Is Data Privacy Evolving Into Data Rights? Checking-In On Data Rights Management (DRM)

In a January 2021 interview, Joseph Carson, chief security scientist and Advisory CISO at Thycotic, predicted, “Ultimately data privacy will evolve into Data Rights Management which means rather than giving up personal data for so called free use of internet services, citizens should and can get paid for allowing their personal data to be used for marketing purposes. It will become more about how the personal data will be used, and what monetization is resulting from the data. In the future everyone will become an influencer this difference is how much is it worth.”

Though we cannot predict the future of data rights management, one thing is certain: customers and other users want more control of their data and, as a result of recent regulations, now have the power to exercise it.

As a result of data laws such as GDPR, data subject access requests (DSARs) have surged. In fact, in the year following the implementation of GDPR, customer data solutions provider Segment experienced a 45% increase in customers requesting data deletion.

Despite this increase, DSAR processing has continued to be an expensive and time-consuming process fraught with security vulnerabilities. In fact, the average mid-sized British company spends approximately $2 million every year processing DSARs. That’s about $5,982.25 per request, with a little less than half taking over 30 days to complete. The most difficult aspects of processing involve locating personal data in an unstructured format, monitoring the data protection practices of third parties and data minimization.

With that in mind, companies are rethinking and developing new approaches to data rights management (DRM). 

DRM Tools and Solutions

According to the October 2020 The State of Data Rights report:

  • 82% of companies manually manage DSARs with a front-end portal or similar submission form.
  • 24% use backend data fulfillment automation software.
  • 15% utilize consent and preference management tools.
  • 13% rely on data discovery platforms.

In terms of investments in future solutions, the two biggest contenders are:

  • 51% - Data discovery/inventory/mapping.
  • 34% - Consent and preferences management.

 

30% of respondents indicated that they had no plans to invest in additional solutions. 

Secure DRM

Given that a DSAR could include requests to obtain, delete or transport personally identifiable information (PII), validating the identity of the user is paramount. As more and more customers, employees and other data stakeholders make data-related requests, ensuring secure access will become increasingly challenging.

What is the DSAR Processing Workflow?

Image sourced from https://www.ey.com/en_us/forensic-integrity-services/how-to-comply-with-data-subject-access-requests 

According to the aforementioned The State of Data Rights report:

  • 47% of companies verify a data subject’s identity via email only.
  • 47% accept photo identification (e.g., driver's license or passport).
  • 30% require login with email and password.
  • 29% use challenge questions.
  • 15% leverage an identity proofing platform.

In addition to validating the user’s identity, sharing data with users also presents a number of security-related challenges. Though many companies reportedly still rely on email to transfer user data, this approach has proven to be high risk even if data is encrypted. Instead, companies should utilize self-service portals that use encryption to protect data throughout the DSAR lifecycle. That, combined with clear procedures for handling sensitive data, is key to building a future-facing DRM strategy.