The Necessity of ZERO Trust in Data Discovery for Privacy

I’m not upset that you lied to me, I’m upset that from now on I can’t believe you.”   –Friedrich Nietzsche

As a Privacy stakeholder, whether you are in a Legal, Governance or Security function, you must be certain that you understand all usage of personal data and that it is properly protected. CCPA fines are much harsher in cases of a breach where personal data was not properly protected. Same for virtually all other Privacy regulations.

Here is my question(s):

How can you rely on having quality data if you don’t understand all data uses? How can you be 100% sure of your coverage of sensitive data security requirements if you aren’t 100% sure you see everything?

In a dynamic enterprise there is one truth that is undeniable; business units in the organization create copies of personal data for a multitude of uses, whether it be for marketing, customer analytics or other reasons. This is the emerging use case of Discovery technologies, being able to continuously detect changes in the uses of personal data.

Why has this need arisen?

Because, to quote Dr. House, all patients are liars!

It’s not that they lie on purpose. They just don’t always know what is important and what isn’t.

While data security is not equivalent to data privacy, the two are fundamentally intertwined, and data security often forms the technical execution basis of fundamental data privacy functions.

Data Security is based on the Zero Trust principle. This is the dirty secret that all us veterans in the data security world know; we can’t trust people to tell us about the areas of exposure they have created. A technology that can do that is the only thing that can help.

This is why it no longer makes sense associating discovery with trust based on coverage of data made up of manual mapping of repositories.

There shouldn’t be any.

Photo Credit: https://www.bbc.com/news/entertainment-arts-51197894