“Stringent compliance laws and a boost in data analytics have made consent-based data management critical. With growing complexity in managing privacy policies, businesses need to ensure strict policy enforcement.”
- Swapnil Mehta, General Manager, Identity, Access and Security, Persistent Systems
With ever-increasing consumer awareness and mandates by regulators, businesses are seriously looking into the privacy of information. Customer data breaches and unauthorized leaks continue to raise awareness and expectations around data security and consumer privacy rights. In response, data protection regulations have raised the bar for the way companies protect personal data.
The push for consent-based storage and usage of information (PII and non-PII) has led most businesses to set up privacy policies. According to Gartner, today, fewer than 50% of documented corporate strategies mention data and analytics as fundamental components for delivering enterprise value. By 2022, 90% of corporate strategies will explicitly mention information as a critical enterprise asset and analytics as an essential competency. Hence, it is a crucial time for businesses to set up data governance structures.
Challenges That Are Often Overlooked
We interacted with the attendees at IDENTIFY events. Below are our thoughts, gathered from multiple conversations, around how businesses are approaching data privacy and governance.
Most businesses have already set up governance structures and data privacy offices, but does that ensure enforcement of their policies? Our experience indicates that a lot of work is being done with regard to privacy office setup, policy definitions, data discovery, registry and classification, but the real switches and gates for enforcing governance and policy controls are missing. Companies also need to ensure that these policies are adopted and enforced throughout the organization's technology stack.
Many organizations lack the know-how or the platforms to enable rich, attribute-driven, policy-based controls that take contextual information into account. Externalizing such controls is the key to enabling real privacy gate-keeping while giving stakeholders the ability to fine-tune their policies in an agile and business-friendly manner.
How to Tackle These Challenges
Businesses should focus on how to make privacy policies actionable. They should work on models and solutions that take the privacy mandates and policies and provide:
The tools and means to enforce the controls.
A watchtower to keep an eye on the controls.
An ability to simulate situations to understand the behavior of those controls.
Validation of the efficacy of the controls.
Businesses should also keep an eye on policy enforcement, which depends on:
Automated discovery, classification and tagging of data held in enterprise repositories.
A registry that contains an inventory of sensitive information.
Review and audit of access to personal data, and management of consent through the privacy portal.
This will not only help businesses improve the management of data privacy and consent, but also take the burden off the developers. These are, after all, key focus areas for most data security decision-makers today.
Persistent Systems puts together solutions that make it easy to externalize the controls while giving the business the ability to tweak the privacy switches without having to go through a code change cycle. Additionally, the solution design should promulgate and facilitate concepts of Privacy by Design (PbD), thus making privacy an integral part of processes and the technology/application stack.
Nearly all privacy-focused regulations have two macro components: 1. consent capture, which is akin to modeling peer-to-peer entitlements, and 2. having a system of consent enforcement while providing accountability.
Ping Identity provides a highly scalable and flexible data store that is well suited to modeling and storing consent data. Its flexible schema, using JSON attributes, allows a variety of data types to be represented. It comes with a specific base class for storing consent, which allows multiple consent values per user, where each value can be acted upon independently. Additionally, other entitlements such as delegation may reside in systems outside of PingDirectory for legacy reasons, and these may need to be acted upon, updated or taken into account.
PingDataSync, which comes with PingDirectory, can handle real-time bidirectional sync between these systems. For continuous monitoring and enforcement, Persistent leverages PingDataGovernance allowing for:
Decoupling of data access policy from each individual application, thus eliminating the risk of accidental exposure of data due to an errant API.
Consistent modeling and enforcement of policy, avoiding unforeseen policy conflicts.
Up-to-date modeling of policy rules as regulations change, without impacting applications.
A central audit trail to prove compliance.
An easy-to-use, business-user-centric policy editor.
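To make the two macro components concrete (consent capture as per-user consent values that can each be acted upon independently, and an externalized enforcement point with an audit trail), here is an added illustration. It is not Persistent's or Ping Identity's code; the consent records, policy table, user names and purposes are constructed for the example, and the policy is plain data so it can change without a code change in the calling application.

```python
import json
from datetime import datetime, timezone

# Constructed consent store: one record per user, several consent values,
# each with its own status and expiry so it can be acted upon independently.
CONSENT_STORE = json.loads("""{
  "alice": {"consents": [
    {"purpose": "marketing", "status": "granted", "expires": "2030-01-01"},
    {"purpose": "analytics", "status": "revoked"}]},
  "bob":   {"consents": [
    {"purpose": "analytics", "status": "granted", "expires": "2020-01-01"}]}
}""")

# Policy is data, not code: which consent purpose each application action
# requires. A business user can edit this without touching the application.
POLICY = {
    "send_newsletter": {"requires_purpose": "marketing"},
    "usage_report":    {"requires_purpose": "analytics"},
}

AUDIT_LOG = []   # central trail of every decision, for accountability


def evaluate(user, action, today=None):
    """Externalized decision point: the application asks (user, action) and
    receives 'allow' or 'deny'. Default is deny; every decision is logged."""
    today = today or datetime.now(timezone.utc).date().isoformat()
    decision, reason = "deny", f"no policy defined for action {action!r}"
    rule = POLICY.get(action)
    if rule:
        purpose = rule["requires_purpose"]
        consents = CONSENT_STORE.get(user, {}).get("consents", [])
        match = next((c for c in consents if c["purpose"] == purpose), None)
        if match is None:
            reason = f"no consent recorded for purpose {purpose!r}"
        elif match["status"] != "granted":
            reason = f"consent for {purpose!r} is {match['status']}"
        elif match.get("expires") and match["expires"] < today:  # ISO dates sort lexically
            reason = f"consent for {purpose!r} expired on {match['expires']}"
        else:
            decision, reason = "allow", f"consent for {purpose!r} granted"
    AUDIT_LOG.append({"user": user, "action": action, "decision": decision,
                      "reason": reason, "evaluated_on": today})
    return decision
```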
With these tools, Persistent helps clients better understand best practices around governance and data security measures, and set up data governance with a focus on compliance.