We founded Soveren to help businesses incorporate data privacy principles into their processes and to ensure their compliance with global data privacy regulations.
We believe that privacy compliance should be a technology feature, not a business constraint. Soveren delivers data privacy as a service, allowing businesses to automate compliance and developers to build applications that incorporate data privacy by design.
We also believe that consumers have the right to full control over how their personal data is used and who it is sold to, and that they deserve transparency about both. Many businesses have benefited significantly by collecting and processing personal data. However, in doing so, some have repeatedly violated personal data protection rights and violated the trust contract that they have with consumers.
Taking data privacy seriously is not only a question of regulatory compliance, it is increasingly becoming a competitive differentiator that determines customer loyalty.
Almost every company that interacts with the growing digital world has to worry about data privacy. And they need to figure out how to move beyond the incessant troubleshooting issues and high cost of compliance. They need to leverage their compliance activities to improve the trust contract they have with their existing customers and attract new customers.
Companies can do this by automating compliance and driving as much cost out of that process as possible.
Once this is established, companies can examine how incorporating data privacy into company operations can be used to achieve a competitive advantage in their respective markets and how that advantage can be extended by incorporating “privacy by design” into their application development from the outset.
One of the first priorities for companies looking to manage their compliance challenges and incorporate data privacy into their company strategy is to pick a vendor-partner who can provide the building blocks to help them navigate that journey successfully.
As the world became more and more digitized, a large number of technology companies recognized the value of collecting and processing personal data. For the first decade of this millennium, consumers allowed these companies to collect and process their personal data in exchange for convenience.
Fast forward ten years and the digital surveillance economy is now in full stride. Before we start our workday, we have told our mobile phone company, our online news service, our ride share company, and even the company that prepares our morning coffee a lot of information about ourselves. By the end of the day, we have shared with e-retail companies, search engines, credit card companies, our car company, and whoever runs the parking application, an awful lot about who we are, what we like, where we go, and what we do. And for the most part, we have been okay with that so far.
But something very important happened a few years ago. Companies began to violate consumer trust. The many data breaches — especially thefts of personal and financial details — left consumers worried about identity theft and upset with companies about their cavalier handling of sensitive information. The Cambridge Analytica scandal and stories of foreign actors manipulating elections opened people’s eyes to the dark side of the misuse of personal data. In response, governments passed more stringent data privacy regulations to protect consumer rights.
Companies now find themselves at a crossroads where their interest in using personal data to generate revenue and provide better-quality services is in conflict with consumers’ data rights and new government regulations.
The data privacy issue is here to stay.
On one side, companies’ ability to capture and process personal data is growing rapidly. The proliferation of IoT sensors, artificial intelligence, DNA testing, e-health, and the general digitization of most aspects of our lives means that more, and more granular, personal data is being captured than ever before. This data will allow these companies to bring extremely compelling, highly personalized offerings in areas such as healthcare, finance, and transportation.
On the other side, consumers are increasingly exercising their privacy rights and punishing companies that violate their trust. Countries are passing data privacy and consumer rights legislation (currently 132 countries and counting) and enforcing it with increasing regularity.
Companies now face the reality that they need to tackle data privacy head on and integrate it into their strategic thinking. And they are doing just that. Over 500,000 companies in the European Union have appointed chief privacy officers, and US legislation is pending to force all mid- and large-sized companies to do the same. Companies are budgeting billions of dollars to put compliance measures in place. However, a few companies are looking beyond compliance. They want to implement strategies to use data privacy as a competitive differentiator that would build strong trust contracts with their customers.
The first step of a company’s data privacy journey is compliance. Compliance can be expensive. The General Data Protection Regulation (GDPR) in Europe and the California Consumer Privacy Act (CCPA) in the US are the most notable examples of data privacy regulation. It is estimated that GDPR compliance will cost Fortune Global 500 companies $7.8 billion a year, and initial CCPA compliance will cost US businesses $55 billion. Furthermore, failure to comply with these regulations has already resulted in large fines. In the past two years, more than $6 billion in fines have been levied for violations of privacy regulations.
These data privacy regulations mandate that companies must process personal data:
- In a transparent and fair manner
- With a legal basis in accordance with the consent given by the consumer
- In a way that protects it against unauthorized and unlawful processing
- In a way that protects it from accidental or unlawful destruction, loss, alteration, and unauthorized disclosure

They are also required to:
- Process the minimum amount of data necessary
- Keep data only for as long as necessary
- Keep data up to date

In addition, consumers have the right to issue Data Subject Requests (DSRs) that require a company to:
- Provide a copy of all the personal data that they hold on that person
- Describe how the data is used (processed)
- Disclose who the data has been sold to

Consumers further have the right to demand that:
- Personal data be updated
- Personal data be deleted entirely
- Their consent be adjusted to reflect new permission restrictions, including that the data should not be sold to third parties
Companies typically have 30 to 45 days to comply with such requests, depending on the jurisdiction. Because personal data and the related consent are distributed widely across a typical organization in many different kinds of systems, DSR responses involve a lot of expensive manual processing, and they can have many errors and omissions. According to Gartner, an average DSR will cost $1,400, and some larger companies receive 500 or more DSRs per month. As the trust contract between companies and consumers erodes, and as awareness of data privacy rights under this legislation becomes widespread, the number of DSRs a company has to process every month is skyrocketing.
In response, many companies are turning to software vendors who specialize in data privacy compliance to help them automate their DSR processes.
Software vendors such as Soveren provide the tools to systematize and automate compliance with data privacy regulations.
The major building blocks of compliance automation are:
Data mapping and inventory tools are used to record where all the personally identifiable information (PII) resides in an organization. Graphing technology is used to understand the relationships between PII, consent, and processing type.
With this information in hand, an organization is not only better able to understand its risk of noncompliance or customer dissatisfaction, it is also better able to efficiently respond to DSRs and regulator demands for reports.
Setting up a self-service portal is the most efficient way to process DSRs. Once a consumer has been validated, the data map can be queried, and a report generated instantly. Should a consumer wish to request a data change or erasure, or change their consent, those changes can be made through the portal and automatically sent to the systems in which the data and consent are stored.
Existing applications and data stores need to be mapped and constantly monitored and updated. However, new applications can be designed with data privacy coded into their fabric. Soveren provides an API into its service so that applications can determine in real time if PII processing is appropriate and control who has access to the data and for how long. It can ensure that activity is logged properly so that reports and DSR responses are accurate and timely. This service becomes part of the fundamental data processing infrastructure for the organization.
Applications also must deal with the reality that there are many different and constantly evolving regulations that may impact the PII records they are processing. Partnering with a service that can be relied on to manage the variability of the regulatory landscape and automatically incorporate appropriate actions simplifies development, reduces maintenance, and improves compliance.
Those applications that can easily leverage the data privacy infrastructure can support advanced configurations, such as the need to split PII data from non-PII data and store the PII data on a server in a particular geography, or support a variety of encryption schemes.
A potentially game-changing advantage of implementing an API-accessible data privacy service is that it will be able to support multiparty configurations. Groups of companies that work together to deliver goods and services may have to collectively demonstrate data privacy compliance.
We at Soveren believe that personal data is an important and valuable resource that allows for improved, personalized experiences for consumers. We also strongly believe that consumer data should be handled with care and respect. With the right data privacy infrastructure, companies do not have to choose between wanting to maximize the productive potential of personal data and respecting consumers' data privacy rights and government regulations.