I’ve been spending a good deal of time with customers, many of whom have growing concerns about the GDPR—which is no surprise, given that, according to PwC, over half of US multinationals say GDPR is their top data protection priority.
But one of my biggest surprises is how many silver bullet-type questions I’ve been receiving about GDPR—silver bullet being my phrase for the “one and done” solutions that seem to be too good to be true. More colloquially, these solutions might also be described as snake oil. And, quite frankly, when it comes to the GDPR and other data regulations, there seems to be a lot of it.
From my perspective—both at a software product company (selling a solution to help with GDPR) and as someone frequently asked to give legal advice—I thought I’d take to the blog to make a few recommendations.
When it comes to identifying snake oil in compliance solutions, here are a few things to watch out for:
- The One Solution Trap: The more complex the policy requirements, the more complex the solution is going to be. This means that products or approaches that claim to reduce the compliance burden to zero—immediately!—are often overhyped, and frequently unrealistic. The magic of software is that it can, in fact, reduce highly sophisticated actions to automated tasks. But human teams doing complex work in large organizations require human thought, planning, supervision, and more. So when it comes to GDPR, be aware of any product that claims that serious thought, planning, and management won’t be a key component of your successful compliance program.
- Anonymization Without Risk: Anonymization is an incredibly important, and at times a highly effective, way of managing risk and data regulations. But thanks to the rising prevalence and ease of things like linkage attacks, anonymization will never be a cure all. More specifically, to fully guarantee privacy and anonymize a dataset, the utility of the data itself will be significantly reduced (sometimes to zero). On the other hand, the higher the utility, the more risk will be involved—and as long as there’s risk involved in anonymization, serious thought is going to be required. The EU’s Article 29 Data Protection Working party did some pretty great work on the value and dangers of anonymization here. As our CTO Steve Touw says, anonymization is not a “get out of jail free card”—not for the GDPR, and not for other data regulations. In reality, anonymization is more like the business card for a very effective lawyer (if you happen to find yourself in jail).
- Memo-based Enforcement: As much snake oil as there is in the tech product space, there’s also some of it in the old-fashioned legal approach. The reality is that the increasing compliance burden created by new global data regulations cannot be met effectively with the standard, memo-based approach—where a compliance department interprets the rules, sets them forth in memos, and then sends the memos out into the ether expecting full compliance. Resisting technical solutions to the growing problems of data regulations is both antiquated and very ill-advised, especially if you want a successful data science program.
To sum up, it’s really going to take a mixed approach of traditional, old-fashioned legal analysis, project management and new technical solutions to govern data in the world of enterprise-driven AI and advanced analytics. The reality is that governing data successfully is an increasingly difficult job in large organizations, and a lot of tools—technical and not—can help.
So where does Immuta fit in?
Right now, there are myriad point solutions for data science within the enterprise IT landscape—but no connective tissue between all these solutions. There’s simply no one place that data owners, data scientists, business analysts, and compliance teams can go to use the data they need, and to ensure that their data is governed.
And that’s exactly what we’ve built at Immuta—a first-class data management platform that can integrate any storage technology, and any data science or BI tool, while also enforcing complex data privacy and data security policies. Admittedly, we’re not going to solve all your problems. But being a panacea for every data governance issue isn’t a realistic, or even an honest, goal, for the reasons I’ve outlined above.
Instead, our aim is to be the hyper-scale control plane that can solve what we believe are the most important issues in data governance, like accelerating access to data, easily enabling advanced anonymization techniques like differential privacy, and enforcing purpose-based restrictions on data to comply with regulatory regimes like the GDPR and others.
Interested in learning more? Reach out to me at firstname.lastname@example.org.