Automation of Data Privacy:
You have all this data available in your data stores or is available in third party services. Before you build out your business services, you should be familiar with what type of data you are allowed to store, share or use for your clients. Depending on your business' locale and or your clients locale, you will be required to understand the laws and regulations around data acquisition, use, and dissemination. Most of the rules that regulate data revolve around data privacy to protect individual, organizations and businesses.
For example, firms doing business in California have to follow CPRA (California Privacy Regulations Act) and US Privacy rules. You have equivalent counterparts in other geographical regions such as GDPR (General Data Protection Rules ) for the Europe Union.
Why should a business care about privacy and privacy rules? It is crucial for users to trust the parties they engage in business with to safeguard their information from bad players who engage in fraud and theft. This saves users or businesses from oversharing sensitive information that could lead to loss of assets or reputation.
Applying the rules:
It takes specialists in the regulatory law to understand all the regulations. And, business specialists to translate those regulations into business terms. Therefore, the rules being applied should apply to the data you have or want to acquire and the business you are engaged in.
Define your business requirements.
The process is iterative as rules and business requirements change. To kick start the process, you will need to start with very general business requirements such as type of business you are engaged in and location of your business and clients. You should understand how data will influence your business. Therefore, some technical savviness can bring success.
Data asset identification, categorization and classification.
Both business and technical professionals need to create a data catalog to identify data categories and business classification. What is the difference between data classification and categorization. Categorization refers to technical data attributes such as as id, url, IP address, name etc. Classification refers to the business use of the data such as audio, visual, PII, metadata etc.
For example media data categories can be graphical, audio-visual etc. And these can be classified further into human identifiable, protected or unprotected data. Some privacy rules and intellectual property rules may apply to human identifiable data and protected data respectively.
Transactional data often be classified into financial data, PII or other metadata. These may require different rules to use, store and share. For example, an organization may require auditors to have access to financial transactions, but Privacy laws may require PII to not be shared along with financial data to 3rd parties. Other jurisdictions may find certain attributes in metadata to be PII such as IP address or cookie information. Therefore metadata may need to be reclassification for different jurisdictions.
Documentation can be a data dictionary which maps data attributes to human readable description; their business classification; and location such as database or 3rd party API service.
Rule mapping.
Rules governing your data assets can be mapped to the catalogs’ classifications and subsequent categories. For example mapping potential jurisdiction overlaps and their PII or metadata (IP addresses or cookies).
Another example is mapping jurisdiction rules governing facial recognition in photographs or videos captured public areas.
Regulatory and Business professionals need to collaborate here to complete classification to rules mappings. Technical professionals can refine the rules mapping to the categories if needed.
You can use the data dictionary to construct a score attributed to a rule.
Impact assessment.
What impacts do the rules have on your business?
Also, what rules require special attention or resources in order to remain certifiable or trustworthy?
Impact assessment can be captured graphically as score or color code on data classifications. A summary or business-wide Impact Assessment can also be derived for each data privacy rule.
You can continue to refine the impact assessment by revising the rules, classifications and categories.
Prescription analysis:
Impact assessment can help drive the execution of the rules by narrowing down problem areas and prescribed solutions. Prescribed solutions are a continuous process as upstream processes and requirements continue to change.
How much change do you intend to make in each cycle? This happens to be dependent on how much is invested in each cycle and how many cycles or iterations you plan to have. Thus driven by business planning and by engineering capabilities.
Automating the rules:
Manual execution the rules can be done during analysis.
Automation may require some more planning and design from technology specialists. Some considerations for the technology stack are required. For example, PII may need to be abstracted at the data layer during persistence or upon request. Here, action identification or data stream processing can trigger a prescriptive action such as logging a warning, throwing an exception, or url redirection.
Authorization layers should be put in place to limit data visibility and augmentation.
Data filters can be inserted into API requets to limit certain columns and also limit data request volumes.
AI and ML filters can be implemented to supervise user behavior and detect unscrupulous requests..
No comments:
Post a Comment