Welcome to the webcast, Understanding Privacy or the Privacy Evolution. I'm delighted to be joined by Sam Gillespie, who is the Data Governance Offering Manager at OneTrust, and he will be talking later. So before we get going in the actual webcast, just a few housekeeping notes. You don't have to do anything. Just relax, listen and watch. No need to mute yourselves. We have a couple of polls during the webinar, and we'll look at those results as well. There will be opportunities for you at the end of the webinar to ask some questions.
And you can enter those questions in the panel that you'll see on the right. And finally, if any of your colleagues wish to see this webinar but couldn't make it today, then please note that we will record it and it will be available for download in the next few days from our website. So that's just what's happening.
Now, as I said, and in case you missed it at the start, I'm Paul Fisher. I'm a Lead Analyst at KuppingerCole. I'll be talking a little bit about privacy and some of the issues around data privacy and governance. And then I'm delighted that Sam Gillespie will be joining us from OneTrust. He is the Data Governance Offering Manager for OneTrust. And then right at the end, we'll look at the final poll result, Q&A, wrap up, and then goodbye. So just to kick off the event, as it were, let's have a quick poll on data governance and your experience.
So do you currently have a data governance and privacy program implemented in your organization? By that, we mean an actual project that is designed to improve data governance and privacy across all your infrastructure and enterprise. So the poll's open. If you could quickly enter a yes or no. And when we think we've got enough, yeah, I think that's, well, fairly overwhelming response there, but we'll keep the result until the end, or at least we can talk about the result at the end.
So let me just start off by talking a little bit about identities and resources and how the cloud, in particular, has affected data management, data governance, and also the sheer level of data in organizations. And so we focus this on three key platforms that will monitor or manage access and entitlements: privileged access management, cloud infrastructure entitlement management, which is a newer cloud-focused entitlement management, and then, of course, identity and access management in all its shades.
And we also, at KuppingerCole, identify six major identity types who are likely to be operational in an organization across the infrastructure, trying to get at data and applications. Those would be traditional administrators, and developers, who are increasingly part of the mix, and increasingly a very important part of the mix in that they are contributing not just to the day-to-day running of the organization, but developing platforms and applications within the organization.
Then end users, obviously, human end users. Despite the onset of ChatGPT and the excitement generated by that, particularly on LinkedIn, I noticed, we still, I am sure, have a lot of human users doing all sorts of things in our organizations for some time to come. That will also include third parties. When we say third parties, we mean partners or, say, supply chain partners of an organization, who increasingly are now integrated within the infrastructure and networks of the organization that they're working with.
Endpoints, again, are the actual devices that sit at the endpoint and look for access. And, of course, customers.
Again, these are increasingly a part of modern-day computing, particularly in sectors such as retail or finance, where customers are now increasingly allowed some sort of access into the infrastructure for ease of use, for better customer service, et cetera. And, generally, these identities will be working and looking for data on either platform as a service, software as a service, infrastructure as a service, private clouds, and, of course, even good old-fashioned legacy on-prem data centers, which still exist in many forms.
And data, of course, is huge. Trying to quantify the amount of data in an organization is a big task.
But, again, you can limit it to file servers, workloads, containers, virtual machines, credentials, and, of course, databases. And add to that huge amounts of unstructured data, big data, et cetera, even data that may lie within email, individual documents, et cetera.
So, all this stuff, or this framework, creates a challenge for organizations to keep track of the data and, particularly, keep private data secure, because that's a key part of data governance and privacy, which is what we'll be talking about a little later. And then, at the bottom there, we have the sort of elements that act as a foundation to an organization and help with the flow of data. I put there zero trust. We can talk a little bit about that at the end of this. Risk management platforms, identity lifecycle management, which is all part of PAM, CIEM and IAM.
And then, of course, data governance and privacy and compliance platforms, which work with this to protect that data. And, finally, endpoint detection, et cetera, which is a classic piece of cybersecurity to protect the infrastructure, such as it is, including all the cloud, from the outside, from outside attacks.
So, that's a simplified look at what is happening in a typical organization. Now, some people argue that one way to protect data, and, indeed, one way to improve cybersecurity in your organization is with security and awareness training.
Now, I have possibly never been a great believer in it, and this is a personal view, not necessarily a wider view, but I've always felt that security awareness and training is nice to have. It's good to have on top. There's nothing wrong with telling people that it's bad to click on certain links, that they should be aware of this and that. The problem is that some organizations rely on this too much, as if awareness on its own will improve data management, will improve security, et cetera, throughout the organization.
Human beings, and such things are obviously aimed at humans, tend to have short attention spans, even within any session in which they are taking part in awareness training, and they don't remember. But, particularly, users can be careless with data, and I think this is the crucial part of the human element in poor data management: it is end users that attach credit card details to a file which is left open, unprotected, for example, or they may send in an email details which should not leave the company, and so on.
So, what I argue is that we're in the business of technology. Technology increasingly has the ability to automate a lot of the things which would prevent the sort of mistakes that end users make and would allow the end users to get on with looking for that data and using that data in the diagram that I just showed you.
So, security and awareness training can be, as I say, a spiral into sort of nowhere. Plus, a lot of awareness packages that are available are kind of off the shelf. They're very generic. They don't necessarily work for the organization that you have, and how you use data within that organization, and how you share the data, who your customers are, etc.
So, my message is, yes, there's nothing wrong with it, but don't spend too much money on it, but look to what the solutions are from vendors in managing data. So, I mentioned that privacy is important, and it certainly is. In the last few years, we've all heard of GDPR. We've heard of the California Privacy Act, etc. Ever since GDPR, consumer-focused or end-user-focused privacy has become not only very important, but actually very successful in that it has raised awareness amongst public and consumers about their privacy and the privacy of their data.
It has meant that organizations have had to be a lot more careful about how they use data. And what you can see on the right is from an energy company, and this is quite typical now of how a company might explain to their customers how they use data, where they collect it from.
So, you can see the customer will volunteer data on the left there, but the company will also collect data, and then they are, in this particular industry, required to get a certain amount of data for industry compliance purposes. So, if you look at that as just one small part of one company and one set of data for one customer, you can see just how much data is now being collected, how much of that is private, how much of it is valuable to thieves or cybercriminals, and how much of it your customer wants you to protect.
So, it's a huge task to protect data because the data is expanding. Data is now being shared within chatbots, as you know, in social media, customer access tools, and so on.
So, it's a big challenge to track this data. The easy bit is collecting it; tracking it, monitoring it, deleting it when it needs to be deleted is a lot harder. That's where data governance and data privacy platforms come in.
So, you need some kind of data management program or a data governance program. Now, what we've listed here is a highly simplified view of a data management program in which data governance and privacy platforms would play a part. But very simply, you need to, first of all, look at your organization, define the model for your data architecture, where it is, et cetera, where it comes from, and cover all those aspects from the source to utilization. And then you've got to somehow put data privacy and governance as a layer across all those areas.
So, every part of your organization that handles data, which, in effect, is your entire organization, needs to be subject to the data governance and privacy and the overall data management program that you define for your organization. And you need to have a data catalog. Data catalogs are fundamental in telling you what kind of data you have and where it is, et cetera, what it contains. Is it private? Is it personal? Does it contain financial information?
So, that last line there: you cannot utilize and secure or govern the data that you don't know exists. That's crucial and fundamental to data management of all types. If you don't know that data exists in your organization, and that includes on the most remote endpoint, don't forget, which might include a user who has downloaded a spreadsheet of some sort onto his or her local drive because of some gap in security, then that's sitting there vulnerable, outside of any protection.
So, data, as I said, is everywhere, and you need some kind of solution that can find that data so that you can manage it. So, this is a kind of a classic covering a whole hierarchy of data management.
Really, it's something you can look at in more detail, but you can see at the bottom, really feeding in all our data. So, we have databases, lakes, business apps, legacy apps, analytics, every kind of data source. That feeds into the data catalog, which I've just been talking about, and then the metadata, which I haven't yet mentioned, and then you do a process of quality and integration.
Finally, your data analytics, which forms part of business intelligence. Data analytics is the bit that tells you what you have, where it is, what use it is, whether it's out of date, whether it should be deleted, et cetera. And then finally, that data where it is used for digital services, for applications, et cetera. And then data privacy management and data governance, as well as data security, are the three sort of pillars that underpin all of that to keep it secure.
So, there's your data management hierarchy, and there's your data governance tools, which again is another way of looking at it; this is a different, maybe more complex way of looking at the slide I showed you first of all in this presentation. And here are just some desired capabilities of any data management program that you will introduce, and we'll talk more about that in the second part of this webinar.
But again, there's all sorts of dashboarding, flexible view dashboarding, I mean, even in itself, dashboarding is fantastically crucial to this kind of program. If you can't see at a glance what's happening, it's very hard to make decisions.
So, all of those there in that slide are worth looking at when you start thinking about the kind of platform that you want for your data management and data privacy capabilities. So, before I hand over, we'll just do this final poll, which is just a question we often ask our customers, is how many cloud providers do you use?
So, at the moment, do you use just one? Do you use only the big three, as they're called, AWS, Azure, and Google Cloud? Do you use more than three, but not including those?
So, more than three of others; or more than three, but also including AWS, Azure, GCP? Or, and this isn't actually a trick answer, you may have no idea.
So, please, answer that now, while we are voting. So, do you have just one? Do you have only AWS, Azure, GCP? More than three, but not including AWS, Azure, and GCP? More than three, including those?
Or, five, no idea? So, just leave that.
Okay, I think we've got enough votes now to get some kind of result. So, thank you so much. That's the first part of that. I just wanted to quickly talk about Zero Trust, because it's something that's been talked about an awful lot recently. It sort of has become, I think, with the rise of multi-cloud and big data, et cetera, Zero Trust has become sort of in vogue. And certainly, a Zero Trust policy or implementation or architecture design would work well with data privacy and governance by controlling the primary access to data.
And Zero Trust can also incorporate the data management tools, or access management tools, such as IAM, PAM, CIEM. But again, it's a cliche to say that Zero Trust is not something that you can buy off the shelf, but it's true. Zero Trust is a way of doing things. It's a philosophy. It's a design. But it's a big exercise, and it's a big commitment if you're going to get it right. But it's worth bearing in mind if you're thinking of improving privacy and data governance at the same time.
And these, just to give you a brief idea, I'm sure that many of you already know about Zero Trust, but NIST in the United States is actually probably the preferred source of information regarding Zero Trust in that they have probably the best ways of describing Zero Trust, the best advice about it. And here are the seven tenets of Zero Trust, which I'm not going to read through.
Again, you can read these at leisure when you get the download. But the thing about this key one for me is that the enterprise collects as much information as possible about the current state of assets, network infrastructure, communications, to improve its security posture. And that kind of means everything that's happening in the network, including the data, where it is, et cetera. So that is the end of the first part of the webinar. I will now hand over to Sam Gillespie, who is the Data Governance Offering Manager for OneTrust.
Hello, Sam. Yeah, really interesting topic. And once again, thanks for inviting me to this webinar today. I've done a couple with KuppingerCole, and it's always really, really valuable insights that we get through these webinars. And just a bit of background about what I'm going to be presenting. I've been working in data privacy for almost five years now, and definitely, with the many different customers that I'm working with, I'm seeing an evolution in how customers are responding to privacy requirements, but also how it's becoming much more integrated in their broader data operations.
And that's for a few reasons. Number one is that the privacy regulatory landscape is, of course, getting more and more complex. GDPR is not going away; if anything, it's going to be evolving over the next few years. We see a whole plethora of new privacy regulations in the US, state by state, hopefully in the future some sort of federal regulation. And of course, globally as well, in other regions, there's definitely an increase in the number of privacy requirements. But of course, they're not all the same. That would be far too simple.
The fact is that they often have similar underlying principles, but at the same time, they do have their differences. So in order for you to really respond to these different regulations, you do need to have a foundational program in place. But likewise, as well, privacy is important, but it can be integrated with your broader data governance program. And data governance is there to really enable business use of the data and all the good things that we as organizations are using data for.
And so if you embed privacy into your operations, into your broader data governance program, you will, of course, be able to respond to those requirements that you see, but you'll be able to use it as a competitive advantage and really as a way to help develop your business and meet your objectives. So what I'll be showing you today is how you can really implement a combined, I'd say more of a privacy-focused data governance program in your organization, doing it in an effective and efficient way that will be able to meet those two objectives.
I will be doing it through the lens of how we do it at OneTrust. We're a software application, so how you can use OneTrust as a tool to help with this. But of course, you can incorporate OneTrust into these different elements, or you can use your existing processes in place, but really these are the steps that we see customers taking to respond to, you know, this global change in the expectation of privacy.
Likewise, as well, what's important to note is that this can be for both big and small organizations, multinational and country-specific ones, because ultimately this is really going to give you a foundation. It's not, you know, a tailored response. There will be specifics that you'll have to do based on your industry, based on, you know, your country regulations, etc. But really, this is what we're recommending to our customers, what they should be implementing in order to really respond to the changes in privacy, but also use it as an enabler in the business.
And really, I see this split into two areas. Obviously, this is kind of simplifying things, but really this is the crux of what organizations need to be considering. The first is often the priority for most companies, and this is for obvious reasons. This is really what I would say the most public aspects of your privacy and data governance programs. This is how privacy is essentially integrated into your digital estate, and because it is, you know, publicly available, publicly visible, it is going to be the first to be criticized and viewed by your customers and external parties.
And this is around just giving individuals control of their data. So giving individuals the visibility into how you're using data, processing it, who you're sharing it with, but also giving them the ability to control how that data is being used, when it should be removed, or some sort of other adjustment made to it. That's the public-facing aspect. The other aspect, of course, is on the back end. This is how you can actually operationalize your program.
So, of course, how we can meet those key compliance and risk objectives when it comes to your privacy program, but also how that can be incorporated into a broader data governance program in order for you to really have privacy enable the business use of data as well. So let's look at those consumer-facing aspects.
Again, this is really important because ultimately this is what is very visible from your organization, and this is typically how your privacy program is integrated with your digital estate. You know, things like your website, your mobile apps, but also other technologies that you're using that are ultimately collecting and processing data. You can really split this again into two areas. Number one is what I would refer to as unidentified users. These are people that are visiting your website, but also maybe visiting your app.
They're not exactly disclosing data, but these technologies will use things like targeted advertising. They will collect browsing information in order, for instance, to provide adverts later on in their browsing experience. So there are privacy concerns here, and likewise certain regulations do require organizations to give individuals the ability to opt out of this particular technology. The second side is when actual individuals are giving data, giving first-party data.
Again, typically this is through your digital estate, such as your website, when they're signing up for a product or service, or maybe signing up for a marketing campaign. This again, we need to make sure that we have the proper governance in place so that we're continuing to use this data for good things, to market to those individuals, to be able to produce analytics, but in a way that those individuals feel like they have control of their data, because guess what? Individuals that don't feel like you respect privacy are not going to sign up for marketing.
They're not going to feel confident giving their data to companies. So the first part I'm going to speak about is that unidentified user. Typically this is a visitor to your website, and this is something that is pretty much, you know, what you'll see on most websites now: we do need to give website visitors the opportunity to opt out of certain uses of tracking technologies found within websites. This is obviously a fundamental aspect of GDPR and e-privacy, but we see here in the U.S.
with the do not sell requirement under California law that the use of advertising technology, particularly cookies or pixels, does count under the umbrella of selling information, so we need to give individuals the opportunity to opt out. And the way you achieve this is very easy, you know, this is something that, you know, most websites have been using for years, but you do need to obviously look at the specifics for different country markets and country visitors to your website, but essentially you do need to be doing an audit of your website.
What tracking technology are we using in there? Is it just cookies or are we using, you know, other browser-based technologies? What's generating these cookies? Are we using tags on our website that we need to be integrating with, so that if someone does choose to block it, that can actually, you know, be enforced? And likewise, you know, if we are using third-party cookies, who's providing that? You can manually do this; however, of course, using a scanning tool is going to be the most efficient way to respond to that.
But then, of course, you know, what does that banner look like when a website visitor actually comes to your website? You know, a lot of organizations do want a tailored approach to this, where someone who's visiting from Europe is going to have a different experience to the U.S. And this is something you do want to consider because ultimately we don't want to be blocking website traffic. We want to make this easy for the individual, but it does need to be something that respects their privacy. So how is that banner going to look and feel? What text are we going to have?
And do we want to have a different experience for different website visitors? That is something you do need to be considering when implementing your cookie solution within your website. Just to note as well, something to be considered is, of course, your mobile apps as well. They don't use cookies, but there are certain SDKs that are used to tailor the experience, and we might also want to give people the option to opt out of the use of those particular SDKs.
And also things like apps on TVs as well, where we may want to be incorporating this consent management process. And this is where we want to also decide what model we are going to operate when it comes to that. Do we want someone to physically opt into the different categories of cookies that we have on the website? Do we want people to have a different experience dependent on the location that they're visiting that website from?
This is something that is great to consider because we do want to make sure we go for the optimized model for that website visitor as well. Something to also note is that there's increasing attention worldwide on Global Privacy Control. This is browser-based, either as extensions or actual browsers. That is essentially a signal that is set by the user that says, I don't want to use any sort of tracking or other technology, only what is strictly necessary for the website to function.
And you do need to have a process in place to respect global privacy control on your website. But of course, not every customer interaction is just going to be a website visitor. There are going to be instances where you're actually collecting data, whether it just be first name, last name, or email, or enhanced data. And we want to make sure this is managed.
And again, you want to integrate with these different collection points that you have in place, whether it be through your web, but it can also be offline. It can also be throughout the application. Make sure that consent record is maintained, but also building up a user profile of what they consented to and not, so that we're really sure what we can send or use that individual for. And that's going to enable our marketing objectives to be met, but in a way that, of course, respects their privacy and the law that we have.
So typically, we see that kind of integrated, of course, with your website when someone's signing up for a newsletter or signing up for products or services. But like I said, it can be other offline or other collection points where essentially we're taking individual's data. And the important thing is for us to understand what data we collected, what was agreed to, where was this collected from, what was shown to that individual, so that when we ultimately go to use that data, we can be really sure what we're able to use it for and optimize the use of that first party data that was collected.
But likewise, we are going to want to obviously give the individual the opportunity to really manage their preferences. And this is where we do build up consumer profiles, so that when they go into a preference center, either through an email, through logging into their account, or another method, this links to that profile so they can see what they've consented to. And if they do wish to update this, they can do so.
But the great thing about integrating a consumer profile with a preference center is that ultimately you're not just completely terminating the relationship with that individual. We are giving them the ability to have that granular level of choice, of maybe opting in and opting out of certain activities or marketing campaigns, without completely terminating that relationship.
On the other side, though, most privacy regulations do have the requirement that we give individuals full privacy rights, so not just opting out of certain activities, but things like the right to be forgotten or to have that data deleted, rectification. We see the do not sell or share requirement under California. So we see that we want to give people the choice to exercise different types of rights, from maybe just updating preferences right up to fulfilling full privacy rights requests, as is required under a lot of regulations that we see globally.
And of course, these can end up being really challenging to fulfill because, you know, data ends up in lots of different locations, used for different purposes, controlled by different teams. But most of these regulations do have time limits on the time in which we respond. So we want to make sure that from intake to fulfillment, this is as efficient a process as possible.
So typically, we see customers incorporate an intake form into either their privacy policy or as part of that do not sell requirement that you see under CCPA, where the individual can, you know, submit the request, and we take the right information from them to be able to fulfill it. And then obviously creating a centralized queue in order to actually fulfill these requests.
And again, maybe one of the best practices that I see is that we do have different queues for employee requests versus consumer requests. So one of the big changes that was seen in California is that now employees are in scope; they have always been in scope of regulations like GDPR. But typically, you know, the systems and who needs to be authorizing those requests is a little different. It's very HR and legal focused. So you can have request routing put in place, should that be the most efficient way to respond to these requests.
Now, of course, you know, there are going to be different steps that you need to go through, whether it be validating the identity of that individual, or when it comes to actually fulfilling this request. And to make sure that your response is as efficient as possible, you want to make sure you have automated application of workflows to involve the right individuals, to be able to either identify the request or to fulfill it. But that fulfillment aspect is what is often the biggest challenge. Like I said, data ends up sprawling in different locations.
And how can we find the data of Joe in this particular case? This is where you do want to be starting to think about utilizing data discovery solutions that will take the identifiers of the individual, maybe first name and email, do lookups of that data and return the results for us to then fulfill the request, whether it be a deletion or access request, which are the two typical request types. If it is an access request, obviously, we then want to be providing that to individuals through a secure portal.
If it is one of the deletion requests, then, once we've gone through our due diligence, completing the next steps in order to fulfill that deletion request. Now, it might not necessarily be an automated deletion in the source system; that can often be dependent on the security in place. But maybe we want to have a workflow whereby we open up tickets with the relevant team with the location and types of data to then either be deleted or anonymized, depending on what's available in that system.
So here, for example, from the consumer perspective, obviously, they don't see all of this in the background. This is all going to be done through a portal like this, where they can then obviously see the update of the request and obviously see the information if it is an access one as well. Always remember that ultimately, you're going to be wanting to prove the great work that you're doing, but also proving that your privacy program is effective.
And there will often be cases where you do need to report on your response times to these requests, how many you've received and how that plays a part in your overall program. So you're going to want to also be including metrics on number of requests, times of completion.
And also, if you're looking at the individuals involved, what activities they're doing in their time to complete them. So that's on the giving individuals the kind of control aspect. The other part is then operationalizing your program and also integrating this into your broader data governance program. And when it comes to what was kind of the traditional aspects of privacy, when it comes to the main parts that you needed to be implementing for GDPR and other regulations, these are still super important, of course, and still really the foundation of your privacy program.
And these are the typical areas that we see customers focusing on when it comes to responding to not only their compliance objectives, but also making sure that their privacy program can also integrate with other areas of the business. So of course, for you to really respond to your privacy requirements, you need to understand what personal data you have and where, as well as other relevant metadata. You do need to be performing risk assessments. You need to be understanding your third parties. And of course, respond to incidents and breaches where personal data is involved.
But of course, as Paul kind of spoke about in his presentation, data resides in all sorts of different locations. It can be both structured and unstructured data. It could be on-prem. It could be in one of the cloud providers. So it's increasingly becoming a challenge for organizations to understand where they have personal as well as other sensitive data types. So we are seeing a shift in organizations to move towards using an automated data discovery solution in order to understand what types of personal data we have, as well as to collect other metadata to meet other privacy objectives.
So increasingly, we're seeing in regulations the requirement to have data minimization or retention applied. So looking at how long we've had data for and when it was last used, as well as collecting data around access to ensure that we've got the right access to data and that it's kind of removed for the sensitive data types that are found in there. Data discovery is great because it can work with different data types. It could work with both structured and unstructured data, as well as, you know, SaaS applications.
And it allows you to automate the understanding of data, whereas before you would rely on that human element. And of course, data could be hidden.
You know, it can be very difficult to understand where there's personal data in, like, files found on, say, things like a file share. So utilizing data discovery is really going to kind of expand your understanding and governance of what data you have, as well as being able to use that to meet your privacy compliance objectives. So here we can see, for instance, this is a sample of the scan results that we've completed using our data discovery solution.
You see we've kind of scanned a whole bunch of different types of systems and understood, you know, what data we found and where, using all sorts of different classification methods that we have configured within the tool. We have your traditional regex, but also we can utilize kind of AI technology as well, which is particularly useful for unstructured data. But of course, the more technical aspects of that, understanding, you know, where we have systems, what data, as well as other relevant data, are very useful, very needed for your kind of broader data protection.
But there is still that requirement that we need to understand not just what data we have and where, but how we're using it. Of course, this is found under GDPR in Article 30, building up that record of processing activities. But in general, for you to be a kind of privacy-led organization that has privacy by design instilled, you need to understand as an organization how we're using that data, what's our legal basis, who's using it, etc. So this is where you can utilize your data discovery to understand the data, you know, at rest and then start to link it to the processes that we have.
So you can build up those Article 30 reports, but also build up a much better map of your data. So here you can see we have a kind of inventory of the processes that we have in the organization. This can be built up in different methods, either through sending, you know, assessments to people or having them, you know, report on this. And we can also start to add attributes of those processes that will allow us to, you know, understand further how we're processing data as an organization. So you'll see here, these are very focused on what's required under Article 30 of GDPR.
But if you are a global organization that also needs to understand how we're using that data to respond to other privacy regulations, then you can add those types of attributes. You see here, we've got ones focused on the California Consumer Privacy Act.
Now, of course, a lot of this information does still need to come from humans. You know, we're getting very smart when it comes to automated privacy technology, but there's still a, you know, human element. Ultimately, it's the individuals who are, you know, doing this day to day in terms of using data, performing those processes. They are the ones that are going to be able to best give you the insight into that, to feed that into your broader data map.
But likewise, there are going to be circumstances where you're, you know, doing what is kind of referred to as high-risk processing, maybe due to the amount of data or the types of data, where under a lot of regulations now, you do need to be doing enhanced privacy impact assessments, or DPIAs, using GDPR terminology. But again, these can end up really being a blocker to the business use of that data. So we want to make sure that it's incorporated into your existing processes.
And we have a lot of different templates available that allow you to, you know, perform these impact assessments efficiently, or you can obviously go ahead and build your own. So this allows the collection of the relevant information to do that risk assessment. And then we can actually build in rules to define what are the next steps based on that information given.
Likewise, a lot of this information is going to be super useful for your broader kind of data mapping initiative. So let's get this information and use it to populate your data map.
And again, to kind of really instill that concept of privacy by design, we really recommend customers embed this into, you know, their kind of project or process map that they have in place. So when someone's developing a new product, when someone is, you know, running a new marketing campaign, when someone is adjusting the way that we're using a tool, what we encourage is that they proactively, you know, at least give the basic details of what they are doing.
And then from there, it can be determined by either the privacy or legal team whether we need to be performing a full kind of privacy impact assessment. Likewise, as well, there's always the opportunity that if you've been made aware that certain projects are happening, we then proactively send them that assessment. And then it's just a case of the individual detailing what they're doing in a very easy-to-fill-out questionnaire with prompts and hints and different question types. This is typically obviously filled out by someone that doesn't work in privacy or data governance.
So we want to make it easy for them to, you know, give the right information, but again, not impacting their job too much, because ultimately this is very important, but it's not, you know, their day-to-day objective. But the key reason for doing this is not just understanding, you know, what they have in place, but to identify potential risks that then need to be remediated.
But again, we want to do this in a way that is very efficient. So make sure that the risk flagging can be automated, or at least that the kind of remediation processes are done in an efficient way based on a workflow. The last aspect to kind of building up this really important map of your data and how we're using it and the risk involved is of course your processes, you know, where you're using third parties, the profiles of them, and of course the risk in those third parties.
So you'll see as part of our inventory, we can also include a list of what vendors we're utilizing as well as, you know, profile information around them. And of course the risks that are, you know, presented through using that process so that we can hopefully mitigate them.
Again, this could be sourced through lots of different channels. It could be sourced through integrations with, you know, other tools. It can be done through risk assessments, or you can also utilize an exchange. This is something that more and more organizations are utilizing because there is a push towards kind of common frameworks when it comes to third-party analysis. So let's utilize risk assessments that have already been completed on these processes and look at, you know, how they're utilizing data and the protections that they have in place.
So here you can see an example of the OneTrust Exchange, and it includes lots of information and scoring around that vendor that's going to allow you to do a really quick risk analysis of them. The last aspect of this is, of course, you know, incidents happen, things happen, people make mistakes.
But, you know, more and more it's becoming really, really vital that the way we respond to them is, you know, efficient and that we're having a comprehensive review of how we're responding to incidents, especially those involving personal data. If it's done incorrectly, not only are we going to, you know, break the law when it comes to privacy regulations, it's going to potentially cause, you know, reputational damage.
So, again, we want to incorporate an incident response process that allows individuals to really report those incidents easily, but also lets the teams that are required to respond to those incidents do so. So the complexity of this, like a lot of things in privacy, is that, you know, different regulations in the world have different requirements when it comes to how you respond to and report incidents. And likewise, the kind of thresholds of, you know, when you need to be, for instance, notifying the individuals whose data has been affected.
So this is, again, where you want to make sure you have the correct workflows in place, but also that you know what your responsibilities are when it comes to, you know, the jurisdictions that have been affected. So here you can see, you know, we have an integrated incident response module here, but it also has incorporated guidance as to whether you need to be notifying supervisory authorities, whether you also need to be notifying those individuals as well, as well as other kind of security frameworks that have requirements when it comes to responding to incidents.
Last but not least, a lot of this work that you're doing in order to, you know, mature your privacy program can really be used by other parts of the business and really be fed into other areas of your data governance initiative. And one of the aspects I showed you at the beginning was the data discovery solution, which is going to scan and classify data, as well as collect other relevant metadata, in order for you to really profile what data we have.
Now, this is going to bring benefits to your, you know, privacy program, but it's also going to allow you to bring in governance on that data. So what you can do is set policies where we have, you know, data meeting certain criteria that we need to be improving. We can then improve that through automation rules.
So here you see a couple of examples of, during that data discovery process, the type of data issues that we can kind of surface and then bring in remediations that benefit privacy, obviously, particularly if there's personal data that needs more protection, for instance, but also benefit other teams as well. And you can work collaboratively in order to ultimately improve our data landscape. And then ultimately that means we can use our data more efficiently.
So here we can see, for example, where we found sensitive data in the data warehousing solution, making sure that the proper protections are in place with that sensitive data, but without, you know, completely removing access for everyone, doing it more dynamically so that we can more efficiently use that particular data set. Likewise, as well, obviously, a lot of this information we then do want to be feeding into a data catalog.
The data catalog can be used by, you know, lots of different personas within an organization, whether it be data stewards wishing to, you know, improve their data sets or BI analysts looking for reports or data sets to create particular reporting. So, of course, if we have brought in that governance, we're happy that the data is protected. We're happy that it's personal information that we can use, or at least that it has the right tools in place to enable us to use it.
We can then feed those insights into a data catalog solution so that individuals who need to locate trusted data sets that have gone through that privacy-focused governance approach can then do so and ultimately locate the data sets they need for, you know, their own individual or their team objectives.
Finally, you know, one of the aspects that's becoming more and more important for our customers and also for just, you know, broader data transformations is, of course, understanding the journey that data takes as well. This could be through a compliance lens.
You know, we see data transfer requirements, until the EU and the U.S. agree on a transfer mechanism, but also in other locations.
But also, as we want to understand the data journey and the potential impact that that's had and, you know, things like access and remediation of that data, using tools such as lineage is going to become more and more important as we start to understand, you know, the cross-border but also the intra-transfers of data. Now, lineage is a complex thing to do. It's a complex thing to create.
So, you can't expect that there's a plug-and-play that's able to visually show all the transfers of your data within one minute. But it's a tool that you can start to incorporate into your privacy and data governance program to start to build up a better map of, you know, where data is residing, where it's kind of transferring to other systems, but also our kind of intercompany transfers of data and how that's sourced, so that we could start to bring in improvements and also kind of remediate issues when they're found up there.
Excellent.
So, that's kind of my presentation. I think I may have gone over time a little bit there, Paul. So, apologies. But thanks for letting us present this part of how we're seeing customers implement their privacy programs.
Absolutely. No problem. No, thanks. Well, I said dashboarding was important. So, there's no doubt about it. Thanks so much for that in-depth look at OneTrust. We do have a little bit of time left.
So, quickly, the poll results: 88% of people said that they have a data governance program in place, which is pleasing and actually a lot higher than I thought. And then the second poll, which considered the clouds, there we have it.
So, as I said, "no idea" is not a joke answer. I think it's actually important because it just shows, you know, the challenges of having multi-cloud, in that some clouds we don't even know exist. And if there's a cloud, then there's data on it somewhere. Only 8% use just AWS, Azure, and GCP. Good news for other cloud providers. 25% use more than three, including AWS, Azure. And 17% use more than three, but not including those big guys.
So, Sam, any comment on those results there?
I think it's not surprising. Obviously, a lot of organizations have cloud-first initiatives, but that's easier said than done. So, I think the fact that a lot of companies are still using a combination of different data storage methods is still going to be prevalent for quite a while. So, not super shocking results, to be honest.
Okay. We have got time for a couple of questions, if I can just get them up on my screen here. Okay. Yeah.
I mean, we talked about unstructured data as kind of like the elephant in the room. Or maybe it's not the elephant in the room. But anyway, the unstructured data is the tricky bit. How does OneTrust discover that?
Yeah. So, unstructured data is obviously tricky because it can take different forms. And often, as well, when you're looking for certain data types, it's all about the context, right?
So, if you look at, like, a document, there could be personal data in there, but it's really defined from the context of how it's used. So, that probably is tricky. And obviously, the volume of it as well.
So, one of the things we developed is a scalable way to be able to scan unstructured data. And truly, for you to really understand the data you have and govern it, you need to do that by scanning the actual data itself. If you just collect the metadata that's generated from unstructured data, it won't really help.
So, we actually scan documents, images, PDFs to look at the data in there. The other way is then using kind of models that we've trained in order to, like I said, look at the context and the kind of where that data resides. A good example we give is that Jordan can be a country, it can be a brand, it can be a name.
So, you need to look at how that's used in order to understand whether you've got personal information there or not contained within that particular document. So, huge challenge for organizations is, as we all know, there's a lot of different places that unstructured data can reside, and it can often include quite sensitive data types.
You know, the number of times organizations have used our solution and found really sensitive information contained within things like SharePoint, or file shares, or S3 buckets, and not just sensitive personal information, things like intellectual property as well. So, through having a scalable solution that scans and classifies different types of unstructured data and also uses different models to classify it, you're going to be able to, you know, bring in much better governance on it.
It's going to be, you know, a long-term project. It's going to need to, you know, evolve as you evolve the way you handle it, but it's something that's going to be really important for most companies because it's a massive vulnerability for a lot of organizations.
Sure. One thing that I didn't talk about, and you did, and that is consent, which is increasingly hugely important. So, how does the data discovery deal with those requests? You know, now every time I go on a website, there's, you know, accept cookies, this and that. How do you help with processing data subject requests for access and deletions, which must be really hard?
Yeah, it is difficult. I mean, the first thing we say to customers is, you know, start to understand where potentially the data of those individuals resides, and that's where, you know, data mapping combined with, you know, discovery and cataloging is important because you need to understand where we have to look up that individual's data. And then the second is, you know, we really do think using automation is key here. I'm not just saying that as a software provider.
Ultimately, for you to be certain that you have located that individual's data, doing so in a manual way, you know, can often mean that that data is missed. So, looking at incorporating workflows with system subtasks that can look up that data is really key.
Now, when it comes to the fulfillment of deletions, a lot of people get nervous that, oh, we can't completely automate that. That sounds horrible. Automated deletion always makes me nervous.
You know, we appreciate that. So, use a combination of methods. If you do want to have, you know, a kind of semi-automated way whereby we create tickets or tasks or projects with, you know, teams where they know exactly where that data is located, but then they, you know, manually go through the method of applying a control to that, then do so. And there are ways that we can completely automate the deletion if there's a requirement to do so; it really depends on where that system resides.
But, you know, these privacy rights are not going anywhere and which they shouldn't because, you know, it's a fundamental aspect of privacy. So, look at a way that you can incorporate automation where you can to respond to these requests and be sure you've fulfilled them.
Okay, fantastic. I'm running out of time now.
So, I'll just quickly mention, I showed you some related research just there, but we will be publishing a new data governance and privacy leadership compass later this year in which OneTrust, I'm pleased to say, are taking part. So, that will be something to look forward to in probably around about Easter time.
So, with that, Sam, thank you so much for this afternoon. Enjoy your time in Atlanta. Is that right? I can't remember now.
Yeah, that's it. Atlanta, Georgia.
Okay, well, have a good time and thank you all for watching today. It's been a pleasure. Bye now. Appreciate it. Thank you.