When companies manage how personal data is shared and transferred to third parties, much of the effort lately has been focused on bringing legal contracts in line with requirements under the EU General Data Protection Regulation and now, increasingly, the California Consumer Privacy Act.
How can organizations effectively ensure they have the requisite data knowledge to validate data flows and the purpose of processing, as well as monitor data transfers to flag when personal data is going where it shouldn’t?
This is a challenge for many enterprises working toward CCPA compliance, especially those with information technology and development teams embracing data-streaming technologies for continuous movement of data between third parties. In fact, data-streaming and pipelining technologies are often used with the specific purpose of moving personal data for digital transformation objectives. As a result, they require ongoing monitoring to ensure that data transparency efforts go beyond legal agreements.
Further complicating the picture is that enterprises not only require visibility into what data is shared or transferred to third parties, but also who the data belongs to. This is not simply because the CCPA and GDPR mandate that enterprises report on transfers as part of their records of processing and data access rights requirements. It’s because California residents will soon be able to “opt out” of data sharing under the CCPA, whether for sale or for transfer. The definition of “sale” is broadly construed to include any transfer that has value, which could mean affiliated companies using data streaming in order to supplement customer profiles could also run afoul of an individual “do not sell” decision.
So how do enterprises manage to stay on top of all of these complex compliance requirements and keep auditors at bay while not standing in the way of business initiatives? They can do so with an approach built on automated data knowledge with full visibility into whose data is shared or transferred, what the attributes are, as well as the specific protection obligations attached to the data.
Here’s a look at the key pieces required to make it work.
Continuous data mapping and validation
Having a clear and specific legal agreement in place to cover data transfers is a necessary step toward privacy compliance. In today’s increasingly continuous and real-time world, you have to be able to provide evidence that third-party data transfers are, in fact, consistent with the conditions of that legal contract. In other words, you need the ability to compare your actual business processes with the stated ones and validate that everything is in order at any given time.
This requires continuous, automated data discovery in order to support up-to-date flow mapping. More specifically, you need a model that can support documentation of third-party data transfers based on data insights, including the associated business process, third-party names and individual attributes, as well as their associated purpose of use.
Dynamic discovery for data pipelines
A growing number of app development teams are leveraging data streaming to continuously integrate data directly from digital interactions or other potential sources of personal information into analytics processes. That is problematic for privacy oversight, however, because you may not have visibility into whose data and what attributes are moving through the data pipeline until they become static, which doesn’t happen until the data hits the database and, in turn, may be provided by a third-party service.
This means that discovery for data at rest is only a partial answer to validating data sharing flows and serves as a baseline for determining what constitutes a sale, as well as assessing actual data transfers against the stated purpose of processing.
Under the CCPA, organizations will have to be able to assess, for example, whether a business unit using data from another business unit to perform customer profile augmentation as part of a marketing analytics or predictive modeling project constitutes a sale under the CCPA for reporting purposes. Equally, an organization that has monetized mobile app browsing history or internet-of-things device event streams will have to document which specific attributes it shares with third parties and the associated purpose of use.
However, with discovery enabled via application programming interfaces that monitor and cross-check data in motion, covered enterprises can directly report on and validate what attributes are moving, assess whether the flows are consistent with the legally defined purpose of processing and maintain a foundation for operationalizing “do not sell” requests when they inevitably materialize.
A personal context for data sharing
While we will have to wait and see how CCPA enforcement plays out, the right to opt out of the sale of personal data is shaping up to be a central concern for enterprises that embrace data-driven strategies. In all likelihood, much of the initial investment for compliance will focus on providing a “do not sell” link, a toll-free number and tools to manage user preference requests. However, to effectively act on a request, covered enterprises will have to correlate individual requests with data transfer flows and continue to monitor that the individual’s data is not included in future data transfers.
Having data flow mapping and third-party data sharing reporting informed by direct data insights, spanning both data at rest and in motion, serves as the baseline for determining the scope of action for operationalizing “do not sell” requests.
The next step, however, is correlating the request to a specific individual, their associated attributes and the data transfer processes involved. Organizations then must ensure that ongoing policy-based monitoring, via APIs, of data streaming and other data transfer tools is in place to validate that the request has been honored.
A system for closing the loop between insight and action
Taking into account the mapping, discovery and “do not sell” requirements in concert, and in the context of the primacy of data-driven business strategies, there is a clear need to automate not only the process of documenting, but also the monitoring and validating of how data moves, what data is moving and whose data it is.
Not only does a data-driven approach allow organizations to avoid complex and error-prone manual steps, but it can also help to effectively balance business imperatives against privacy risk. Being able to automate monitoring and pinpoint specific individual compliance issues through policy-driven remediation workflows across functional roles can help to align stakeholder interests for the benefit of the enterprise as a whole.
A data-driven approach that has been integrated with tools to manage contractual terms, the data owner and with whom the data has been shared can provide the relevant technical information to enable the respective data or application owner to proactively remediate compliance issues.