Companies are collecting more data than ever about their customers and employees, while at the same having to comply with a growing number of privacy regulations both in the U.S. and abroad.
These laws are forcing organizations to create inventories detailing what data they have, where the information is stored and how it’s being processed.
If this work is undertaken in a manual fashion, it can take large businesses months to complete and be quite costly if outside expertise is needed.
To help organizations with their data cataloging efforts, the legal, governance and risk software provider Exterro recently released its Smart Data Inventory solution.
Company officials said the technology not only quickly provides detailed information about an organization’s data activities, but it also produces regulator-ready reports mandated by privacy laws in the U.S. and abroad.
Overall, the product “forms the foundation of an organization’s privacy compliance program,” Exterro’s Chief Product Officer Ajith Samuel told Legal Dive.
Tracking data usage
Exterro officials said creating effective data privacy and governance programs starts with organizations securing a real-time understanding of the data within their systems, as well as cross-border data transfers.
The Smart Data Inventory tool provides that type of information to businesses by identifying the data they collect and use, including personal data about individuals.
Additionally, the tool can help users track why they are collecting certain information, who might be receiving that information and where that data is stored and/or used.
In this way, Samuel said the Smart Data Inventory operates like a GPS for a company’s enterprise data landscape.
Ray Pathak, Exterro’s VP of data privacy, added that these functionalities are key because “a company’s ability to meet their compliance obligations is directly impacted by their ability to understand what information they have, where it lives, how it’s being processed and how long they keep it.”
Compliance with regulations
To further aid compliance, the Exterro software provides automated, AI-driven discovery of personally sensitive data and related data subjects. It then highlights which external regulations or internal policies are triggered by these discoveries.
Exterro provided the example of an organization collecting fingerprints from elderly individuals for use in administering health and wellness programs. In the hypothetical use case, at least one individual lives in Portugal and all the data is stored in France.
Based on this information, the Smart Data Inventory would determine that the European Union’s General Data Protection Regulation (GDPR) is triggered because elderly individuals are considered vulnerable data subjects and fingerprints are a special category of data.
Processing personal data with the purpose of administering health and wellness programs also requires an additional assessment, which in this case would be a Data Protection Impact Assessment (DPIA).
As a result, the Smart Data Inventory would flag the processing activity as “likely high-risk” and automatically produce the GDPR Article 35 report as required, according to Samuel.
Furthermore, he said that organizations can use a configurable rules engine to create enforcement triggers for internal requirements that are more restrictive than jurisdictional privacy laws and regulations.
Data Subject Access Requests
Exterro officials said the Smart Data Inventory also helps customers respond to data subject access requests, known as DSARs.
These requests typically feature the submitter seeking to find out what information about them the organization holds and how they are using such information.
The Smart Data Inventory has mapped more than 600 types of personally identifiable information, known as PII, to categories across multiple global regulations, according to Exterro President and CEO Bobby Balachandran.
“If a DSAR is submitted, Exterro Smart Data Inventory will be able to quickly identify what PII is held, how it’s used and where it is stored, making it easy and efficient to respond to the DSAR,” he said.
These capabilities could prove particularly useful to companies doing business in California, a state in which employees and job applicants can now submit DSARs in addition to consumers.
Additionally, Balachandran and Samuel said Exterro’s Smart Data Inventory can help users “future-proof” their data privacy compliance efforts.
They make this claim because they said the software is continually updated to reflect the latest privacy regulations from around the world.
“Thus, if a law is enacted or an existing one changes that requires a specific report when certain criteria are met, Exterro Smart Data Inventory will automatically include these new requirements, ensuring our clients maintain compliance in whatever jurisdiction they are doing business,” Samuel said.