August 18, 2023
How to Achieve Global Data Privacy Compliance in 2023
Learn about the challenges of achieving global data privacy compliance in 2023, and how Skyflow provides scalable architectural solutions to help global companies meet these challenges.
Since the EU’s General Data Protection Regulation (GDPR) went into effect in 2018, at least a dozen different countries and states have either enacted new data privacy laws or strengthened existing ones – many of which share similarities with GDPR. Even within countries like the United States, recent years have seen the rise of state-level privacy legislation like the California Privacy Rights Act (CPRA) and the Virginia Consumer Data Protection Act (VCDPA).
If you thought achieving GDPR compliance was tough, then imagine the complexity and effort involved in achieving regulatory compliance with several GDPR-like regulations, each subject to local legal interpretations of the concept of “data privacy” across each country where your business operates.
In this post, we’ll show why you should use a data privacy vault to both improve the security of your sensitive customer data and simplify global data privacy compliance instead of taking a piecemeal approach toward satisfying individual privacy laws.
Why Global Data Privacy Compliance Is Important
Across every region where your business operates, you need to store and manage sensitive data in accordance with local data privacy laws or risk legal penalties that include fines or other sanctions.
For example, say that your U.S.-based business collects personally identifiable information (PII), protected health information (PHI), and PCI data from users in both Australia and Brazil. If you are unaware of the data protection laws in place in these markets, you might send Australian and Brazilian residents’ plaintext sensitive data to your U.S. database as part of regular data operations to support workflows like analytics. But by doing so, you would be unwittingly violating laws in each of these markets that limit or prohibit such unapproved data transfers.
Such violations of global data privacy laws can have negative consequences for your business, including:
- Hefty fines: Businesses of all sizes are subject to fines for data privacy violations. A large multinational business like Meta, for example, recently faced a fine of 1.2 billion euros under GDPR, while the same regulation was used to fine a local German chat website business 20,000 euros.
- Bad press: In addition to costly penalties, non-compliance with local data privacy laws can harm – and in some cases, even ruin – the reputation of your business. For example, in addition to facing a £18.4 million fine ($23m) after a 2020 data breach, Marriott International paid an even larger price when its share price dropped by 8.7% in the aftermath of this incident.
- Local bans: Violating data privacy laws like GDPR can get your business barred from operating in a particular country or region. For example, the Italian Supervisory Authority (SA) banned ChatGPT from operating in Italy on March 31, 2023, because OpenAI, a U.S.-based company, hadn't yet implemented an age-verification system to prevent the service from collecting data from children. This ban was subsequently lifted, but companies can’t count on local bans like this one being short-lived.
How to Simplify Global Data Privacy Compliance with Skyflow
You can comply with a wide range of data privacy laws across the world by using Skyflow Data Privacy Vault to isolate sensitive data, protect this data with a variety of tokenization and encryption techniques, and control who can see what, where, and when with fine-grained access control. Skyflow also lets you localize sensitive data so you can comply with data residency requirements, and supports securely sharing sensitive data with trusted third-party services.
Isolate and Protect Sensitive Customer Data
Isolating sensitive data in a data privacy vault keeps that data away from your other systems, avoiding sensitive data sprawl and thereby reducing your compliance scope. And protecting sensitive data with multiple encryption and tokenization techniques not only preserves data privacy, it also helps companies to maintain compliance.
Data Isolation and Sensitive Data Sprawl
Sensitive data sprawl occurs when sensitive data is replicated as it’s copied and stored across various applications, databases, data pipelines, and logs — making it impossible to effectively govern access and increasing the work required to comply with data privacy laws and industry standards. You might store customer information in your customer relationship management (CRM) system, for example, which later gets replicated to your billing system, data warehouse, and analytics tools, and even to third-party SaaS apps. Systems that contain plaintext sensitive data are part of your scope of compliance, meaning that they are included in any audits or certifications.
When you start investigating the extent of sensitive data sprawl in your systems, you’ll probably discover that sensitive data is present nearly everywhere, as shown below:
With Skyflow, you avoid sensitive data sprawl by storing plaintext sensitive customer data in Skyflow Data Privacy Vault. Instead of handling plaintext sensitive data, your CRM system, billing system, data warehouse, analytics, and other systems handle tokens that point to this data. Skyflow lets you structure these tokens in a variety of formats to avoid input validation issues.
With sensitive data isolated in Skyflow, the example architecture shown above now looks like this:
Now that we’ve covered data isolation, let’s look at how data protection simplifies global data privacy compliance.
Data Protection and Global Data Privacy Compliance
One thing that all global data protection laws have in common is that they mandate the protection of sensitive data from data breaches and restrict the use of this information. For instance, Article 25 of the GDPR, Principle 3 of the Australian Privacy Act, Section 24 of the Singapore Personal Data Protection Act, Section 2 of the South Korean Personal Information Protection Act, and the HIPAA de-identification standard all require limiting the use of personal data to specific, authorized purposes. And, these laws also require businesses to implement security measures that prevent data breaches.
One way that you can use Skyflow Data Privacy Vault to limit the use of personal data is by de-identifying sensitive data records. For example, if your customer service agent (CSA) workflow only requires the last four digits of a credit card or social security number (SSN), you can use Skyflow to only reveal the last four digits to authorized CSAs. This limited information gives a bank employee or a healthcare billing agent what they need to verify the identity of a customer or patient without needlessly disclosing the complete SSN or credit card number.
Skyflow Data Privacy Vault also uses polymorphic encryption, a method that lets you run operations on fully encrypted data without the need to decrypt it first. For example, you can use polymorphic encryption to answer questions like “Is this customer’s credit score above 650?” without actually decrypting that customer’s credit score.
Or you could polymorphically encrypt patient SSNs and run match operations on them to verify a patient’s identity. You can do the same with any other ID number, not just SSNs.
Implement Data Residency and Fine-Grained Access Control
Your business must establish effective data governance with fine-grained access control to comply with data privacy laws and data residency requirements. When it comes to data residency and sovereignty, Principle 8 of the Australian Privacy Act, Article 9 of the GDPR, and other data privacy laws impose specific conditions that restrict when sensitive data can leave the country or region of origin.
You can ease compliance with data residency requirements by storing all of your sensitive data inside multiple Skyflow vaults that protect sensitive data from each region where data residency requirements are in effect. For example, you can have one vault located in Brazil to manage the data of Brazilian residents, and another vault in the EU to manage the personal data of EU residents, as shown below:
In addition to managing residency requirements, you’ll also need a way to control who can access what data or format. For example, the customer support agent (CSA) of an insurance or billing company doesn’t require the entire social security number (SSN) to verify patient identities.
So, instead of allowing CSAs to access the entire SSN records of all patients, with Skyflow, you can restrict access with a policy such as:
By redacting all but the last 4 digits of all SSNs, you keep sensitive data out of your CSA workflow. Skyflow lets you define your own data types, so you can customize this behavior for other data types, including ones that you define, not just for SSNs.
You could also extend the policy shown above to make it specific to residents of California and aid with CPRA compliance. All you need to do is add a WHERE qualifier to your policy:
Using the APIs and SDKs provided by Skyflow Data Privacy Vault, you can establish new data governance policies, implement fine-grained access controls, and assign roles and attributes for each resource without developing any custom software.
Skyflow Studio gives administrators an intuitive user interface that makes it easy to maintain and update all of your policies.
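The pattern described in this section (one vault per residency region, format-shaped tokens held by downstream systems, and a last-four redaction policy narrowed to California residents), sketched as an added example. It is not Skyflow's API or policy syntax; the class, roles, policy table, and sample SSNs are constructed for illustration.

```python
import secrets

# Hypothetical policy table (not Skyflow syntax): role -> (redaction, row filter).
# The row filter plays the part of the WHERE qualifier described above.
POLICIES = {
    "csa": ("last4", lambda rec: rec["state"] == "CA"),
    "billing_admin": ("plain", None),
}

class RegionalVault:
    """Toy in-memory vault: plaintext stays here, other systems hold tokens."""

    def __init__(self, region):
        self.region = region
        self._records = {}  # token -> {"ssn": plaintext, "state": ...}

    def tokenize(self, ssn, state):
        # Random, SSN-shaped token: passes format validation downstream but
        # has no mathematical relation to the real value.
        while True:
            d = "".join(secrets.choice("0123456789") for _ in range(9))
            token = f"{d[:3]}-{d[3:5]}-{d[5:]}"
            if token not in self._records and token != ssn:
                break
        self._records[token] = {"ssn": ssn, "state": state}
        return token

    def reveal(self, token, role):
        record = self._records.get(token)
        policy = POLICIES.get(role)
        if record is None or policy is None:
            raise PermissionError("default deny: unknown token or role")
        redaction, row_filter = policy
        if row_filter is not None and not row_filter(record):
            raise PermissionError("record is outside this role's policy scope")
        if redaction == "last4":
            return "XXX-XX-" + record["ssn"][-4:]
        return record["ssn"]

# One vault per residency region, as in the Brazil / EU layout described above.
VAULTS = {r: RegionalVault(r) for r in ("BR", "EU", "US")}

def store_customer(residency, ssn, state):
    """Send plaintext only to the vault in the customer's region."""
    vault = VAULTS[residency]
    return vault.region, vault.tokenize(ssn, state)

def reveal_for(region, token, role):
    """Resolve a token in its home vault under the caller's role policy."""
    return VAULTS[region].reveal(token, role)
```

Downstream systems store only the `(region, token)` pair, so a token presented to the wrong regional vault, or by a role with no policy, is denied by default.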
Securely Share or Transfer Sensitive Data
Most data privacy laws, including GDPR, PIPEDA, PDP, POPIA, and LGPD, strictly limit or prohibit the transfer of sensitive data outside the region where the data originates. But your business needs to share data in some form with external entities such as payment processors, vendors, and third-party software tools.
One way that Skyflow addresses these needs is by swapping sensitive data with non-exploitable tokens. Because these tokens don’t contain any sensitive data, you can freely share them with trusted third-party services without risking non-compliance. And when required, authorized parties can de-tokenize these tokens to retrieve plaintext sensitive data.
Additionally, Skyflow offers secure connections to any third-party API, from a card payment network like Visa to a check issuance service like PostGrid. These connections allow you to securely integrate trusted third-party services and tools into your offerings to support scenarios like card issuance and payment orchestration.
To see how Skyflow can help your company to implement global data privacy compliance, including such aspects as PCI compliance and data residency, consider Apaya.
Apaya Uses Skyflow to Protect Sensitive Data and Ease Global Compliance
Apaya, a no-code payments automation platform, is quickly scaling operations across Europe, the Middle East, and Africa. To comply with PCI DSS and the various data privacy laws in these regions, Apaya needed to protect sensitive data, implement data governance, and meet data residency requirements.
Instead of building these capabilities in-house, Apaya partnered with Skyflow to build a modular and scalable solution. Today, Apaya uses Skyflow vaults located in the Middle East and Europe to capture, tokenize, and store sensitive PCI data. Each vault stores all sensitive data records within the region and sends tokenized data to trusted third-party payment processors. As a result, Apaya can provide its customers with seamless custom payment flows and ease their compliance burden.
To learn more about how Apaya uses Skyflow to achieve global compliance, read more about Apaya and Skyflow.
Every company that handles sensitive data needs a data protection strategy, and the right tools to execute that strategy.
To learn more about how Skyflow Data Privacy Vault can give your organization and your customers best-of-breed data privacy, contact us.