Given that privacy concerns have led to the creation of laws and regulations, companies are striving to meet the requirements to safeguard third-party personal data against breaches of confidentiality, integrity, and availability.
To achieve their objectives, companies must first identify any gaps in data privacy, which may involve the inappropriate use of personal information. Such gaps can result in significant privacy incidents, leading to losses that extend beyond the potential application of fines and sanctions. It all begins with the need to identify information assets, which involves surveying the holders' data and its purpose of use across various environments and media.
As companies work to ensure compliance with data privacy regulations, the search for tools such as Data Discovery and Data Mapping has been on the rise.
However, one may wonder how effective this automated software technology is. It is noteworthy that the term “Personal Data” (referring to information related to an identified or identifiable person) is now legally provided for in data privacy regulations.
This definition indicates that there are two different contexts to consider.
In the first context, the data is related to someone who is already identified. This means that the information makes clear who is being referred to, because a name, ID, or other data is linked to that individual. In the second context, it is the cross-referencing of data that makes the person identifiable. It is important to note that data, in isolation, cannot be considered personal since it does not refer directly to the person.
On observation, these tools clearly rely on an indexed data search for individuals. However, this search method may not be viable because, until recently, there were no data protection regulations governing the capture of this information. The only feasible way to conduct such a search would be to use standardized identifiers, such as an ID. The search would therefore be limited to the first context mentioned above, through directly identifying information. It is not possible to conduct such a search when it is a combination of several data variables that makes the person identifiable, that is, indirect data.
Furthermore, the primary focus of tools such as Data Discovery and Data Mapping is database mapping. The analysis therefore needs to be expanded to other environments that may hold data, such as file systems or, for example, content maintained in e-mail systems, which is not always covered by these solutions.
In the second context mentioned above, it is imperative to consider the human factor. A tool alone would not suffice for such research. Instead, a highly developed artificial intelligence environment would be required, capable of navigating through distinct scenarios and determining whether the person in question is ‘identifiable.’ However, such technology is not yet available. Without information that indexes the data to the person, it is not possible to make the identification as proposed by these types of software.
Data Discovery and Data Mapping tools hold some value, albeit minimal, as they can aid in identifying data and thereby reduce some workload. However, when it comes to the quality of information, these tools should only be considered auxiliary aids to interviews and questionnaires in determining and organizing databases.
Hence, it is understandable that, depending on the size and composition of the company, the best data mapping is accomplished through interviews and specific questionnaires conducted by a proficient data privacy consultant who understands all the feasible methods of identifying an individual, which tools such as these would be incapable of doing.
Furthermore, by merely asking the appropriate questions, such as the purpose of the data use (a legal requirement), a company would be capable of gathering the information required to make the right decisions and make the changes that will render the business compliant with the regulation.
Marcio Cots – Chief Operating Officer
GetGlobal International*
*GetGlobal International is an international consultancy that assists companies aiming to comply with personal data privacy regulations based on constant legislative and market updates. We selected the best and most respected experts in Data Privacy in different regions who are worldly specialists in data privacy, offering the necessary support for your company to fit regulations quietly and safely. GetGlobal’s team has helped hundreds of companies from all sectors. They’ve become a reference in data privacy compliance as a complete and multidisciplinary solution.