For a long time, security was primarily focused on controlling access to applications. Developers built authentication logic into their applications via simple HTML authentication dialogues, looked up the user in whatever user directory or database that was in use, and then decided what the user was allowed to do.
Over time, authentication and authorization decisions generally moved to web access management systems (WAM) such as PingAccess. These systems provided organizations with a centrally managed control plane for applications, ensuring enterprise-wide compliance with organizational security policies and providing vastly improved audit capabilities. With only a few exceptions, like PCI and HIPAA, the concern over access to data occurred mainly at the application and development team levels, with each team determining or implementing its own data policies.
Then, the General Data Protection Regulation (GDPR) came along and changed all of that. GDPR was the first generally applicable data privacy regulation that required both companies and SaaS providers to address the following questions on a consistent and enterprise-wide basis:
- What data is considered to be personally identifiable information (PII)?
- How is the data collected?
- Where is it stored?
- How long is it retained?
- Is there any way to delete it if requested?
A slew of privacy-focused regulations followed shortly after GDPR, including CCPA, NJ S2834 and the U.S. Data Care Act to name a few. But that was only the beginning. Next came regulations to secure democratization of valuable consumer financial data, like PSD2, Open Banking and various other open banking initiatives in the UK, Australia, Hong Kong and more.
These regulations, combined with digital transformation initiatives and API security standards, are causing global enterprises to think about their customer data in new ways and find answers to questions like:
- How could the data be exposed securely to third-party entities in a controlled manner?
- How can the enterprise be transparent about what data is being shared and why?
- How could users grant fine-grained consent over data they want exposed?
- How could the consent be enforced to actually control the dispersion of data?
The consumers themselves are also paying close attention to how these issues are being addressed. We’ve seen a number of high-profile data exposures and breaches, and we’ve had the unfortunate revelation that companies were disclosing—or, in some cases, selling—customer data without the customer’s knowledge. This has made customers wary about where their data is being collected and how it’s being used.
The impact of all these regulations and changing customer expectations is causing companies to focus intently on privacy, consent and compliance. But while these problems are pressing, the solutions are rarely simple.
Governing access to data is increasingly complex for a global enterprise. In addition to complying with data protection regulations and higher customer expectations, they also have internal obstacles to overcome—like the security teams, database administrators, API developers and business units that rely on customer data and consider themselves the authority on how it’s managed and by whom.
Yet, with challenge also comes opportunity. Consent can be leveraged as a mechanism for building consumer trust, and a balance can be struck between personalization and privacy.
Enterprises that are transparent about the data they would like to collect and why, and who give consumers an easy way to manage their privacy preferences, are positioned to take the lead. Furthermore, user data, once a loosely monitored byproduct of service and application offerings, can create competitive advantage when managed properly.