Protecting your organization's or business's IT systems against cyber attacks and possible breaches is of the utmost importance.
Clarip, Inc. provides technology that assists in the protection of your private information. Andy Sambandam, founder and CEO of Clarip, Inc., recently shared how the company protects your data.
IoT Evolution: The industry talks a lot about security, but most of what they are trying to protect is data. Can you help talk about security from the protection of data side?
Andy Sambandam: We hear a lot about breaches. There is a news story almost monthly, sometimes weekly, about a major security breach, with the most recent high-profile examples being Equifax and Yahoo. The reality is most security breaches are, in fact, privacy breaches. Someone's data is being lost. Data protection is very important, and the EU (European Union) regulation known as GDPR requires, among other things, companies to create and employ a "Data Protection Officer". In most organizations, there is a gap between what Legal/Compliance knows and what is actually happening on the Marketing side. The marketing folks engage with different tech vendors and use tools that depend on "another" third party, and data flows down the chain... in some cases without the knowledge of the compliance person. Data protection is a function that is critical today, since companies are collecting data from multiple channels and engaging with customers and tracking them.
IoTE: Often the word privacy gets associated with personal information. What are the implications of privacy from a corporate viewpoint?
AS: There are many sides to privacy from a corporate point of view. Regardless of whether or not you are a consumer-facing business, you are handling someone's data. This data could be employee data, corporate customer data, and/or consumer data. Whether you're a retailer, hospital, insurance company, financial institution, or entertainment company, you are likely handling personal information in one form or another. In some cases you handle more data than just name, address, and social security number. Even an IP address is considered Personally Identifiable Information (PII).
So when you are looking through a corporate lens, you also need to understand not only what data is being collected, but what data is being shared with partners and how the data is being used. Data is collected under your brand's umbrella, so this is a risk you need to understand and handle responsibly. If one of your technology partners is using the collected data in a manner that was not originally intended, you could face serious liability.
Understanding customer and/or employee preferences is important because in today's age, you interact with them across multiple channels. When you have permission, you can engage when and where it matters most without violating one's privacy. Every person has different preferences on how they are communicated with and about what. Plus, they want to have more control over what information about them is shared and with whom.
Furthermore, it is critically important for companies to reconcile what is stated in their privacy notice with what is actually happening in the code on their websites/apps. We have seen many cases where data collection and sharing is occurring that the company is unaware of. So tools that can identify these "gaps" are vitally important. Third-party cookies and beacons must be carefully monitored. Usually the CISO's or Chief Privacy Officer's eyes get very wide with concern when they see this information in visual form.
IoTE: What standards impact the management of data?
AS: Companies who have customers in Europe also need to comply with the General Data Protection Regulation, or "GDPR". This is a new regulation that applies to any company with customers that reside in the EU, whether the company itself is located in the EU or not. This new law, which takes effect in late May 2018, is designed to protect all EU citizens from privacy and data breaches.
Under the new law, EU data subjects have the right to give or withdraw consent, the right to access personal information, the right to be forgotten altogether from systems, and the right to take their personal data with them (portability). The law requires a "privacy by design" approach, breach notifications, and in some cases the appointment of a Data Protection Officer. The penalties for non-compliance are significant. Organizations in breach of GDPR can be fined up to 4% of annual global revenue or 20 million euros (whichever is greater).
IoTE: Internationally, there are rules about where data is stored. How does that impact privacy management strategies?
AS: These rules have a big impact on an organization's technology strategy. Typically we see companies partner with local data centers to handle this. Especially in the EU, with GDPR and other regulations, companies are setting up infrastructure and relying on cloud vendors that guarantee local data centers and servers to store data and run applications from.
As you can imagine, however, the laws in each country are different and ever evolving. The laws in parts of Asia may vary from country to country, while in North America, the laws in Canada are different from those in the US. It also puts significant pressure on the CISO, Chief Privacy Officer, and General Counsel in a company to make sure the legal notices are in sync with what's actually happening in software, and that they are complying with local regulations. It is critical to partner with the right privacy management vendor who understands cross-border regulation. At Clarip, we use hybrid AI (Artificial Intelligence) to help organizations manage privacy risks, manage customer consent, identify gaps in disclosure notices, and easily implement proactive risk monitoring tools.
Edited by Ken Briodagh
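The "gap" check the interview describes (what the privacy notice discloses versus which third parties the site actually contacts, with cookies and beacons as the signals to watch) as an added example. This is not Clarip's or IoT Evolution's code. It assumes a crawl of the site has already produced a log of HTTP exchanges in the constructed shape below, that the privacy notice yields a plain list of disclosed vendor domains, and that collapsing a hostname to its last two labels is an adequate stand-in for the Public Suffix List; the storefront, vendor names and requests are all constructed sample data.

```python
"""Flag third parties a site contacts that its privacy notice does not disclose.

Added example, not Clarip's product code. The request log and the disclosed
vendor list are constructed; a real run would take them from a crawler (HAR
file, proxy log) and from the published privacy notice respectively.
"""
from dataclasses import dataclass, field
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Collapse a hostname to its last two labels (cdn.shop.example -> shop.example).
    Assumption for this sample only: production code should consult the Public
    Suffix List (e.g. via the tldextract library) so 'example.co.uk' is handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


@dataclass
class Request:
    """One observed HTTP exchange from a crawl of the site (constructed shape)."""
    url: str
    status: int
    content_type: str = ""
    body_bytes: int = 0
    set_cookie: list = field(default_factory=list)  # cookie names from Set-Cookie


BEACON_PATH_HINTS = ("pixel", "beacon", "track", "collect")


def looks_like_beacon(req: Request) -> bool:
    """Heuristic for tracking beacons: a tiny image, or an empty 204 reply on a
    tracking-style path. Real scanners also inspect query parameters and scripts."""
    path = urlsplit(req.url).path.lower()
    tiny_image = req.content_type.startswith("image/") and req.body_bytes <= 100
    empty_ack = req.status == 204 and any(h in path for h in BEACON_PATH_HINTS)
    return tiny_image or empty_ack


def audit(requests, site_domain, disclosed_vendors):
    """Return {third_party_domain: sorted findings} for every third party the
    crawl contacted that is neither the site itself nor a disclosed vendor."""
    disclosed = {registrable_domain(d) for d in disclosed_vendors}
    findings = {}
    for req in requests:
        host = urlsplit(req.url).hostname or ""
        domain = registrable_domain(host)
        if domain == registrable_domain(site_domain) or domain in disclosed:
            continue
        reasons = findings.setdefault(domain, set())
        # Any request at all hands the visitor's IP address (PII) to the third party.
        reasons.add("receives visitor IP address")
        if req.set_cookie:
            reasons.add("sets third-party cookie: " + ", ".join(sorted(req.set_cookie)))
        if looks_like_beacon(req):
            reasons.add("tracking beacon")
    return {d: sorted(r) for d, r in findings.items()}


# Constructed crawl of a fictional storefront; none of these hosts are real vendors.
SAMPLE_REQUESTS = [
    Request("https://shop.example/", 200, "text/html", 12000, ["session"]),
    Request("https://cdn.shop.example/app.js", 200, "application/javascript", 88000),
    Request("https://collect.analytics-vendor.example/collect?sid=1", 204, "", 0, ["_av"]),
    Request("https://px.adnet-example.net/pixel.gif?u=42", 200, "image/gif", 43, ["uid"]),
    Request("https://tags.chain-vendor.example/track/ping", 204),
    Request("https://fonts.example.org/inter.woff2", 200, "font/woff2", 40000),
]
# Constructed list of vendors the (fictional) privacy notice actually names.
DISCLOSED_IN_NOTICE = ["analytics-vendor.example"]

if __name__ == "__main__":
    report = audit(SAMPLE_REQUESTS, "shop.example", DISCLOSED_IN_NOTICE)
    for domain, reasons in sorted(report.items()):
        print(domain)
        for reason in reasons:
            print("  -", reason)
```

On the constructed data the disclosed analytics vendor is skipped even though it sets a cookie, while the ad pixel (cookie plus tiny image), the downstream tag host reached through the chain (204 on a tracking path), and the font CDN (IP address only) are all reported, which is the kind of list the interview says makes a CISO's eyes widen. Treat the beacon heuristic as a starting point: it will miss script-based trackers and should be tuned against the site's own traffic.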