Data Discovery Doesn't Reduce Privacy Compliance Risks

Enterprise data is complex and snowballing. Privacy and data/IT teams have the impossible job of protecting the data while data is ubiquitously available across the organization. Organizations often focus on data discovery and classification. But they fail to apply similar rigor to analyze who is using the data and how it is used.

Why is data discovery not enough?

Unfortunately, in reality, most privacy fines are caused by non-compliant processing activities. Refer to the chart below that summarizes GDPR fines to date. 55% of the penalties are for processing activities. Therefore, understanding who uses the data and how they use it becomes critical.

For instance, Twitter was recently fined $150M for using customers' phone numbers that weren't intended for marketing purposes.

A modern approach to privacy and compliance

Delivering privacy and meeting compliance depends on many factors, including:

• Type, the sensitivity of the data
• Potential impact on the data subject and the organization in the event of a breach
• Geography, role, and function of the users of the data
• Variety, purposes, and location of processing activities

Current data discovery/classification tools focus on finding personal data (WHAT). But data discovery tools don't analyze the users (WHO) and activities (HOW). As a result, businesses spend months after completing a data discovery exercise to understand the risks and meet compliance.

Protecto tackles the questions that data discovery/ classification tools don't answer. We help companies holistically answer the following privacy questions.

• Who has access to personal data?
• How is the data used?
• Where are our highest privacy compliance risks? Where should we focus?
• How can we reduce risks?
• How do we avoid one-time activities and achieve continuous compliance?