Top Strategies to Stay Ahead of Changing Data Privacy Laws
Organizations are on a journey to unleash their most important asset—notwithstanding the innovators and data stewards who drive their business, of course. It’s the sensitive personal information about customers and other confidential data that is fueling digital transformation, delivering new analytic insights into consumer behavior, and unleashing new revenue streams.
There’s a push to democratize data use and today that often means migrating sensitive data to cloud-hosted environments with new cloud modernization programs, where improved scale and elasticity can enable quickly spinning up new products and services. But, is that data safe when operating outside of traditional on-premises environments? Or, are you increasing exposure unnecessarily?
Standing in the way of legacy on-premises data and cloud adoption alike are risks from insider data abuses as well as external data security breaches where an intelligent data privacy approach is needed to automate and scale data protection and transparency.
In fact, newer laws like General Data Protection Regulation (GDPR) and California Consumer Protection Act (CCPA) have only created more urgency to act now or suffer the consequences of brand reputation, let alone massive fines and remediation headaches.
Why should today’s enterprises care about personal data privacy?
To clarify, data privacy is not the same as data security, although both can operate in tandem. Simply put, for data use, security controls govern access to data, whereas data privacy governs the context of data exposure that creates risk. And, there are many variables to consider! (For a more detailed definition of data security vs data privacy, see my earlier blog post.)
Data privacy is more nuanced than only access rights security for data—with privacy, one person’s tolerance for personal data exposure may not align to another’s, such as when an organization wants to migrate application workloads using sensitive data to the cloud. If, for example, your marketing programs are now cloud-based, are you sure your customers approve of their data exposure moving away from your on-premises environment? You may need to disclose this new use to determine if customers wish to opt out under newer privacy laws.
Businesses that collect data need to enable trust assurance with customers that their data is handled responsibly. The increase in data privacy breaches that only seems to get worse has spawned increasing worldwide data privacy laws to increase responsible data governance.
So, what’s different today?
IIncreasing volumes of data, increasing data security breaches driving new privacy laws, and increasing data-hungry applications are too complex to manage without data privacy strategies that automate data protection and data transparency. Organizations simply don’t have enough human resources to keep up long-term without having flexibility to adjust to today’s dynamically changing data privacy regulations.
But, there’s good news. If you can operationalize and scale your data privacy strategy by implementing a reliable data governance framework, you’ll increase data intelligence and prioritize opportunities to reduce data risks—making data available for analytics, portable to the cloud, and safer for value-creation opportunities. Most importantly, build customer trust as a valued brand to leapfrog the competition and put risks in the rearview mirror.
Data privacy needs a data privacy governance framework for scale and flexibility
The lack of repeatable data governance best practices to enforce data privacy strategies have frustrated organizations that have the best intentions to preserve customer confidence and maintain brand equity, but can’t scale. Getting it right pays off, however. A few examples:
- Data that is identified using data discovery tools as being shared with partners can be protected using data anonymization techniques to limit personal data exposure.
- New applications being spun up in the cloud can automate cloud data security whenever data is transported outside on-premises applications and systems.
- Data typically locked up in the hands of a few data scientists can be safely democratized when access and use are monitored and controlled to comply with privacy policies.
- For healthcare data security, beyond simply locking down patient data with data encryption to instead limit use by the right people for legitimate purposes.
- When developing new applications (DevOps), applying data masking for test data management solutions that maintain usability of data sets, while lowering risk exposure.
These are just a few examples, but data privacy mandates are clear: Responsible data use with data privacy protection and transparency in place can unleash safe digital transformation.
5 strategies to stay ahead of changing data privacy laws
Data privacy is not a destination, but a journey toward reducing risks—while enabling appropriate data use, increasing data protection and transparency, and providing confidence to both the organization and its customers that personal information is used responsibly.
Although every organization is at a different stage of maturity, there is consistency with the ones that have installed best practices which help automate and scale their data privacy programs to keep up with the world of ever-changing privacy laws.
1. Translate data privacy laws into codified business policies
It’s not a coincidence that many chief privacy officers have a legal background or work in lockstep with legal teams to translate personal data privacy regulations into actionable policies over the organization’s sensitive data. The days of managing spreadsheets for policies and static employee handbooks is over—privacy mandates need to be digitized to map to electronic controls over systems and applications where data is stored, moved, transformed and used.
Privacy officers, working alongside legal teams, chief data officers, CISOs and others need to align data stewards on the purpose and intent of data use with codified policies that enforce appropriate use. For data privacy regulations such as GDPR compliance and the CCPA, regulatory compliance not only affects organizations but third-party partners where data may be shared. Your business policies need to align to the way personal data is retained and shared, processed and used, and protected and made transparent to maintain customer trust.
2. Understand and identify the personal data at risk and to whom it belongs
While it may be ambitious and noble to protect all your data, not all of it has the same value or suffers the same risks. Intelligent data privacy is required for efficiency to determine what you have as a first step to assessing risks and operationalizing data privacy governance.
Data discovery for privacy classification and mapping to identities answers the fundamental question, “Who has access to what data and should it be governed by privacy controls?” How you handle the personal data of your customers responsibly should be at the top of the list to prioritize—not just due to legal consequences, but it’s the right thing to do to preserve your brand value.
By building a data catalog and mapping identities into a data subject registry, you can automate one of the fundamental data transparency requirements under the GDPR, CCPA, and similar laws by accelerating data subject access requests (DSARs)—automating response to customer inquiries about their data access and use.
3. Assess data privacy risks by priority level to protect data for the best ROI
It may seem unusual to think of data privacy investments as a strategy to drive greater return on investment (ROI), but studies have demonstrated that for each privacy dollar spent, organizations can see a 2x return or more. How is that? Reducing risks, avoiding fines and destroyed brand reputations, and opening up safe data democratization to value-creation initiatives is the ideal state for chief data officers and line-of-business owners.
Intelligent data privacy means automating metadata-driven intelligence through applied AI and machine learning to determine risk exposure and ranking your top risk mitigation concerns using data privacy controls. Today’s modern data privacy risk analytics solutions can help you make intelligent guided decisions through dashboards and heat maps for where to spend your data privacy governance dollars more effectively, justifying plans to implement new safeguards and increase visibility, and helping seek investment from your C-level executives and boards of directors to reduce data privacy risks as business strategies evolve.
4. Orchestrate automated data protection and transparency
With digitized privacy policies in place, personal data classified and mapped to identities, and risk assessed and prioritized, the prerequisites are now in place to orchestrate data privacy controls that can solve for GDPR compliance, the CCPA and similar privacy mandates.
A next step is to apply data protection and increase transparency by orchestrating how risks are remediated or at least lowered to a reasonable level. Insights into privacy risks can help you determine whether data anonymization is required with solutions such as data masking or whether long-term data retention requires a data encryption approach. Or, during a customer inquiry into data use, you may need to generate a report and execute workflows to delete data (“right to be forgotten”) or provide details where and how personal data is used across applications and partner ecosystems. Privacy controls can also include alerts for data use anomalies that violate policies and run scripts that integrate with support systems. By applying automation with intelligence, your approach to data privacy can scale, while remaining flexible to future regulations and policy updates as they evolve.
An example of data anonymization for privacy governance to limit risk exposure
Today’s new class of personal data privacy laws are typically framed around protecting data to ensure proper use and increasing transparency to support consumer rights, such as data subject access requests (DSARs). By understanding data use and prioritizing risk impact, organizations can apply data anonymization to limit data exposure.
For most data sets, you can still maintain usability for analytics, such as tracking consumer aggregate trends—without exposing sensitive data that would compromise an individual’s identity—by using data anonymization techniques. If your marketing campaign manager wanted to know whether product users within a geographic region may be ideal candidates for a store-branded credit card, you could evaluate credit scores across zip codes in a population without revealing specific details about an individual to decide whether to advertise broadly within that region. Data anonymization can be highly selective how it’s applied, while leaving non-personal data attributes open for business
5. Report on gaps in data privacy controls and performance to improve and adapt
As mentioned earlier, data privacy is a journey rather than a destination, with perfect often being the enemy of good. Data privacy regulators often look kindlier on organizations that apply data governance best practices and act in good faith, rather than those that are negligent and suffer a data security breach due to apathy.
It benefits all organizations to make a best effort—the minimum expectation being lowered fines and remediation expenses, but the upside being richer insights into data that help drive the next wave of innovation while building consumer confidence. This last strategy is fundamental to continuous improvement to update data privacy controls based on evolving data risks, report to data stakeholders on new investments, and demonstrate to regulators and auditors how personal data is handled responsibly. A strategy every organization can support!
Conclusion: Data privacy strategies to get ahead of laws and unleash value
Data privacy is not simply a matter of having reliable data security in place, although that certainly is a key part. Data privacy governance enables a scalable, repeatable and adaptable approach to protecting privacy to reduce risk exposure and increase transparency to report on data use and gain intelligent insights.
With lower risk to data exposure that may violate personal data privacy rights (“subject rights”), organizations can open the door to value-creation programs with data use that enables the next generation of innovation, while maintaining trust.
Informatica’s metadata-driven intelligent data governance and privacy platform can help provide the key data privacy governance capabilities discussed here to accelerate your approach and stay ahead of the latest laws using a flexible, repeatable and scalable approach.
Download the Data Privacy for Dummies ebook to learn more about how you can take a smarter, automated approach to data privacy.
Also, check out these useful resources: