The Looming DSAR & RTBF Storm – reviewing the potential risks and how to mitigate them
There is a perfect storm looming on the horizon for companies that collect and process Personally Identifiable Information (PII). Five vastly different contributing factors and conditions are driving this bombardment. Circumstances are ripe for organizations to be flooded with exponential growth in Data Subject Access Requests (DSAR) and Right of Erasure or Right To Be Forgotten (RTBF) petitions. Most are not prepared for the onslaught!
What are the factors driving this sea change?
- GDPR and CCPA are making people more aware of their rights. This awareness shows up as more people caring about, and submitting, DSARs, exercising their RTBF and looking for ways to streamline and automate the process. This is just the beginning . . .
- Startups focused on serving the needs of these consumers (Data Subjects), not companies (Data Controllers and Processors), are emerging. Companies like SayMine (Saymine.com) or Jumbo Privacy (www.JumboPrivacy.com) are well funded and will rapidly change the velocity and volume of DSARs and RTBF requests. These SaaS services typically crawl through your emails and browser history discovering companies or organizations you have shared PII with. They then automate bulk submission and distribution of DSARs sending out dozens of detailed DSARs with a few mouse clicks. Contrast that with having to go to each individual company or web site, find their link or form for submitting a DSAR or RTBF request, or calling or emailing each company.
- Companies like DeleteMe also help get your PII removed from Data Brokers like Whitepages, MyLife and Spokeo for a nominal fee, but at least for now do not help with individual retailers and other B2C sites. These businesses will make it increasingly difficult for any PII aggregators or data brokers and will quickly expand the scope of their services if there is money in it.
- Claims Management Companies (CMC) now regularly submit bulk DSARs on behalf of their clients – often in response to data breaches. These class action style requests often cannot be ignored or challenged by a company already reeling from even the smallest data breach. Hundreds of systems may be impacted by just one of these.
- The false sense of security many organizations get from the plethora of data privacy compliance software they have implemented. Some do a great job of managing consent (Opt-In/Opt-Out) preferences and tracking Data Subject Access Requests (DSAR) they receive from consumers (Data Subjects) interacting with the business On-Line or through other communication channels. Many of these tools provide great looking dashboards, scorecards and reports tracking privacy compliance, consent and DSARs, misleading organizations into thinking they are ready and prepared to fully comply with all data privacy regulations. Capturing these requests is only one piece of the puzzle, and the easiest part.
There are many different Consent and Preference Management software vendors offering excellent solutions for collecting and managing DSARs. There is obviously more money in selling B2B solutions (for now). These include companies like OneTrust, TrustArc, WireWheel, Exterro, Mandatly, Osano and many others singularly focused on this. Unfortunately, most only help manage, visualize and report on these requests. Few offer actual policy enforcement or ensure compliance.
While not their primary focus, many other data discovery, data governance and data catalog vendors like BigID, Collibra, Alation, LogicGate, IBM, Microsoft and Informatica also provide DSAR and Consent tracking capabilities. Core data discovery, data classification and data cataloging functionality are also important in this process as described below.
Compliance is more complicated than most organizations realize
Large complex on-line marketplaces and retailers like Amazon, eBay, Etsy, Walmart, Alibaba, Google Express and many others combined, collect, process, store and analyze petabytes of Personally Identifiable Information (PII) every month. This PII ends up in countless different Databases, Data Lakes, Data Warehouses and other Data Repositories.
The first challenge is discovering, classifying and cataloging all the PII within the organization’s infrastructure, On-Prem and in the Cloud, on electronic and paper media. Imagine a DSAR requesting an inventory of all PII on a Data Subject, what it is used for, who it has been shared with, when, and why.
The final challenge is actually enforcing compliance in accordance with these DSAR and RTBF requests and conflicting data retention regulations. This means implementing the actual changes: providing fine-grained access controls, accountability, audit trail, de-identification, anonymization, records of processing, filtering, logical deletion, and eventual physical deletion.
Developing the whole team so that its members do not work at cross purposes and share a single goal takes time and a suitable approach. At the outset, IT should consider the problem the application system is meant to solve and identify which people on the business side can help with the related workflows and outcomes. Only then should an Agile team be built, and it must not consist merely of a Product Owner and business-side staff; rather, everyone must be involved at every stage.
What are the implications of all this?
GDPR, CCPA, PIPEDA, PDPB, PDPA, POPI, TPA, KVKK and many more national or industry specific privacy regulations are raising awareness and triggering a flood of additional risk with few companies appreciating the impact this will have on their business if not addressed. Risk from non-compliance includes increased operating costs, growing financial penalties and brand or reputational damage.
Few organizations are adequately prepared, and actual compliance enforcement is often a very labor-intensive process. This can involve manual intervention by DBAs, System Admins and Developers, code changes to hundreds of Applications, analytics, reporting and records processing on dozens of Databases and Data Repositories. Lack of enforcement of privacy regulations results in loss of trust and fines for non-compliance.
What must be done to manage the associated risks?
Leverage the valuable data discovery, data governance, data catalog, consent and preference management information collected and stored in existing tools described above.
Extend the value of these tools by utilizing the data inventory or catalog and data classification information. Track all data flows and access to PII. Implement Purpose Based Access Controls (PBAC) that control access based on all relevant User or Data attributes, including job function, geo-location and the application used to access the data, and apply these rules consistently across the enterprise regardless of where the data is stored or processed.
Enhance consent and preference management tools by automatically enforcing consumer Opt-In/Opt-Out preferences and RTBF requests. Leverage Logical Deletion capability to provide full life cycle management and PBAC for all PII from initial collection through to final Physical Deletion from the last system. This must be achieved without breaking critical business processes while still complying with conflicting data retention requirements by government regulators, legal holds and more.
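As an added illustration of the two preceding points (not code from SecuPi or from the original post), the following constructed policy check combines purpose-based access control over user and data attributes with logical deletion that honours an RTBF request while still respecting a legal hold; the role, application, geo and purpose names are assumptions.

```python
from dataclasses import dataclass, field

# Constructed example: a minimal PBAC decision plus logical-deletion handling.
# All roles, applications, geos and purposes below are assumed names.

@dataclass
class Record:
    subject_id: str
    consented_purposes: set = field(default_factory=set)  # Opt-In purposes
    logically_deleted: bool = False   # set once an RTBF request is honoured
    legal_hold: bool = False          # conflicting retention obligation

@dataclass
class Request:
    user_role: str
    geo: str
    application: str
    purpose: str

# Which (role, application) pairs may act for which purpose, and from where.
POLICY = {
    "marketing": {"roles": {"marketer"}, "apps": {"crm"}, "geos": {"EU", "US"}},
    "fraud_investigation": {"roles": {"fraud_analyst"}, "apps": {"case_mgmt"}, "geos": {"EU", "US"}},
    "legal_hold": {"roles": {"legal"}, "apps": {"ediscovery"}, "geos": {"US"}},
}

def decide(req: Request, rec: Record) -> tuple[bool, str]:
    """Return (allowed, reason) for one access request against one PII record."""
    rule = POLICY.get(req.purpose)
    if rule is None:
        return False, "unknown purpose"
    if req.user_role not in rule["roles"] or req.application not in rule["apps"]:
        return False, "role/application not permitted for purpose"
    if req.geo not in rule["geos"]:
        return False, "geo-fenced"
    # Logical deletion: after RTBF the record is invisible to every purpose
    # except legal hold, and only while a hold actually exists.
    if rec.logically_deleted:
        if req.purpose == "legal_hold" and rec.legal_hold:
            return True, "retained under legal hold"
        return False, "logically deleted (RTBF)"
    # Consent gate: marketing needs an explicit Opt-In from the Data Subject.
    if req.purpose == "marketing" and "marketing" not in rec.consented_purposes:
        return False, "no opt-in for purpose"
    return True, "allowed"

def physically_deletable(rec: Record) -> bool:
    """Physical deletion may proceed only once no retention obligation remains."""
    return rec.logically_deleted and not rec.legal_hold
```

The same decision function is meant to be called from every data path (application, report, analytics job), which is what makes the rule enforcement consistent regardless of where the PII is stored.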
This is where SecuPi comes in. SecuPi leverages all this foundational information to provide a fully automated, flexible, seamlessly integrated, transparent and comprehensive solution ensuring full compliance and data mobility On-Prem or in the Cloud.
The author, Les McMonagle has over 25 years’ experience in Information Security and Data Privacy in Europe and North America which includes CISO for a credit card company and ILC bank, establishing multiple InfoSec consulting practices and senior product strategy roles at multiple security solution providers including Chief Security Strategist at SecuPi.
Want to learn more about how SecuPi is helping numerous global companies prepare for this looming storm with a comprehensive solution for privacy compliance and enforcement? Less than an hour of your time is all it takes to see how to protect your company from privacy non-compliance risk associated with DSAR, RTBF, Restriction of Use, Records of Processing, Consent (Opt-In/Opt-Out) Preference Management, conflicting Data Retention requirements, Geo-Fencing and more.
Written by: Les McMonagle, SecuPi Chief Security Strategist