Although we are just past the midpoint of the year 2020, it has already proven to be a time of significant change. We find ourselves doing many things we had never imagined, like evaluating body temperatures as people enter the workplace, the retail store or the school. But even before the advent of the coronavirus, we were in the midst of a sea change, from how we interact with each other to how we pay for goods, how we target customers and how we collect data – all of which are key drivers of privacy regulation. This blog, which recaps a recent webinar we conducted, reviews the current state of data privacy regulations and what companies are doing to cover the ever-changing landscape that defines data privacy today.
A Scalable, Comprehensive Framework
A quick scan of U.S. and global data privacy regulations, both historically and including regulations going into effect or being considered by voters this year, reinforces that privacy evolution is a constant. That makes it more important than ever for organizations to have an agile privacy program in place, one that gives the organization the flexibility to adapt to new regulations that may be introduced one, three, five or even ten years from now. Organizations that operate at a national level also need to comply with all regulations applicable to the states in which they operate. This will continue to be a moving target for those organizations until such time as we might see regulations consistently implemented at a national level.
All this change means that companies cannot look at just one privacy regulation; it is imperative to consider the impact of all of them and develop a framework that gives the organization the latitude needed to address all of them. We have developed this sample framework that includes four compliance domains and 13 control areas. What is important to note, at a 30,000-foot view, is that this framework is really about organizations being good stewards of their data. Those that implement a comprehensive data protection strategy may even start recognizing economies of scale. For example, if the data subject access request (DSAR) process meets the highest watermark among the applicable regulations, it is likely the organization will meet those requirements across multiple regulations.
Trust and Transparency
The magnitude of what needs to be considered in data protection and privacy continues to expand. During our webinar, Erin Hughes of SAP discussed the four pillars shown below, elaborating on why it is important to build trust and relationships, optimize data management and governance processes, perform continuous assessments and establish a modernized, scalable foundation for data protection and privacy.
First, building trusted relationships involves developing a customer-centered approach to data privacy, empowering customer control, preference and consent. Organizations should facilitate a privacy-by-design identity and consent capture process that includes establishing policies and procedures to obtain consent for processing personal data and presenting an accurate service and privacy policy for processing that data. It is important to facilitate a centralized self-service preference and consent process that enables customers to independently access, update and correct their personal data, to store proof of their consent, and to maintain procedures for how customers’ personal data may be transferred to third parties.
Privacy governance protects the business and establishes a framework to mitigate compliance risks. As we have seen time and again, this is no small task, since many organizations today are attempting to manually manage their data privacy processes. When it comes to privacy governance and operationalizing the privacy management process, automation must be a key component in order to scale and adapt to the ever-changing privacy regulations. Organizations should evaluate their readiness to identify security and privacy risks and develop remediation plans that both meet the company’s objectives and comply with regulatory requirements. Organizations should also automate data control and compliance reporting processes, as well as the management of the data subject request lifecycle, tasks that are traditionally handled manually in most organizations.
Understanding the data privacy landscape also includes data management capabilities such as discovery and categorization. Can the organization identify the data it has, where that data is, who owns it and how it is managed on an ongoing basis? While our webinar focused on personal data, it is important to consider all types of sensitive data, including intellectual property, financial data, trade secrets and more.
The final pillar is data security, including access control, identity management, data masking and breach detection. Organizations must have technology in place to appropriately manage data security to protect the business and its customers – building and maintaining trust and transparency.
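The discovery and categorization capability described under data management, together with the data masking mentioned under data security, as an added illustration written for this post rather than code from BigID, SAP or Protiviti. It scans three constructed sample sources (a CRM table, a payroll table and an exported file), classifies columns with hypothetical regex classifiers and column-name hints, records owner and location for each finding, masks the sample value shown in the inventory, and answers the DSAR-style question of which sources hold a given data subject's e-mail. A production platform uses far richer classification than these patterns, but the inventory it produces has the same shape: source, owner, column, category and a masked sample.

```python
import re
from dataclasses import dataclass

# Hypothetical value classifiers: one regex per personal-data category.
# These are illustrative assumptions, not any vendor's detection rules.
VALUE_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$"),
    "us_ssn": re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "phone": re.compile(r"^\+?\d[\d\s().-]{8,}\d$"),
}
# Column-name hints for contextual personal information with no fixed format.
NAME_HINTS = {"name": "person_name", "dob": "date_of_birth",
              "birth": "date_of_birth", "addr": "postal_address"}


@dataclass
class Finding:
    source: str        # where the data lives
    owner: str         # who is accountable for it
    column: str
    category: str
    match_ratio: float # share of non-empty values matching the classifier
    sample_masked: str # masked example, safe to show in an inventory report


def classify_column(column, values, threshold=0.8):
    """Return (category, ratio) or (None, 0.0). Empty cells are ignored."""
    non_empty = [str(v) for v in values if v not in (None, "")]
    if not non_empty:
        return None, 0.0
    for cat, pat in VALUE_PATTERNS.items():
        ratio = sum(1 for v in non_empty if pat.match(v)) / len(non_empty)
        if ratio >= threshold:
            return cat, ratio
    lowered = column.lower()
    for hint, cat in NAME_HINTS.items():
        if hint in lowered:
            return cat, 1.0
    return None, 0.0


def mask(value, keep_last=2):
    """Mask a value for display: replace everything but the last chars."""
    s = str(value)
    if len(s) <= keep_last:
        return "*" * len(s)
    return "*" * (len(s) - keep_last) + s[-keep_last:]


def build_inventory(sources, threshold=0.8):
    """Build the data map: one Finding per column holding personal data."""
    findings = []
    for src in sources:
        rows = src["rows"]
        columns = []
        for r in rows:                      # union of keys, order preserved
            for k in r:
                if k not in columns:
                    columns.append(k)
        for col in columns:
            values = [r.get(col) for r in rows]
            cat, ratio = classify_column(col, values, threshold)
            if cat is None:
                continue
            first = next(str(v) for v in values if v not in (None, ""))
            findings.append(Finding(src["name"], src["owner"], col, cat,
                                    round(ratio, 2), mask(first)))
    return findings


def locate_subject(sources, findings, email):
    """DSAR support: names of sources holding the given data subject's e-mail."""
    email_cols = {(f.source, f.column) for f in findings if f.category == "email"}
    hits = []
    for src in sources:
        for col in [c for (s, c) in email_cols if s == src["name"]]:
            if any(str(r.get(col, "")).lower() == email.lower() for r in src["rows"]):
                hits.append(src["name"])
                break
    return sorted(hits)


# Constructed sample sources; every value here is made up for the example.
SAMPLE_SOURCES = [
    {"name": "crm.customers", "owner": "marketing", "rows": [
        {"cust_id": "C-1001", "full_name": "Ada Example", "email": "ada@example.com", "phone": "+1 555-010-0001", "tier": "gold"},
        {"cust_id": "C-1002", "full_name": "Bo Sample", "email": "bo@example.org", "phone": "+1 555-010-0002", "tier": "silver"},
        {"cust_id": "C-1003", "full_name": "Cy Test", "email": "", "phone": "+1 555-010-0003", "tier": "gold"},
    ]},
    {"name": "hr.payroll", "owner": "hr", "rows": [
        {"emp_id": "E-77", "ssn": "123-45-6789", "salary": 80000},
        {"emp_id": "E-78", "ssn": "987-65-4321", "salary": 92000},
    ]},
    {"name": "fileshare:/exports/notes.csv", "owner": "unknown", "rows": [
        {"note_id": "1", "text": "call back tomorrow", "contact": "bo@example.org"},
        {"note_id": "2", "text": "send invoice", "contact": "cy@example.net"},
    ]},
]

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_SOURCES)
    for f in inventory:
        print(f"{f.source:30} {f.column:10} {f.category:14} owner={f.owner:10} sample={f.sample_masked}")
    print("bo@example.org found in:", locate_subject(SAMPLE_SOURCES, inventory, "bo@example.org"))
```

The file-share export ends up in the inventory with owner "unknown", which is exactly the gap the governance pillar asks organizations to close: the data has been found, but nobody is accountable for it. The same e-mail turning up in both the CRM and the export is the simplest form of correlating data back to a data subject, which is what makes a DSAR answerable across sources rather than one system at a time.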
SAP Data Mapping and Protection by BigID
SAP solutions from BigID provide a unique privacy-centric data discovery and insight platform so organizations can identify and leverage personal and sensitive data across the entire enterprise information landscape. With this tool, privacy, security, and data governance can benefit from one source of data truth, ensuring consistent and compatible decisions. That single source of data truth ultimately drives revenue growth, reduces cost and helps manage risk.
The BigID discovery platform is the “secret sauce” which includes:
- The capability to connect to more than a hundred data sources out-of-the box leveraging APIs. These data sources can be SAP or non-SAP applications, message servers, unstructured file shares, and more.
- Leveraging next-generation discovery technologies like advanced machine learning to automatically discover dark data; identify and map both sensitive and personal data, including Personally Identifiable Information (PII) and contextual Personal Information (PI), as required by many of the evolving global privacy regulations (CCPA, GDPR, etc.).
- Correlating data via machine learning to know who (or what) the data belongs to.
- Discovering, understanding and inventorying all sensitive and enterprise data to effectively govern, catalog and steward the entire data landscape.
The SAP solution by BigID leverages a modern, scalable container-based (Docker/Kubernetes) architecture to support multi-petabyte infrastructure requirements. Additionally, the open API-based development environment enables integration and the building of customer-specific and technology-partner applications. Specifically, the solution helps organizations across three areas of the business:
- Privacy – Help compliance with CCPA, GDPR and other emerging regulations.
- Security – Identify sensitive ‘crown jewel’ data residing in many systems (e.g. patents, health data, etc.) and understand data protection risk factors.
- Data Governance/Perspective – Discover, inventory and catalog all data and gain insight into metadata.
Conclusion
As privacy and compliance challenges continue to evolve, it becomes almost impossible for any organization to effectively manage its data using traditional manual processes. We encourage everyone to consider how to incorporate an end-to-end platform that addresses the four major pillars detailed above. This blog, recapping our recent webinar, just skims the surface of today’s privacy governance challenges. The SAP solution from BigID is one important tool we suggest for providing a single source of truth: an integrated platform to manage privacy, compliance and regulatory needs now and well into the future.
To learn more about our SAP capabilities, contact us or visit Protiviti’s SAP consulting services.