Using technology to build a privacy program

Complying with data privacy laws has become so complicated that relying on dedicated technology for help is the only reasonable response.

The growing tangle of data privacy complications results from three distinct trends:

• The evolving splinternet of differing data privacy laws across both the U.S. and the world
• Widespread data sharing between different platforms, including Google, Facebook, online retailers, and everyone else
• The explosive growth of data in general, particularly unstructured data

Even if your company does business in only one U.S. state, subject to one data privacy law, the difficulties presented by ubiquitous data sharing and the exponential growth of unstructured data would still be so substantial that technology would be critical to making data privacy compliance manageable and cost-effective.

Of course, though, few companies fit this hypothetical scenario, instead operating across the entire U.S. and internationally. These companies must deal with the additional layer of complexity created by the varying legal regimes.

So what exactly are the complications caused by these three trends? 

During a recent Crownpeak webinar, “How to Build a Proactive Privacy Program in the Digital Era,” we examined these complications in greater detail, expanded on why data privacy compliance is a task best left to tireless software, and discussed the five requirements of an effective data privacy program. 

Patchwork quilt of data privacy laws presents challenging questions

Imagine a multinational e-commerce company headquartered in Toronto with offices in Palo Alto, London, and Rio De Janeiro. The company does business in 30 countries and all 50 U.S. States, collecting user data in each one.

How should it go about complying with the varying data privacy laws in each region it operates in?

Does it determine which data privacy law — whether Europe’s General Data Protection Regulation (GDPR), Brazil’s Lei Geral de Proteção de Dados (LGPD), or some other law — has the most stringent requirements and then comply with that one across all territories?

Unfortunately, it’s not so simple. For example, some provisions of the California Consumer Privacy Act of 2018 are more stringent than the GDPR and vice versa. 

Should the company instead analyze all the data privacy laws, pull out the most stringent provision for each provision class, and then stitch together those provisions from different laws into a kind of Frankenstein law that the company would follow?

Or should the company try to comply with each country’s or state’s law when operating within that area?

Once the company chose an option, then what? Does the company hire software developers to write custom software to execute its data privacy compliance plan? Or does it make more sense to just buy an off-the-shelf solution?

Of course, given sufficient time, the company’s legal and IT teams might very well be capable of sorting these issues out, but why not save time and resources by outsourcing the challenges to specialists who already have a solution?

Tracking thousands of instances of data sharing 

However complicated the legal landscape has become, it’s still not nearly as complex as the web of data sharing that has been growing over the last 20 years.

Webinar guest William Broadhead, Senior Director of Engineering at Crownpeak, illustrated the vastness of data sharing with a personal anecdote about his use of Facebook. He looked at how many websites and vendors outside of Facebook were sharing data about him with Facebook. 

Astonishingly, he found, “In the last six months, there were 955 applications and websites sending data to Facebook about me, including financial institutions, my health insurance, and other sites that I had no idea would be sharing data about me with Facebook.”

Of course, these companies are sharing your data not just with Facebook but also dozens of other sites, and these other sites (as well as Facebook) are then sharing your data with still other parties.

“So, user data goes far and wide very quickly,” Will explained. 

You can get a sense of the extensiveness of data sharing from this graphic from the webinar, which shows user data going from CNN’s website to other sites, which in turn share the data with additional sites.

Companies need to know with whom they are sharing user data because, under all data privacy laws that cover online activities, website users can ask website owners about how their data is being shared with others.

To help companies with this task, Crownpeak has a trackermap tool that helps website owners track where user data is going so that they can share that information in response to a user inquiry (also known as a data subject access request (DSAR)). 

Most data is unstructured

Further complicating company efforts to track the data they need to gather in response to user requests is the fact that most user data is now unstructured. In fact, surveys estimate that between 85 to 90% of company data is now unstructured data.

Examples of unstructured data include chat messages, email messages, and social media content. What makes this data unstructured is that it can’t be easily stored or searched in a traditional database or spreadsheet. 

As a result, when a company receives a DSAR, it’s harder for the company to find all of the unstructured data that relates to that individual and thereby comply with the request. 

Finding unstructured data is much easier with AI-driven data intelligence, explained webinar guest Vaibhav Mehrotra, the CEO of Secuvy, which provides a cloud-based platform to automate data security and privacy. 

An AI-driven data intelligence platform will help your company uncover all the unstructured data scattered across chat messages, social media posts, emails, and other sources.

Could staff instead handle this work?

Yes, a sufficient number of trained employees dedicated to the task of sifting through unstructured data might be capable of replicating the work of a dedicated software platform, if given sufficient time.

But before you task your staff with handling these requests, consider this:

To respond to a data access request using staff time, a small or medium-sized enterprise would need 172 hours of staff time (that’s 21 eight-hour days by one staffer), while a large enterprise would need 1,259 hours (that’s more than 31 days with a five-person team working exclusively on the data access request).

These troubling time commitments can be found on the below slide along with information about the explosion of unstructured data:

As you can see, while a human-powered approach is possible, it’s very time consuming and therefore costly.

In comparison, an AI-driven process can complete a personal data request in three to four hours.

Using staff to carry out data privacy processes makes about as much sense as a traveler spending countless hours calling different hotels and airlines to determine the best possible travel package, when there are dedicated travel booking sites that can quickly provide simultaneous comparisons of hotel and flight options.

In the same way, managing data privacy would involve so much labor-intensive drudgery as well as subtle nuances that it makes more sense to let technology and AI handle it.

Five requirements of a data privacy program

In looking for a technology solution or combination of software platforms to address your company’s data privacy needs, you should look for a solution or solutions that can handle the following five critical processes for data privacy:

1. Data Subject Access Requests 
2. Consent Management
3. Data Discovery
4. Data Classification & Intelligence
5. Data Protection Impact Assessments (DPIAs)

We’ll be exploring these processes further in upcoming webinars.

In the meantime, to learn more about how Crownpeak and Secuvy’s technology platforms can help with these processes, you can listen to the “How to Build a Proactive Privacy Program in the Digital Era” webinar on demand.