Data, data, data… what are your hidden costs?

Privacy debt can be defined as the difference between how your PII data is currently managed within an organization's IT systems, and the way it should be managed to comply with external regulations and an organization's internal policies --- Mark Settle, It's Time to Invest in a Privacy Stack

In its annual DataSphere and StorageSphere report, the International Data Corporation (IDC) found that in 2020, 64.2ZB of data was created or replicated. They predict that global data creation and replication will soon surpass data capacity. They also found that real-time data will grow from around 30% in 2020 to an astonishing 50% in 2025.

An acceleration of both volume and velocity is taking place, and with the harsh revenue-wise GDPR and volume-wise CCPA fines in place, a previously invisible debt that has always been brushed to the sidelines has become too big to be ignored.

With more varied ways in which consumer data is collected, consumers are also becoming increasingly concerned about how their personal data is being used and managed. This has led to residents of California voting for even stricter regulations, only less than one year after the enactment of California Consumer Protection Act (CCPA). CPRA, which this new consumer protection legislation will be called, is slated to be in effect in 2023.

For a business that relies on extensive data collection, especially that of personal information, these factors translate into an ever-growing set of business risks involving data mishandling and leakage, which is increasingly becoming difficult to anticipate and quantify.

Privacy debt will be the tech debt of the future --- Bessemer Venture Partners, 2020 State of the Cloud report

And even if privacy debt is correlated to the velocity, volume, and variety of data collected, the magnitude of proportionality is different for different companies, depending not just on industry and product, but also on the infrastructure in place to deal with privacy data management. Instead of trying to figure the privacy indebtedness of your organization from a high-level, it is better to go wide and deep through your company's data lifecycle. But before that, arming yourself with what leads to privacy debt will help you be laser-focused on what to look out for.

Factors contributing to privacy debt

The modern-day cloud-first environments pose growing challenges and inherent risks of sensitive data sprayed across the cloud data footprint. Data and security practitioners, with limited resources, are constantly trying to balance business priorities and growing threats.

Thus --- as a CIO, CDO, CSO, CISO, or any data or security practitioner --- it is imperative these days to be crystal clear as to what kind of sensitive data the organization is collecting for business needs, and the multiple touch points through which these data flows: from collection, transformation, storage, usage, transfer, archival, to destruction.

Such visibility is provided through the amount of investment put into data observability, or --- from a security standpoint --- privacy observability. With visibility, you get to be clear as to where sensitive information lies in the data lifecycle touch points, so that you can decide the proper strategies to manage such data. Only with knowledge can clear decisions be made. The lack of such infrastructure is a multiplicative factor in the bloating of privacy debt.

Visibility also entails not just what is on the surface, but also what is hidden or abandoned deep within the organization. These are termed dark data, and these are data that are unused and untapped, deemed too old to provide value, incomplete or redundant, or limited by a format that can't be accessed with available tools. More often than not, they simply are remnants left by predecessors in the company, unknown to any of the current employees. Such data has caused companies to suffer from breaches, for instance in this case, where a company acquired another, and was not aware of an abandoned database left by predecessors of the acquired.

(The different kinds of dark data. Picture from https://devopedia.org/dark-data)

Data visibility might be necessary, but it is still not sufficient. Privacy is also about security configurations, and the wrong configurations can nullify the efforts of having even the highest of visibility. One publicly exposed S3 bucket is sufficient to expose your company to public and legislative scrutiny, and this can happen to any company at any time. This is because humans make mistakes, and as the companies scale in headcount and interaction complexities exponentiate, more mistakes will happen. Having proper tooling to prevent such simple yet destructive mistakes from happening is a high value, low effort safeguard to reducing privacy debt.

It is also necessary to know that data storages are not just the only place where sensitive information can be leaked. In the data lifecycle, there are multiple touch points by different departments. The data collection may come from the developer, the data storage might be done by the data engineer, but the data usage can be by the non-technical folks, and such technical folks might not be incentivised to properly use, share, and destroy business data. Visibility thus has to extend beyond data storage, to the different SaaS products that are being used in the company. The chain is only as strong as its weakest link.

How does Borneo help to minimize your privacy debt

In order to have visibility of every single data touchpoint, oftentimes multiple products are required in order to work together to achieve the level of compliance needed. However, as said before, the chain is only as strong as its weakest link. If one product fails to meet expectations, then the chances of leaks will still be significant --- the privacy debt monster will still rear its head if the hole is not sealed. Borneo provides an all-encompassing platform solution for every touchpoint of your data's life cycle for quality, real-time, and uniform compliance monitoring and reporting. It is built to be the single pane of glass to your organization's data and security configurations, and provides the heavy-lifting needed to ensure compliance, so that your business can run smoothly without being hampered down by privacy issues.

We built Borneo because of the epiphany that security tools needed privacy data intelligence to solve hard problems. We took the first-principles approach at Borneo to build a platform that addresses the complex security and global privacy requirements for the new data-first business models and the modern cloud-native stack.

(Borneo is your jeep through your data landscape, both charted and uncharted. Picture from https://edmu.in/3HNuAX1)

Borneo is the jeep for your journey through the wilderness of your data landscape as you explore uncharted territories. We make sure your wheels are always pumped and your suspension well-oiled. Companies with a privacy observability solution in place will accelerate much faster than those without, by not being bogged down with having to deal with privacy compliance management and whatever new huddles that may come in the future through company growth, data growth, and the fast-paced legislation changes.

To enable us to achieve the success you are looking for, request a quick demo with us to get started!

---

What is Borneo?

Borneo helps security & privacy teams achieve continuous compliance and data protection through accurate & actionable data discovery.

Want to watch Borneo in action? Request a demo here and we will get back to you soonest.