The Evolving Levels of Effort
GDPR, effort, sensitive data subjects, overview, database, management

Many years ago, in order to clean a used shirt, people would take a basket down to the river and let the flowing water soak through it. They would then hang it on a rock, and let the sun take care of the drying. At a later stage, when soap was invented, they would spread soap on the shirt before dunking it into the river. This was suddenly considered the best effort one could give to clean a shirt. As time went on, sinks were placed inside houses, and the revelation was great. People could finally do laundry in the comfort of their own home.  Throughout the years, washing and drying machines were invented, along with detergents and conditioners. Nowadays, it’s unheard of for someone to bring clothes down to a river and allow the natural elements to clean them for her.

Did the people back then not understand how dirty clothes are without ever washing them with soap? Were the people back then not making enough effort? I think if we could go back in time, each one of them would say they were giving their maximum effort. It’s important to remember when scanning any historical phenomenon, that we are exposed to much more information and technology today than they used to be.

As you can see from this example, maximum efforts are dynamic, changing over time. GDPR, CCPA, and all data compliance regulations require us to “make our best effort” to keep the data we store private. Companies want to make their best effort in order to toe the line with these regulations, while their main goal is to protect their customers’ privacy.

The Manual Approach to Data Privacy

The question for me is whether the manual approach that most data privacy companies take is still considered the “best effort”. The manual approach basically says to a company “Tell me where your databases and repositories are, and I’ll locate your PII (Personally Identifiable Information) within”. However, this approach has a few major flaws.

First, what about the data repositories you are unaware of? Repositories are constantly being created, whether on purpose or by accident, and there is no efficient way to track it all manually. Next, you will create major logistical challenges finding time and employees to organize each data asset’s information into one area. There are multiple repositories in every organization, and it is nearly impossible to track down every place each data asset’s PII may potentially be held. Lastly, and perhaps most importantly, is that the personal data we store is constantly in motion. Let’s say I somehow have the resources to pull this off, and I can figure out how to organize it all. Great, I had it all for that moment. What happens one second later when the database containing Jon Doe’s information gets moved from IP address to another, or when I create another duplicate repository without noticing?

From our interactions with customers, it is clear that the manual approach isn’t the answer. We can see that every company is interested in maximizing its maximum effort. The IAPP Report supports this, showing that 80% of organizations are looking to use a network approach for their personal data discovery. Already, more than two-thirds of organizations are employing Networking Activity Monitoring technologies to understand how personal data is traveling throughout the organization.

The Network Approach to Data Privacy

Only a network approach can track how your personal data is processed, stored, and shared in virtually real time, and give you a constantly updated view on where your personal data is being stored and shared within the enterprise. Additionally, it cuts out the logistical problem of wasting employees’ time, because it’s automatic. Another advantage is that is that a network approach can organize your personal data about each customer into a single area. This is especially important for dealing with DSAR and the right for erasure. How can you erase all personal data you are storing of a person if you can’t even keep track where it’s all being stored? Perhaps the biggest advantage of a network approach, however, is that it gives your company insight into your repositories that you didn’t even know existed.

 

With network-based approaches out there for personal data discovery, can we really still use a manual approach and call it our “best effort”? Are we the people from way back when that are 100% certain that a river is the best method for doing our laundry? Or are we the 2019 version of people, where we can make our maximum effort better? Get on the right team.

Share this post with your friends

Subscribe to our Newsletter

To be first to read our newest posts, subscribe to our newsletter here. Your information will not be shared with 3rd parties. We are a data privacy company after all.