Companies Can’t Comply Without Knowing Their Data Flows

In CCPA, Compliance, Data Flow, Data Lineage, Data Privacy, GDPR, Information Management by clairvoya

Learn How To Meet The New Standard Of Care

If you deal with data, there’s one simple truth: you can’t comply if you don’t know your company’s data flows. Privacy regulations, information security, incident management, records management, and more require insight into data flows to meet regulatory obligations, executive expectations, or customer demand. 

That reality has made understanding data flows the new standard of care for anyone involved or responsible for enterprise data. To meet that standard of care, they need to be able to answer five fundamental questions:

  1. What’s in the data?
  2. Who touched it?
  3. Where did it come from?
  4. How did it change?
  5. Where did it go?

Without answers to all five questions, a company isn’t in compliance and is exposed.

Privacy Matters

For privacy, data flows are a vital imperative across the numerous regulations created through the years. From CCPA and GDPR to a plethora of vertically focused federal privacy laws (US Privacy Act of 1974, HIPAA, COPPA, GLBA), there exists a legal requirement to understand the movement of information within organizations to meet the underlying obligation.

“Privacy regulations are primarily concerned with how data is used and how it flows through your organization. From a compliance perspective, you have to know lineage (data flows). It’s a practical matter,” says Clairvoya CEO John Ritter.

Understanding data flows for privacy purposes assists with that essential question of context—under what circumstances is access to certain data elements acceptable? Without it, companies can’t comply with regulator or consumer expectations.

Information Security Controls

The complement of privacy compliance is information security posture. Without insight into data flows, cybersecurity professionals make decisions about access and technical controls without fundamentally knowing how data is being used.

“If data is water and how it flows is a river, think of the controls put in place as a dam.  Without understanding data flows, organizations are putting dams in places without a good idea of how information is flowing. Without that knowledge, those dams may be on top of mountains or in the middle of deserts instead of rivers, where they could prevent undesired access or activity”, says Clairvoya CTO Phil Richards.

Having actual insight helps cybersecurity teams understand the operational reality of their company’s data flows so they can implement controls that prevent the type of activities that create risk.

Incident Management

What happens when organizations don’t know their data flows? High-profile breaches like Blackbaud, Marriott, and the DNC and Sony email breaches are examples of a failure in controls. And some are facing privacy fines like the British Airways GDPR fine and impending CCPA levies now that the California AG recently started enforcement.

“Information protection, privacy compliance and incident management are so interrelated that you can’t separate them. Incident management is effectively failed privacy and security,” says Ritter.

 If these companies knew what was in their data and where it was going, they would have responded better. Data flows can convey if controls are failing in advance of a breach because it can show that data is in places where it doesn’t belong or isn’t intended to be. And the stakes have never been higher for understanding data flows. With laws requiring notification to individuals in case of a breach in all fifty states and each breach costing companies an average of $8.19 million, companies need that information to better command and control response and take preemptive steps to avoid them in the first place.

Records Management

Underpinning and supporting all of the above is records management, which includes programmatic identification and categorization of an organization’s information from creation through disposition.  Records management professionals everywhere struggle to understand their data so that a records schedule can be built and implemented in a way that’s automated and sustainable. And understanding how data is used and where it’s flowing is a key part of properly determining classification according to the schedule. Missing the mark may mean handling information in a way that’s at odds with regulation, increased risk from holding onto data too long or deleting too soon, or a lost opportunity because companies can’t make the most of the information available.

A Better Way to Map & Understand Data Flows

Although it’s critical to complying, signs point to companies struggling to understand data flows and the limitations of commercial solutions available to help with that task, according to a recent Law.com article. This struggle goes beyond privacy compliance and applies to the fundamental obstacles to data flow enlightenment across the board. Everyone is facing the challenge of determining a way to understand data flows that is efficient and cost-effective.

While the need to understand data flows has existed for some time, it has primarily been addressed via interviews and surveys. Those methods often capture data flows at a point in time and are subject to the judgment and recollections of those questioned. And while technology solutions attempt to transcend those challenges by leveraging machine learning and artificial intelligence to create a more informed view of data flows on certain data sets, they are limited to the underlying information, a specified date range, and expensive. For the most part, there is still a gap in meeting the full requirements of compliance.

However, the problem is not unsolvable, and there is a way to gain a holistic and defensible hold over data flows. Clairvoya has developed patent-pending data lineage technology that solves the problem and delivers a comprehensive, objective picture of data flows. By employing blockchain principles, it shows data lifecycle and flows – how data has changed, where it came from and where it went. This approach connects the data or document with any changes in content, location, and user to tie it all together, allowing companies to understand the full life cycle of the data element and how it flows through people, lines of business, and the entire organization.

This blockchain technology is immutable and automatic, with no action required once it’s implemented. While other technologies rely on AI and analytics to derive data lineage and flows, Clairvoya uses actual intelligence. With Clairvoya’s blockchain-based data lineage, organizations have complete visibility and control in high fidelity and, most importantly, the confidence to answer the five critical questions to ensure compliance today and in the future.

Contact us for a demo to see how Clairvoya can provide unprecedented insight into data flows.