Blog

  • Privacy

Data Classification to Support Subject Rights Requests and Proactive Privacy Management

With modern data stores decreasing the price of storage, it’s now possible to collect more data and keep every scrap. Yet, it has become increasingly difficult to know what type of data you’re collecting and which data is subject to data privacy laws. This lack of visibility is a challenge for privacy teams struggling to manage Subject Rights Requests.

Simply put, if you can’t identify and monitor where an individual’s information resides and how it’s used, you won’t be able to produce it for a Subject Rights Request (SRR). You also won’t be able to modify it or remove it to meet SRR requirements. To locate data related to an individual making a request, you need the capacity to search files across vast repositories and group data together. That calls for data classification.

Security and IT teams may already have data classification schemes in place to rank data according to risk categories and make operations more efficient. Unfortunately, most data classification approaches don’t address the practical needs of privacy teams.

As part of our series on managing Subject Rights Requests, we’ll take a look at how data classification schemes that log and validate repositories of personal data can provide privacy teams with the granular supervision they need to do their job. With a coordinated approach, privacy, IT, and security teams can design and manage data classification processes to match privacy requirements.

A Coordinated Approach to Data Classification for Privacy Management

1. Classify Data to Flag Information Subject to Privacy Laws

What’s in your data stores? Did you know that 21% of files in the cloud contain sensitive data that could be regulated by privacy laws? This includes personal data, protected health information, information about minors, and other types of personally identifiable information (PII).

PII is any information about an individual that can distinguish or trace that individual’s identity. GDPR has loosened the definition of PII so that it now includes more than personal data such as name, email address, and social security number. The scope of PII has expanded to include related information that can be linked to an individual. As a result, you need to follow all of the links from personal data to additional information which could be analyzed and connected back to the source and classify that data as well. This includes information provided by supplemental data sources or observed through automation or analysis (a user went to a certain webpage, purchased a product, etc.) or inferred (such as preferences based on behavior).

Unstructured data, such as customer comments, reviews, blog posts, customer service notes, account management emails, even internal messaging, also needs to be classified as potential sources of personal information. Especially when combined with personal data, this type of unstructured information represents behavior-based insights that can become personal information.

By labeling, grouping, and classifying data, you’ll be able to identify personal data that represents the highest risk and must be handled with care to meet privacy obligations. You’ll also have more fine-grained control over access rights for personal data because you’ll know what’s inside.

2. Automate Processes to Classify High Volumes of Data

Make sure you classify data you store, as well as data you process or compute. When data lives in multiple places, it may need to be classified differently, depending on how it is used.

Automated classification and tagging solutions save time and energy to surface, categorize, and prioritize data.

When databases are managed in the cloud, it’s much easier to classify data automatically. Technology can provide insights into database schemas, which can then be analyzed at the top level to identify personal and sensitive personal information. Data can be tagged into key categories related to data protection requirements. Schema analysis can also be run automatically to collect data in a way that keeps information evergreen.

3. Verify Automated Classification

As great as automated classification is, it can’t do the job alone. Even with comprehensive data discovery and classification, data labels and tags within a data store can’t tell you all the information you need to know. Data may look innocuous on the surface, but actually be sensitive, personal information. Privacy management requires human judgment to confirm categories, provide context, and review results for false positives and negatives.

For example, it’s clear that names, email addresses, and social security numbers are personal data. But what if your database includes a series of numbers for each account? On the surface, these are just numbers. But, if each number represents what political party a person belongs to, that is personal information that should be protected. An automated classification scan will result in false negatives, and you may never know until an audit or data breach uncovers the problem.

To protect personal information and reduce risk, IT and security leaders need to collaborate with privacy professionals as well as business functions to understand the process and intention behind data usage and ascribe meaning to data to create a complete picture. Technologies and processes must support collaboration so that everyone involved in privacy management – from Privacy Offers to legal, compliance and security teams – shares the same information and can adjust quickly.

4. Adapt Classifications as Needed to Meet Changing Definitions and Data Lifecycle Stages

Any system that classifies and tracks personal data needs to be flexible enough to adapt to new requirements.

Privacy laws are evolving and definitions are changing. For example, we expect that data categories noted in CCPA will be further refined and may require new types of classifications.

Additionally, data doesn’t stay in a static state. Through its lifecycle, data may be moved, amended, appended, redacted, etc. Classification schemes need to adjust and continuously update as data changes.

WireWheel Data Discovery Classifies Data for Privacy Management

WireWheel’s data privacy management solution incorporates data classification directly into a central, accessible platform that lets you respond accurately and rapidly to SRRs.

WireWheel connects to Amazon Web Services, Google Cloud Platform, and Microsoft Azure via our API for a rapid scan of your data, including data-related integrations with vendors and partners. We parse structured and unstructured data to find patterns, label and group information according to risk and privacy categories you define. Continuous scanning keeps information current as data is added and processed so you always have the most complete, up-to-date information.

  • CCPA & CPRA
  • Regulations

Our Take on California’s New Ballot Initiative

A year after his initial success with the California Consumer Protection Act (CCPA), Alastair Mactaggart is continuing to advance the privacy journey with a new California ballot initiative slated for the November 2020 election. The California Privacy Rights and Enforcement Act of 2020 seeks to continue the work started by CCPA by strengthening consumer protections and defining new requirements businesses need to follow.

Key Elements of the Ballot Include:

  • Enhanced efforts to restrict access to information regarding children and teenagers. While the existing statute focuses on permission to sell that data, the new proposal would require a company obtain permission before collecting data from consumers younger than 16 – an “opt-in” provision. If the person is 13 or younger, the company would need approval from a parent or guardian to collect data.
  • Requirements for technology companies to disclose information about the algorithms used to target consumers with specific advertisements.
  • Creation of a new state agency to field privacy questions and complaints and enforce the privacy protections rather than leaving oversight to the California attorney general’s office.
  • Tracking the time period a business intends to retain each category of a consumer’s personal or sensitive information, providing the business doesn’t retain information for each specific disclosed purpose for which it was collected for longer than is reasonably necessary.

Our Take: Change Is Inevitable

Privacy legislation is an ongoing journey that is going through a period of great change. CCPA brought new requirements for organizations to track the types of data they were processing and the types of vendors they were sharing it with and provide that information to consumers via Subject Rights Requests. When CCPA was penned, however, we knew that clarifications and changes would follow.

This new initiative underscores the importance of the privacy issue and is a step toward building an infrastructure that can provide expert, detailed guidance.

The Importance of Transparency

The new requirements further the goal of putting control of personal data in the hands of the people to whom it belongs.

Since the early days, modern privacy legislation has been crafted to implement controls directed at achieving our core human values. Privacy is a fundamental right that resonates with all humans. “The right to left alone” as it has been described demonstrates that humans want to be in control and choose how they interact with the world. This concept was penned by Louis Brandeis, a member of the supreme court, when describing core privacy values and challenges in a Harvard law review article he authored in 1890.

Technical advancements have fueled the pursuit of these rights over the past 40 years. All business transactions are now completed with the aid of computers and produce digital information which has become increasingly more personal and sensitive. This information – although about people – is not controlled by the people to whom the data refers. Additionally, this information has become an entity unto itself and contains valuable details on how we live, eat and function.

Flexibility Is Key

In creating these and other new requirements surrounding the processing of personal information the ballot authors will be forcing organizations to further improve their data management capabilities.

Granular tracking of data collection procedures, opt-in management, analytic operations, and data retention will require more details about the data to be captured, stored and understood. Serving up the right data to complete a Subject Rights Request will be an exercise of understanding the status and make-up of any particular piece of data quickly and accurately.

Privacy management platforms will have to be flexible and scalable enough to support these new requirements. Comprehensive inventory and classification solutions that enable organizations to understand and track sensitive customer data will be key to meeting current and future privacy regulations.

  • Analyst
  • Company

WireWheel Privacy Management in Three Gartner Hype Cycles

Recognizing the influence of privacy requirements on key business and technical decisions, Gartner has placed privacy management tools within not just one but three 2019 Hype Cycles.

The privacy landscape is changing rapidly and new technologies are emerging on a continuous basis. “Maturing privacy requirements globally have driven organizations to identify specific privacy requirements and compliance needs, creating substantial demand which has driven rapid development in the emerging vendor space,” Gartner reports. “Security and Risk Management (SRM) leaders in organizations that operate in multiple jurisdictions especially benefit from privacy management tools, facing various privacy laws. Similarly, SRM leaders operating in regulated industries such as healthcare, financial services and in regulated jurisdictions like the EU, or facing U.S. state privacy requirements like the California Consumer Privacy Act (CCPA), will benefit from these tools.”

But Why Three Different Hype Cycles?

By including WireWheel as a Sample Vendor in the Hype Cycle for Privacy, 2019, Hype Cycle for Data Security, 2019, and Hype Cycle for Risk Management, 2019, Gartner believes people come to the privacy problem from multiple perspectives. Each function in an organization – privacy, security, and risk management – has its own objectives, metrics and solutions. Privacy is where they intersect.

Privacy teams are subject matter experts typically responsible for managing Subject Rights Requests (SRR) and Privacy Impact Assessments (PIAs). Security teams keep personal data safe from cyber threats and insider abuse and must store and classify data according to privacy needs. Risk management teams consider privacy in light of legal requirements and business continuity.

None of them can address privacy on their own, which means privacy solutions must meet the requirements of all three. As Gartner points out, “wherever possible, SRM leaders should participate in related security, risk and compliance initiatives to achieve efficient spending across these disciplines and ensure that deployed tools sufficiently cover privacy demands. After all, various stakeholders require information dashboards with differently presented information, essentially derived from the same subsystems.”

According to Gartner, each Hype Cycle drills down into five key phases of a technology’s life cycle:

  • Innovation Trigger: A potential technology breakthrough kicks things off. Early proof-of-concept stories and media interest trigger significant publicity. Often no usable products exist and commercial viability is unproven.
  • Peak of Inflated Expectations: Early publicity produces a number of success stories — often accompanied by scores of failures. Some companies take action; many do not.
  • Trough of Disillusionment: Interest wanes as experiments and implementations fail to deliver. Producers of the technology shake out or fail. Investments continue only if the surviving providers improve their products to the satisfaction of early adopters.
  • Slope of Enlightenment: More instances of how the technology can benefit the enterprise start to crystallize and become more widely understood. Second- and third-generation products appear from technology providers. More enterprises fund pilots; conservative companies remain cautious.
  • Plateau of Productivity: Mainstream adoption starts to take off. Criteria for assessing provider viability are more clearly defined. The technology’s broad market applicability and relevance are clearly paying off.”

Interrelated, Integrated Solutions Appear in All Stages of Each Hype Cycle

Gartner includes WireWheel as a Sample Vendor of privacy management tools, noting “comprehensive (privacy and risk) management tools and consulting services are priced at a level that is prohibitive for many privacy officers, who usually have only a limited budget, which drives an increased interest in specialized (and less expensive) privacy management solutions. Hence, purpose-built (modular) privacy management tools have emerged that focus on fast deployment and usability.” The “modular” approach WireWheel enables is key for organizations starting to manage and automate critical privacy activities at scale. For example, companies expecting an influx of Subject Rights Requests (SRR) under CCPA come January 2020 need to get up and running with cost-effective solutions that solve their immediate need.

Additionally, to realize its true transformational potential, privacy management must be approached with a holistic strategy. Gartner notes that “finally, there are early indications that multiple privacy tools, developed for very specific use cases, are starting to converge toward more comprehensive privacy management platforms that can replace fragmented current solutions.” Gartner recommends “ideally, tooling supports compliance with both oversight, documentation and transparency, and offers integration with associated platforms such as data-centric audit protection (DCAP) or mobile device management (MDM), where control over personal data throughout its lifecycle is in scope” and advises companies to “look for privacy management vendors that integrate with various vertically connected solutions.”

We agree. Privacy can’t be managed in a silo. That’s why WireWheel is built to integrate with and enable many privacy solutions.

  • Data classification to organize information assets and identify personal data
  • Data security governance for risk assessment, prioritization and mitigation
  • Data operations to improve the communication, integration and automation of data flows
  • Privacy-by-design strategies that embed privacy often and early in technology development, procedures and processes
  • Consent and preference management that allows customers to determine how much of their data to expose, to whom and for what purpose
  • Format-preserving encryption to protect data at rest and in use, for example when fulfilling Subject Rights Requests

A comprehensive approach to privacy management considers every part of the privacy experience, both for internal teams and external customers and partners. By incorporating multiple solutions at every phase of the Hype Cycles, from the Innovation Trigger to the Plateau of Productivity, WireWheel’s approach supports you throughout your privacy journey.


Disclaimer

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

  • Privacy

The Difference Between Privacy and Cybersecurity and Why It Matters

The terms “privacy” and “cybersecurity” are closely intertwined but they aren’t the same. Your organization needs to excel at both privacy and security to maintain customer trust and comply with regulatory requirements. Understanding how these concepts differ and how they overlap impacts how you structure internal operations, collaborate across teams, and measure success.

While it’s possible to have security without privacy, it’s impossible to have privacy without security. Why is that?

Security Is about Safeguarding Data and Systems from Unauthorized Access.

The goal of cybersecurity is to keep external threats and malicious insiders from breaching critical systems that hold sensitive information, including personal data and corporate intellectual property. In addition to keeping information confidential, cybersecurity must also maintain system availability and data integrity.

To mitigate the risk of a cyber-attack, cybersecurity teams implement a variety of security tests and controls. For example, encryption, multi-factor authentication, and password protection solutions determine who can access what, including IoT systems that share information without human intervention. Security tools such as firewalls, virus scans, and data loss prevention software lower the risk of cyber-attack by monitoring IT systems and identifying and blocking unexpected behavior.

Let’s say all users accessing your customer database are “authorized” and their behavior is “expected.” Your IT systems likely meet the security test. But, do your operations meet the privacy test? Not necessarily. Anyone with valid credentials could view and manipulate a customer’s personal data or use it for a purpose for which consent has not been received, and that customer may never know.

Privacy Is about Safeguarding Information Tied to Personal Identity.

The concept of privacy is both more granular and broader than security.

How is it more granular? Importantly, privacy relates specifically to personal information, including any information related to an identified or an identifiable individual. Phone numbers, email addresses, financial and healthcare information, etc. are all personal information when they are tied to a unique individual. Privacy laws such as the General Data Protection Regulation (GDPR) and California’s Consumer Privacy Act (CCPA) are designed to protect customers’ personal information.

Why broader? When you collect or process personal information, you take on an obligation not only to keep it safe from cyber-attack, but also to treat the information you collect responsibly and fairly and in line with the consent provided by the consumer.

Individuals have the right to keep their own information confidential. If they do share information, they have the right to expect it will be kept private and used only for the purpose they have authorized. Their information should never be accessed, shared or sold without their knowledge.

To meet privacy obligations, you need to ask the following questions:

  • Am I am being fair to my customers in the way I treat their data?
  • Have I explained to my customers how I treat their data, in a way that they easily understand?

To answer these questions privacy professionals are responsible for knowing answers to four fundamental privacy pillars:

  • What data do you have
  • Where that data is stored
  • Where data is processed
  • What third parties have access to that data and what are they doing with it

A privacy program can’t address these four pillars without the support of a security program. While the privacy team typically sets the requirements for data management, the security team typically selects and runs the actual IT systems and tools that manage data storage, access, sharing, and reporting.

Improving Collaboration and Communication Between Privacy and Security

Within an organization, there are often two distinct roles: a Chief Information Security Officer (CISO), who typically has an information technology background, and a Chief Privacy Officer (CPO), often an expert on legal and compliance issues. Although their areas of expertise and approaches may be different, these leaders and their teams must build a cooperative relationship to be successful.

The most effective and efficient privacy and security teams set a foundation for collaboration by putting a few core tenants in place:

  • A shared vocabulary for data classification. Security and privacy teams need to agree on how data is categorized. What data is considered “personal” or “protected?” Data classification allows certain data to be tagged and tracked throughout its lifecycle.
  • Transparency. Security and privacy teams need to share information about where data resides, who has access, and what data processing actions have occurred. When both teams can see the same information in a common platform, they save time communicating and planning.
  • Employee empowerment. Security and privacy teams are each responsible for making sure everyone in an organization, as well as third-parties that touch data, have the knowledge and ability to manage data responsibly. People must be trained on security and privacy best practices and understand their legal responsibility for acceptable data use. They must be empowered with tools that allow them to do the right thing regarding personal data and still be able to get their jobs done productively.

Both privacy and security are critical for an organization’s success. Let’s face it; their fates are intertwined. If a cyber attacker does circumvent security controls, he or she may access and expose personal data, triggering numerous privacy violations and destroying customer trust. Building a privacy operation based on close collaboration with IT security teams is an essential step in the privacy process.

Click here to learn more about WireWheel’s unique approach to privacy.

  • Privacy

Keys to a Customer-Centric Privacy Experience

Keys to a Customer-Centric Privacy Experience

Customer relationships have always been at the heart of a successful business.

Companies that craft exceptional customer experiences outperform the market by 107.5%, due to higher revenue and lower expenses. When customers believe a company has been serving them well and made them feel special, over 40% are willing to forgive the occasional mistake.

What Does Customer Experience Mean for Privacy Teams?

Customer service has been the traditional domain of marketing, sales, and support teams, not privacy and security leaders. For the most part, legal, compliance, IT operations, and infosec teams focus on strengthening internal processes, rather than creating an exceptional experience for external customers.

Until now.

The latest privacy laws have made consumer privacy experience a core requirement. Both EUGDPR and California’s Consumer Privacy Act (CCPA) are designed to bolster consumer understanding and control over how personal data is collected, processed and shared. To achieve compliance, privacy teams now need to consider the end-to-end privacy experience, from the very first touch a customer has with a brand to the potential interactions that may follow.

Communication about data privacy must be fast, friendly and above-all, customer-centric.

Privacy Notices and Preference Centers

Privacy notices and preference centers are critical communication vehicles to build customer trust and understanding. “As companies start to think through their customer preference center and how they are going to address individual rights, having some granular choices that show real transparency is going to be important,” says PwC’s Jocelyn Acqua, an expert on cybersecurity, privacy and regulatory risk.

As soon as your customers visit your website or interact with your product, you have the potential to collect data (including user behavior and preferences) that can become personal information.

At or before the point of data collection, businesses subject to CCPA must notify consumers of categories of personal information collected (bought, rented, obtained, received, or accessed) and the purposes – or potential purposes – for which that information will be used. CCPA doesn’t explicitly say how companies should communicate this information, but guidance from privacy experts provides clear direction.

“A consumer can only truly consent to the collection, use and the sale of their personal information – including the terms of service and privacy policies they readily click to agree to – if they understand what information is being collected,” Mary Stone Ross, co-author of the CCPA initiative, writes in an article for IAPP.

GDPR Shows its Teeth: Enforcement of Transparency Requirements

Recent developments with GDPR underscore the importance of transparency when communicating data privacy information with consumers. At the start of this year, the French Data Protection Authority (CNIL) issued a fine of €50 million against Google for infringing GDPR’s principle of transparency.

Although Google’s information regarding privacy was posted publicly, according to CNIL, it wasn’t sufficiently accessible or understandable to a typical reader. As the finding states, key information was “excessively disseminated across several documents, with buttons and links on which it is required to click … implying sometimes up to 5 or 6 actions.”

TO DO: As European regulators seek ways to show the GDPR has some teeth, review your own privacy communications from the perspective of a first-time visitor seeking information. Is it clear? Can you get what you need?

Data Subject Access Requests (DSAR)

“Data subject access is coming up all the time,” Jocelyn notes. “The question that we’re getting is how to be responsive to customers in an efficient way.”

As a first step, companies need simple ways to receive subject access requests from customers. When they receive them, they also need automated ways to manage the collection of data and get it ready and approved internally. Finally, they need a secure method to efficiently and reliably deliver information back to the requestor.

“Companies need technology to work collaboratively across their enterprise,” explains Jocelyn, so they can streamline the DSAR process internally, ensure accuracy and accelerate response time. If requests take too long to process, customers may wonder about the accuracy of the information and lose trust. Worse, they may share their concerns with others or escalate using the courts.

TO DO: Test your own DSAR process from a customer perspective. How long does it take to process a request? How do you feel about the results?

How Can You Make Your Privacy Interactions with Customers More Human and More Helpful?

We’ve put together recommendations to improve the customer privacy experience with the Ultimate Guide to Data Subject Access Request (DSAR) Management. Get your copy to learn more about privacy portals, DSARs, and CCPA and GDPR requirements for privacy communications.

You can also test out the WireWheel DSAR solution with a free 15-day trial. Try it out today.

  • Regulations

Step One for Subject Rights Requests: Verification and Authentication

Sara is the Data Privacy Officer (DPO) at a large retail company. She’s the first to admit she’s still figuring out the implications of the California Consumer Protect Act (CCPA). And the clock is ticking.

CCPA gives consumers rights to access, delete, correct and move the data that Sara’s company collects about them. CCPA is the first major U.S. state law designed to increase transparency about how companies collect, process, share and sell personal information.

When the European Union General Data Protection Regulation (GDPR) required that companies handling consumer information employ a DPO, Sara was tapped by her company’s CISO to take on that role. She got her feet wet in data privacy management with GDPR and handles Data Subject Access Requests (DSARs) through manual processes, relying on email questionnaires and Excel spreadsheets. The real floodgates will open in January 2020, when Sara expects to receive thousands of Subject Rights Requests (SRRs) from California consumers asking to access, delete, correct or move the data that the company has collected about them.

Let’s take a closer look at what Sara is dealing with.

To Process Requests, Sara Must First Verify and Authenticate Them

Sara needs to ensure that SRRs her company receives are legitimate and coming from the appropriate person – in other words, confirming that they are who they say they are.

  • Verification: making sure any asset a user provides, such as a document or email address, is legitimate
  • Authentication: making sure that asset is tied specifically to that individual

When her company receives a consumer’s SRR, how does Sara know that the request is really coming from that person?

  • Best-case scenario: the consumer already has an online account with the company and Sara can verify their identity using their existing login information.
  • Worst-case scenario: the person isn’t even a customer. Sara needs more information about the person to fulfill the SRR. But the law says she can’t collect more information than she already has. Policymakers want to ensure that a company can’t benefit from the consumer’s SSR. If your company has zero information on that person, you’re in a catch-22 situation.

Between the best-case scenario – the requestor is customer who has an online account – and the worst-case scenario – they aren’t a customer and you can’t identify them – is another huge abyss of murky SRRs: consumers may not be making the requests themselves.

Sara is thinking:

  • How do I know the requestor is really the parent of a minor child as they claim?
  • What if this is an estranged spouse trying to track down their partner?
  • Is this a watchdog group checking to see how I respond to SRRs?
  • Am I going to expose information to a hacker?

A large-scale cyber attack could involve thousands of SRRs inundating your system with fraudulent assets in an attempt to steal consumers’ personal data. Or it could be one individual waging a personal vendetta against a family member or (former) friend.

The complexity of verifying and authenticating SRRs is a looming headache for businesses like Sara’s. Simply operationalizing a process involving such a large amount of data is daunting. Many businesses aren’t prepared to scale their data privacy management for CCPA, nor are they prepared to achieve the high level of collaboration and transparency required across different functions for prompt response to SSRs.

And Then There’s the Risk of Violations and Lawsuits.

What happens if you don’t respond to an SRR? Maybe you don’t have the processes in place yet, or maybe you just choose to ignore the SRRs. If you’re found in violation of CCPA, your company will be subject to fines. Under CCPA, fines are enforced by the Attorney General and can reach up to $7,500 per every violation (in the case of intentional violations). Non-intentional violations are subject to a $2,500 maximum fine.

The fines are harsh, but probably won’t put your company out of business. A data breach, on the other hand, could have a much larger impact. A data breach occurs when your company gives data to the wrong person, regardless of whether it was intentional or accidental. Breach investigations can uncover various types of data misuse – a red flag for regulators and fodder for class action lawsuits. This type of liability can be much more costly than fines.

The good intentions of the CCPA open up a can of privacy worms, especially for B2C companies like Sara’s.

What’s Sara to do?

Take Action Now

A third-party can provide a “Goldilocks” solution to remove the burden of verification and authentication. As a third-party provider, WireWheel helps verify that an email, driver’s license, or other asset a consumer provides as proof of identity is legitimate as well as authenticate that it’s connected to a specific individual. An additional option for an electronic sworn affidavit allows a user to certify their identity, giving you a legal document to support your SRR activity. Our encrypted environment secures the data and we never use data for any purpose other than verification and authentication of your company’s SRRs.

By solving the twin challenges of verification and authentication, Wirewheel can lift a monumental worry from the shoulders of B2C companies. In our upcoming blogs we will explore how Wirewheel’s data privacy management platform also helps you assign tasks, query data stores, and identify specific consumer data to respond to SRRs.

If you’d like to learn more about CCPA and SRRs, check out the eBook, 5 Keys to Managing Subject Rights Requests.

  • Regulations

You Don’t Have to Boil the Ocean to Achieve Privacy Compliance

When GDPR mandated Privacy Impact Assessments (PIA), lawmakers had the best of intentions. They wanted companies to understand how personal data is used in their business process. And, they wanted to see demonstrable proof – a tangible output – of privacy practices. Admirable in theory. But unworkable in practice.

GDPR’s PIA Focus Asked You to “Boil the Ocean”

Without clear definitions of “business processes” the scope of GDPR’s PIA challenge was beyond belief for many companies. To meet the requirement, they struggled to identify every system in their organization that contained personal data, including their enterprise tech stack and shadow IT.

Then, they set out to create a PIA for each one. Microsoft created 41,000 PIAs. Even a mid-sized company drowned in paperwork.

When everything is equal, you have to find everything. Everyone has a different opinion of where to start and there’s no end in sight.

CCPA’s Customer-First Approach Drives Prioritization

Now that companies are turning attention to the requirements of CCPA, the conversation has changed. We’ve seen a fundamental difference in the way they approach privacy management.

CCPA has no PIA requirement. There’s no need to create thousands of documents detailing every system and process across your organization.

Instead, CCPA’s primary focus is Subject Rights Requests (SSR), the right of a customer to request, change, or remove their personal information from your data stores. This approach puts the priority for managing personal data where it should be: creating trust with your customers.

Working backwards from the goal of processing a timely, accurate and clear SRR, you can focus on tech systems that directly impact customer data and communications:

  • CRM systems like Salesforce
  • Marketing and advertising systems
  • Product usage data
  • Technical support systems
  • Billing systems
  • ERP systems
  • Customer communities
  • Systems that provide customer data to you
  • Third parties that process downstream data you provide

Once you’ve identified and categorized customer data throughout your data supply chain, you can ensure you have the capabilities to confirm and fulfill a customer’s data access request securely.

Our customers are saving thousands of hours spinning their wheels by prioritizing this way. They also reduce their risk more quickly by making sure they’re prepared for an influx of SSRs in 2020.

By the way, this customer-first approach isn’t limited to those preparing for CCPA. Companies collecting and processing European residents’ data are also using this method to knock out 70-80% of the work they’d need to do to produce GDPR’s PIAs. After starting with systems that touch customers, they can then move on systems that process employee and operational data.

Learn More about WireWheel’s SRR Solution

You don’t need to boil the ocean to manage data privacy. Let’s talk about how you can achieve compliance, reduce risk, and build customer trust with WireWheel’s prioritized approach.

  • Regulations

Rising to the Challenge of Subject Rights Requests

Data privacy laws give people rights to access, delete, correct and move the data businesses collect about them. Consumers assert their own privacy rights by submitting a data subject access request (DSAR) directly to the organization that collected or processed their data. Businesses are required to follow the DSAR procedure promptly addressing their data requests without placing an undue burden on consumers.

What they don’t say is exactly how businesses should go about managing consumer data requests efficiently and accurately. In fact, in our recent roundtable privacy expert Dan Solove said that lack of clarity on this issue is one of the major stumbling blocks in operationalizing CCPA.

Need help with CCPA or GDPR DSAR? WireWheel SRR Software can help!

In this post we’ll outline the challenges businesses face handling data requests and detail a five-step process to manage them at scale to get closer to DSAR compliance. This is the first in a series of posts about this complex and important issue, so stay tuned!

First, some definitions.

What makes DSAR, VCR, and SRR and the Other Data Request Acronyms so Confusing?

Data privacy terminology can be riddled with jargon and swimming in acronym soup. Take Data Subject Access Request (DSAR), Verifiable Consumer Request (VCR) and Subject Rights Requests (SRR). Are they the same, or just similar?

DSAR, VCR, SRR and other acronyms we’re going to talk about are related to the same thing: managing requests regarding consumer data. Some terms you’ll hear with respect to the request process are tied to specific privacy regulations and indicate different requirements. For example, GDPR uses the term Data Subject Access Requests (DSAR), as in GDPR-speak, a “data subject” is any person whose personal data is being collected, held or processed and that includes your employees. CCPA, on the other hand, uses the term Verifiable Consumer Request (VCR) and doesn’t include employees. You may also hear the terms Subject Access Request (SAR) or Individual Rights Request (IRR).

We prefer the term Subject Rights Request (SRR) because it covers all scenarios above, regardless of specific regulatory requirements. Subject Rights Request is the term we use within WireWheel because our data privacy platform allows you to address requests whether you’re working to comply with GDPR, CCPA or any other privacy law that evolves.

Whatever you want to call them, these data requests present a major challenge for many businesses in their quest to become DSAR compliant.

The More Consumer Data You Collect, the Greater the Challenge

Your level of effort and exposure to risk related to Subject Rights Requests depends on the type of business you run. B2B companies receive very few Subject Rights Requests. If you’re in a commercial relationship with B2B customers, you likely have a Master Services Agreement in place that covers data privacy requirements and allows them to access or remove their data whenever they want. To satisfy regulators, you simply need to show you have a basic, accessible SRR process set up.

For B2C companies, however, the scope of Subject Rights Requests and the associated risk are sky high.

WireWheel’s consumer-focused customers are currently receiving tens of thousands of SRRs each year and anticipate receiving millions as more regulations take hold and awareness increases for DSAR policies.

OYCWith the power of modern marketing technology, B2C companies are tracking tons of data about known customers, prospective customers AND unknown users. Data stores are a mix of first-party data from different business units and acquired companies, as well as behavioral insights, purchased data, and other third-party data that could fall under the requirements for SRRs.

For a B2C company, handling Subject Rights Requests can become very costly. Your privacy and IT teams spend valuable resources fulfilling data requests instead of focusing on priority projects. Your company can be penalized by regulatory bodies if you can’t demonstrate a well-executed SRR process. In the worst-case scenario, mistakes in the SRR process – even unintentional ones – can cause a data breach, which will exponentially increase your liability.

How Can You Operationalize Subject Rights Requests?

The more efficiently you manage Subject Rights Requests, the better the privacy experience will be for your customers, the easier the effort will be for your internal team, and the more likely you are to meet expectations of auditors and regulators who are checking for DSAR compliance.

Before you can optimize an SRR process, you must first allow people to register a Subject Rights Request. You can offer this option on an external-facing privacy page to show customers and regulators that you’re doing the right thing with data. Your privacy page can also be turned into a portal to enable two-way communication with customers.

Let’s walk through the steps you need to take to build an efficient, compliant SRR.

Step 1. Verify and Authenticate

If you receive a request for information regarding a person’s data, you need to be sure the person asking for it is who they say they are. If your customers already have password-protected accounts, you can require them to log in to your privacy portal so you can confidently match the person making the request to a specific individual.

But, if a Subject Rights Request comes from an unknown user, the situation is not so simple. To make this step even more challenging, you aren’t allowed to ask for any additional personal information from the consumer than what you’ve already got. This is where a third-party can provide verification and authentication to remove the burden.

Step 2. Set up Ticketing to Process Requests

Managing a large volume of Subject Rights Requests is a team sport. You’ll need to assign requests, or parts of requests, to different people and keep track of each task as the request progresses through your workflow.

Step 3. Collect Data to Address Requests

To identify customer data related to a request, your systems and team members need to look into multiple data stores – customer databases, marketing databases, product databases, etc. The faster you can query your data stores automatically, the easier the SRR process will be.

When you get a deletion request, you should make every effort to remove that individual’s data from all the places where it’s being stored and processed. Make sure you have a way to prevent the reappearance of data about an individual who is opting out of your service.

Step 4. Deliver Information Securely to Customers

The way you provide information in response to requests is another part of the SRR process you must handle with care to avoid a data breach. Only the sender of a request should be able to receive the data in return. Passing information via email may expose you to a data breach, which, as we’ve discussed, dramatically increases your liability. Therefore, you should make sure that consumer information is sent securely, encrypted at rest and in-transit, all the way from request to delivery.

Step 5. Document Your Process for Tracking, Reviewing and Approving Requests

You can demonstrate compliance with privacy laws by recording all communications, reviews, and approvals that are part of your SRR process. Maintain complete audit trails of all the requests you receive and actions you take so that when an auditor asks, you have them at the ready.

How WireWheel Can Help

WireWheel’s consumer-facing DSAR portal gives you the capability to receive Subject Rights Requests, whether requesters are known customers or unknown individuals. Our data privacy management platform helps you assign tasks, query data stores, and identify specific consumer data to respond to SRRs and stay within DSAR compliance.

Most importantly, WireWheel solves the twin challenges of verification and authentication in the DSAR process. As a third-party provider, WireWheel helps you verify that an email, driver’s license, or other asset a consumer provides as proof of identity is legitimate as well as authenticate that it’s connected to a specific individual. An additional option for an electronic sworn affidavit allows a user to certify their identity, giving you a legal document to support your SRR activity. Our encrypted environment secures the data and we never use data for any purpose other than verification and authentication of your company’s SRRs.

We’d love to show you how WireWheel enables Subject Rights Requests. Get in touch for a personalized demonstration of our DSAR software.

  • Analyst
  • Company

Gartner Says We Are a Cool Vendor in Privacy Management!

We claim to be a lot of things, but we would never claim to be cool. Like all truly cool things, that should be left to the rest of the world to judge……. and they just did. Gartner just named WireWheel a Cool Vendor in their April 2019 Cool Vendors in Privacy Management report!! And, while it may not recognize us as being cool in the ‘hip and trendy’ sense of the word, Gartner thinks the vendors in this report are cool because of their innovative approach “to boost privacy management program maturity, enhance insights into data-processing activities and detail regulatory compliance, and streamline personal data usage by parameterization of “what is allowed”. Coming on the back of WireWheel’s nomination as a top ten finalist at this year’s RSA Innovation Sandbox Awards (Watch the 3-min video), we couldn’t be more proud.

I want to highlight and comment on a few things that Gartner raises in the report about the privacy management space in general:

Gartner Prediction:

“By 2021, more than 60% of large organizations will have a privacy management program fully integrated into the business.”

This is reassuring to see; we didn’t know the actual number, but this aligns with what we are seeing in the market – more and more companies treating privacy as a first-class citizen. Not just as a stand-alone compliance function, but as a way of orchestrating the activities of the entire organization around ‘doing the right thing’ with personal data. To do that, it must be integrated across the business.

Gartner Observation:

“By treating privacy as more than a compliance issue, maturing organizations are able to position and use privacy as a business opportunity.”

We couldn’t agree more. There is a growing population of consumers and employees who only want to do business with companies they trust. That makes privacy management a strategic and competitive differentiator not just a risk mitigation tool. Many of our customers have growing Data Ethics teams, not just compliance functions – data ethics raises privacy management to a higher level of ‘doing the right thing’ not just doing what the law(s) say(s).

Gartner Recommendation:

“Increase customer trust by creating a smooth and direct privacy user experience by prioritizing automation and self-service capabilities over manual processes and reducing manual workforce pressure.”

Yes, yes and yes! We are investing heavily in not just allowing our customers to understand, improve and communicate their privacy policies better, but to actively engage their customers and employees in intuitive processes that automate the communication of what their own data is being used for and automate the execution of their preferences and consents i.e. what should be done with that data.

WireWheel was described as being a ‘Privacy API’ for the organization, allowing data to be surfaced from disparate systems, processes and functions into a common privacy context. This allows us to engage with CISOs who have an active role to play in ensuring underlying systems are handling personal data correctly, in addition to the privacy office that is managing the core programs.

All of that being said, we all agree that there are challenges ahead in this market. This is something that we at WireWheel never shy away from. For those of you that have been in sales meetings with the team, you will always hear us say that “we haven’t figured it all out yet”. Our philosophy is one of partnering and rapid evolution, so that we get it right for them and we evolve as the market, best practice and regulations mature.


Disclaimer

Gartner, Cool Vendors in Privacy Management, Bart Willemsen et al., April 19, 2019

Gartner does not endorse any vendor, product or service depicted in our research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

The GARTNER COOL VENDOR badge is a trademark and service mark of Gartner, Inc., and/or its affiliates, and is used herein with permission. All rights reserved. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s Research & Advisory organization and should not be construed as statements of fact. Gartner disclaims all warranties, express or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

  • CCPA & CPRA
  • Regulations
  • Uncategorized

Am I My Device? According to CCPA, Yes

When the alarm wakes me up, I reach for my mobile phone and check email. Next, I strap on my smartwatch. Over breakfast, I read the news on my tablet while Alexa plays some tunes. I join a conference call while driving to work and spend much of the day on my laptop. When I return home, the thermostat adjusts to my presence while I check out what my FireTV recorded.

Sound familiar? Almost 20% of Americans are just as hyperconnected, meaning they live in a household with 10 or more connected devices. The median household contains five, according to the Pew Research Center. In each one, multiple computers, shared media, work devices, and personal devices are constantly collecting and aggregating data.

How Will CCPA Treat Data Collected by Devices?

Understanding the nexus of individuals and the various devices they use will be key to preparing to meet operational requirements of the new California Consumer Protection Act (CCPA). As the Internet of Things (IoT) brings more connected devices into our lives, more personal data will be collected and aggregated.

CCPA is designed to increase transparency about how companies collect, process, share and sell personal information. Under CCPA, “personal information” is defined to mean, “information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.

Let’s Unpack that Wording to Explore How CCPA Takes Devices into Account.

Each phrase within the definition above sparks questions the California Attorney General will need to address in order to determine if companies adhere to the letter – and the spirit – of the law.

  • The inclusion of “household” data stretches the concept of personal information and requires clarification. Sure, my personal phone and smartwatch are tied to me. But, streaming and shopping services could be related to a household. And, what about a work-issued cell phone that may be used on a temporary basis? In their inventory and classification schema, companies will need to consider how data may be tied to an individual, device and/or household.
  • Relates to” is potentially all-encompassing. Companies may need to widen the net to collect more information in their data inventory. Personal information may include not only “objective” information (e.g. social security numbers, credit scores, the presence of a certain substance in one’s blood) but also “subjective” information (e.g. opinions, assessments, preferences indicated by online behavior). CCPA includes “audio, electronic, visual, thermal, olfactory, or similar information” under the definition of personal information, which directly impacts a number of IoT devices.
  • Technical identifiers,” which includes things like connected devices, IP addresses, and network activity, are recognized as potentially PI and need to be classified in a company’s data inventory.
  • Inferred data” can become PI when linked or aggregated with other data. Using the online advertising ecosystem as an example, CCPA obligations apply to much of the information collected and used by marketing automation systems, website publishers, ad buying and selling platforms, and other technologies which businesses in the online ecosystem use to target customers.
  • All sorts of information is “capable of being associated with” an individual. Even if a business is currently not aggregating data, it may in the future. Companies will need to decide how they will inventory and disclose information that may require analysis (e.g. data about the functioning of a device where human intervention is required). The key unanswered question is what kind of diligence will be expected for a company to identify, classify and analyze data for its intended – or potential – purpose.

A “Living” Law Built to Evolve as Technologies Change

In our recent CCPA roundtable discussion, data privacy advocate Alastair Mactaggart explained why the authors intentionally left so much room for interpretation. As he points out, past privacy regulations became out-of-date quickly because they couldn’t keep pace with changing technologies and data processes. Data privacy discussions even five years ago didn’t anticipate the proliferation of data-consuming IoT devices that surround us today, both at home and at work.

In contrast, CCPA has been called a “living law.” The goal is to continue to protect consumer privacy and enable people to control what happens to their data, even as more devices are invented and data analysis becomes more sophisticated.

To keep pace, companies need to develop data privacy programs with the flexibility to identify and classify both people and their devices. They need to anticipate potential future uses of data they collect and prepare to share that information with consumers.

Preparing for Operational Challenges of CCPA?

Get started with the Ultimate Guide to California’s Data Privacy Law.

  • Regulations

What “State of the Art” in IT Security Will Satisfy European Regulators?

WireWheel is adding to our stable of experts on privacy! We’re excited to have Gabriela join us as a regular contributor on deeper technical topics.

The European Agency for Network and Information Security (ENISA) and the German IT Security Association (TeleTrusT) recently published comprehensive guidelines describing what is the “State of the art in IT security” (Guidelines), an important factor to take into account for compliance with data security obligations under the General Data Protection Regulation (GDPR). These Guidelines provide much-needed clarity around this otherwise vague concept by defining it and listing actual technical and organizational measures considered to be “state of the art”.

One of the biggest changes brought by the GDPR in May 2018 was recognizing the importance of accountability for data protection compliance. Organizations are expected to act as trusted “data keepers” and proactively take steps to account for every personal data item that enters their care. The GDPR enshrines several obligations that contribute to accountability, including an obligation in Article 32 for organizations to implement “technical and organizational measures to ensure a level of security appropriate to the risk”, taking into account “the state of the art” in IT security. Non-compliance with Article 32 can lead to administrative fines up to € 10 million or up to 2% of the global annual turnover of the organization for the preceding year.

But What Does “State of the Art” Mean in This Context?

As a piece of legislation that intends to be technically neutral, the GDPR does not itself establish what is the state of the art of IT security. This is good news, since both technology and security threats constantly evolve. However, organizations whose activity falls under the GDPR still need to figure out what it means, since it represents a presumably objective indicator of the robustness of their security program, and, hence, their compliance with Article 32. Data Protection Supervisory Authorities, like the UK ICO and the French CNIL, also refer in their data security guidelines to this concept, but without defining it.

This is where the ENISA – TeleTrusT Guidelines step in and fill the gap, even if they are meant to support compliance with both the GDPR and the 2015 German IT Security Act (therefore, they also refer to some specific obligations of the German law).

First of all, the Guidelines explain that, in general, “state of the art” of technology is a concept “situated between the more innovative existing scientific knowledge and research technology level and the more established generally accepted rules of technology level”, and it must be “independently measurable”. The Guidelines define “state of the art” as “the procedures, equipment or operating methods available in the trade in goods and services for which the application thereof is most effective in achieving the respective legal protection objectives”. But most of the Guidelines’ value actually rests in identifying specific technical and organizational measures which can be considered “state of the art” for 2019.

Under technical measures, the authors of the Guidelines catalog state of the art security measures for many operations, including but not limited to server hardening, password strength assessment, multi-factor authentication, encryption of files and folders, securing electronic data communications with a Public Key Infrastructure (PKI), cloud-based data exchange, network monitoring using Intrusion Detection System, web traffic protection and remote network access and maintenance. For each of the cataloged operation they also look at known security threats and they explain the protection objective covered by the measure, like availability, integrity, confidentiality or authenticity.

For example, with regard to cloud-based data exchange, the most common threats identified are unauthorized access and inspection by the operator of the service; hacking by third parties while the data is transported through the internet; and theft or unauthorized use of the identity that was agreed on with the cloud service. To prevent such risks from happening, the appropriate measures identified are:

  • encrypted transmission of files to and from the data exchange service;
  • client-side, end-to-end encryption of data for the recipient prior to transfer to the cloud, either through encryption integrated into the data exchange service in the client software that is part of the cloud, or through separate client end-to-end encryption software.

As for organizational measures, the Guidelines make clear that having security measures in place, even if they are “state of the art”, will not actually achieve data security without staffing measures and a system of methods, procedures and rules for managing corporate information security. These rules should be adopted and systemized within an Information Security Management System, which should also include “methods for regular inspection and documentation of organizational and technical changes”. The Guidelines identify what are considered state of the art internal processes to achieve data security, such as security organization (establishing a management framework), requirements management (legal, contractual or other types of requirements), or knowledge and competency management.

The authors even draw a map of security specific roles that can be attributed within an organization and list their main responsibilities, from upper management (who has strategic responsibility), to the Chief Information Security Officer, Information Security Officers, the Information Security Management team/Security steering committee, to the Audit Manager. As for the Data Protection Officer, the authors highlight that this role “should not necessarily be seen as part of IS management team, but instead as an important contact in matters regarding compliance, ideally regularly involved in the IS management process”.

Will Following These Guidelines Satisfy European Regulators Enforcing the GDPRThat an Organization Is Using “State of the Art” It Security?

This could be the case, considering that they are backed by an authoritative voice of European network security, ENISA. The Guidelines certainly provide for a solid baseline, especially in the absence of advice from DPAs. However, organizations always need to pay attention to the specific guidance issued by their Lead DPA, if they have one, or by the DPAs whose jurisdictions cover the organizations’ activity. It is notable, though, that the European Data Protection Board did not include any guidance on data security or Article 32 GDPR in its recently published busy work program for 2019-2020. In the absence of harmonized advice on state of the art security from the DPAs, reports issued or endorsed by ENISA will be the closest available resource to follow at European level.

Here is a list of further resources that can be helpful for identifying the “state of the art” in IT security for GDPR compliance purposes:

  • Regulations

How Are Personal Data and Consumer Rights Defined in the California Consumer Privacy Act (CCPA)

How are personal data and consumer rights defined in the California Consumer Privacy Act (CCPA)?

Privacy concerns have entered the mainstream. High-profile data breaches and news of companies selling data has caused consumers and regulators to ask questions and demand answers. New data privacy laws are designed to protect personal data and put power back into the hands of the consumer.

Chief among the new laws is the California Consumer Privacy Act (CCPA). Born from a consumer-driven ballot initiative to protect personal data privacy, CCPA will go into effect January 2020. With California the fifth largest economy in the world, CCPA is influencing the privacy landscape across the United States. That’s why it’s important to understand how consumer rights and personal data are defined under CCPA, and how businesses will be affected.

What’s Shaking Consumer Trust?

In the first few months of 2019 alone, several stories came to light regarding companies selling customers’ location data to third-party service providers, including AT&T, which announced upon discovery that it would terminate all location-sharing agreements. Other mobile service providers followed suit. IBM’s Weather Channel app is also under scrutiny following a lawsuit by the city of Los Angeles, claiming that it tracks users “throughout the day and night” to sell their personal location data to advertisers, retailers and hedge funds.

Data breach investigations are also threatening to business integrity. Chances are high that a company will experience a data breach of some sort. In fact, according to the Ponemon Institute, businesses are more likely to suffer a data breach of at least 10,000 records than an individual is to catch the flu this winter. If a data breach becomes public, suddenly a light will be shined on a business’s data privacy practices, triggering a closer look by regulators.

Key Definitions in CCPA

The California legislature rushed to draft and pass CCPA, primarily because it is easier to amend than a law enacted via the state’s initiative process. But the fast-tracked process produced a law with confusing and contradictory language that leaves many details unexplained or open for interpretation. Therefore, it’s important to have a grasp of consumer rights outlined by CCPA, what is classified as “personal data” and how it applies to a business.

“Personal data” as defined under CCPA is much broader than one would think, extending beyond the conventional names, addresses, emails, phone numbers, license and social security numbers to include biometric data, IP addresses, geolocation data, online aliases, employment and education information, purchasing history, internet activity (e.g. browsing and search history, web tracking data) and any “inferences drawn” from this data.

CCPA Introduces the Following Rights for Consumers Regarding Such Personal Data:

  • Right to know all personal data collected by a business;
  • Right to say no to the sale of personal data Right to delete personal data;
  • Right to be informed of what categories of personal data will be collected prior to its collection, and to be informed of any changes to this collection;
  • Mandated opt-in before sale of children’s information (under the age of 16);
  • Right to know categories of third parties with whom personal data is shared;
  • Right to know categories of sources of information from whom personal data is acquired;
  • Right to know the business or commercial purpose of collecting personal information;
  • Private right of action when companies breach personal data.

Impact of CCPA

Any breach of these rights under CCPA will result in hefty fines enforced by the Attorney General that can reach up to $7,500 per intentional violation and up to $2,500 for non-intentional violations. Affected consumers also have the right to take individual or class action lawsuits against offending businesses. With damages ranging between $100 and $750 per violation, costs could escalate quickly. A data privacy lawsuit could easily put a small-sized company out of business. On the other hand, demonstrating commitment to CCPA and data privacy overall will become a competitive advantage that fosters trust with your customers.

To understand how CCPA will impact your company’s data privacy strategy, download our eBook, The Ultimate Guide to Calfornia’s Data Privacy Law.

  • Company

The Roots of WireWheel

Over the past five years, we have seen real urgency develop worldwide around the topic of privacy – and the story starts and ends with people.

Why? Because most people didn’t – and still don’t – believe they are in control of their own information. Individuals, advocacy groups, legislators and technologists began demanding change – and governments have started to take action.

Organizations, too, have started to take privacy seriously and to charge technical teams, security teams, and compliance teams with the job of protecting information and establishing trust.

But, if protecting privacy is now part of your job, it might seem like a nearly impossible task. The information necessary to protect privacy is either buried in your technical stack, or in the minds of people all over your organization and your wider network of partners, vendors, consultants and advisors. You often have to tackle this with limited time, limited resources, and the threat of significant fines hanging over your head.

We founded WireWheel because organizations needed a different approach to tackling privacy. Our vision is based on two main principles:

  • First, it takes people to protect privacy. Technology alone will not help organizations ensure they are doing the right thing with personal information.
  • Second, privacy management technology needs to leverage what organizations have already purchased and translate it for their privacy teams. By enabling privacy teams to understand technical stacks, they can tackle privacy protection, and CTOs and CISOs no longer have to answer the same privacy questionnaires over and over again.

Momentum for achieving privacy excellence is building. A year into this endeavor, we are thrilled to be selected as one of RSA’s 10 Innovation Sandbox Finalists.

I can’t wait to build the next phase of WireWheel.

Behind the Scenes of Privacy and Trade Negotiations

I had the honor of representing the United States around the world on privacy during the Obama Administration, and it started when I came into the Administration after the “Snowden Disclosures” in 2013. Around the world, governments needed assurance that the U.S. respected personal information, and European lawmakers even suggested that they should stop European data transfers to the U.S.

Governments around the world also started arguing that there was an unfair playing field for their organizations, claiming that they had to follow strict privacy rules, while U.S. organizations did not.

We realized at that time that organizations would need a better way to tackle privacy. Without better solutions, governments could use domestically based privacy laws to drive digital trade and data storage to be localized in their own countries. For example, if startups did not have better privacy technology, they would not be able to compete on the world stage.

The Answer: Data Protection-as-a-Service

We built WireWheel to empower organizations to be diligent caretakers of the digital footprints people leave behind in everything they do. And, the WireWheel Privacy Management Platform does this by simplifying, structuring, and automating privacy programs.

WireWheel simplifies privacy by focusing privacy teams on the four central pillars of privacy protection that applies to any law, including GDPR, CCPA or any future Internet Bill of Rights:

These four central questions are:

  • What personal data are you collecting or observing?
  • Where are you storing that personal data?
  • Where are you processing that personal data?
  • With whom are you sharing that personal data, and for what purpose?

WireWheel then structures and automates your privacy program to efficiently collect the critical information from the systems and people around your organization and vendor networks.

The platform is centered around three modules:

  • WireWheel’s unique tasking and project management engine helps organizations stand up and manage privacy programs at scale. WireWheel includes frameworks and pre-configured workflows to easily manage and maintain a comprehensive privacy program.
  • WireWheel translates your existing technologies to make them usable for your privacy teams. For example, plug in your infrastructure-as-a-service (IaaS) or data stores, and WireWheel can automatically spot data stores, processing, and personal data. In this way, you can think of WireWheel as the interface that translates your existing technologies into something that is really usable by your non-technical privacy teams.
  • WireWheel includes a “Privacy Studio,” that allows your privacy teams to build internal and external resources focused around privacy. And, the Privacy Studio integrates with WireWheel APIs to automate customer preference centers for preference management and customer data access, deletion, correction and portability.

With a single pane of glass, privacy and security teams now can create critical data and business process maps to make collaborative, informed decisions.

In this way, the WireWheel platform supports all phases of a global privacy management and compliance program including data inventories, privacy and data protection assessments, vendor risk management, “data subject” or customer data access, deletion, correction, and portability requests, and more.

And we have priced WireWheel’s platform to enable organizations of all sizes to get the benefit of our platform.

Enhancing the Privacy Experience

As WireWheel has grown we’ve brought on a team of privacy, cyber security and technology experts who have been in the trenches of managing privacy and IT programs. Key customers such as Under Armour and BlackBoard have provided critical feedback to make sure our solution matches their business needs.

In every development discussion we have, we focus on the privacy experience for our customers, ensuring that our technology is really usable by non-technical privacy leaders. The concept that “It Takes People to Protect Privacy,” has imbued our product development, hiring decisions and organizational culture.

At the end of the day, we ultimately believe that people will protect privacy, that organizations will help build trust, and people will get back in charge of their information.

And these movements, we hope, will be driven in part by WireWheel.