E-Compliance is a rising topic among organizations. The introduction of consumer-friendly legislation such as GDPR and CCPA in recent years is excellent news for citizens, but undoubtedly poses technical challenges to organizations. These regulations mandate that organizations adhere to two principles: Right-to-be-Forgotten (RtbF) and Right-of-Erase (ROE), two rights given to individuals (also known as Data Subjects).
Data Fragmentation is a Nightmare
Data is fragmented by nature and spread out across multiple systems and locations. It could reside on-premises in files or proprietary applications, in SaaS applications, and even in backup records, just to keep the list short. Addressing this regulatory requirement often turns into a nightmare, as there is no clear solution that covers them all.
After going through tedious steps to eliminate personal data, the issue is still not over. Users who asked for a full opt-out may be enrolled again, intentionally (through a new purchase, for example) or not (imagine a new sales person bringing in their client base and accidentally re-adding that user).
Organizations need to continuously monitor their data for compliance. This can be done, but it raises another challenge: how do you keep track of someone in order to ensure you aren't tracking them anymore?
Continuous Compliance with Anonymity
We recently talked with ComplyTrust, a startup focused on continuous data privacy compliance. One of their solutions, branded Forget-Me-Yes, revolves around durably addressing RtbF and ROE. The solution is API-based and currently allows organizations to locate, organize and manage data subject personal information in a secure, efficient and persistent way.
The solution maintains the minimal viable information needed to identify a data subject who has requested that their records be deleted. That information is hashed, encrypted and stored. If unauthorized data subject records re-emerge, Forget-Me-Yes is able to identify these records and inform the relevant organization that it is in breach of regulations.
The current version offers reporting capabilities, and the next iteration should also allow deletion of data subject personal information. We recommend checking the Forget-Me-Yes solution web page, which provides a detailed feature list for the product and explains how security is handled.
While we didn't engage directly with ComplyTrust, we received a friendly tip to check their solution, and we have to admit that we were positively impressed by the current features as well as the potential of this solution.
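To make the mechanism concrete, here is an added illustration of a suppression list that keeps only a keyed hash of a normalized identifier and flags re-emerging records; it is not ComplyTrust's code, the keyed hash (HMAC with a secret pepper) is an assumed stand-in for the page's "hashed, encrypted" storage, and the registry, pepper and CRM records are constructed.

```python
import hmac
import hashlib
import unicodedata

# Constructed secret pepper: in practice loaded from a KMS/HSM and never
# stored beside the suppression list it protects.
PEPPER = b"constructed-demo-pepper-do-not-reuse"


def normalize_email(email: str) -> str:
    """Canonicalize an e-mail address so trivially different spellings of
    the same identifier (case, whitespace, Unicode forms) yield one tag."""
    return unicodedata.normalize("NFKC", email).strip().lower()


def subject_tag(email: str) -> str:
    """Keyed hash (HMAC-SHA256) of the normalized identifier. An unkeyed
    hash of an e-mail address is reversible by enumerating likely
    addresses; the pepper prevents anyone holding the list from doing so."""
    return hmac.new(PEPPER, normalize_email(email).encode(), hashlib.sha256).hexdigest()


class ForgottenRegistry:
    """Suppression list: stores tags only, never the identifiers themselves."""

    def __init__(self):
        self._tags = set()

    def forget(self, email: str) -> None:
        self._tags.add(subject_tag(email))

    def is_forgotten(self, email: str) -> bool:
        return subject_tag(email) in self._tags

    def scan(self, records):
        """Return ids of records whose subject previously asked to be
        forgotten; the scan learns that a record matches, not who it is."""
        return [r["id"] for r in records if self.is_forgotten(r["email"])]


# Constructed sample: one erasure request, then a CRM import that re-adds
# the same subject with different casing and stray whitespace.
registry = ForgottenRegistry()
registry.forget("Alice.Example@mail.test")

CRM_IMPORT = [
    {"id": "c-101", "email": "bob@mail.test"},
    {"id": "c-102", "email": " alice.example@MAIL.test "},
]

REEMERGED = registry.scan(CRM_IMPORT)  # → ["c-102"]
```

Matching is exact on the normalized identifier, so a subject who comes back under a new e-mail address will not be caught; that limitation applies to any hash-based approach and is why the minimal identifying information kept matters.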
Adherence to data protection regulations through e-compliance is usually a feature offered by data protection vendors as a part of their product suites. It is a complex and challenging topic to successfully implement, which explains why only a subset of those data protection companies have viable e-compliance solutions.
We believe that a solution such as ComplyTrust, although extremely focused, has the potential for a lot of success. It is not yet clear what business model this company envisions. They could decide to operate the service as it works now, i.e. through a subscription model based on a certain number of API calls. Such a model would be available to organizations, as well as to data protection vendors who could forge partnerships with ComplyTrust (i.e. "e-compliance from vendor XYZ powered by ComplyTrust").
On the other hand, the IP seems so compelling that another probable strategy (or rather exit) would be to sell the product and IP to a large data protection contender.
Whatever happens, we believe that ComplyTrust sets the way for e-compliance done right.