telecommunication Regulatory Authority (TRA) was established which regulates the telecommunication sector in the UAE.