Last Updated Date May 25, 2021

The Data Privacy Landscape

Data privacy is a broad and complex topic. Increasingly, we include ‘data privacy’ in the broader term of ‘data protection’, which includes data breaches, data loss prevention, information risk management and secure disposal. Activities range from identification and masking of sensitive data (test data, reports, PII, etc.), to mapping regulations for protected data, to prevention of unauthorized access, data breaches or hacks.

Any organization that collects information on individuals (entities such as Employees, Students, Patients, Vendors, Contractors, etc.) needs to be sensitive to data privacy and protection concerns. Any individual or organization that shares or sells sensitive data with other organizations needs to be confident that their data is secure and is used in the manner agreed to when the contract to share/sell data is established. Data privacy is increasingly relevant to just about any company that moves data within their walls or externally. And customers increasingly want to know how their data is being used and how it is being protected.

The volume of collected sensitive data is experiencing exponential growth and presents a host of challenges:

  • Diversity in the form of structured, semi-structured, and unstructured data
  • Proliferation as data moves around the globe from personal devices, data stores, including Hadoop nodes, cloud instances, file servers, and relational databases
  • More users from more locations, functions, and geographies
  • Exponential growth in onsite, remote, and mobile access points

Given the highly complex IT environments of today’s average enterprises, merely tracking where data travels and how it is stored throughout the data lifecycle is profoundly complex. Most industries are working to become increasingly data-driven, increasing pressure to innovate rapidly, often using personal data to create more meaningful experiences for direct and indirect customers. Business units often spin up hybrid/cloud-based analytics environments to answer specific business questions, develop predictive models or test theories. More and different types of business users want access to potentially sensitive data.

Clearly, data-driven organizations need to ramp up a holistic approach to finding, analyzing, monitoring, and protecting sensitive data. This requires people, processes and technology. Today’s complex IT landscape is very dynamic and protecting data that lives on multiple platforms and applications requires sophisticated technology that can trace large swaths of data and scale rapidly.

 

Data Privacy Considerations

1. Discover, Classify and Understand Personal and Sensitive Data

Given the complexity of modern IT environments, it’s worth taking a step back from the day-to-day operational solutions and performing a risk-based analysis of the sensitivity of the data being used, to answer the following questions:

  • What data is being collected? Why? What kind of risk does this introduce?
  • How is it being used? Who is it being shared with? Are there internal/external controls?
  • Can it be audited and tracked? Does it introduce ‘discoverability’?
  • Who is it being shared with? What types of reports does it support?
  • Does storing this data present other liabilities?
  • Are there policies for archiving/purging or inactivating data over time?
  • Are there mechanisms in place to detect data breaches?
  • Is there a notification mechanism that alerts those accountable for risk remediation?
  • Is the business value of data privacy results being measured?

First use the Enterprise Data Catalog (EDC) to scan repositories of data for meta-data about that data and integrate it into Axon, tying the Data Sets and Attributes from EDC to the Axon Glossary definitions created by the business.

Then reuse the EDC scans with Data Privacy Manager (DPM) to scan for sensitive data and how it is protected to build out risk dashboards. As DPM scans the data for protection information, it also creates an index of which subject/person data lives in which systems. This subject index can be used later to create a more detailed Subject Registry.

 

2. Define and Manage Governance Policies

Evaluate the current policies and standards for:

  • Regulatory compliance
  • Consumer protection
  • Data access
  • Governance of app-sharing programs and file exchanges
  • Security policies and programs
  • Record retention schedules
  • Cyber-security from hacks or data breaches

Use these findings to create Policies in Axon that can be integrated into DPM and develop a comprehensive plan to set up monitoring and control mechanisms. Align this plan with business initiatives that may be impacted and link the business value of protecting data against the risk of leaks, fines, or damage to the corporate image by connecting the Axon Policies to the Processes and Systems that support them.

 

3. Analyze Data Risk and Establish Protection Plans

An effective data protection program minimizes the use of sensitive data, reduces the risk associated with using sensitive data, and helps keep business-critical and regulated data secure and out of the hands of illegitimate users. The best way to develop and maintain such a program is to think of it as a long-term set of business processes, not a once-and-done project. Data protection and privacy practices will follow data over the course of its lifetime within the organization. Configure privacy policies, rules and domain requirements in DPM to identify what to look for when scanning repositories for protection information.  This information feeds the DPM Risk Dashboards and proliferation diagrams to assist with the ongoing monitoring that is a critical component of a Data Privacy plan.

Integrate the DPM risk information into Axon to use the results of the assessment to ensure that basic security guidelines are in place, including perimeter and end-point security. Analyze core business processes to identify sensitive and personal data, where it is created and how it is used. Prioritize the data that needs protection and classify it according to the type of risk it presents.

Define sensitive data in DPM. ‘Sensitive data is any data that if lost, stolen or exposed, could financially harm the organization, cause reputational damage, or be reason for termination.’ Develop a unique list of sensitive data that may include PCI, PHI, financial or other regulated data, as well as company-confidential data. Broad new consumer protection regulations such as GDPR, HIPAA, FINRA and CCPA will have a far-reaching and potentially costly impact on organizations who need to design new capabilities to track what consumer information is collected, where it is stored, whether it is accurate, and whether it can be purged upon request, among other provisions. Financial, geopolitical and other types of regulations will determine how legal/compliance teams define ‘sensitive’ data.

Develop visibility into the data lifecycle. Understand how sensitive or private data travels within the organization, across applications and for business purposes. Make sure that data stewards and data owners are aware of the risks this data presents and that policies and data protection mechanisms are developed to safeguard the data according to privacy regulations and company policy. Formalize and communicate privacy policies and standards to elevate awareness among the business and IT community. Policies or guidelines can be configured in DPM to identify where data should be and where it should not be. When these policies are violated, notifications via email or service management tickets can be created to trigger further investigation. Protection policies can also be configured in DPM. When data is found to not be compliant with these protection policies, DPM can be configured to automatically remediate the non-compliance by masking/obscuring the data, removing it, or taking other actions as configured in the policy.

Establish accountability for data privacy. This should be a core component of a data governance program. Authority for developing and monitoring adherence to data protection standards should be clearly designated. Data Stewards, business owners and security analysts will ideally work interactively to jointly develop data and business policies and processes to monitor against them. Deviation from privacy standards will be a key metric to track. These stakeholders are assigned to every facet in Axon, from Data Sets to Systems to Glossary definitions to Processes and Policies, and so on.

 

4. Locate and Map Personal Data

As personal and sensitive data is discovered, it's important to map or keep a registry of which Systems, Tables, Interfaces, Reports, and other repositories an individual's personal data is found in. This is extremely useful when complying with Data Subject Access Requests (DSAR) that are mandated by most regulations. Depending on what information the legal/compliance team has decided needs to be returned in a DSAR response, either DPM can be used to build the Subject Registry based on the subject index created during the scans or, if large amounts of transactional information are also returned in the DSAR response, Customer 360 Insights (C360i) is another possible place where a subject registry can be built.

Also consider linking individual subject identities to mastered person records and to mastered consent records found in Informatica’s Master Data Management (MDM) product to accelerate the locating of subject information and tying it to information in Axon such as the systems and processes it was used in, the categories of personal information used in the process, the business purposes for collecting and sharing/selling the information, and the categories of vendors it was obtained from or shared/sold to, etc.

 

5. Protect Data, Manage Rights Requests & Consents

Protect personal data in operations, not only in production environments but also in development, test, and analytics environments. Base this on the policies established above for encrypting, masking, obscuring, and obfuscating the data and for keeping up with record retention timeframes minus any legal holds, using Test Data Management (TDM), Persistent Data Masking (PDM), and Dynamic Data Masking (DDM).

Consent policies require obtaining permission for collecting and using information for specific purposes and for sharing/selling personal information. Subjects need to be able to grant, rescind and re-grant permission over time, so it's important to establish a system using our MDM Consent Management accelerator that can track who has consented to what, when, for how long, and for what purposes.

 

6. Measure, Communicate and Audit Readiness

Every data governance council, business unit, Data Protection Officer (DPO), Chief Data Officer (CDO), Chief Information Officer (CIO), etc. needs to be able to measure the effectiveness of their data privacy programs by collecting metrics and creating dashboards and reports that enable them to communicate not only to internal departments but to external auditors as well. While individual products have their own dashboards (Informatica Data Quality (IDQ) for profiling scorecards, EDC for meta-data and lineage, and DPM for protection/risk data), integrating the individual dashboard information into Axon provides the most comprehensive vision of the current state of data.

Regardless of whether regulations require Reports of Processing Activity (ROPA) and Data Privacy Impact Assessments (DPIA), this is just good business information to know and to guide Enterprise planning efforts and day-to-day operations. Axon and DPM API calls can be orchestrated by IICS to provide consolidated data in consumable formats to 3rd party reporting tools such as Tableau, QlikView, PowerBI, etc. to create reports and provide more elegant formatting options.

 

In General

Automate where possible and identify tools that can support the following capabilities:

  • Centralized data governance management that efficiently handles policy changes and compliance reports through Axon workflows.
  • Standardized data definitions and security policies created in a collaborative community in Axon.
  • Transactional repositories that record privacy related information about what the data was used for, to make privacy reporting easier in either the DPM Subject Registry or C360i.
  • Continuous sensitive data monitoring and risk analysis that makes it easier to prioritize security programs and investments through DPM policy enforcement.
  • Identity-based intelligence, which provides global and granular analytics of sensitive data based on identity to support data subject access requests and integration with consent management through the DPM Subject registry or C360i and the MDM Consent Management accelerator.
  • Rich, interactive visualizations that provide a complete understanding of data movement both inside and outside the enterprise and between partner and client organizations through DPM Risk Dashboards, EDC metadata and lineage diagrams, IDQ profiling scorecards, or combined dashboards in Axon.
  • Integrated protection that connects discovery, risk, and monitoring to automated remediation through DPM.

Finally, develop a phased approach to building the data privacy program. Start by prioritizing the most sensitive, high-risk data and develop processes and resources to protect this data. Or identify and prioritize high visibility privacy use cases (e.g., DSAR responses, ROPA reports, DPIA analysis, etc.). Once demonstrable results are achieved and the process has been refined, increase the scope incrementally, ensuring that policies and monitoring are effective. As the scope increases, the nature of the data may also change, which may require different governance relationships, policies, and protection tactics. Allow the data protection, tracking, and consent management program to be flexible, but ensure that it is scalable so that ultimately a comprehensive approach to data protection and privacy is developed.
