One of the thorniest operational issues privacy pros face is classifying data to assess risk. With reams of personal data stored in a plethora of different areas within an organization, identifying and mapping out what is stored, where, and assessing how sensitive it is can be a real challenge.
This was evident less than two years ago during an IAPP training session for CIPT in Brussels. At the time, GFT Technologies CPO Ernst-Oliver Wilhelm, CIPP/E, CIPM, said, “You have to explain that we need to always be reevaluating the existing assets and the existing threats.” KPMG Senior Manager Mark Thompson, CIPP/E, CIPM, CIPT, then added, “And, at the same time, constantly be reevaluating what is considered the most valuable or the vulnerable data.”
Assessing, mapping and classifying all of this data, on a virtually constant basis, is no small task.
Several tech startups are beginning to realize this need and are building technological tools to help organizations – and specifically privacy pros – with it. Last year, we reported on DataGravity’s data-aware storage, for unstructured data sets.
Now add a new startup focused on identifying privacy assets throughout the organization. Israeli-based BigID last month announced a $2.1 million seed round to bring to market what they call an enterprise privacy management platform.
“We were motivated by the level of massive PII breaches we were still seeing,” BigID co-founder Dimitri Sirota told Privacy Tech in a phone interview. “We were also reflecting on all the new privacy regulations – especially the EU’s General Data Protection Regulations – as well as the various enforcement actions in the U.S., particularly with the FTC and FCC.”
Sirota said they wanted to find a “big data solution that focused on governing PII.” The enterprise platform scans an organization’s databases to find exactly where PII is stored along with assessing the risk and usage of that PII. Sirota explained that such a system helps prevent breaches before they happen, and if they do happen, having a comprehensive map will prevent companies from scrambling when dealing with regulators. He said BigID also offers tools to deal with specific requirements from new laws – think GDPR.
BigID co-founder and Head of Products Nimrod Vax said the company takes a different approach than other more traditional services because they focus strictly on identifying PII. He said they locate the most sensitive data through a proprietary scanning technology. It also provides a score to measure data's identifiability. Vax said, after the scan, they can build a data inventory and determine the residency of the organization's identities to assure the correct regulations apply.
Vax also said if an organization does get breached, faces an audit or an investigation, they will know the impact and scope of what kinds of identities were affected. That way, companies can give more accurate information to a regulator or auditor. He pointed out that the scanning process is relatively quick and can give an organization a snapshot of their stored data. But companies can go further with BigID and build a more holistic map of stored data - what is being access and by whom, what is stored or shared and with whom, and for how long it's stored. Then a privacy officer can add the legal context that is needed to complete the data mapping process.
Sirota pointed out that BigID is not a consultancy. "We work with auditors," he said. "We are a products company and our software is used inside a company's data center." He said their software scans primary and secondary databases. "We mine your data as little or as much as you want," but he also pointed out that "the more data we get, the more analysis we can do" for the client.
BigID's scan can produce three different maps, Sirota explained. The identification map help users understand what data belongs to what user and what regulations would apply to that user. A second map - call it a risk map - provides a glimpse into the varying risk factors of stored data. "We do this because we want you to focus on high-risk data so you can respond and react" to the riskiest information. Finally, a third map demonstrates how stored data is used by various applications.
CPOs may be dealing, said Sirota, with a board of directors or outside counsel, and often have to depend on their IT teams to generate information on laying out where and what data is stored. "Think about our tool as equipping three groups to align and get the job done quicker, with no spreadsheet or word docs, whatsoever," he said.
In terms of security, BigID only uses its software on an organization's premises and does not duplicate any data. "We don't increase the amount of PII," Sirota stressed. He said their solution is also flexible for an organization's needs. So, for example, if a company only needs to scan where their data is, BigID can do that quickly as well as provide a risk map. But other organizations may want more analysis, and BigID can offer that solution as well.
"Privacy is still in its infancy," Sirota said. "If you look at our solution, it provides a degree of maturity so that organizations can deal with complex privacy issues. It's important that privacy departments receive the level of investment and maturity. Our tool can help."
If you want to comment on this post, you need to login.