Eight principles of Consumer Data Privacy


Consumer data privacy has attracted a wave of concern and coverage over the last few years as nation-states and regulators continue to roll out new rules to protect the privacy rights of Internet users. Numerous regulations are now in place across different geographies, including the General Data Protection Regulation (GDPR) in the EU, the California Consumer Privacy Act (CCPA), Virginia’s Consumer Data Privacy Act (CDPA), the New York Department of Financial Services Cybersecurity Regulation (NYDFS), Brazil’s Lei Geral de Proteção de Dados Pessoais and others.

Data privacy is a complex problem, and the challenge is compounded by so many new regulations coming into effect at once. Cloud data management systems offer a practical solution through a privacy-by-design approach built on a unifying concept: all of these regulations share eight principles of consumer data privacy.

[Figure: 8 principles of Consumer Data Privacy]

Right to be Forgotten

The right to be forgotten empowers consumers to request erasure from data processors who store their personal data.

This seemingly straightforward requirement is anything but, because organizations must first be able to find the requested data, which may sit in silos of enterprise data or be hidden as orphaned objects within database tables. Personally identifiable information (PII) may be found in databases, emails, spreadsheets or file servers, so sensitive data discovery is the critical first step to erasure: only data that has been found can subsequently be deleted or purged.

Right to Access

The right to access requires data processors to give individuals access to the personal data stored in their systems. For example, an individual may submit a Subject Rights Request (SRR) form to obtain information about their personal data.

Requesting an SRR is simple, but responding to one is not. Data processors need a comprehensive ability to search for and discover sensitive personal data across all data types. This ensures that the SRR response is thorough and that the individual has full access to the personal data stored by the organization.

Right to Rectification

The right to rectification provides that individuals may request that errors found in their personal data be corrected, including updating inaccurate values and completing missing fields.

A comprehensive search and discovery capability is once again essential for data processors, but since the rectification process also requires that data be updated, processors also need role-based access control to limit privileged access to sensitive personal information.

Right to Object

The right to object empowers individuals to request that data processors stop processing their personal data at any time.

The right to object includes opt-in and opt-out methods for consumers to voice their concerns about how their data is used for processing. Metadata management and data catalogs improve visibility and control, allowing controllers and data processors to search multi-cloud landscapes for all instances of the data and remove it from processing.

Right to Data Minimization

Consumer data privacy requires that controllers and data processors limit the collection of personal data to only what is necessary. The data minimization principle requires that the data collected be relevant to, and sufficient only for, the stated purpose.

Metadata management and data catalogs help administrators explore their data landscape to confirm the scope of data to be processed, and Information Lifecycle Management (ILM) provides data retention policies to ensure that data is purged (deleted) once it is no longer needed.

Right to Data Portability

The right to data portability means individuals are able to obtain and reuse their own personal data for their own purposes. This obligation requires that processors be able to move, copy or transfer personal data easily from one IT environment to another in a safe and secure way without affecting its usability.

As organizations store more and more data in multi-cloud repositories, open source data management standards have emerged from the World Wide Web Consortium (W3C). Without data portability, a person’s data is accessible only through the platform where it is stored. A cloud-native, W3C-based architecture ensures an individual’s personal data is stored in standard formats that any platform can read.

Right to be Informed

The right to be informed provides assurance that consumers are told what personal data is collected and how it will be processed, including retention periods and disclosure of any data sharing agreements.

When organizations collect personal data directly from the individual, they can inform the individual directly about the collection and use of their personal data. When organizations collect data from third-party sources, they still need to take ownership of informing individuals that the data has been collected. Informing the individual can be done through layered notices, dashboards and just-in-time notices (emails / smart devices), no later than one month from when the data is collected.

Right to not be Profiled

The right to not be profiled is an individual’s right not to be subject to solely automated decisions, including profiling. It restricts when this type of processing may be carried out and gives individuals specific rights in those cases.

Personal data about individuals is collected from a variety of sources and may be analyzed to classify people into different groups or categories using techniques such as machine learning. Linkages between different behaviors and characteristics are identified to create profiles of individuals that are useful for sales and marketing when used responsibly. Data masking obfuscates the personal data but still enables automated individual decision making and data profiling.

SOLIXCloud Consumer Data Privacy

Data privacy by design is an architected approach to cloud data management that ensures all data privacy regulations globally are met instead of requiring different solutions for different geographies and jurisdictions.

SOLIXCloud Consumer Data Privacy is a suite of three tools that complement the W3C open-standards-based security of the SOLIXCloud Common Data Platform and the eight principles of consumer data privacy.

[Figure: SOLIXCloud Consumer Data Privacy]

Sensitive Data Discovery: Sensitive data is prevalent in every organization, but not every organization is able to locate all instances of its sensitive data so that it may be properly secured. Structured, semi-structured and unstructured sensitive data may be spread across multiple clouds and file server silos, and discovering where sensitive data is located is a crucial stepping stone towards enabling data privacy.

Data Masking: Static and dynamic data masking obfuscate sensitive data, as required by regulatory statutes, so that the data’s syntax is maintained but the actual values are masked, redacted, encrypted or anonymized. Data masking is required for all non-production instances of PCI, PHI and PII.
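As an added illustration of the discovery and masking steps described above (example code written for this edit, not part of SOLIXCloud or the original post), the block below scans constructed sample records for PII by value shape, including a card number buried in a free-text field, and then produces a masked non-production copy in which separators and domains are kept so the syntax is preserved while the values are replaced by keyed, deterministic tokens. The records, the patterns and MASK_KEY are constructed assumptions, not anything from the page.

```python
import hashlib
import re

# Constructed sample rows (not real data) standing in for records pulled from a table or export.
RECORDS = [
    {"id": 1, "email": "alice@example.com", "phone": "415-555-0134",
     "note": "Card 4111-1111-1111-1111 on file"},
    {"id": 2, "email": "bob@example.org", "phone": "212-555-0199", "note": "no card"},
]

# Discover by value shape, not column name, so PII buried in free-text fields is found too.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"\b\d{3}-\d{3}-\d{4}\b"),
    "pan": re.compile(r"\b(?:\d{4}-){3}\d{4}\b"),
}

MASK_KEY = b"constructed-demo-key"  # assumption: in practice a managed secret, never in code

def discover(records):
    """Return (record id, field, kind) for every sensitive value found."""
    return [(r["id"], f, k) for r in records for f, v in r.items()
            if isinstance(v, str) for k, p in PATTERNS.items() if p.search(v)]

def _digest(value):
    """Keyed, deterministic digest: equal inputs mask to equal tokens, so joins still line up."""
    return hashlib.blake2b(value.encode(), key=MASK_KEY, digest_size=32).digest()

def _mask_digits(m):
    # Keep every separator, replace every digit: the syntax survives, the value does not.
    digits = iter(str(b % 10) for b in _digest(m.group(0)))
    return "".join(next(digits) if ch.isdigit() else ch for ch in m.group(0))

def _mask_email(m):
    local, domain = m.group(0).split("@", 1)
    return _digest(local).hex()[:12] + "@" + domain  # domain kept, identity removed

MASKERS = {"email": _mask_email, "phone": _mask_digits, "pan": _mask_digits}

def mask_value(value):
    """Rewrite every discovered value inside one field; non-strings pass through."""
    if not isinstance(value, str):
        return value
    for kind, pat in PATTERNS.items():
        value = pat.sub(MASKERS[kind], value)
    return value

def mask_records(records):
    """Static masking for a non-production copy of the records."""
    return [{f: mask_value(v) for f, v in rec.items()} for rec in records]
```

Because the shape of each value is preserved, running discover() over the masked copy reports the same fields as the original, which is a useful check that nothing was skipped.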

Data compliance: All sensitive and personally identifiable information must be governed by Information Lifecycle Management (ILM) policies and business rules across its lifecycle. These rules must be enforced by design and meet auditable standards of compliance.

SOLIXCloud data management solutions support the eight principles of consumer data privacy. Through privacy by design, a W3C industry-standard architecture and the SOLIXCloud Consumer Data Privacy solution suite, controllers and data processors are better able to achieve regulatory compliance.