A recent survey of 100 executives from Fortune 500 companies found more than half are struggling to balance easy access to company data with privacy and security compliance.
The survey was commissioned by software vendor Privacera and conducted by marketing agency Lead to Market. Among the findings, 58 percent of respondents said access restrictions were impacting the productivity of their analytic teams.
This issue is particularly thorny for companies that store personally identifiable information (PII) on cloud servers. Eighty-five percent of respondents said they used at least two cloud servers for data analytics and storage. Forty percent reported using five or more.
Privacy regulations like the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) have increased the difficulty of cloud migration and analytics, with 7 of 10 survey respondents saying the effort has become more complex.
According to the GDPR, which took effect in 2018, any firm that targets or collects data related to people in the European Union must implement technical measures that protect PII from breaches, as well as limit access to personal data to only those employees in the organization who need it. If there is a data breach involving the PII of EU residents, companies have 72 hours to report it to their regulator or face penalties. Reporting to data subjects can be waived, however, if a company uses technological safeguards like encryption, which should render the data useless to a hacker.
“You don’t build the system for exceptions. You build it on the most common principles.”
Balaji Ganesan, CEO, Privacera
The CCPA took effect in 2020 and requires companies grant their customers in California with a number of rights regarding their PII. Under the CCPA, California consumers can request what information a company has collected on them and can have this information deleted or opt out of the sale of it.
In November, California voters approved the California Privacy Rights Act, while Virginia legislators recently passed the Consumer Data Protection Act. Both take effect in January 2023. These laws provide consumers in California and Virginia with additional rights regarding PII.
Ten states—Alabama, Alaska, Colorado, Connecticut, Illinois, Massachusetts, Minnesota, New Jersey, New York, and Texas—are currently considering comprehensive data privacy bills, according to the International Association of Privacy Professionals. Bills in several states, including Florida and Washington, stumbled at the finish line because of legislative disagreements about whether to include private right of action.
These data privacy laws place certain requirements on PII that can hinder companies’ ability to quickly and efficiently analyze their data, according to Privacera CEO Balaji Ganesan. The survey found four out of five companies (81 percent) were not confident that a request from a past customer to delete all information could be executed when stored in multiple cloud services.
On one hand, data needs to be centralized and accessible. On the other, privacy laws set certain use limitations to protect the privacy of the individuals whose data is being analyzed.
The optimum way to solve the two issues is to come at them simultaneously, Ganesan said.
“Most forward-looking organizations embed privacy and security controls in their system early on,” he said. IT departments want easy and quick access to the data in order to analyze it. Compliance departments want to make sure all privacy rules are followed.
Who is authorized to access which data sets should be determined at the beginning of a project, not as an afterthought, Ganesan said. If controls and rules are set up at the same time as the analysis, the data will be made available to only those who need it. There can be different controls for data that is considered sensitive and for data that is not. Doing it this way also distributes the responsibility for keeping data secure for all who access it, instead of concentrating access through one point.
“You can seamlessly implement controls in a way that is nonobtrusive, transparent, and secure,” Ganesan said. “It should be a shared responsibility with shared best practices.”
Starting the project without such controls inevitably leads to workarounds used by employees seeking to access the data and, potentially, “shadow access,” he said, which can open up an organization to privacy violations.
On the issue of individual state data privacy laws that are in effect in California and have passed in Virginia, Ganesan does not recommend creating different sets of controls for users in those states.
“You put a good foundation of controls in, and then you handle exceptions,” he said. “You don’t build the system for exceptions. You build it on the most common principles.”