Data Privacy Management in a Digital Age

Transcription

1 Data Privacy Management in a Digital Age Abstract Stringent data protection regulations across the world require organizations to ensure adequate privacy of sensitive data residing within their organizational boundaries. The regulations mandate that organizations adopt a governed approach to data privacy management when they share data with stakeholders externally - within the country or across national borders. The need of the hour is a structured framework to ensure governance-based data privacy management and data sharing. Within an organization, an apex body comprising skilled data governance professionals can leverage a distributed data management solution to help the organization implement a centralized framework. This framework would be aimed at ensuring compliance with data privacy, consent collection, and governance requirements of international as well as national data protection regulations. This paper talks about effective data privacy governance framework and highlights the need for a distributed data management solution.

2 Stringent Data Privacy Regulations a Necessity Over the last decade, digital technologies have transformed the way enterprises work. However, the digital age has also been marked by cyber-attacks, causing massive reputational and nancial damage to organizations. The cybercrime report by Cybersecurity Ventures predicts that global cybercrime costs 1 will be USD 6 trillion annually by According to Gemalto, in rst half of 2017 alone, there were 918 data breaches that 2 compromised 1.9 billion records. These statistics highlight the fact that there is a need to ensure comprehensive data privacy and governance. With advancements in data analytics and smart technologies, most organizations today leverage insights from large volumes of varied data gathered from multiple sources to drive competitive advantage. At the same time, the non-compliance resulting from unauthorized data access forces organizations to nd more effective ways of protecting and governing the data - both at rest and in motion. To help organizations effectively prevent data breaches and safeguard sensitive data, various countries have established data privacy regulations. Some examples include Personal Information Protection and Electronic Documents Act (PIPEDA) of Canada, Personal Information Protection Act (PIPA) of South Korea, and the recently promulgated General Data Protection Regulation (GDPR) of the European Union. In addition, there are industry speci c regulations such as Health Insurance Portability and Accountability Act (HIPAA) and Payment Card Industry Data Security Standard (PCI DSS) of the US. Adhoc Operational and Support Strategic and Business Individual and Enterprise Figure 1: Evolution of Data Privacy Focus

3 Over the years, data protection regulations have become increasingly stringent. The focus has shifted from ad hoc data privacy measures to a highly individual-centric data privacy ideology. Figure 1 depicts the evolution of the focus of data privacy from the pre-digitization era (sensitive data access was physically controlled) to a digitized era (the need for data privacy is driven by individuals). GDPR is a good example of individual-focused data regulation that heavily penalizes 3 organizations in case of data breaches. Cross Border Data Flow Origin of Unique Data Protection Challenges With the world getting more digitally connected by the day, there is increasing demand for open data. While freely available data has the potential to create new business opportunities, the need to protect personal data cannot be understated. To protect individual data across borders, various countries have developed legal frameworks such as EU-US Privacy Shield, Asia-Paci c Economic Cooperation (APEC), and Cross-Border Privacy Rules (CBPR) System, as well as data transfer legal agreements including standard contractual clauses and binding corporate rules. Although there are various region and industry-speci c data privacy laws, there is no common framework for cross border data ow. This makes implementation and enforcement of the data privacy policies dif cult and complex. Effective Data Privacy Governance: Need for Distributed Data Management Solution The proposed distributed data management solution is described by centralized data privacy management and localized implementation of privacy regulations. The key components of the solution and recommended steps for its execution are described as under: Centralized data privacy governance council: Ideally, organizations should create a central data privacy governance council comprising subject matter experts from the areas of data security, data governance, legal and regulatory compliance, business continuity and risk management. Typically, this council will be headed by roles such as Chief Data Of cer (CDO) or Data Protection Of cer (DPO). This council is tasked with three important responsibilities:

4 - De ning data privacy policies while maintaining the right balance between privacy compliance and business bene ts. - Ensuring enforcement by periodically revisiting, standardizing, and monitoring existing data privacy policies, deploying risk identi cation and mitigation frameworks, and reviewing third party legal agreements with clients such as vendors. - Conducting continuous awareness sessions to ensure data privacy and accountability across the organization. Data discovery and classi cation: With huge volumes of data stored across various applications and data centers, it is essential to rst locate and classify the data as sensitive and non-sensitive. The data discovery, classi cation, and movement tracking features of a distributed data management solution can help locate and classify data, while metadata and data pattern matching drive data discovery. Consent collection and management: Ideally, consent management should be deployed at the regional level to collect the consent of individuals whose data is collected and stored. This consent should be stored and managed centrally by distributed data management solution. Data privacy policy digitization: A distributed data management solution requires the digitization of all data privacy policies as laid down by the data privacy governance council. Various data protection techniques such as anonymization, masking, pseudonymization, encryption, or tokenization can be applied during the digitization process. Much like an individual s consent, the policies should be implemented locally but managed centrally. Data request management: To manage data requests, it is essential that all data provisioning and modi cation requests follow a work ow-driven, maker-checker approach. Before sharing the data, organizations are required to enforce some of the aforesaid data protection techniques. In addition, they have to reconcile data requests against the central consent and purpose repository. Any mismatch can then be automatically reported and a log of the activities provided to the governing body for compliance. In essence, collection, sharing, and deletion of sensitive data should be monitored using the distributed data management solution.

5 Data breach management: To ensure automated noti cations in the event of data breaches, the existing data breach management framework should be enhanced and integrated with the distributed data management solution. Meeting Data Privacy Needs of the Future Heightened customer concern regarding data privacy and increasing regulatory mandates are realities that all organizations face today. According to a survey, 92 percent of US internet users are worried about their online privacy and 89 percent say that they would avoid companies that do not 4 protect their privacy. Effective data privacy governance demands digitization using appropriate tools and technologies. A distributed data management solution can co-exist with existing IT applications and also scale up to address the evolving needs of data privacy management. References [1] Cybersecurity Ventures, Cybercrime Report, October 2017, accessed December 2017, / [2] Information on Gemalto website, accessed December Gemalto N.V. All rights reserved. Gemalto, Gemalto logos and product and/or service names are trademarks of Gemalto N.V. or its af liates. Identity-Theft-and-Poor-Internal-Security-Practices-Take-a-Toll.aspx [3] TCS, GDPR Deadline is Approaching, Are You Ready?, August 2017, accessed December 2017, [4] TrustArc, 2016 TRUSTe/NCSA Consumer Privacy Infographic, 2016, accessed December 2017,

6 About The Authors Jayant Dani Jayant Dani is the Chief Architect and Principal Consultant of TCS MasterCraft DataPlus integrated data management platform. With over 20 years of experience in the IT industry, Dani played a leading role in setting up the Big Data practice at Tata Consultancy Services (TCS). He currently spearheads the conceptualization, architecture, design, and engineering of TCS MasterCraft DataPlus platform. His expertise spans technical leadership of large solution teams, client relationship management, and large scale implementations management. Dani is also actively involved in architecting technology solutions across industry verticals and has a number of publications and patents to his credit. He is a Data Security Council of India (DSCI) certified Privacy Lead Assessor and OpenGroup Certified Master Architect. Dani holds a Master of Engineering Degree in Software System from BITS Pilani in Contact Visit the Mastercraft page on mastercraft.sales@tcs.com Sameer Rane Sameer Rane is a Pre-Sales Consultant for TCS MasterCraft DataPlus platform. Rane has 14 years of experience in the IT industry. He has played a leading role in the maintenance, deployment, and management of banking products in the field of treasury and branch management. An expert in the technical leadership of solution delivery teams and customer relationship management, Rane holds a Master Of Science Degree in Electronics and Telecommunications from Mumbai University in Subscribe to TCS White Papers TCS.com RSS: Feedburner: About Tata Consultancy Services Ltd (TCS) Tata Consultancy Services is an IT services, consulting and business solutions organization that delivers real results to global business, ensuring a level of certainty no other firm can match. TCS offers a consulting-led, integrated portfolio of IT and IT-enabled, infrastructure, engineering and assurance services. This is delivered through its unique Global Network Delivery Model, recognized as the benchmark of excellence in software development. A part of the Tata Group, India s largest industrial conglomerate, TCS has a global footprint and is listed on the National Stock Exchange and Bombay Stock Exchange in India. For more information, visit us at All content / information present here is the exclusive property of Tata Consultancy Services Limited (TCS). The content / information contained here is correct at the time of publishing. No material from here may be copied, modified, reproduced, republished, uploaded, transmitted, posted or distributed in any form without prior written permission from TCS. Unauthorized use of the content / information appearing here may violate copyright, trademark and other applicable laws, and could result in criminal or civil penalties. Copyright 2018 Tata Consultancy Services Limited TCS Design Services I M I 01 I 18