Massive data stores, a rapidly changing regulatory landscape, and the potential for catastrophic damage to brand and bottom line have made privacy the top concern for companies across the globe. Concern about the accelerating pace of data privacy regulation headed the list of Gartner’s 2019 Emerging Risks Monitor, and depending on the industry, between 64 percent and 70 percent of executives consider it a key risk. Concerns are no longer just focused on the European Union’s General Data Protection Regulation (GDPR) but on global compliance with rapidly changing regulations.
GDPR Puts ‘Teeth’ into Regulations
Although it may seem like a new topic with all the focus these days, regulations and guidelines regarding privacy have been in place for more than forty years. That’s according to Sovan Bin, founder and CEO of Odaseva, who recently spoke with DATAVERSITY®. In many fields, privacy policies were considered “nice to have,” but not essential, especially when fines for violations were minimal. A growing number of data breaches and a need to create more trust between consumers and the companies managing their data led to GDPR, which was the first international privacy regulation that brought fines at such a large scale that large companies considered it a risk, Sovan Bin said. Suddenly fines for non-compliance became large enough to be unacceptable.
Risking the Brand
The stakes were raised even further when Facebook was called to the US Senate to answer for its personal data practices, and the topic moved from paying a fine to defending a brand. The increased risk of a large fine along with the threat of jeopardizing the brand has forced companies to become highly motivated to focus on managing personal information in a way that respects the rights of the consumer. Sovan Bin said, “Personal information now belongs to the consumer, not the company who buys it.” Consumers now have the right to ask a company what kind of personal information it holds about them, the right to ask that it be erased, and the right to give or withdraw consent for a company to use their personal information. Sovan commented:
“Suddenly it has become a brand aspect where you want to prove to your consumers that you respect their rights and are managing their personal information the right way.”
Regulations Expand and Evolve
GDPR shifted the focus of protection from the location of the company to the residency of the consumer, and other countries and regions appear to be following GDPR’s lead. Thailand’s Personal Data Protection Act (PDPA) goes into effect in May 2020. Brazil’s Lei Geral de Proteção de Dados (LGPD) takes effect in February 2020. Bin said Canada and Australia will soon follow.
The California Consumer Privacy Act (CCPA) went into effect January 1, 2020, and as of October 2019, new privacy protection regulations in Nevada and Maine have also been signed. The International Association of Privacy Professionals (IAPP) reports that thirteen more states are working on privacy and security regulations of some kind, and Bin said the short-term trend appears to be a separate set of regulations created by each state in the US.
Managing Regulatory Change
When HIPAA took effect in the US healthcare industry, companies initially managed manually. Then they transitioned to automated compliance by building their own IT projects internally, hiring lawyers and developers to attempt in-house automation, Bin said. Now companies have to comply with a multitude of different new regulations across the globe that are emerging every few months as well as managing updates to existing regulations – all while data stores continue to increase and with them the potential for risk.
And these are formidable regulations. GDPR weighs in at 88 pages, for example, and CCPA at 20 pages, Bin said, placing stress on in-house legal teams who struggle to keep up.
Privacy by Design
Before founding Odaseva, Sovan Bin was a lead architect at Salesforce where he saw that customers usually waited until the end of a project to consider how to manage consumer information. The Gartner study highlights the need for consumer rights automation from the beginning, Bin said. “Privacy by design” should be built into every part of the project and not just added as a specific step at the end. This concept is just a reminder that every part of the organization, from the developer to the manager to HR, is responsible for privacy, he said, “because the company is not just about the lawyers. It’s everyone in the company.” Every process should embrace this new “privacy by design” thinking instead of trying to patch it in at the end.
Solving the Problem
Remy Claret, CMO at Odaseva, said that the key concepts or “factors” to keep in mind when considering a solution are trust, insurance, and acceleration. It’s important to build trust not just with customers, he said, but with regulators as well – whether regulations are geographic or industry-specific. Ensure that your assets are protected with backup, restore, archiving, and availability. The acceleration piece is about enabling deployments and projects with use cases around synchronizing, test environments, comparing, transporting, and all things related to making sure the data can be pulled up and transferred from one environment to another, Claret said, “with all the security, the consistency, and the monitoring that goes with it.”
When companies talk to vendors about buying software now, Bin said, they demand that those vendors be compliant with GDPR, along with any other privacy regulation in force where they do business. As executives come to realize the potential for catastrophic loss, however, it’s no longer enough to simply select a vendor that is compliant – companies also want to be compliant with their own internal processes. They need to be able to respond to changes quickly to avoid fines, Sovan Bin said. “The key metric has become ‘time-to-compliance,’ because for the first time, regulation is moving faster than technology.” This accelerated pace has driven Bin’s customers to demand the ability to go beyond homemade, in-house compliance.
Odaseva was created to solve the compliance problem with a managed solution for businesses using Salesforce, removing the need for homemade compliance and its resultant infrastructure. Odaseva allows customers to automatically get overarching regulations like GDPR and CCPA compliance managed, with customized additions for location-specific regulation compliance.
Claret added that Odaseva’s focus is on three pillars:
- Data Privacy Compliance Automation: Including built-in compliance for data entry in Salesforce.
- Data Protection: Including integrated backup, restore, and archiving processes.
- DataOps: To accelerate project deployment.
Bin said a typical response to increased regulation is to charge the data architect with creating a solution. The architect’s perspective is usually to attack the problem, system by system and regulation after regulation, by attempting to centralize management in the specific code. “I think this approach is going to fail because even though regulations share some common DNA, they are very different,” and responses should be highly customized based on location. He believes that a regulation should be “installed” rather than “developed” by trying to solve it with a single piece of code.
Customized Compliance via App
Inspired by Apple’s easy-to-install iPhone apps, Bin said, Odaseva acts like an operating system for Data Governance, with a variety of apps that can be installed based on the needs of the company. Without spending years in development and countless resources keeping a legal team busy with updates, it’s possible to add an app that manages a “right to be forgotten” under GDPR, for example. Odaseva’s team of lawyers monitor changes in regulations and their developers update apps as needed, removing the need for their customers to dedicate teams to those processes in house.
The CIA of Security
Additional app-based features include backup, restore, archiving, cloud emulation, and enhanced security measures. Although concern about data privacy is a top priority, new regulations also address data security. The philosophy behind GDPR and CCPA is that data should be handled as a critical asset. Sovan Bin sums up the key components of data security using the long-established CIA triad: Confidentiality, Integrity, and Availability. Bin noted that “every company in the world knows how to protect their assets, so apply the same methodologies you use to protect your most precious assets to your data.”
Future Trends in Data Privacy Regulation
Although it may take years to happen, Sovan Bin predicts that the drive toward separate state-by-state privacy regulations will eventually converge toward a unified set of regulations throughout the United States. Salesforce Co-CEO Keith Block has also called for a federal standard. Over time, as regulations evolve worldwide, Bin said, they will share more DNA, which will support the evolution to a more unified set of policies across nations and territories throughout the world. “These consumer rights, it’s quite interesting. Personal information belongs to the people now.”