As privacy laws are set to go live on January 1, 2023, in California, Colorado, and Virginia, companies like DataGrail sit well-positioned to work with businesses to help them meet consumer requests for data privacy information.
DataGrail uses automated templates to help organizations assess their data risks across each application, something designed to make it easier to respond to a data subject request (DSR) from a consumer to either provide certain data or destroy it. SC Media caught up with DataGrail co-founder and CEO Daniel Barber about the data management challenges companies face, the elevated importance of data privacy among consumers today, and how his company was built to help meet those needs.
What are the major data management and privacy challenges that most organizations face today?
Barber: If you think about the last 20 years and look how software has changed, 20 years ago we used on-premise software and businesses would deploy the software and do updates as needed. Today, we’re doing this conversation over Zoom and the software gets updated live over the cloud probably automatically before the end of this conversation. Businesses have moved in that way, too. Now, the average Okta customer – which has invested in our Series A – uses about 100 applications across the business. And if they have been using Okta for about four years that numbers grows to 190 and so there’s an enormous amount of risk in the different apps used because your information and my information is shared across those apps. And we’re only talking about the 190 apps that are recognized by the business. We see organizations only recognizing only about 50% of what they actually have, so there’s an enormous amount of shadow IT that exists in a business. Where that comes into play in privacy: you now have hundreds of different systems, some the business knows about, and some the business doesn’t know about, processing information – and consumers want control over that information. Consumers would expect that a Nordstrom’s or a Nike could provide a record of that information, or at least have the ability to delete the information. The challenge is that's not a reality because businesses can barely keep track of the applications they’ve purchased, let alone what information is processed by those applications.
How was DataGrail formed to be a solution to these challenges?
Barber: All three of our founders saw the modern enterprise using significantly more applications and that the number wasn’t slowing down, so because we had that background, it uniquely positioned us to address these issues around data privacy. One, the business doesn’t really know what it has and second, there’s also regulatory challenges like [the European Union's General Data Protection Regulation] and [The California Privacy Rights Act] that are in response to consumer expectations. And this came from incidents like Cambridge Analytica and the challenges businesses had after that has led us to a place where the modern enterprise does need an integrated privacy solution.
Why has privacy been a stepchild in the security world and what needs to happen to change that perception?
Barber: Privacy at its core has a legal component. When you think about privacy, the regulations themselves are a reflection of consumer expectations but they have legal language that make it quite difficult to implement. Other areas of security - such as breach notifications and vendor management - are more black-and-white, but privacy has legalese which requires inter-departmental cooperation between both the security organization and legal or privacy teams. I think that’s why we’ve seen this challenge within businesses on how to align or assign a correct owner for privacy, but I think CISOs are now aware that this responsibility is really on their shoulders because they own the implementation of all technology within a business and the security risk associated with that. If you look at some of our customers, Overstock.com comes to mind. The CISO there advocates for privacy and ensuring that Overstock.com can deliver on the transparency that you and I expect on a brand that we trust.
Fines have not seemed to work to move companies forward on privacy, so what will get security teams -- and especially C-Suites -- more focused on privacy?
Barber: If you look at GDPR, there actually are a large number of organizations (check GDPR Enforcement Tracker) that have received fines in Europe. In California we’re really seeing the first wave of fines for business under that state’s privacy law. Cosmetics retailer Sephora settled for $1.2 million with California this past summer. The fine was low-value compared to the company’s market cap and annual revenue, but what you are seeing is brand degradation and cost to a business. For a consumer-facing company, the cost to the business of a privacy breach reported in the N.Y. Times or Wall Street Journal is far more from a brand degradation perspective than the fines under compliance regulations. What we see now is that top managers are more interested in the brand image of upholding consumer privacy rights.
Can you walk us through how the DataGrail Risk Monitor works internally as a management tool for companies?
Barber: The privacy managers needed an integrated solution to provide information on-demand to consumers. That requires that businesses have an inventory of the apps it uses. So in a typical business there are 200 apps and let’s say 150 collect personal info. So how can we reduce the risk over time? Existing solutions expect the data managers to have a background in assessing privacy risk, but Risk Monitor has integrations into all most common apps; the line-of-business people don’t need to understand the fields and processes of collecting personal information. So take a business that uses Checker for its background check process. Risk Monitor would process the first name, last name, email, or a home address of the applicant. It may require information to be retracted for validation of a person’s identity or validation of previous work history. This introduces business risk because you are sharing that information with Checker and Checker then shares it with other entities. That’s a privacy risk the business needs to be aware of. It’s probably moderate in the scheme of things, but it’s something that Risk Monitor would automate. The HR person who does not have much background in privacy would not have to make assumptions about what’s considered private and what they’re not allowed to share. We complete 90% of the assessment. If there aren’t any unusual use cases that are not standard the HR person can move forward, confident that the job applicant’s privacy wasn’t exposed.
According to your website, DataGrail raised $84 million thus far. How does the company plan to use the money and what's in store for the year ahead?
Barber: We went to market in mid-2018 and growth accelerated in 2019 and 2020 with the passage of the privacy law in California. A lot of American businesses needed a solution to address some of the privacy challenges they were seeing. DataGrail went from three founders to about 110 employees. We expect to double that in 2023 and will expand internationally as well. We will continue to invest in new products. Risk Monitor – which we introduced in mid-October – is an example of where we are headed. We will double-down on R&D investment and will have more product news for you next year.