February 4, 2020
Are Your DLM and ILM Practices Out of Sync with New Data Privacy Laws? Enter Purposeful Processing
Data lifecycle management (DLM) and information lifecycle management (ILM) are common practices within today’s enterprises. Organizations deploy them for a variety of reasons, including faster data processing and stronger data protection.
While data lifecycle management and information lifecycle management are valuable processes, there is one significant problem — traditional practices are out of sync with today’s stricter new data privacy compliance regulations, like the California Compliance Privacy Act (CCPA) and the General Data Protection Regulation (GDPR). This creates significant challenges for companies working to meet these rules and avoid incurring costly penalties.
To overcome this challenge, organizations need to bring their DLM and ILM practices in sync with the new compliance directives by adding “purposeful processing” to all six stages of the data lifecycle — including creation, storage, use, sharing, archiving, and destroying.
Data lifecycle management and information lifecycle management are two sides of the same coin. Simply stated, DLM is a policy-driven approach to managing the flow of data throughout the six stages of the data lifecycle. ILM seeks to ensure every piece of data included in a record is accurate for its useful life. In other words, while DLM deals with the flow of data files and speed of access, ILM is concerned with what’s in each file and how the data should be managed and protected.
How to Modernize DLM and ILM with Purposeful Processing
To protect sensitive personal data requires understanding exactly where the data lives in the six stages of the data lifecycle. This determines what policies organizations need to apply to keep the data private and secure. Here’s how purposeful processing modernizes each of six stages in the data lifecycle — and brings traditional DLM and ILM practices in sync with new data privacy regulations.
Stage 1 — Creating Data — Add Data Classification
A common scenario for data creation occurs when Company X sells a product or service to Customer A, such as Widget 1. Invariably, data changes hands to execute the transaction. The customer must share some personal and financial information at the very least, such as name, address, phone number, and a creadit card number. All of this data is personally identifiable information (PII) and, therefore, falls under one or more compliance regulations, such as Payment Card Industry Data Security Standard (PCI-DSS) for credit card information. Another common way that Company X attains consumer data is by purchasing it from another company, usually for marketing purposes. By whatever means companies acquire consumer data, they must adhere to all relevant compliance laws that impact that data.
Purposeful Processing Solution — To meet the intensifying privacy and security regulations around personal data, companies can enhance their DRM and IRM systems to include automated data classification. Advanced classification processes persistently tag incoming data according to all appropriate compliance regulations, for example, credit card information will be tagged to meet all PCI-DSS compliance rules. This ensures that each piece of data is properly processed in the next five stages of the data lifecycle.
Stage 2 — Storing Data — Deploy Data Discovery
In an ideal scenario for data storage management, companies would store one single copy of each piece of data in a central repository from which it’s extracted and used, and then deleted. But that does not typically happen. Instead, various departments across organizations access the data for a variety of purposes, such as account management and financial processing. As a result, the same data ends up residing in multiple locations across the enterprise in multiple documents, such as Excel spreadsheets, PDFs, Word documents, images, emails, and more, and on a variety of devices and endpoints. This enhances the risks of data exposure and compounds the challenge of complying with privacy regulations.
Purposeful Processing Solution — Data should not live in multiple locations across an organization. Ideally, it should live in one central depository where it can be secured and accessed according to strict rules. To ensure DLM and ILM systems support this advanced practice, organizations can update their systems by deploying automated data discovery processes to persistently locate any data anywhere across the enterprise — from emails to endpoints — so they can reduce their data footprint and maintain tighter security controls.
Stage 3 — Using Data — Locate Consumers’ Data
One common way that an organization uses existing consumer data beyond the initial transaction is to conduct buying-behavior analysis. This gives companies insight that fuels their marketing campaigns. However, while this was a common process in the past, in today’s intensifying privacy compliance world, consumers have more control over who has their data and how it’s used — and they often do not want their data used to identify them for marketing purposes.
Purposeful Processing Solution — A hallmark of some new compliance regulations, like the CCPA and GDPR, is giving consumers more control over their personal data. Most notably, they can request that companies delete their personal information entirely. To ensure DLM and ILM systems support this new compliance rule, organizations must set up a data discovery process that can rapidly locate an individual consumer’s personal data across the enterprise, so that the PII can be rapidly located wherever it lives and deleted upon request.
Stage 4 — Sharing Data — Execute Differential Privacy
Along with widespread data sharing internally, it’s been a common practice for companies to share consumer data externally with other companies, such as business partners. What’s more, some companies sell packages of consumer data to other businesses to, for example, target people who share similar buying behaviors. But this practice is now facing a huge hurdle as compliance regulations toughen up, and as consumers gain more control over their personal data collection and use.
Purposeful Processing Solution — Because many companies, such as eCommerce organizations, have grown accustomed to using customer data in marketing, they are reluctant to give up this sales advantage. As a fix, they’ve created a new practice called “differential privacy” to make personal data anonymous, so they can retain the business value of data without increasing their privacy risks. The practice involves removing all identifiable personal data, like names, addresses, social security numbers, and credit card information. The catch is that the companies must ensure that they find all of the personal data about each customer, so that the identifying characteristics can be removed before the data is shared. DRM and IRM systems must be updated to include the ability to discover all PII across the enterprise, so that it can be made anonymous using differential privacy techniques.
Stage 5 — Archiving Data — Maintain Access Controls
After a customer’s data is used in a transaction, it often has to be retained for a period of time for a variety of reasons, such as legal, fiscal, research, or for historical value. Most companies maintain data archives where data can only be accessed by assigned parties. But to maintain data privacy and security of all archived data organizations must install airtight controls to uphold internal and compliance access rules.
Purposeful Processing Solution — Maintaining access controls over sensitive data is difficult. To ensure DLM and ILM systems support this stage of the data lifecycle, organizations must identify all sensitive personal data and install strict access controls, including who can access the data, under what circumstances, and when. This ensures optimized policing of data, so that only authorized users gain access, while restricting unauthorized access, thereby, supporting robust data security and compliance.
Stage 6 — Permanently Destroy Data — Discover All PII
Along with being in compliance in the first five stages of the data lifecycle, organizations must also be in compliance with data remediation rules. With regards to an individual’s request to remove data, all of his or her PII must be permanently destroyed. Also, when data no longer fulfills a purpose within a company, it should be destroyed.
Purposeful Processing Solution — To ensure this critical data remediation step is executed within DLM and ILM practices, companies must find every instance of an individual’s PII. An advanced automated data discovery application ensures this step is completed with utmost accuracy.
No business exists to process personal data. They process personal data to be in business. In today’s much more rigorous world of data compliance, this means that organizations also need to be in the business of personal data security and privacy. This means rethinking their traditional DLM and ILM processes — and bringing them in sync with the modern world of data privacy and security compliance using purposeful processing practices, like data discovery, data classification, differential privacy, and strict access controls.