Privacy Automation and Orchestration for Personal Data

There is no stealth on the internet. Even with all the right precautions—Tor, VPNs, aliases, etc.—a highly skilled forensic investigator can find anyone, given enough time and the right tools. But obfuscation is for the stealthiest—or most deviant—among us. Most of us give up our privacy readily every day. We browse/search the internet using Chrome. We shop online. We are members of online groups. We use social media. Our ISPs have datastores of our texts. Our driving directions app knows every place we go. Some of you might sign up to receive newsletters. Suffice it to say, people give up privacy for myriad reasons and mostly don’t think twice about it.

In recent years, privacy regulations like GDPR and CCPA have put in place greater privacy precautions for individuals/consumers. But a privacy purist would say neither these, nor the dozens more in individual U.S. states, go far enough to truly protect consumers’ privacy. Yet, any company doing business with EU citizens or California residents knows that it is incumbent upon them to make certain they can meet the demands of the legislation, including identifying and (potentially) definitively removing consumer personal data from the entirety of their databases (DBs) when asked to do so. While some corporations might say, “the heck with it” and risk facing fines (they’re essentially betting that consumers, especially in the U.S., don’t care), more and more businesses are seeing the need and the risk reduction associated with complying.

These conscientious companies have a special place in this author’s heart—and likely the hearts of many a security practitioner. Regardless of best intentions, even the most meticulous businesses have a hard time orchestrating identification of and action on personal data requests. The process of locating every record related to a person, in every database—the company’s CRM, marketing DBs, order systems—and then acting on the record is significantly tedious, time consuming, and incomplete. This is due to the disparate nature of how applications/databases are added and used across companies.

Nonetheless, by letter of the law, companies are required to have these capabilities—for some consumer records, at least. Forward-thinking and privacy-conscious companies are going above and beyond, understanding that it is in their best interest to attend to privacy concerns, lest they increase the risk of breach (hoarding personal data isn’t a good look on anyone) or public shame (we’re lookin’ at you, Facebook). Yet, the undertaking is hard, and companies spend tons of person-hours chasing records. The head of security at a major enterprise recently told me and Ed that it took the company nearly six weeks to chase down the entirety of one customer’s records across their systems. Now multiply that work across hundreds or thousands of requests.

The aforementioned incident happened before GDPR was officially law and CCPA was written.

Online behaviors and privacy

During that same period, Ben Brook and his future co-founder Mike Farrell were studying computer science at Harvard and working on projects around the statistical trends of personal behaviors. One thing led to another and Ben and Mike ended up calling companies’ support teams to try to get themselves removed from their databases. At the time, they didn’t have any rights to access their personal data or request deletion or removal. This struck them as significantly wrong—personal data is personal, and even when it’s provided to a company for a specific use, a person should have the right to see or claw their data back upon request.

However, businesses had (and some still have) a different perspective, as exemplified in the interminable pages of their privacy policies, which few people read and which, even for those who did, offered no recourse to anyone who wanted to exist in a modern society where auto-enrollment and data sharing were (and are) more commonplace than GDPR- and CCPA-compliant policies.

It was a lightbulb moment for Ben and Mike, even if big regulations were only on the horizon at that time. They founded Transcend (transcend.io, so as not to be confused with the many other companies with a similar name) with a goal of making it easier for companies to find consumers’ personal data across their numerous and scattered systems. Transcend calls its platform data privacy infrastructure, but it's probably better described as privacy automation and orchestration (PAO).

Centralizing and simplifying visibility and control

Transcend’s PAO technology allows companies to centralize and simplify the effort it takes for businesses (data controllers) to locate individuals’ (data subjects’) personal data and act on it. As noted above, most companies' personal data identification/action processes today are highly manual, consuming unnecessary, cross-functional resources. Yet, even with the effort, these companies are rarely completely effective when asked to respond to a data request. The core problem is that companies have been receiving personal data and have been putting it in dozens of data systems, data warehouses, data lakes—a huge gamut of vendors—without any data mapping or ability to connect records.

Transcend makes this all possible through its privacy automation and orchestration platform—so-called data privacy infrastructure. On the front end, Transcend provides the business with a white-labeled user interface that looks like a normal portion of their website. From there, users can make data requests directly to the company. A few points about the front-end privacy center are important.

First, the privacy center simplifies the company’s privacy policies (vs. the typical 27+ pages to which we’ve grown accustomed), highlighting the salient points and making it easy for consumers to understand their rights and the company’s obligations. From that privacy center/web page, consumers can click a “take control” button to securely submit requests. That leads to the second point: the privacy center eliminates the need for consumers to email the company (the traditional method) to make requests, a practice that can further expose personal data to leak or theft. Third, the front-end privacy center is tied to the back-end portal, which means that employees of the company receiving requests don’t have to manually take the consumer’s personal data from email and manually find its locations across multiple, disparate systems before being able to provide the data or evidence of removal to the requestor.

The features/functionalities listed above create a better customer experience, thus elevating consumers’ perceptions of the brand, i.e., “they care about my privacy.” These capabilities also start to demonstrate how Transcend eases the privacy compliance process for businesses and reduces the risk of company employees fumbling consumers’ data and ending up in legal hot water.

Ease of integration

On the back end, Transcend is a simple portal where administrators can connect all databases which contain personal data. The platform comes pre-populated with dozens of common applications/DBs, what Brook calls “every logical silo,” making it easy for admins to deploy and start using. It’s not just for vendor solutions; any manner of “homegrown” DBs can also be connected. From here, admins can centrally view all instances of an individual’s data and apply controls—privacy choices requested, redaction, restriction, erasure, etc.—across every silo or system used by the company. In the past, a company’s marketing person, for example, would need to look up the record in Marketo while the IT admin looked in Zendesk, the finance person searched in PayPal, the project manager handled Asana, and the salesperson administered Salesforce. With Transcend deployed, admins have one central location from which to pull up records and manage them uniformly at once. Unlike traditional workflow software, Transcend can be configured for automation; received requests can be processed and responded to automatically, without any manual intervention, thereby removing any potential for human error. This allows companies to process thousands of requests daily, and end users can instantly receive a copy of their data and gain confidence in the process.
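As an added illustration of the orchestration pattern described above (this is not Transcend's code; the silo names and in-memory records are constructed), here is one data-subject request fanned out to every registered silo, with an outage in one silo recorded rather than aborting the run, and erasure verified by re-querying before the silo is reported as done:

```python
from dataclasses import dataclass, field
from typing import Dict, List

ACTIONS = ("access", "erasure")

class InMemorySilo:
    """Constructed stand-in for one connected silo (CRM, marketing DB, ...)."""
    def __init__(self, name: str, rows: List[dict]):
        self.name, self.rows = name, rows
    def locate(self, email: str) -> List[dict]:
        return [r for r in self.rows if r.get("email") == email]
    def erase(self, email: str) -> int:
        before = len(self.rows)
        self.rows = [r for r in self.rows if r.get("email") != email]
        return before - len(self.rows)

class UnreachableSilo:
    """Constructed silo whose backend is down; the request must still finish."""
    def __init__(self, name: str):
        self.name = name
    def locate(self, email: str):
        raise ConnectionError("backend unreachable")
    def erase(self, email: str):
        raise ConnectionError("backend unreachable")

@dataclass
class Report:
    action: str
    subject: str
    results: Dict[str, dict] = field(default_factory=dict)
    def complete(self) -> bool:
        """True only when every silo answered and nothing remained after erasure."""
        return all(r["status"] == "ok" for r in self.results.values())

def process_request(action: str, email: str, silos: list) -> Report:
    """Fan one data-subject request out to every registered silo."""
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    report = Report(action, email)
    for s in silos:
        try:
            if action == "access":
                report.results[s.name] = {"status": "ok", "records": s.locate(email)}
            else:
                erased = s.erase(email)
                leftover = s.locate(email)  # evidence of removal: re-query, don't trust the delete
                report.results[s.name] = {"status": "ok" if not leftover else "incomplete",
                                          "erased": erased, "remaining": len(leftover)}
        except Exception as exc:  # one outage must not hide the other silos' results
            report.results[s.name] = {"status": "error", "error": str(exc)}
    return report
```

A request whose report is not complete() still needs a human or a retry, which is the gap manual email-driven processes tend to lose track of.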

From a security perspective, Brook was bullish on building a “totally secure-by-design architecture.” The platform uses end-to-end encryption such that Transcend and its employees can’t see any of the data—either the company’s (Transcend’s customer) or the data subject's (the customer’s end user). “Transcend is the pipes and infrastructure,” Brook told us, “but the architecture is built to make our platform operate through a gateway that is hosted by the customer, and the data is proxied through the gateway.” As such, he continued, if a cyber criminal were to consider Transcend a goldmine of major companies’ databases and somehow exploit Transcend, the attacker couldn’t retrieve the data of Transcend’s customers, who are major retailers, financial services companies, hospitality groups, and more.

The future of privacy risk

We at TAG Cyber believe that privacy automation and orchestration is going to be a critically important space for businesses, not just in terms of data governance and compliance. The opportunity from a privacy and security perspective is to demonstrate to customers, business partners, and other third parties that all data, and especially personal data, are protected and managed correctly, complete with appropriate access controls and secure removal/erasure. One requirement for doing so will be the efficacy with which businesses can locate data, set controls for data records, and act upon data records when called to do so, either by law or by request.

On the other hand, one obstacle to growth in the PAO space will be the extent to which consumers care about their privacy (although the sentiment—especially in the U.S.—is growing, it is still in its infancy, being shoved along by regulation rather than market demand). However, from the business perspective, the workflow optimization advantages of PAO are crystal clear, the ability to easily meet compliance requirements is obvious, and the downstream security advantages are marked.

Even if your company does not currently have any data records for consumers in California or the EU, Transcend is a privacy platform to evaluate. For one thing, if your employer is anything but a very local business, you do have records subject to GDPR, CCPA, and other state regulations. For another, broader privacy regulation is coming. And last but certainly not least, every company is subject to numerous data security and breach laws. Data governance is a foundational element of data security, and Transcend makes data governance over personal data simple through privacy automation and orchestration.