Cross Border Data Privacy Compliance: A Distributed and Automated Approach

 
December 11, 2017

Data privacy has been a fast-developing area from a regulatory point of view, and has organizations big and small watching closely for business and legal impact. As consumers, wittingly and unwittingly, allow businesses greater and greater access to their private data, regulatory agencies the world over are shifting the onus of keeping such data secure and its use controlled onto the businesses. Keeping up with these regulations can often be a legal minefield for companies, with nascent practices and technology limitations making compliance expensive and cumbersome.

In today’s times of borderless business, there is also the challenge of cross-border data privacy. Any company operating in the leading developed and emerging markets today has to contend with legal frameworks such as the EU-U.S. Privacy Shield and the APEC Cross-Border Privacy Rules System (CBPR); legal agreements such as standard contractual clauses and binding corporate rules; and geography-specific privacy laws as well as industry-oriented laws such as the Personal Information Protection and Electronic Documents Act (PIPEDA), the Computer Processed Personal Information Protection Act, and the Health Insurance Portability and Accountability Act (HIPAA). In recent years, the European Union (EU) has come up with a new regulation called the General Data Protection Regulation (GDPR), which is an evolution of its own existing Data Protection Act 1998 and is expected to be applicable from May 25, 2018. This regulation focuses on protecting EU residents’ personal data collected by businesses, regardless of the business’ physical location.

Global businesses face practical challenges in monitoring lawful use of data effectively. Regulatory laws vary across countries and sometimes even within states of those countries, and are evolving over time. As a result, organizations have to keep pace with the changing regulatory landscape. These underlying uncertainties make it challenging to automate the data privacy process within the company’s digital boundary. This can hamper a company’s ability to comply with regulations; for example, the GDPR mandates that companies reveal any breach or unauthorized use of private data within 72 hours of discovery, making automated monitoring, incident flagging and notification a critical requirement.

Automated cross border data privacy management

The problem of automating data privacy compliance within an organization’s digital boundary can be addressed by a centrally managed, distributed data management solution that offers preventive and remedial measures. To enable comprehensive monitoring, the focus should be on defining data privacy policies in line with the organization’s mission and values, while also adhering to geography-specific regulations. For effective implementation, data privacy policies should be digitized. However, since not all policies can be digitized, organizations should also have documented policies, and compliance with such policies has to be monitored manually. To operationalize all this, the data management solution should be scalable to adapt to changes in regulatory laws, and should integrate with existing applications and databases for seamless data flow.

Figure 1: Centrally Managed Distributed Data Management Solution

 

The solution should ideally address the following requirements:

Identification and access to personal data: The solution should effectively identify personal and sensitive data stored within the organization’s IT landscape. The solution should also provide a mechanism to restrict sharing of such data based on available consent.

Centralized definition and digitization of privacy policy: The data privacy policies governing the techniques for data anonymization should be defined and digitized at a central location. The policies should be managed and maintained centrally and should follow the automated workflow request and authorization mechanism.

The digital implementation of these policies should be in line with the data privacy policies defined by the organization’s data privacy committee.

Consent management: Consent management capability should be deployed at the respective geographies to get consent from individuals and government organizations. These consents should be stored and managed centrally by a consent management and authorization module.

Data request management: All data requests and data provisioning should be routed through an automated, distributed data management system. This would ensure the application of relevant data privacy policies and audit recordings before data is shared.

Data privacy policy implementation: The data privacy policies should be implemented and executed in each country or geography as defined by their respective regulations. For instance, a geography-specific policy can contain personally identifiable attributes in addition to common sensitive attributes. After sensitive data is anonymized, the solution should also verify the result against the stored consent before sharing it with data requestors.

Data breach notification: The existing data breach notification framework should be enhanced and extended to integrate with the distributed data management system.

Incident reporting: The distributed data management solution should include a mechanism to reconcile data against consent and purpose. Any mismatch with an organization’s data policy should be reported to the respective application owner in the form of an automated notification.

 

With data privacy regulations spanning geographical boundaries, organizations need to find suitable data management solutions to automate and effectively demonstrate compliance with them all. How is your organization handling the automation of personal data flow across borders in adherence with privacy laws? Tell us in the comments section below.

Jayant Dani is currently spearheading the conceptualization, architecture, design, and engineering of Tata Consultancy Services (TCS) proprietary integrated data management platform, MasterCraft Data Plus. He is also playing a leading role in setting up the Big Data practice in TCS. He has over 18 years of experience, and his areas of expertise include technical leadership of large solution teams, client relationships, and management of large-scale implementations. Dani is passionate about architecting technology solutions across industry verticals and has many publications to his credit, including a paper on Big Data management presented at an Institute of Electrical and Electronics Engineers (IEEE) conference.