Why everyone needs to be speaking the same language on data privacy [Q&A]
Today is Data Privacy Day and with CCPA coming into force at the start of this month, the focus is very much on personal data, how it's used and how it needs to be protected.
One of the issues is that there are lots of definitions and terms involved, which means it’s vital that everyone understands what they’re dealing with.
We spoke to Kristina Bergman, the CEO of Integris Software, about the introduction of CCPA and about the company's launch of a Privacy Dictionary to help businesses understand and communicate effectively on privacy issues.
BN: Why have you created a privacy dictionary?
KB: We've been talking to a number of customers and prospective clients and what we've heard from one of them is that so far they've already had about 500 data subject access requests, for either deletion or right to know, coming into their organization. This is quite a few, especially in the first two weeks, and so it'll be interesting to see how many requests companies get over the next six months prior to enforcement coming into effect.
As part of that, what we thought would be helpful is if we created a data privacy dictionary to ensure that all of the various stakeholders in the organization are speaking the same language. What we found is that dealing with data privacy is a multi-discipline challenge that involves both privacy, as well as data governance and info security, as well as a few other groups within the organization. By creating a dictionary that had a single definition for each of the terms that we work with on a regular basis, it ensures that everybody is speaking the same language and communicating effectively around what's needed in the organization to be compliant with CCPA.
CCPA has some very vague descriptions of things. For instance, household data is one of the categories covered but it’s yet to be determined what is considered household data. And considering that the definition of PII is expanding and will continue to expand rapidly under CCPA, it's going to make it a bit more of a challenge to stay in compliance. Also, most organizations think they know what sensitive data they hold, but are typically surprised by the PII they receive from data sharing agreements or through acquisitions. So just being on top of what that PII is and how people define it will help folks stay in compliance.
BN: The obvious comparison is with GDPR, which has had the effect of sort of raising awareness of data privacy issues. Will the same happen with CCPA?
KB: I think the level of awareness within the United States really expanded during the whole Edward Snowden revelations, and it continued to gain awareness through incidents like the Facebook/Cambridge Analytica scandal. It's really become a hot button issue as more people become aware of the amount of information that's out there about them, how it's being used and who's using it. This has implications for everything from our democracy to how private our lives are and how effective are the products or services we get. I think there's definitely a seriously increased awareness around personal information, the value of it and the importance of it to us in our day-to-day lives, and CCPA is the legislative instantiation of everybody's concern around how our personal information is being used.
BN: Are we going to see this echoed in all states and maybe even at a national level with similar legislation?
KB: I would think so. I think we all know, anecdotally at least, a handful of people in our own social circles who've deleted their Facebook account because of the Cambridge Analytica scandal. There's also an equal number of people who have got strong affinity towards Apple, because of their strong vocal commitment to privacy and the things they're doing to promote privacy publicly. So I think this is an issue where companies are either differentiating themselves based on privacy and standing out as companies that consumers want to do business with, or they're falling behind and becoming companies that people really don't want to do business with. Certainly, our customers are starting to use it in some of their marketing and messaging around their commitment to privacy because they think it is really differentiating, and it's important to consumers.
BN: What do companies need to do to show that they are getting on the right track, presumably it starts with an audit of the data that they hold?
KB: Step one is really getting a handle on what data you have, where it is, what format it's in, is it encrypted, is it not? How long have you had it? What geographic location is it sitting in relative to the individual it's about? Then going deeper and really understanding what kind of toxic combinations might exist within a data set.
So for instance, a lot of organizations will anonymize data in order to use it in marketing campaigns. Well, the challenge with anonymization is that companies might anonymize the data and then make it more easily accessible to people in their organization for analytics, and they might think that's a safer thing to do because it is anonymized. The challenge with that is that something as innocuous as gender, zip code and date of birth, individually are not toxic, but in combination they can uniquely identify 87 percent of the US population. So, without having a strong handle on what data you have, where it is, and what those toxic combinations are, companies might be exposing themselves and their consumers to more risks than they think they are.
Number two is getting a handle on what data is entering and leaving the organisation on a regular basis. In a previous study we did we found that the majority of companies have at least 50 data sharing agreements with third parties. And those might be for very legitimate reasons, but that means there's data that's constantly moving in and out of an organization on a regular basis.
The third thing is tying it back to business obligations, whether they're regulatory obligations like CCPA or GDPR or contracts they have with their customers and partners, tying it back to their privacy statement, and then any internal policies that they have. That's really the next step to making sure that people are in compliance and understanding their data.
The final step is tying it into remediation systems, like automatically sending issues to encryption tools to auto-encrypt specific data or tying that information into a ticketing system for them to be resolved on an ongoing basis, because it's that ongoing monitoring and maintenance of the data as it's constantly changing that will help companies stay in compliance and stay on top of any kind of issues that might arise.
BN: That's going to feed into digital transformation projects, isn't it, because companies are going to need to know that their suppliers or customer companies are also being compliant?
KB: Exactly, because under GDPR companies are jointly and severally liable for those violations if they're sharing data back and forth.
One of the scenarios that we see people doing privacy assessments for is moving data to the cloud. A lot of companies now are looking at ways to move their data sets from on-premise systems to the cloud for all of the efficiencies that come with that. But before they do that they want to know exactly what they're moving. And so using a tool like Integris to scan that data, prior to moving into the cloud, gives them a good sense of what they're migrating and where they're putting it so that they can better manage their risk associated with that.
The other scenario we are starting to see more of is pre-scanning data prior to an acquisition. So if a company is looking to acquire a smaller company, that smaller company will make statements about what data they hold, what data they don't hold, and so doing a quick scan of that data prior to acquisition helps the acquirer understand and better assess the value of the company that they're buying based on their data and their data practices.