Wednesday, November 11, 2020

Trust-Hub Maps Company Data for Privacy and Other Uses

Marketers care about privacy management primarily as it relates to customer data, but privacy management overlaps with a broader category of governance, risk, and compliance (GRC) systems that cover many data types. Like privacy systems (and Customer Data Platforms), GRC systems require an inventory of existing customer data, including systems, data elements within each system, and uses for each element.   These inventories form the foundation for functions including risk assessments, security, process documentation, responses to consumer data requests, and compliance monitoring.

Having a single inventory would be ideal. But each application needs the inventory to be presented in its own way. One reason so many different systems gather their own data inventories is that each is limited to its own type of presentation.

Trust-Hub Privacy Lens avoids this problem by creating a comprehensive data inventory and then enabling users to create whatever views they need. This requires gathering not just a list of data elements, but also documenting the users, systems, geographic locations, and business processes associated with each element. These attributes can then be filtered to create views tailored to a particular purpose. The system builds on this foundation by creating applications for related tasks such as risk analysis, privacy impact assessments, and security risk analysis. Users access the system through customizable dashboards that can highlight their particular concerns.

Privacy Lens offers a range of methods to collect its inventory. It can import existing information, such as spreadsheets prepared for s compliance reporting or security audits. It can read metadata from common systems including Salesforce and BigID or import metadata gathered by specialized discovery tools. When the data is not already assembled, Trust-Hub can scan existing data sources to create its own maps of data elements or let users enter information manually. In addition to data elements, the system can track business processes, user roles, individual users, resources, locations, external organizations, legal information, and evidence related to particular incidents. This information is all mapped against a master data model, helping users track what they’ve assembled and what’s still missing. The data is held in a graph database, Neo4J, a technology that is particularly good at tracking relationships among different elements.

Although some Privacy Lens users will focus on loading data into the system, most will be interested in using that data for specific purposes. Privacy Lens supports these with applications. Privacy managers, for example, can see an over-all privacy risk score, a list of open risks, a matrix that helps to prioritize risks by plotting them against frequency and impact, detailed reports on each risk, and additional risk scores for specific data types and processes. These risk scores are based on ten factors such as confidentiality, accuracy, volume, and regulation. The scores enable users to assess not just the risk of violating a privacy regulation, but risk of a security breach and the potential cost of such a breach. Trust-Hub argues that companies tend to focus on compliance risk even though the costs of litigation and reputation loss from a breach are vastly higher than any regulatory fines.

Privacy officers can also use the system to conduct formal assessments, such as Privacy Impact Assessments, by answering questions in a system-provided template. The system keeps a copy of each assessment report along with a snapshot of the data model when the report is created, making it easy to identify subsequent changes and how they might change the assessment. Compliance and security officers can conduct other assessments within the system, such as tracing risks created when data is shared with external business partners.

Risks uncovered during an assessment can be assigned a mitigation plan, with tasks assigned to individual users and reports tracking progress towards completion. Data in the model can also create other reports, such as Record of Processing Activity (ROPA), consent dates, and legal justifications. Personal data usage reports can take multiple perspectives, including which systems and processes use a particular data element, which elements are used by a particular system or process, and where a particular individual’s data is held.

Trust-Hub has two additional products that exploit the Privacy Lens data map. Privacy Hub loads actual customer data from mapped systems, where it can be used to respond to data requests by consumers (Data Subject Access Requests, or DSARs) or answer questions from business partners without revealing personal information (for example, to verify that a particular individual is over 18). Privacy Engine loads masked versions of personal data and makes it available for analysis, so that users can run reports and create lists without being given access to private data.

Trust-Hub was founded in 2016 and released its first product in 2018. The company now has more than one hundred clients, primarily large organizations selling directly to consumers, and service providers to those companies, such as consultants, system integrators, and law firms. Pricing is based on the number of users and starts around $25,000 per year.