In today’s digital age, businesses have more ways than ever to collect data about their customers and potential customers. Oftentimes, this information is gathered online without the individual even realizing it. For example, when you visit a company’s website you may unknowingly be providing that company with your IP address, browsing history and/or the other pages you are viewing.
The reason companies collect this information is simple: it benefits and informs their marketing efforts. It can also benefit consumers by providing a customized browsing experience, created from the data collected. But, as consumers have come to realize what they are giving up in order to receive that customized experience, they have raised significant concerns around their personal privacy.
Fortunately, the consumer privacy landscape is evolving and regulations such as the EU’s General Data Protection Regulation (GDPR) and the pending California Consumer Privacy Act (CCPA) give consumers more rights over their data. In light of this—and because high-profile data breaches are becoming more frequent—organizations are being forced to change the way they do business in order to satisfy customer concerns around their personal data.
What is Data Subject Rights Management?
Prior to GDPR coming into effect in 2018, government regulations surrounding the collection and use of consumer data were virtually nonexistent. Now, one of the most important requirements covered by every major privacy law is data subject rights management. Under GDPR, CCPA and others, individuals have the right to discover what data an organization is holding about them, why the organization is holding that data and to whom their information has been disclosed.
Is your organization prepared to handle such requests?
The concerns for businesses collecting personal data from consumers are two-fold: compliance and data management. When it comes to compliance, in order to avoid hefty fines and penalties, your organization must consider how you manage your privacy program, use technology, locate personal data and create the required documentation.
On the data management side, there is an alphabet soup of new terms. Data subject access request (DSAR) is a term introduced by GDPR and is associated with a specific set of rights and obligations, but has since taken on the more general meaning above. It is often used interchangeably with subject rights request (SRR), individual rights request (IRR) and verified consumer request (VCR). And decoding the terminology is just the first step in knowing how to handle consumer data.
Consumer Privacy is a Compliance-Driven Data Management Issue
Managing data subject requests from consumers can quickly become a burden for organizations of all sizes. Even if your organization has already spent significant time and resources to build a secure infrastructure to store collected data, responding to a DSAR means that the data must be moved out of the encrypted data stores into something else—likely email or a custom application—to get it to your customers, or to whoever is asking for the information. This presents a significant security challenge.
Not only is the security of personal data while fulfilling a DSAR a concern, but the sheer number of requests an organization receives is only going to rise. With CCPA set to go into effect on January 1, 2020, both B2B and B2C organizations are facing a surge of DSARs from consumers and third parties.
CCPA is primarily targeted at large companies that buy, receive or sell personal data. Take, for example, a MarTech company whose business is to sell or resell data. Every single one of their customers must be able to manage a rights request from someone they have no direct relationship with. For organizations that will be impacted by CCPA, now is the time to prepare to securely and efficiently manage this surge. Platforms like WireWheel enable businesses to manage this process more efficiently—and with security and privacy enabled.
The Power of Layered Encryption
Encryption is not an explicit requirement for CCPA or GDPR compliance, but it is encouraged. Under CCPA, organizations whose data is encrypted may avoid fines in the event of a breach. This means that organizations must consider how to review data and deliver it back to the consumer in a safe and secure way.
For ultimate security, encryption should travel with the data so that it is protected end-to-end, regardless of where it is shared. In fact, consumers are probably better off not even making a DSAR in the first place if the organization they are requesting the data from doesn’t have data-centric encryption layered into their data management solution.
With layered data-centric encryption powered by Virtru, WireWheel ensures the privacy and security of personal data exchanged between companies and consumers. By encrypting personal information at every stage of the data supply chain, organizations can boost productivity while reducing their risk and remaining in compliance with CCPA and GDPR.
But encryption on its own isn’t enough. Ease of use is equally important. WireWheel’s platform uses built-in two-factor authentication and single sign-on to establish an efficient, automated, secure, flexible and continuous process to handle the volume of DSARs most B2C companies experience. Using machine learning for data discovery and classification, WireWheel provides insight into an organization’s data management architecture, along with the context and control required to make privacy management decisions.
Virtru’s persistent protection, key management, access and discovery tools ensure only authorized users have access to data. With the Virtru Data Protection Platform embedded in the DSAR process, data is sent securely and encrypted from request to delivery.
A Growing Need for Privacy Engineering
As compliance regulations and data privacy laws become increasingly stringent and individuals’ expectations for how their personal data is collected, processed and shared rise, organizations need new solutions to protect personal information. WireWheel addresses this by integrating the Virtru Data Protection Platform to secure their existing infrastructure.
Innovative organizations—such as WireWheel—with a need for privacy engineering, no matter the application, can incorporate Virtru’s capabilities into their own technology, empowering developers to protect and ensure the privacy of sensitive data wherever it’s shared. Now, engineering teams can quickly add data protection and control to existing applications, no cryptographic expertise required.