In today’s world, consumer privacy is top of mind for any technology executive responsible for systems and processes. The advent of Europe’s General Data Protection Regulation (GDPR) in 2016 started a slow roll of privacy regulations being introduced around the world, including in Brazil and South Africa. In the United States, California and Virginia currently have regulations in place or approved for implementation, and no fewer than 13 other states have proposed regulations under consideration. The California Consumer Privacy Act (CCPA), in place for nearly a year, has already been amended. So, it is no surprise that our clients regularly ask us questions like, “How do I prepare for the unknown?” “How do I prepare for these additional 13 states?” “We do business in Brazil and have significant operations in the EU – how do we approach all of this?” Organizations are struggling to make sense of the disorganization driven by the sheer volume of new initiatives.
We recommend organizations focus on three “buckets”: privacy obligations, individual rights, and legal roles and recourses (see image, above). Within these buckets, there are a total of 11 baseline requirements that we believe cover the very broad spectrum of considerations an organization must address when developing or refining personal data privacy protections, and most relate to digital identity management. We find that most organizations’ data protection processes were not strategically architected with privacy in mind or with the appropriate controls from an identity standpoint to be managed effectively. As a result, those processes are now not “fit for purpose.” That requires changes to processes and, potentially, technology, as brittle older approaches evolve to fit a new reality where consumers expect to be able to manage more parts of their digital identity footprints. The shift taking place now at the intersection of privacy and digital identity is moving from tactical to strategic, and for good reason: tactical doesn’t scale, it’s expensive, it’s complex and no one really wants to do it!
Honoring privacy – the need for new privacy processes
In most circumstances, data protection authorities, attorneys general and others will judge compliance in terms of how well an organization has honored the privacy rights that were extended to individuals through the new regulations. As a result, many organizations are realizing they need to develop new core competencies to meet these ever-evolving requirements. These competencies include:
- Determining who “owns” privacy within the organization (is privacy managed centrally or more generally across the organization?)
- Establishing a culture where the data and its context are recognized as being equally important (because personal information is everywhere, context and process matter when discussing data)
- Defining business processes and constructing corresponding infrastructure to support privacy management processes
To realize these business processes, organizations must adopt a high-level process model for responding to data subject access requests (DSARs) (see image, below).
Identity is at the core of this model for good reason: the organization must honor the identity rights of the customer/consumer. To fulfill a valid request from a valid individual, questions such as “Is an ID and password adequate?” and “Do we need to consider identity proofing?” must be answered. And where in the organization does the data live?
It is likely that establishing workable new processes will require gathering data from across the organization, requiring appropriate buy-in from those areas. Most of our clients have a good understanding of what’s currently going on in their data management platform. They’ve invested a lot of money, have people on staff as well as additional third parties that assist with knowing where their data is. Yet, many discover that their systems were not built specifically for privacy use cases. So, what would happen if we started to leverage them for privacy use cases?
Privacy is intensely cross-functional. We have worked with organizations that had solid data governance in place but when considering CCPA requirements realized certain areas of the company had their own unique processes in place and were doing things that would be considered problematic under the new laws. And, IT had no visibility into those gaps.
Here are just some of the costly challenges we’ve seen:
- It’s all manual!
- Data discovery on client systems is highly manual and involves numerous system owners
- Product teams and stakeholders manually fulfill cumbersome, labor intensive and time-consuming requests
- Manually capturing systems and finding unknown record linkages in vast data sets creates uncertainty about the compliance and completeness of DSAR responses
- DSAR fulfillment requires a custom-built application to act as a middle layer between the privacy management software and client data stores
- Each client data store requires individual fulfillment mechanisms taking client product teams weeks or months to build
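The DSAR process model above (identity verification gating fulfillment) and the “middle layer” between privacy tooling and client data stores can be sketched in a few dozen lines. This is an added example, not code from the post or from any product it mentions; the assurance levels, the level each right requires, the sample CRM and billing stores and the connector names are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Assumed assurance levels (not from the post): 1 = password only, 2 = MFA,
# 3 = identity-proofed. Which right needs which level is also an assumption.
REQUIRED_ASSURANCE = {"access": 2, "portability": 2, "delete": 3}

@dataclass
class Subject:
    email: str
    assurance_level: int  # established by the CIAM layer at login or step-up
@dataclass
class DsarResult:
    status: str
    records: Dict[str, List[dict]] = field(default_factory=dict)
    unreachable: List[str] = field(default_factory=list)

# Constructed sample stores standing in for a CRM and a billing system.
CRM = [{"email": "ana@example.com", "name": "Ana"}, {"email": "bo@example.com", "name": "Bo"}]
BILLING = [{"customer_email": "ana@example.com", "card_last4": "4242"}]

def crm_lookup(s: Subject) -> List[dict]:
    return [r for r in CRM if r["email"] == s.email]
def billing_lookup(s: Subject) -> List[dict]:
    return [r for r in BILLING if r["customer_email"] == s.email]
def analytics_lookup(s: Subject) -> List[dict]:
    raise ConnectionError("store offline")  # simulates an unreachable system

# Connector registry: the "middle layer" between privacy tooling and data stores.
CONNECTORS: Dict[str, Callable[[Subject], List[dict]]] = {
    "crm": crm_lookup, "billing": billing_lookup, "analytics": analytics_lookup}

def handle_dsar(subject: Subject, right: str) -> DsarResult:
    """Refuse until assurance meets the bar for the right, then locate the subject's
    records in every store. An unreachable store is reported, never silently skipped."""
    needed = REQUIRED_ASSURANCE.get(right)
    if needed is None:
        return DsarResult("unknown_right")
    if subject.assurance_level < needed:
        return DsarResult("step_up_required")
    result = DsarResult("complete")
    for name, lookup in CONNECTORS.items():
        try:
            found = lookup(subject)
            if found:
                result.records[name] = found
        except Exception:
            result.unreachable.append(name)
    if result.unreachable:
        result.status = "partial"
    return result
```

A real connector registry would be driven by the IAM attribute catalog rather than a hard-coded dict, but the two decisions it encodes, “refuse until the identity is trusted enough for this right” and “never report completeness you cannot prove”, are the ones the regulators assess.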
Customer/consumer identity access management
Creating a custom set of architectural, infrastructure and process changes to meet the requirements outlined in each privacy regulation can be cumbersome and expensive. In a recent webinar we conducted, we spent some time reviewing how organizations can best work with the tools already in hand in order to meet current regulations and anticipate changes that some of the pending regulations we mentioned at the top of this blog will bring. We asked the audience if they were using Customer Identity and Access Management (CIAM) tools. A full majority, 68 percent, said no or that they didn’t know. Only 17 percent had dedicated CIAM capabilities.
Fortunately, we believe it is possible to implement a highly effective Identity and Access Management (IAM) solution using enterprise tools that provide the CIAM capabilities the regulations require, while giving the organization a system flexible enough to adapt to new laws coming in the future. We like to call IAM the “workhorse” of self-service. It is incredibly good at connecting disparate systems; this flexible tool gives consumers the capability to manage their own privacy, benefiting the beleaguered business units, the data subjects and the intent of the laws and regulations the organization is duty-bound to uphold.
The image below provides an overview of how this might look in an “average” organization. The solution is designed to catalog, understand and manage “attributes” related to individuals and their identity. Common identity attributes managed in a typical CIAM system read like the “definition of PI” section from most privacy regulations. The IAM solution serves as a connective layer for enterprise systems and data, acting as a contextual center between people, data and systems, enabling connections for processes and integrations.
It is important to note that, when considering IAM, context matters. A comprehensive digital identity program provides the contextual controls and policy enforcement that will cover even the most complex and layered rulesets.
We would also argue that it is important to develop a system that assures trust between the organization and the consumer. Most privacy regulations require the identity of a data subject to be verified before fulfilling a request. Trust is at the core of privacy and privacy rights, and identity is the “trust engine” of most architectures. Remember that a governing body likely doesn’t care as much about the “how” in assessing compliance. What’s important is how well the consumer’s privacy rights have been honored.
Privacy is rapidly becoming an enterprise architecture function. Additional privacy requirements are coming, and without the ability to scale current processes and infrastructure, a company new to this is going to run out of runway pretty quickly. We know that:
- The complexity and expansion of privacy regulations will require new approaches
- Exercising rights will require contextual understanding of data, processes and individuals
- IAM provides the context and flexibility to bridge this requirements gap
- Consumer IAM can unburden process/data owners and empower individuals
Privacy regulations will continue to be a focus for the foreseeable future. Make “privacy by design” the mantra. Understand the capabilities currently in place, what needs to be put in place and solve for any gaps going forward.