Data privacy concerns are nothing new; ever since the Third Industrial Revolution, in which digital technology replaced analog, people have had concerns about the use and misuse of digitally collected, stored, processed, and shared data. By the 1990s, American computer scientist Pete J. Denning penned an article[i] about how "The rate and volume of information flow overwhelm our networks, storage devices and retrieval systems, as well as the human capacity for comprehension.” This was the precursor to what we now call “Big Data,” coined as a term circa 2005, in which companies started amassing data as a stated method for better understanding customer, potential customer, partner, and overall market needs and trends.
Certainly data privacy—especially when we’re referring to personal data privacy—has had its ups and downs. When it comes to using our favorite mobile apps and social media, ordinary citizens are not so concerned with the collection, use, and sharing of their data....if they even know the extent of what companies are doing with it. On the other hand, the Edward Snowden leaks were a wakeup call for many Americans who became outraged upon learning they were being surveilled.
As the mobile app explosion and controversy over Snowden were happening, there was, not surprisingly, a corresponding uptick in the number of very public data breaches exposing the personally identifiable information (PII) of consumers. While data security and data privacy are not the same thing, a breach of PII due to failures of security controls result in the same result: divulgence of private information and liability on the part of anyone who was entrusted to safeguard that private information.
As such, thousands of cyber security regulations and armfuls of data privacy laws have been enacted over the years, the two most well-known data privacy laws being the General Data Protection Regulation (GDPR) in the EU and the California Consumer Privacy Act (CCPA) in the US. Given the repercussions of violating these laws and angering customers, partners, and employees when or if a breach were to happen, enterprises have started to think more seriously about how to comply and how to use their tech to achieve both security and compliance.
One such security practitioner was Rehan Jalil, who, in 2018 when GDPR became enforceable, saw firsthand what was required to respond to GDPR requests from customers and recognized that the traditional tools for data governance were ill-equipped to handle these new challenges. Jalil recognized an opportunity and started SECURITI.ai, a data privacy and security automation firm based in Silicon Valley.
“Privacy has been brought to the forefront,” Jalil told me and Ed during a recent briefing, “and I wanted to look into privacy more deeply and see what I could apply from security. When SECURITI.ai was founded, I didn’t know of any classification products that could identify all data and tell you whose data it is then allow you to manage that data on a record by record basis. That’s what we built at SECURITI.ai: a platform that builds a people data graph and gives database administrators the ability to ask questions about data subjects, in plain English, and find all the records associated with a person.”
The SECURITI.ai product suite includes various modules which can be used like building blocks, depending on your organization’s needs, but altogether, the gist of the solutions is that marketers, database administrators, IT, privacy, and security professionals can use the tools to find data on each data subject by simply asking for it. SECURITI.ai integrates with 200+ database vendors, SaaS, technologies, and ticketing systems so that when a data subject’s records need to be identified, the requestor needs only input one search and all the relevant records will be aggregated into the people data graph so that the appropriate action can be taken.
The people data graph includes all the relevant information an admin would need: where/in what databases the data on the data subject is stored, the geography of the data subject, the category of found information (e.g., email address, Social Security Number, health-related information, phone number, etc.), and more, and it includes a link to all personal records for easy download or removal. A complete audit trail is recorded with every interaction so data protection officers and third-party auditors can see every action taken by the data processor as well as every inquiry by the data subject.
“Our platform reduces the effort of manually finding data across every enterprise system in use,” said Jalil, “and it works in every type of environment (on-prem, cloud) and for any data type, structured or unstructured.” From our short conversation, SECURITI.ai looks to have all the right elements to make PII data identification and management easy and efficient. One of the most important features, in this author’s estimation, is that, because of the integrations, SECURITI.ai can reduce the potential for human error. In other words, if a data subject requests their information be removed, all the admin has to do is push a single button and their PII is removed from every system of record—there is no manual removal process.
SECURITI.ai and platforms like it are also a great opportunity for enterprises to promote the idea of privacy as a differentiator; as privacy issues continue to be in the limelight, organizations that can prove to customers, partners, and employees that personal data is private and secure will have an upper hand in the years to come. The key for any company in this space will be automation and provability. While most enterprises are likely managing PII piecemeal today, we at TAG Cyber recommend putting together a strategy for streamlining data privacy processes that will remove any manual effort, ensure that records are being handled as requested, and can demonstrate all actions (or inaction) taken.