Companies large and small rely on hundreds of applications at any one time, and these applications contain customers’ personal information.
Regulations around the world are becoming stricter about how certain types of personal data can be collected and stored, and they are expanding data subject rights. At the same time, more and more users are gaining an understanding of how apps use their data, and they are demanding more control over that data.
DataGrail, a privacy technology company based in San Francisco, is hoping its upgraded privacy platform will provide companies with a scalable tool to automate data-subject requests for all the apps they employ through an integrated approach.
“Consumers really are looking for control of their information,” DataGrail CEO and founder Daniel Barber said. “But the reality is, the business probably has no idea what applications it's actually purchased. And second, that results in the business really (not knowing) what information is collected about you and this becomes a kind of privacy nightmare.”
“From day one, we've been an integrated-first business, meaning we believe the only way to solve this problem is with a truly integrated solution,” he added.
Barber said DataGrail has already fully integrated with more than 1,300 third-party software-as-a-service applications, and it now works with internal data systems such as custom databases, data warehouses, unstructured data stores, and internally built apps. Customers would integrate their systems with DataGrail’s API+, which is currently listed as generally available in all markets, Barber said.
For customers such as Salesforce, DataGrail works like this: the application programming interface is already integrated into the company’s website when the company receives a data subject request (DSR) from a user. A web administrator can then see all the DSRs that have been made on a dashboard. For a specific user, the administrator can see which company applications store that user’s data and can fully process the DSR through the dashboard.
“The challenge that we saw (was) there really wasn't a systematic way to approach this problem,” Barber said. “Other businesses that have entered the market tried to build custom solutions that would actually expose the business to pretty significant security risk, versus what we've taken here is a method that can be scalable for companies.”
In contrast to competitors, Barber said, DataGrail does not seek to connect directly to a company’s production environments, an approach that becomes engineering-intensive for a company to integrate.
Customers “can connect to our API in minutes,” Barber said. “And that then allows them to provide privacy rights to individuals that are looking to exercise those rights.”
And the demand for automating DSRs is only increasing. According to DataGrail’s own California Consumer Privacy Act Trend Report, DSR deletion requests doubled from 2020 to 2021, and companies are now receiving requests from all 50 states.
Barber said that the API+ is built so that when a new privacy law is passed in any jurisdiction, the system can accommodate new DSRs made under that specific law in a user-friendly and efficient manner.
“You can see these integrations are all very simple to do,” Barber said. “They are all API-based. They will come with (documents) that indicate, ‘Hey, this is how you do this.’ Once a person connects to this application, then that's it, they are not involved in the process anymore.”