By Kish Galappatti, Data Privacy Engineer at Privitar
As enterprises start to focus more on data privacy as a core part of their overall data strategy, the decision often comes down to building something in-house to meet the need to de-identify data or buy a vendor solution. This decision should be based on a number of factors that we will discuss in this blog post.
In the early stages of data privacy evolution, many enterprises take an ad-hoc, point-solution based approach to de-identifying sensitive data. These ad-hoc approaches are driven by specific business use cases and are developed using disparate technologies and design patterns. While some of these solutions will meet narrow compliance or regulatory requirements, they are not comprehensive across use cases and compliance frameworks.
Data privacy is complex and highly contextual. The techniques required to ensure effective privacy vary based on each business use case. Ideally, a wide variety of privacy enhancing techniques should be employed within a use case to achieve the right balance between privacy and utility of the de-identified data. These techniques vary from basic masking and tokenization to more advanced techniques such as perturbation and k-anonymity.
Typically, homegrown solutions employ a limited set of basic privacy enhancing techniques such as redaction and perhaps tokenization. This leaves gaps in the data privacy strategy, which increases risk. Another important aspect to consider is linkability of data generated by ad-hoc solutions. Due to the lack of comprehensive techniques, the risk of re-identification by linking several data sets together is quite high. Lack of internal consistency will often reduce the utility of the data as well.
When Buying A Data Privacy Solution Is a Better Option
As data initiatives grow and approach scale, homegrown solutions become increasingly problematic. Enterprises require a streamlined provisioning process that can meet the volume and breadth of data usage in their organizations and stand up to regulations and audit. While manual approval processes and bespoke scripting may have worked at small scale, these approaches are slow, unreproducible and ultimately break under enterprise load. This is when it is time embrace a systematic and automated approach that removes the friction between data users and sources while enforcing data privacy
Using a data privacy platform can streamline and automate data privacy, eliminates slow, error prone manual processes and automatically applies privacy controls across datasets. This makes it easier to get the right data into the hands of data consumers, and enables faster time to data-driven insights.
For example, The Privitar Data Privacy Platform™ ensures that there is centralized governance and that best practices are applied across all use cases in a comprehensive manner. The platform enables you to take a policy-based approach to managing privacy risk rather than a narrow technical one. From a governance aspect, it offers you robust audit and traceability features, including both changes to data privacy policies, as well as who owns and uses the data, and where it goes. Watermarking and digital fingerprinting features allow speedy forensics in case of a breach but also help build a culture of data ownership and due diligence.
Applying advanced privacy enhancing techniques on terabyte or petabyte scale data sets is non-trivial. It requires distributed processing and orchestration capabilities that are complex to develop. Lack of such capabilities introduces delays in using data and causes friction when it comes to integration with existing operational processes.
In summary, data privacy platforms like Privitar provide key benefits that homegrown point solutions cannot, and become more important for organizations as their data initiatives come to scale. In addition to offering a variety of privacy enhancing techniques, a data privacy platform can centralize policy management, as well as have robust audit and governance capabilities that enable data privacy risk to be managed at an enterprise level rather than in an ad-hoc manner.