- Peter Boaz
Exploring three of the most common obstacles to data privacy in organizations today.
The popular mantra, “Every company is a technology company” has become increasingly evident thanks to data privacy laws like GDPR and CCPA/CPRA. For decades, organizations were able to grow their reliance on data with little regard for the consequences. Now, laws like GDPR and CCPA/CPRA require organizations to have much greater awareness of their data, safeguard the personally identifiable information (PII) they hold, and actively manage the risks related to their data processing activities.
Despite good faith efforts, many organizations have yet to meet these goals. A 2021 survey found that “while 95 percent of business leaders say their company has strong or very strong data protection measures in place, 62 percent concede that their companies should be doing more.” To explain the apparent incongruity between law and practice, this series will explore three major gaps in present-day privacy management:
There is no unified data classification model under GDPR or CCPA/CPRA. Each organization must design its own models and categories. This requires buy-in from multiple stakeholders, significant time, and formal expertise that many organizations do not have.
The sheer volume of data and the distributed nature of a company’s processing activities make it very difficult for a compliance team to aggregate this information, view it in a way that makes sense, and oversee remediation efforts.
A global company may be subject to dozens of privacy laws across many jurisdictions, which requires localized knowledge that the average compliance team cannot sustain.
As Graphletter continues to grow and meet with more privacy practitioners, we will go in-depth on each of these three problems and learn how some organizations have addressed them. We want to find the practical solutions that have emerged through real-world problem solving, and use our learning to offer a n ever-simplified path forward to organizations still struggling to implement data protection measures.
Neither GDPR, CCPA/CPRA, or any other privacy law offers a definitive data classification model for organizations to follow. Each organization must design its own models and categories. This provides companies a degree of freedom, but also demands a much greater commitment of time, effort, and buy-in from multiple stakeholders.
We think there's a better approach. When a company onboards with Graphletter, they start with our universal data model that offers every possible variety of data that an organization may be employing. Users will then be able to pick and choose from pre-defined categories of data. This eliminates the high barrier to entry that most companies face when they have to decide their own model upfront. To continually hone our system, we'll look at examples from private and public sector entities that have designed their own models.
Once a company defines an initial data classification model, it can later add more granular levels based on its specific data, compliance requirements and other business needs. However, many organizations do not know how much data they handle. Processing activities are carried out by hundreds, if not thousands, of employees in a company. Gathering the necessary information from each one presents a huge coordination issue. Especially in distributed teams working remotely, email requests to colleagues can easily fall to the bottom of the inbox.
We think the Graphletter platform is the answer to this problem. Asynchronous work is a key factor, and our Admin Dashboard provides a central hub for companies to consolidate their processing activities and draw key insights. To ensure we're capturing all the information that practitioners find important, we want to examine various approaches companies have taken to address this problem.
Once a company understands its processing activities, it must determine the necessary controls for the collected data in accordance with applicable law. But as more privacy legislation is introduced around the world, it becomes extremely difficult for a small team to keep up with varying requirements and definitions of “personal information” from country to country.
At Graphletter, we think Computational Law is the solution. We have designed an expert system to mechanize legal reasoning. Looking at the latest work from in this field from groups like CodeX at Stanford University and MIT’s Computational Law Report, we want to share the exciting technology and research that Graphletter is built on.