The Need for Data Privacy Initiatives
Data Privacy is a growing concern for organizations worldwide, who are faced with an increasing number of Data Privacy regulations governing their collection, use, processing, storage, and disposition of personal information about their consumers and employees. Although the modern Data Privacy regulations started in Europe with the advent of GDPR, the trend is quickly catching up in North America and other locations around the world.
The US has seen many States coming up with their own Data Privacy regulations in recent years. Enforcement authorities for Data Privacy regulations could impose huge fines on those companies who do not comply with them. General Data Protection Regulation, for example, could impose up to 20 million EUR or four percent of worldwide turnover. Hence, large organizations are now increasing their IT budget toward Data privacy initiatives to avoid the penalties and other negative implications of non-compliance.
One of the important requirements of many Data Privacy regulations worldwide is that organizations need to provide their customers with the right to request access, correction, and deletion of personal information held by them. This requires organizations to build capable systems that could help review and respond to Data Privacy related requests from their consumers.
While embarking on these initiatives to comply with Data Privacy regulations, organizations are typically faced with two options. The first option is that they could choose to build the necessary systems from scratch by themselves leveraging existing enterprise-wide processes and systems.
The second option is that organizations could buy licenses for relevant commercial off-the-shelf tools available in the market and customize the tools for their specific organizational requirements and priorities.
Build Your Own Solution
This option is more popular among organizations looking to reach a minimum defensible position by a specific compliance deadline. This minimum defensible position may mean different goals for different organizations depending on their risk appetite and level of exposure to regulatory requirements.
One of the advantages of this approach is that this helps organizations to start with a lower-cost solution and then decide about investing in a full-fledged solution later depending on the volume of Consumer and data subject requests received by the organization. The “Build” option also allows these companies to leverage their existing IT capabilities to create their Data Privacy solution.
For example, if the organization is already using SharePoint, then the workflow capabilities within SharePoint could be used to build a data Subject and Consumer request management system. However, one of the disadvantages of this approach is its scalability.
This approach could end up consuming more time and efforts of internal IT departments in the long run, if and when the volume of consumer and data subject requests crosses a threshold and organizations find themselves needing to invest in a more sophisticated solution.
Commercial Off-the-Shelf Solution
This option is typically more suitable when an organization is looking at Data Privacy initiatives with a long-term view rather than just looking for a minimum defensible position to avoid the penalties for non-compliance.
This option involves buying a license for one of the commercial tools available in the market for Data Privacy and Data Governance. These external tools are typically more expensive than home-grown solutions but can seamlessly scale for a higher volume of consumer requests with maximum efficiency. These tools also typically provide end-to-end Data Privacy solutions covering consent management, consumer request, and record of processing.
The major disadvantage of the solution is the high annual license cost associated with using the tools, in addition to the maintenance costs.
One of the core principles of modern Data Privacy Regulation such as GDPR is the need for Data Minimization and Privacy by Design. It is expected that most regulations worldwide will evolve to include data minimization, and hence, it becomes a key area of interest for organizations embarking on Data Privacy initiatives even if the current regulatory requirements do not call for the same.
Data minimization requires organizations to collect only the minimum amount of personal information from their consumers, as needed for legitimate purposes for which they are required, and to store this information only for as long as they are necessary to fulfill legitimate business or legal requirements.
This in turn calls for organizations to design and implement data retention policies, which are appropriate to the nature of personal information and the purposes for which they are being processed.
Challenges in Implementing Data Retention Policies
Deletion of specific consumer information according to its retention policy schedule poses a great challenge because of the potential database integrity constraints and the impact on upstream and downstream applications. To mitigate this challenge, organizations are advised to craft a comprehensive data lineage of their IT architecture and assess the flow of personal information starting from the source to all downstream systems.
There are a lot of commercial Data Discovery tools available in the market that help in this exercise but they require that all the internal data sources to first be connected to these tools before they can provide data lineage reports. Yet, this does not solve the problem totally, as deletion of consumer information should also factor in the need for exceptions to retention schedule for various purposes, such as legal hold, regulatory requirements, business purposes, etc.
Scope for Automation in Solving Data Retention Puzzle
As a result of the complications involved in data retention, even the leading Data Privacy tools in the market have not been able to effectively design a data retention solution, which could seamlessly implement the enterprise-level data retention policies.
At this point, most organizations are, therefore, adopting a largely manual approach in assessing the data lineage and validating for database integrity constraints. Organizations are still trying to automate the process to the extent possible by creating deletion scripts that check for retention policies and carry out the deletion of personal information that is past the retention schedule.
Commercial tool vendors, on their part, are also trying to create solutions that could improve the efficiency in largely manual processes of implementing Data Retention. For example, once all data sources are connected, many commercial tools can catalog personal data into profiles that can be searched through a centralized interface.
Once the data retention schedules are also defined in the catalog, certain commercial tools could analyze the catalog and flag the candidate data for deletion to the respective business or system owners. The downside of the solution is the actual review and deletion of candidate data flagged for deletion which is a responsibility of the respective IT system owners and is largely a manual process. Naturally, there are still a lot of scopes to bring in more avenues for automation to solve the Data Retention Puzzle.