Fine-grained API Access to User Data
APIs are everywhere, and they allow you to open your enterprise systems to internal apps and partners. But regulated and sensitive data such as healthcare records, IoT device data and banking transactions are also being exposed through APIs. It’s a major challenge for organizations to set up data governance policies, including granular approaches that specify exactly who’s authorized to do what with your APIs. Moreover, you may need dynamic authorization based on real-time context such as client privileges and the sensitivity of what’s being accessed.
Consumer Data Regulations
Increasingly, organizations must adhere to one or more consumer data protection regulations. They need a way to flexibly build and enforce policies to meet requirements, while also complying with future legislation. Here are some common regulations enterprises are dealing with today:
The EU’s General Data Protection Regulation (GDPR) requires a legal basis, including consent, for sharing and processing data of EU citizens. Stronger rules on data protection mean people have more control over their personal data, and businesses benefit from a level playing field.
The California Consumer Privacy Act (CCPA) gives consumers important new data privacy rights to take back control of their personal information. They have the right to know what information corporations are collecting about them, they can tell a business not to share or sell their data, and they’re protected against companies that are careless about data privacy.
Australia’s Consumer Data Right (CDR) is a competition and consumer reform that requires several industries (banking, energy and telecommunications) to give consumers access to their own data through APIs. Consumers can require a company (e.g., their bank) to share their data with another service provider (e.g., a comparison site) in order to get more tailored, competitive services.
The Revised Payment Services Directive (PSD2) in the EU requires banks to provide open APIs so customers can securely access their own accounts through third parties. The directive seeks to open up payment markets to new entrants offering consumer-oriented services based on access to account information, leading to more competition, greater choice and better prices for consumers.
The Health Insurance Portability and Accountability Act (HIPAA) in the U.S. safeguards patient medical information. Recognizing that advances in electronic health technology could lead to an erosion of privacy of health information, the U.S. Department of Health and Human Services mandated the adoption of privacy, security, enforcement and breach notification rules.
Empower User Data Stakeholders
Businesses generate and collect valuable data about customers. Companies have recognized the value of this data beyond just user profile data in a directory. Business stakeholders who collect and own customer data must be responsible stewards, but they’re not all experts in regulatory compliance, data security or IT. Providing a user-friendly interface on top of fine-grained access controls can empower these stakeholders to get involved in data protection initiatives and author and test data access control policies in collaboration with other stakeholders.
Tackle the Era of PSD2 and Open Business
Open APIs are changing the face of banking, particularly by allowing customers to securely access their own account data and make direct payments through third-party apps. Beyond banking, companies in every industry are looking to open APIs to enable new digital business models. PingDataGovernance complements existing API gateways to provide fine-grained authorization for API controls: it inspects the content of API requests and responses, checks user preferences and other attributes, and ultimately allows, denies or sanitizes the API data.
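To make the allow/deny/sanitize model concrete, here is an added example of a minimal policy decision point that evaluates an account API response against the calling client's privileges and the user's sharing consent. It is illustrative code written for this page, not PingDataGovernance's implementation; the field sensitivity classification, the consent model and the sample data are all constructed assumptions.

```python
import copy

# Constructed classification of the fields an account API returns, by sensitivity.
FIELD_SENSITIVITY = {
    "account_id": "low",
    "owner_name": "medium",
    "balance": "high",
    "transactions": "high",
}
LEVEL = {"low": 0, "medium": 1, "high": 2}


def decide(client, consent, response):
    """Evaluate an upstream API response against client privilege and user consent.

    client:   {"id", "third_party": bool, "scopes": set, "privilege": "low"|"medium"|"high"}
    consent:  {"share_with_third_parties": bool, "allowed_fields": set}
    response: dict returned by the upstream API (left unmodified)
    Returns (decision, body) with decision in {"allow", "deny", "sanitize"}.
    """
    # Coarse checks first: the client must hold the scope, and a third party
    # may only see the data if the user has not withdrawn sharing consent.
    if "accounts:read" not in client["scopes"]:
        return "deny", None
    if client["third_party"] and not consent["share_with_third_parties"]:
        return "deny", None

    # Fine-grained step: strip fields that exceed the client's privilege level
    # or that the user has not consented to share with third parties.
    body = copy.deepcopy(response)
    removed = []
    for field, sensitivity in FIELD_SENSITIVITY.items():
        if field not in body:
            continue
        too_sensitive = LEVEL[sensitivity] > LEVEL[client["privilege"]]
        not_consented = client["third_party"] and field not in consent["allowed_fields"]
        if too_sensitive or not_consented:
            body.pop(field)
            removed.append(field)
    return ("sanitize" if removed else "allow"), body


# Constructed sample data: an upstream response, two clients and one consent record.
SAMPLE_RESPONSE = {"account_id": "ACC-001", "owner_name": "A. Example",
                   "balance": 1234.56, "transactions": [{"amount": -20.0}]}
COMPARISON_SITE = {"id": "comparison-site", "third_party": True,
                   "scopes": {"accounts:read"}, "privilege": "medium"}
INTERNAL_APP = {"id": "branch-teller", "third_party": False,
                "scopes": {"accounts:read"}, "privilege": "high"}
CONSENT = {"share_with_third_parties": True,
           "allowed_fields": {"account_id", "owner_name", "balance"}}

if __name__ == "__main__":
    print(decide(COMPARISON_SITE, CONSENT, SAMPLE_RESPONSE))
    print(decide(INTERNAL_APP, CONSENT, SAMPLE_RESPONSE))
```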