SaaS and cloud have already transformed the way businesses use and leverage technology. Organizations of all sizes are outsourcing many of their non-core business functions to specialty providers. Whether it is CRM, HR, recruiting, marketing, project management, payroll, or accounting, there are plenty of SaaS providers to choose from. In fact, Divebell even provides data monitoring of sensitive and personal data as a SaaS service.
So what's wrong with this picture? After all, focusing on core-competency and outsourcing other functions using software-as-a-service to generate efficiency can only be good for the business.
While that is definitely largely true, engaging vendors and sub vendors (referred to as “processors” and “sub-processors” in the world of data privacy), entails sharing data with them. But it is the responsibility of the company doing the sharing (referred to as the “controller” under GDPR), to keep a track of where their data is and what is being done with it.
Especially given the Schrems ruling invalidating the Privacy Shield agreement between the U.S. and the EU, even the exact geographical location of the data is an important variable to track from a compliance perspective, regardless of whether the recently announced framework for transfers between the EU and U.S. comes to fruition. If EU-based personal data is transferred to the U.S. without the proper consent and conditions in place, it can potentially be deemed an illegal cross-border data transfer under GDPR, with the possibility of attracting huge fines and loss of reputation.
The boundaries for custodians of an asset, though, are not just geographical. It is anything that’s “outside” of the company infrastructure. As businesses strive to meet revenue goals and keep up with the competition, and teams are stretched thin in this fast-moving business and tech environment, it is easy to see how you can lose track of where important sensitive and personal data is going and with whom it is being shared outside of the organization. That’s where it’s helpful to have some automation in place, to help IT and compliance departments do their jobs. Having appropriate safeguards in place to ensure you know where data is, and that it stays compliant, safe, and protected is key to remaining compliant and preventing data breaches.
Involve the Right Teams in Early
One of the most common things companies overlook as they put safeguards in place to track and monitor their data, is the early involvement of privacy and security teams.
Earlier in my career, I was part of an organization where the marketing department decided to switch its SaaS marketing vendor from Hubspot to Salesforce Marketing Cloud. Since no privacy or compliance officers were involved early on, no one realized that included in the data being sent to these vendors for marketing was some very sensitive personal customer data. Thankfully, that situation was corrected at a later stage, and we managed to narrowly avoid running afoul of the compliance laws. The details of how this crisis was averted are messy and painful and something I am unable to share in detail, but let me assure you it’s not an experience I wish on anyone!
Monitoring at the Speed of the Business
So what does an organization do? How do you ensure that business keeps moving at the required pace, yet, at the same time, there is proactive monitoring/alerting in place to ensure appropriate diligence is done when the data is seen leaving the company boundaries? Quite simply: Deep automation.
We built Divebell with this scenario of continuous monitoring in mind. It’s nearly impossible for stretched privacy departments to keep track of all the changes in sensitive personal data being stored across the organization's data stores. Our technology is quickly able to find and track this personal data within databases, file shares, and also SaaS applications without putting a burden on your application and data teams. Divebell maintains an accurate inventory of all the sensitive data and proactively sends an alert if it finds an anomaly, based on the rules defined.
Divebell can also detect new temporary data repositories that might have been created for tactical situations like cloud migrations. Too often personal data ends up in such repositories. If not brought to attention, these repositories are never cleaned up and deleted, further exposing the organizations to risk. Divebell proactively sends out an alert that lets you know when personal data changes locations, giving you that extra peace of mind.
Continuous Privacy Impact Assessment (PIA)
You can now configure the rules in Divebell to trigger a Privacy Impact Assessment (PIA) automatically, in case certain sensitive data is discovered. We are very excited about our rapidly expanding features that enable us to offer ‘Continuous PIA’. I will continue to share more information about this in the coming weeks.
To learn more about our Continuous PIA and how we can help with data transfers, send me a quick note at firstname.lastname@example.org
Any opinions expressed here and statements made are not legal advice, nor representations or warranties, and are intended to promote discussion around technology and data protection.