
Data Intelligence and the Specter of Privacy Debt

By now, we’re all acutely aware of privacy regulations like the GDPR and more recently the California Consumer Protection Act (CCPA). There are others springing up all over the country that will add to the current complexity. At some point, the U.S. will shift sufficient national focus to this important topic to drive federal action for consistency across the country, as the EU has accomplished with GDPR.

Up until now, complying with privacy regulations has focused mostly on structured data and currently active repositories and applications. Yet some organizations are also looking at the risk of personal data in unstructured information—an area ASG has led by connecting our Data Intelligence solution to unstructured content including ASG’s Content Services (Mobius). Paying attention to both structured and unstructured data will be essential as privacy remains at the forefront of data regulation.

Privacy Debt: Looking Back to Move Forward
We are trained to think ahead and not to dwell on the past. And everyone hates history class (well, not everyone; I, for one, love history!). But bellwether companies have been collecting data for decades, and even many digital native organizations have been around long enough to have what I call privacy debt.

Privacy debt describes the reams of personal data that organizations collected before privacy regulations made the big-time and that now loom large as a liability. Consider it akin to technical debt or code debt that represents the cost of reworking historical design or legacy code. Facebook’s recent privacy debacle was not about the improper use of data it collected recently. Rather, it was penalized for the data it shared with partners years ago, which is improperly managed and stored and is vulnerable to access and improper use. Facebook disclosed this quarter that it may be fined as much as $5 billion by the FTC for past privacy violations that have come to light.

Regulators are beginning to recognize the liability of privacy debt. The CCPA specifically provides a 12-month lookback period where data collectors must maintain records of what data they’ve collected and how they’ve used and shared it during that period. However, data currently held, no matter when collected, could still be vulnerable, and if it’s been shared with partners or processors, these organizations must also protect the data or delete it.

The past of data can live on and haunt companies, and like student debt, it must be paid, and the longer you wait, the greater the challenge. But how do you know the magnitude of the debt and where this data is now? As we and others have written about GDPR compliance, the first step is discovery. Organizations must survey what information they have under management and put compliant processes in place over it. But how far back do you look? If you’re an established company that has been collecting data for a long time, you will need to look back over a longer timeline and into many systems, including legacy ones. Uh oh, could personal data be stored on the mainframe? You betcha.

Start Paying Off the Debt Today
This is where ASG brings a real advantage. ASG’s Data Intelligence solution has the broadest range of scanners or metadata collectors available from any vendor—and we have solutions for structured and unstructured data. Our 30-plus years in the business and the maturity of our product give us the technology and experience to get to sources that newer companies have no experience with. Sure, IBM and other mature IT companies understand the challenge, even if they may not have the solution. But can these new data management entrants even spell mainframe? If they see a “z,” do they think of sleep rather than IBM z/OS?

Past data collection creates this current privacy debt, but past partner relationships can exacerbate it. While looking back to see where data has been shared in the past is hard, there may be records that you need to examine and follow up with. For example, if you were collecting personal data and providing it to your advertising firm for mailings, you should check back with them to determine if they still have it. If yes, ask them to delete it. Going forward, you’ll need to keep clear records of how you’ve shared data and assure that it is shared with organizations either bound by regulations to protect privacy or bound contractually with your organization to provide similar assurances.

The message here is simple: as Bob Marley sang, “in this bright future, you can’t forget your past.” Living in the moment may be fun, but ignoring the past can jeopardize the future (to paraphrase Star Wars). Privacy debt can come back and bite you. Like all debt, you can make a plan and chip away at it piece by piece: first by stabilizing the current situation—which most companies have done to comply with current data collection and use regulations—and then by making a plan and working through older data and past data-sharing relationships. ASG has the experience and the tools to help with the present, the future and the past.

To learn how ASG’s solutions can help you get your arms around privacy debt, visit our Content Services (Mobius) product page and our Data Intelligence product page.

Posted: 5/6/2019 3:07:37 PM by Rob Perry