
How to Shop for a Data Privacy Solution

Look for simplicity and elegance, not jargon and needless complexity. 

Data privacy doesn’t come cheap. Spending on data-privacy solutions at both small and large enterprises doubled in 2020, according to Cisco’s latest Benchmark Study, with organizations spending an average of $2.4 million to manage data-privacy issues.

The good news is that many organizations get excellent value for money: more than two-thirds of businesses say they get significant benefits from their data-privacy tools, and 35% of the 4,700 industry leaders polled by Cisco said their data-privacy solutions generated ROI equivalent to at least double their investment. 

On the other hand, not everyone’s happy: about a third of businesses didn’t get significant benefits from their tools, and 15% said they didn’t get enough ROI to justify the millions they’d spent building out their data-privacy infrastructure.

Clearly, when you’re spending serious money on data privacy, you need to do everything you can to maximize the return you get on your investment. So how can you optimize your procurement process to ensure you’re getting value for money?

1. Know what you’re using.

It’s always better to shop for software by weighing the product you’re eying against a specific alternative. If you’re already using a data-privacy solution, make sure you understand exactly how it works, and what its strengths and limitations are, so you can see where a new option succeeds or falls short.

Perhaps you’re using a cheap but inflexible cookie-based consent system, or perhaps you’ve adopted a third-party solution with its own strengths and limitations. Make sure you understand the way your current system addresses your specific use-case, and pay close attention to how well it copes with any new pain-points that may have emerged as your business has grown and regulations have evolved.

2. Know what you need.

The key to getting positive ROI from your data privacy solution is to keep its core functionality front-of-mind while you’re shopping. No matter how many bells and whistles a particular platform offers, its core task is to ensure you and your partners only use data in legal ways that align with your user’s expressed preferences. A tool that falls short on that basic metric won’t deliver positive ROI, no matter how many other features it has.

Once you’ve found a shortlist of solutions that meet your basic needs, start thinking about additional features that add value for your specific use-case. If a feature sounds cool but you can’t immediately see how you’d use it, it might not add much value for your team. That said, it’s also important to think about your future needs — a solution that offers flexible, futureproof functionality is likely to deliver ROI as your business grows.

3. Research the alternatives.

When doing due diligence, it’s important to look beyond the marketing materials provided by a software vendor, which are always going to show their product in the best possible light. User reviews on sites such as G2 offer unvarnished insights into how products perform in the real world, but bear in mind that while individual users know how their own solution works, they may not have experience using competing products. To get a broader perspective, it’s also useful to look for expert opinions, such as analysts’ briefings and market reports. 

Personal connections are also valuable as you’re shopping for software. Crack open your Rolodex and phone friends and colleagues who understand your company and your needs, or try quizzing your LinkedIn or Twitter followers to get product recommendations and warts-and-all stories about their company’s data-privacy solutions.

4. Avoid complexity.

When you’re trawling through jargon-filled corporate websites, it’s easy to start to feel overwhelmed. Many vendors serve up long laundry lists of features using highly technical language, and it’s tempting to simply assume that the companies with the longest and most complicated lists of features are offering a better product. That’s a mistake: instead of getting seduced by complexity, make sure you stay focused on the subset of features that add real value for your organization.

After all, while it’s true that ensuring data privacy can be a complex process, the solution you deploy needs to be elegant and effortless to use if it’s going to add lasting value for your organization. As with any other technology, the best data privacy tools are transparent and easy to understand, and don’t require you to dig through endless configuration tools and expensive optional add-ons in order to get the functionality you need. Simplicity, not complexity, is the key to generating real ROI.  

5. Remember who’s in charge.

Buying software can feel a bit like buying a car — the salesperson is going to do everything they can to get you to sign on the line, and it’s easy to forget that you’re the one who’s really in the driving seat. Don’t let your vendor obfuscate or hide behind jargon, and don’t let yourself get locked into an approach that isn’t right for you. Make sure you ask the questions you need to — and get answers to them! — in order to ensure you’re getting the right solution for your organization’s needs. 

The bottom line: you’re paying real money, and you deserve to get good value. If the vendor you’re working with can’t provide the solutions you need, then there are plenty of other options on the market that will deliver better value for your company.

It would be wonderful if you could buy enterprise software as easily and confidently as downloading a smartphone app. The reality, though, is that when it comes to data privacy the stakes are high, the problems are complex, and the solutions are both more expensive and more technologically advanced. That means there’s no alternative to doing careful due diligence, and putting in the time and effort required to ensure you’re picking a solution that will truly work for your organization.

At Ketch, we know just how much of a headache buying enterprise software can be — and we believe software buyers should never feel confused or out of their depth while making important decisions. That’s why we’ve got a team of dedicated specialists on hand who’ll discuss your needs, demo our data-privacy solutions, and make sure you’re able to make this important decision with absolute confidence. So get in touch today, and tell us about the problems you’re trying to solve. 

Systemic Embrace: The Coexistence of Data Dignity, Compliance and Growth

In the often dizzying and confusing arena of data privacy, a new normal is rapidly unfolding, a paradigm that elevates data rights and data dignity. Characterized by a wave of new regulations and competing imperatives, the complexity of this new paradigm can overwhelm and paralyze business leaders searching for the ideal and responsible path forward. 

Many believe they face an impossible Sophie’s Choice: Dismiss privacy requirements and use personal data to grow -- or comply and stagnate. 

They are wrong.

There are leaders who understand the opportunity inherent in respecting data privacy and data dignity and they grasp that it’s possible to build value while honoring values.

Steve Jobs was leading the way in 2010:

“I believe people are smart and some people want to share more data than other people do. Ask them. Ask them every time. Make them tell you to stop asking them if they get tired of your asking them. Let them know precisely what you're going to do with their data.”

An effective solution that respects and protects data privacy builds trust with consumers. It goes hand in hand with responsible stewardship of data and abides by Steve Jobs’ admonition to ask customers about data uses and to keep asking about their needs, wants, and priorities.

Most of all, it puts customer prescriptions and desires around the allowable use of data into action. Doing so builds trust, and building trust fuels privacy-compliant data stores -- the precondition for successful operations and AI.

Leaders like Microsoft CEO, Satya Nadella, are doubling down on the idea of data dignity as an extension to data privacy.

At the 2020 World Economic Forum, Nadella declared that data privacy at an individual level needs to be thought of as a human right and called for further work on the concept of “data dignity”:

“It’s not just ‘privacy’ and ‘oh, I give away my data’. I should be able to control in a much more fine-grained way how my data is being used to create utility for me and the world and the causes I care about.”

When it comes to managing the interplay between the promise of data and the imperative for privacy, companies fall into four basic states: resigned surrender, wishful denial, ruinous inertia, or systemic embrace. 

Ruinous inertia: These companies don’t pursue data-driven initiatives or invest in their enabling tools and processes, yet also fail to comply with basic privacy regulations governing their interactions with employees, partners, and consumers.

Resigned surrender: These companies have resolved that the risks of non-compliance are existential and therefore too perilous to ignore, and on that basis have opted to suppress their collection and usage of data across multiple channels and platforms (particularly digital marketing initiatives that depend on consumer data). 

Wishful denial: These are companies who take liberties with data and blast full steam ahead with the quiet recognition that they’re non-compliant with regulations they know pertain to them. They are either in denial about the risks, or in denial that their non-compliance could ever be discovered or significantly damage their business. 

Systemic embrace: These companies recognize the risks of non-compliance, the opportunities that come from cultivating privacy and greater trust with stakeholders, and the strategic imperative to participate fully in the data AI revolution. They reject Sophie’s Choice and are committed to the systemic pursuit of compliance and growth.   

Systemic Embrace is the path to peaceful -- and profitable -- coexistence of data dignity, compliance and growth. It recognizes the rising urgency of data privacy and the enduring premise of data-driven growth.

To learn more about how businesses are responding to the complexity of privacy, check out Part 2 of the Ketch Privacy Primer.

Can Orchestrating Privacy Data Subject Requests be Automated?

The complex, time consuming, and downright annoying process of exporting, erasing, or rectifying personal data to respond to valid data subject requests sanctioned under privacy data regulations like GDPR and CCPA likely has you wondering if there’s a better way. You’re not alone if you’re considering a ticketing-based solution touting the ability to automate this process. But can orchestrating data requests from customers be automated?

Personal data exists in multiple formats across multiple in-house, cloud-based, and third-party systems. It can be an email in one system, a rewards number in another, or a cookie in yet another. Before a data subject request can even be fulfilled, much less automated, you need to find the data. Easier said than done. Consider a request based on email address. If that’s not the system identifier, you need to either gather more information from the now-frustrated customer or delve into the system to try and determine the data format. That’s not always possible with systems that hold only obscure device identifiers or cookies. And by law, you can’t claim you don’t have the data just because you don’t have the identifier. Without this information, compliance is at risk and automation is not possible.

Even when the data is located, fulfilling the request requires knowing all the steps within the workflow of each system. For external systems, this could be sending an email or going through the user interface to generate the request. For internal systems, it means identifying the responsible system owner and operator. This is all compounded by the fact that you still need to determine if the request was even received and fulfilled—for every system.

Since the definition of personal data is broad, and it can reside in several linked systems and subsystems, the question also often remains whether the scope of all the data was even dealt with. You might think a data subject request only requires you to delete the customer table containing names, email addresses and account information. But if that customer’s data exists in other locations and formats like purchasing or browser history, you’re only in compliance if ALL the appropriate data is deleted. That also means you need to know what data is exempt and must be maintained for contractual, legal, or auditing purposes.

Considering the complexity of it all, don’t be fooled by ticketing-based systems that have you thinking the actual work of fulfilling data subject requests will be automated. Sure, these systems may automate the creation of a ticket, an email response to the customer acknowledging the request, or the due date required by a specific regulation. They may even help you manage HOW to fulfill requests—that is, once you’ve determined and set up all systems, identifiers and workflow requirements. But ticketing-based systems are simply not capable of automating orchestration.

So the question remains—can orchestrating data subject requests even be automated, or is that just pie in the sky? That’s where Ketch comes in.

Using technology rather than process, Ketch is working to solve the barriers of automation by invoking tools like open-source APIs, syntax command templates, and system integration in conjunction with a central control system that lets you automatically record, track, and respond to data subject requests. When it comes to privacy data compliance, our goal is to make data systems work so you don’t have to.
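The three obstacles described above (resolving the subject's identifier in every system, tracking fulfilment per system, and honouring records that are exempt from erasure) worked through as an added example; this is not Ketch's code, and the identity links, data stores and exempt fields are constructed sample data.

```python
"""Minimal data-subject-request (erasure) orchestrator. Added illustration,
not Ketch's code; all systems, links and records below are constructed."""
from enum import Enum


class Status(Enum):
    DONE = "done"              # data under this system's key erased
    RETAINED = "retained"      # exempt fields kept; must be reported, not hidden
    UNRESOLVED = "unresolved"  # no identifier for this system could be found


# Constructed identity links: each system keys the same person differently.
IDENTITY_LINKS = {
    "crm":     {"email": "alice@example.com", "customer_id": "C-1001"},
    "rewards": {"customer_id": "C-1001", "rewards_no": "RW-77"},
    "adtech":  {"cookie_id": "ck-9f3a", "email": "alice@example.com"},
}
# Which identifier each system is actually indexed by.
SYSTEM_KEY = {"crm": "customer_id", "rewards": "rewards_no", "adtech": "cookie_id"}
# Constructed data stores keyed by each system's own identifier.
STORES = {
    "crm":     {"C-1001": {"name": "Alice", "invoices": ["INV-1"]}},
    "rewards": {"RW-77": {"points": 120}},
    "adtech":  {"ck-9f3a": {"segments": ["shoes"]}},
}
# Fields that must be kept for legal/accounting reasons (exempt from erasure).
EXEMPT_FIELDS = {"crm": {"invoices"}}


def resolve_identifiers(request: dict) -> dict:
    """Expand the identifiers the subject gave us (e.g. just an email) into
    every linked identifier, until no new links are found."""
    known = dict(request)
    changed = True
    while changed:
        changed = False
        for links in IDENTITY_LINKS.values():
            if any(known.get(k) == v for k, v in links.items()):
                for k, v in links.items():
                    if k not in known:
                        known[k] = v
                        changed = True
    return known


def erase_in_system(system: str, key: str) -> Status:
    record = STORES[system].get(key)
    if record is None:
        return Status.DONE  # nothing held under this key
    kept = {f: v for f, v in record.items() if f in EXEMPT_FIELDS.get(system, set())}
    if kept:
        STORES[system][key] = kept  # erase everything except exempt fields
        return Status.RETAINED
    del STORES[system][key]
    return Status.DONE


def fulfil_erasure(request: dict) -> dict:
    """Dispatch to every system and record a per-system outcome."""
    ids = resolve_identifiers(request)
    results = {}
    for system, key_name in SYSTEM_KEY.items():
        key = ids.get(key_name)
        results[system] = Status.UNRESOLVED if key is None else erase_in_system(system, key)
    return results


def can_close(results: dict) -> bool:
    """A request may only be closed when every system has answered; an
    unresolved identifier is not the same as 'no data held'."""
    return all(s in (Status.DONE, Status.RETAINED) for s in results.values())
```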

Stop Worrying About Regulations

For global businesses, the data-privacy rulebook isn’t getting any shorter. The GDPR and the CCPA are just the tip of the iceberg; over 80 countries have passed or strengthened data privacy laws. Industry-specific regulations such as HIPAA and FERPA further complicate matters, while COVID-19 contact tracing will open a whole new Pandora’s box of regulatory complexities. With China and India also joining the party, the regulatory landscape will only grow more tangled in coming months.

There’s no way to avoid all those rules and regulations. Data, not oil, is the fuel powering our economy, and we’re using more of it than ever. New innovations such as AI and IoT constantly add to the torrents of data inundating businesses: a single smart-car produces 300 terabytes of data a year; by 2025 the world will generate a colossal 175 zettabytes of data a year. Companies can no more opt out of using data than a fish can opt out of the ocean.

But managing all that data while simultaneously complying with a constantly changing and growing body of regulations is a major challenge, one most companies aren’t equipped to handle. Firms typically respond to new regulations by patching their data management tools to ensure data is handled correctly, but taking an iterative, point-solution approach while navigating the expanding global regulatory morass is like playing Whac-A-Mole — except that the field is growing, the moles are proliferating, and you have only a single mallet. No matter how fast you hammer, you’ll never be able to keep up.

That’s the bad news. But there’s good news, too. While the challenges are real, there’s also a real and practical solution that can help businesses to stay compliant amidst a sprawling and ever-changing regulatory landscape. And paradoxically, the best way to stop the bleeding and stabilize the patient is to stop worrying so much about regulations.

Put Data First

Obviously, you can’t ensure compliance without paying attention to regulations. But that doesn’t mean everyone in your organization should be constantly fretting about how regulations affect them.

Under the current paradigm, when new regulation is enacted, businesses have to gather together everyone — business leaders, legal experts, developers, and so forth — to hammer out a fix. That’s fine when you’re dealing with modest amounts of data and a circumscribed body of regulations. But when you’re dealing with rapidly changing data and regulations on a global scale, it simply isn’t sustainable. All too soon, you’re left with a patchwork of point solutions — complex, brittle, failure-prone, and impossibly expensive to maintain.

This Rube Goldberg approach to regulatory compliance also takes up huge amounts of time and energy, driving up costs and distracting your legal, business, and technical teams from more important matters. It also stifles innovation and slows product development as engineers shelve other projects to bolt yet another set of unscalable compliance solutions onto an already struggling tech stack. And it forces legal and business stakeholders to second-guess what’s technologically possible, and engineers to parse the nuances of statutes and regulations as they struggle to ensure their code is compliant.

What’s really needed is a more efficient approach: not an all-hands effort to rebuild your data management system each time a new regulation comes along, but rather a mediating layer between legal and business experts, on the one hand, and developers and engineers on the other.

Instead of treating compliance as a regulatory problem, treat it as a data-processing problem — and build a data-tech stack that’s capable of natively supporting any new regulation, and of applying changes seamlessly across your entire data-set without requiring legal folks to understand code, or developers to understand the fine points of privacy statutes.

A Scalable Solution

That’s where Ketch comes in. Our platform decouples your data handling and compliance processes by establishing a central control system that lets you update data governance protocols without ever touching the code driving your data-handling tools.

By separating these functions, we free legal and business teams to focus on articulating a data governance worldview that’s aligned to the latest regulatory requirements, and to consumer needs and rights, without worrying about execution. On the tech side, developers can integrate data-handling systems with the data governance module once and once only, and never worry about compliance again.

Sound too good to be true? Here’s how it works:

First, using our simple but feature-rich Regulatory Harmonization tools, legal and business folks develop policies setting out what’s allowed and what’s not. Imagine TurboTax, but for privacy regulations instead of the tax code: a simple, slick dashboard that requires no technical expertise, but lets you draw on Ketch’s experience and templates, plus your own industry knowledge, to create a customized rulebook that determines precisely how your company can handle data.

At this point, the legal and business team’s work is done, but Ketch is just getting started. Based on the policies you’ve defined, we automatically generate permits — a kind of smart contract that sets out the precise rights and obligations of every user or piece of data in your system. Enforced through high-end encryption, the permits make it literally impossible for data to be used incorrectly, much as DRM makes it impossible for IP assets to be improperly shared.

Finally, we assign each piece of data a unique identifier, a bit like the barcode that identifies every can on a supermarket shelf. That’s important because it’s the only piece of our system that developers need to worry about: using a simple API, developers can use that identifier to check whether a specific action is permissible for a given piece of data. They never have to interpret the rules themselves — they just ask the question, and get a straightforward answer.

The power of that approach should be obvious. If a new law is passed, or an old one changes, the only people who have to worry about it are your legal and business team. They can implement the new policies, and know that their changes will propagate instantly across the company’s entire data infrastructure. And because compliance is handled centrally, your codebase never changes or needs revising — while the permitted actions for any given user or bit of data might change, the infrastructure itself remains the same.

The result: a top-to-bottom governance system that ensures future-proof compliance without forcing you to rewire your data infrastructure. Policy changes propagate through your system automatically, even extending downstream into middleware, or to partners and consumers who access or use your data. And because you’re no longer working with a patchwork of point solutions and custom fixes, the entire network is more secure, more efficient, and easier to maintain.
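The policy-to-permit-to-check flow described above, reduced to a runnable sketch as an added example; it is not Ketch's platform, and the rulebook, data records and consent flags are constructed. It shows the one call application code needs, `is_permitted(data_id, purpose)`, and that a policy change is a reload of the rulebook rather than a code change.

```python
"""Policy -> permit -> check, in miniature. Added illustration, not Ketch's
code; rulebook, records and consents are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    data_id: str         # the unique identifier ("barcode") of one piece of data
    jurisdiction: str    # where the data subject is
    category: str        # e.g. "contact", "health"
    consents: frozenset  # purposes the subject explicitly opted into


# Rulebook maintained by legal/business, keyed by jurisdiction: purposes
# allowed by default, and purposes that need explicit consent. "*" is the
# fallback for jurisdictions with no specific entry.
RULEBOOK = {
    "EU":    {"default": {"service"}, "consent_required": {"marketing", "analytics"}},
    "US-CA": {"default": {"service", "analytics"}, "consent_required": {"marketing"}},
    "*":     {"default": {"service", "analytics", "marketing"}, "consent_required": set()},
}
# Category-level denials that apply regardless of jurisdiction or consent.
CATEGORY_DENY = {"health": {"marketing"}}


def generate_permits(records, rulebook):
    """Derive, for each data identifier, the set of purposes it may be used for."""
    permits = {}
    for r in records:
        rules = rulebook.get(r.jurisdiction, rulebook["*"])
        allowed = set(rules["default"]) | (set(rules["consent_required"]) & r.consents)
        allowed -= CATEGORY_DENY.get(r.category, set())
        permits[r.data_id] = frozenset(allowed)
    return permits


class PermitService:
    """The only surface developers touch: one yes/no question per action."""

    def __init__(self, records, rulebook):
        self.records = list(records)
        self.reload(rulebook)

    def reload(self, rulebook):
        """Called when legal updates policy; application code is untouched."""
        self.permits = generate_permits(self.records, rulebook)

    def is_permitted(self, data_id: str, purpose: str) -> bool:
        # Unknown identifiers are denied by default (fail closed).
        return purpose in self.permits.get(data_id, frozenset())


# Constructed records covering consent, a category override and the fallback.
RECORDS = [
    Record("d-001", "EU", "contact", frozenset({"marketing"})),
    Record("d-002", "EU", "contact", frozenset()),
    Record("d-003", "US-CA", "health", frozenset({"marketing"})),
    Record("d-004", "BR", "contact", frozenset()),
]
SERVICE = PermitService(RECORDS, RULEBOOK)
```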

Deploy Once, Secure & Comply Everywhere™

For too long, digital enterprises have been running to stand still when it comes to data compliance. It’s time to get off the treadmill, and find a new, genuinely scalable approach that treats data compliance first and foremost as a data-processing problem.

Ketch is that solution. Just as Stripe revolutionized online payments with an API approach, so we’re turning data compliance into a solvable problem. No matter how quickly regulations change or how fast your business grows, you’ll never have to waste time rewiring your data management tools — you’ll just update your data policies, and get back to serving your customers.

Global regulators aren’t about to stop passing privacy laws, but you don’t have to let your company get swept away by the deluge. If you’re ready to stop playing catch-up, get in touch today, and let Ketch change the way you think about compliance.