Privacy-Grade data protection shows the way forward
In many enterprises around the world, the data tension is palpable. To keep data safe, governance controls assign data permission rights to authorized users while blocking everyone else, often without distinguishing trivial data (like a public events calendar) from highly sensitive information (such as an employee’s health record). As a result, line-of-business employees are frustrated by their inability to easily access the information they need to do their jobs effectively. Meanwhile, organizations, hesitant to fully leverage data over privacy concerns, lag in their digital transformation initiatives.
Personal data struggles abound
The statistics supporting this long-standing enterprise data rift are revealing. According to 451 Research, an overwhelming majority (78%) of line-of-business users experience frustration in their general, day-to-day attempts to access and use data.[1] At the same time, organizations struggle to quickly identify, retrieve and remediate personal and sensitive personal data in response to growing volumes of Data Subject Access Requests (DSARs). A recent 451 Research survey indicates that for 28% of large enterprises, it takes several days or longer to retrieve data and an equivalent number of days to remediate or take corrective action on data identified as sensitive or personally identifiable.[2]
The analyst firm reasons: “If the data privacy effort is unable to quickly identify and retrieve all relevant data related to a specific individual in response to a DSAR, it is quite unlikely that the marketing or engagement team is able to quickly get a complete 360° view of that same individual in their customer experience efforts.”
It’s no wonder then that 26% of organizations view “data privacy concerns as one of the most significant barriers their organization faces in attempting to be more data-driven.” 451 Research elaborates, “It is clear that the inability to consistently execute on data privacy creates a certain organizational hesitation around the leverage of data: hesitation that can directly slow down business progress and competitive viability.”[3]
Beyond data blocking and tackling
451 Research makes the case that the definition of data privacy software “generally needs to extend beyond technical data security mechanisms and support the persistent protection of data throughout an organization’s entire data estate: regardless of where data resides.”[4]
They suggest such valuable capabilities can include: “the ability to detect and discover potentially sensitive data, mechanisms for meaningful classification of data, and remediation capabilities that work in near-real-time – i.e., data is adequately protected as soon as it is defined as sensitive. Also, these privacy-supporting technologies generally need to augment the human and process-oriented elements of the data privacy effort, supporting workflows and management of responsibilities.”[5]
The National Institute of Standards and Technology (NIST) has also weighed in on the issue, declaring, “Deriving benefits from data while simultaneously managing risks to individuals’ privacy is not well-suited to one-size-fits-all solutions.”[6] We couldn’t agree more, which is why we have introduced the concept of Privacy-Grade data protection.
What is Privacy-Grade data protection?
Privacy-Grade creates a baseline for privacy technology. The term defines a set of quality standards that facilitate better data protection practices. Data discovery, storage, and control form the core of Privacy-Grade.
Defining high-quality standards for the technologies and techniques that span data privacy management, privacy control, and security capabilities ensures that personal data and intellectual property protections are persistently enforced throughout an enterprise.
Whereas data security solutions tend to focus on intrusion and data breaches at the network level, reactively protecting data in motion and perimeter processes, Privacy-Grade solutions address data at rest and proactively protect it at the database and individual data record level.
The end goal of Privacy-Grade is to facilitate better data protection practices associated with collecting, storing, and sharing sensitive, personal, and regulated data throughout the data life cycle.
3 must-have standards of Privacy-Grade data protection
A personal data protection solution is Privacy-Grade when it can automatically:
- Search every location where data resides
- Find every data type defined as personal, sensitive personal, or intellectual property
- Classify for context and risk
- Apply appropriate cures and controls
By supporting these critical requirements, the data protection solution meets the three “must-have” standards for Privacy-Grade protection, which include:
- Accurate discovery of any data, anywhere
- Purposeful classification of data based on purpose, process, and preferences
- Real-time remediation or response for handling vulnerable data
Let’s examine each “must-have” capability and how it contributes to the high-quality standard of Privacy-Grade data protection.
Accurate Privacy-Grade discovery
When it comes to protecting what matters most—your organization’s personal, sensitive, and regulated data—accuracy is everything. After all, you cannot secure what you cannot find. Privacy-Grade discovery describes a set of technologies used to accurately discover personal information anywhere. It also describes inspection techniques used to apply a policy dynamically, persistently tag, classify, relocate and apply third-party enterprise protections to personal data.
Essential Privacy-Grade Discovery capabilities include:
- Ability to discover personal information in unstructured objects (files), structured objects (relational databases), data stores (file server, cloud storage, object storage, etc.), as well as endpoints (via a host agent that runs locally).
- Advanced personal data detection using various techniques—from branching algorithms and vector analysis to supervised/unsupervised learning, regression analysis, and keyword matching.
- Advanced identity association to create associations between discovered data elements and their associated persons and identities.
- Techniques to reduce false positives, such as proximity rules. These are valued by larger organizations that have complex data ecosystems.
Purposeful Privacy-Grade classification
To effectively use and protect the discovered data, organizations must identify, classify, and tag each piece of data. Privacy-Grade classification technologies and techniques apply purposeful labels based on how data is collected, the associated purpose of the data collection, and the related data subject’s preferences.
Essential Privacy-Grade Classification capabilities include:
- Process-based data classification labels (such as HR records, PII for order processing, etc.).
- Purpose-based data classification labels identify data that can be used (or not used) for various activities.
- Preference-based data classification labels can restrict access to third-party apps and conform to portability restrictions.
Real-time Privacy-Grade remediation
Remediation solutions enable an organization to securely process personal data, including collection, retention, logging, generation, transformation, use, disclosure, sharing, and personal data disposal. Privacy-Grade risk remediation technologies and techniques support the risk-based mitigation, transfer/sharing, avoidance, or acceptance of risk associated with vulnerable data in real time.
Essential Privacy-Grade remediation capabilities include:
- Secure data erasure methods applied to the original location.
- Secure data relocation and containment via secure transmission methods, which support the ability to quarantine files to a highly secure location, encrypt data at rest and in use, and apply micro-segmentation to isolate workloads that hold personal data from one another.
- Data anonymization and pseudonymization to remove identifiers that connect an individual to stored data, using a variety of techniques: data masking, which hides data behind altered values; homomorphic encryption, which hides data behind computer-generated ciphertext; and pseudonymization, which replaces private identifiers with fake identifiers or pseudonyms.
- Synthetic data and differential privacy, which algorithmically manufacture data so that it has no connection to real data. A differentially private process is guaranteed to never attribute anything to a specific member of the original dataset. Instead, it only reveals information that is broadly knowable about a dataset.
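As an added illustration (not code from this page or from Spirion), the Python sketch below walks the four automated steps named earlier for one data type: a pattern finds SSN-shaped values, a proximity rule (a label such as “SSN” within 40 characters) separates confirmed personal data from look-alike values such as a tracking number, each finding is tagged, and only confirmed findings are cured in their original location by masking or keyed pseudonymization. The sample text, keyword list and window size are constructed assumptions.

```python
import hashlib, hmac, re

# Constructed sample content (not from the page): one real SSN next to its
# label, and one SSN-shaped tracking number with no personal-data context.
SAMPLE = (
    "Employee onboarding form\n"
    "Name: A. Example\n"
    "SSN: 123-45-6789\n"
    "Shipping label batch 2021-03\n"
    "Tracking ref 987-65-4321 delivered to warehouse 7\n"
)

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CONTEXT_KEYWORDS = ("ssn", "social security", "tax id")  # assumed label set
WINDOW = 40  # characters of context examined on each side of a match

def scan(text, window=WINDOW):
    """Discover SSN-shaped values and classify each one. Proximity rule: a
    match is labelled sensitive-personal only if a context keyword appears
    within `window` characters; otherwise it is tagged for human review."""
    findings = []
    for m in SSN_RE.finditer(text):
        context = text[max(0, m.start() - window):m.end() + window].lower()
        confirmed = any(k in context for k in CONTEXT_KEYWORDS)
        findings.append({
            "value": m.group(),
            "offset": m.start(),
            "label": "sensitive-personal" if confirmed else "needs-review",
        })
    return findings

def mask(value):
    """Masking: replace all but the last four digits with altered values."""
    return "***-**-" + value[-4:]

def pseudonymize(value, key):
    """Pseudonymization: a keyed HMAC maps the same SSN to the same token,
    while the original cannot be derived from the token without the key."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]

def remediate(text, key, mode="pseudonymize"):
    """Apply the cure to confirmed findings only, in their original location."""
    out = text
    for f in scan(text):
        if f["label"] != "sensitive-personal":
            continue
        cure = mask(f["value"]) if mode == "mask" else "pid:" + pseudonymize(f["value"], key)
        out = out.replace(f["value"], cure)
    return out
```

The tracking number is left untouched and surfaced as “needs-review”, which is the false-positive reduction the proximity rule is meant to deliver; in production the HMAC key would come from a key store, not a literal.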
Deliver effective personal data protection with 3 must-have standards
Data security alone does not equate to data privacy. Indeed, 451 Research emphasizes:
“While data security mechanisms are a critical component of achieving data privacy objectives, it is important to broaden the scope of efforts to ensure that data security measures are closely intertwined with perpetual data evaluation and stewardship initiatives. New data is constantly flowing into the organization. A comprehensive data privacy program will have methods to remediate or protect the data at the technical level and assess new data as it flows in and assign proper categorization and classifications.”[7]
In collaboration with 451 Research, we are excited to share our most recent white paper, Deliver Effective Sensitive Data Protection with Three Must-Have Standards. Based on 375 enterprise security professionals’ feedback, the paper explores real-world organizational dynamics and essential technologies of top data privacy practices.
Sources:
[1], [2], [4], [5], [7]: Deliver Effective Sensitive Data Protection with Three Must-Have Standards, 451 Research and Spirion, March 2021
[3]: Voice of the Enterprise: Data & Analytics, Data Management & Analytics Study, 451 Research, 2H 2020
[6]: NIST Privacy Framework, National Institute of Standards and Technology (NIST)