Why do we seem to emulate the ostrich and put our heads in the sand when it comes to personally identifiable information (PII) discovery? Every other technology throughout history that I can think of has undergone multiple phases of evolution, including anti-virus, perimeter security, cell phones, the car – I could go on.
So please forgive me when I say that I find it incredible that the standard offerings for PII discovery are still in their infancy compared with what could be built from technology that is already available. Can it really be that in PII discovery, where the penalties for GDPR non-compliance are so severe, we are stuck with antiquated solutions and methods? We don’t have to be, but it seems that way. Here’s why.
Network element discovery solutions have been around for many years. Crawler software has been around for just as long. Does it really take a visionary like Henry Ford to see that these two solutions belong together? Ford recognized that by combining the assembly line with automotive manufacturing he could mass-produce automobiles; both technologies had been around for a while in that case, too.
Doesn’t it make perfect sense, then, to combine crawling and network discovery when it comes to PII discovery? The greatest weakness of current data discovery technology is that you must feed it the already known or suspected locations of PII. Instead, add a way to find the locations of PII automatically, without relying on human input. In this way, enterprises can keep an accurate and constantly updated list of PII locations, wherever they are, whether or not anyone knows about them.
Ford’s innovation brought about many other benefits; his suppliers, for example, all benefited through significantly increased orders, and his customers benefited from lower-cost automobiles.
By combining crawling software and network discovery technologies, we can see which locations are storing, processing, and sharing PII, which an organization must know in order to comply with GDPR. The approach brings other benefits, including knowing when PII is shared outside the organization, another significant data privacy compliance requirement.
The manual approach basically says to a company, “tell me where your databases and repositories are, and I’ll locate your PII within them.” Not surprisingly, this approach has major flaws.
First, it doesn’t address the data repositories of which you are not aware. Repositories are constantly being created, with no efficient way to track the changes, and there are major logistical challenges in finding the time and resources to organize each data asset’s information in one place.
Second, and perhaps most important, the PII an organization stores is constantly in motion. Let’s say I somehow have the resources to pull off the inventory challenge described above and can figure out how to organize it. Great, right? Not so fast. Ask yourself what happens, almost immediately, when the database containing so-and-so’s information gets copied from a known repository to an unknown one, or when DevOps creates a duplicate repository where we don’t see it or know about it. Now we’re back at square one, over and over again.
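To make the combined approach concrete, here is an added example (not code from the original article or any product it describes) of a discovery pipeline in which the network scan, not a human-maintained list, decides what the PII crawler looks at. The scan results, the records behind each service, and the list of “registered” repositories are all constructed sample data, and the PII patterns are deliberately limited to e-mail addresses and US SSN-shaped numbers. The second scan simulates the case above: a copy of the database appears on a host nobody registered, and the inventory diff surfaces it without anyone telling the tool it exists.

```python
import re
from typing import Dict, List, Tuple

# Step 1: network discovery. These records stand in for the output of a
# network scan or cloud inventory (constructed sample data, not a real scan).
SCAN_DAY_1 = [
    {"host": "10.0.1.10", "port": 5432, "service": "postgres"},
    {"host": "10.0.1.11", "port": 445,  "service": "smb"},
    {"host": "10.0.2.50", "port": 9000, "service": "object-store"},
]

# Step 2: crawl. Each discovered service exposes some records; these strings
# stand in for rows, files or objects a crawler would read (constructed).
CONTENT_DAY_1 = {
    ("10.0.1.10", 5432): [
        "id=1,name=Ada,email=ada@example.com,ssn=123-45-6789",
        "id=2,name=Bob,email=bob@example.com",
    ],
    ("10.0.1.11", 445): [
        "Q3 sales deck v2 - no personal data",
    ],
    ("10.0.2.50", 9000): [
        "backup-2019-05-01.csv: customer,555-0100,carol@example.com",
    ],
}

# What the manual approach would be told about: only the "official" database.
KNOWN_REPOSITORIES = {("10.0.1.10", 5432)}

# Day 2: DevOps copied the production database to a host no one registered.
SCAN_DAY_2 = SCAN_DAY_1 + [{"host": "10.0.3.7", "port": 5432, "service": "postgres"}]
CONTENT_DAY_2 = dict(CONTENT_DAY_1)
CONTENT_DAY_2[("10.0.3.7", 5432)] = CONTENT_DAY_1[("10.0.1.10", 5432)]

# Minimal PII detectors; a real crawler would use many more, plus validation.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn":   re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

Location = Tuple[str, int]
Inventory = Dict[Location, Dict[str, int]]


def crawl_location(records: List[str]) -> Dict[str, int]:
    """Count PII matches by type across the records found at one location."""
    counts: Dict[str, int] = {}
    for rec in records:
        for kind, pat in PII_PATTERNS.items():
            n = len(pat.findall(rec))
            if n:
                counts[kind] = counts.get(kind, 0) + n
    return counts


def build_inventory(scan: List[dict], content_by_location: dict) -> Inventory:
    """Discovery feeds the crawler: every service the scan found is crawled,
    whether or not anyone registered it as a PII repository."""
    inventory: Inventory = {}
    for svc in scan:
        loc = (svc["host"], svc["port"])
        counts = crawl_location(content_by_location.get(loc, []))
        if counts:
            inventory[loc] = counts
    return inventory


def unregistered_pii_locations(inventory: Inventory, known: set) -> List[Location]:
    """PII-bearing locations the manual, list-driven approach would never scan."""
    return sorted(loc for loc in inventory if loc not in known)


def diff_inventories(old: Inventory, new: Inventory):
    """Return (locations where PII appeared, locations where it disappeared)."""
    appeared = sorted(set(new) - set(old))
    vanished = sorted(set(old) - set(new))
    return appeared, vanished


if __name__ == "__main__":
    day1 = build_inventory(SCAN_DAY_1, CONTENT_DAY_1)
    print("Day 1 inventory:", day1)
    print("Missed by the manual approach:", unregistered_pii_locations(day1, KNOWN_REPOSITORIES))
    day2 = build_inventory(SCAN_DAY_2, CONTENT_DAY_2)
    print("New PII locations on day 2:", diff_inventories(day1, day2)[0])
```

The point of the structure is that `build_inventory` never consults `KNOWN_REPOSITORIES`; the registered list is only used afterwards to show what a list-driven scan would have missed. Rerunning the pipeline on each new scan and diffing inventories is what keeps the PII map current as data moves.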
Already, more than two-thirds of organizations are employing networking activity monitoring technologies to understand how personal data is traveling throughout the organization.
The reason is that only a true network approach can track how personal data is processed, stored, and shared in near real time, giving a constantly updated view of where personal data is stored and shared within the enterprise.
The network approach can also bring together an enterprise’s personal data about each customer in a single place. This is especially important for handling Data Subject Access Requests (DSARs) and the right to erasure. A network approach also gives organizations insight into repositories they didn’t know existed.
We live and work in an ever-changing world that requires that our technology evolve and keep up. Clinging to old models, approaches, or “the way we’ve always done things” extinguishes innovation. Proceeding this way with PII not only makes operating an enterprise unmanageable, it threatens to put it out of business.