And welcome to the webcast, understanding Privacy or the Privacy Evolution. And I'm delighted to be joined by Sam Gillespie, who is the Data Data governance's offering manager at OneTrust. And he will be talking later. So before we get going in the actual webcast, just a a couple of, or a few housekeeping notes. You don't have to do anything, just relax, listen and watch. No need to mute yourselves. We have a couple of polls during the webinar and we'll look at those results as well. There will be opportunities for you at the end of the webinar to ask some questions and you can enter those questions at the panel that you'll see on the right. And finally, if any of your colleagues wish to see this webinar couldn't make it today, then please note that we'll record it and it will be download in the next few days from our website. So that's just what's happening now, as I said, and I, in case you missed it at the start, I'm Paul Fisher, I'm a lead, Analyst cope. Carl, I'll be talking a little bit about privacy and some of the issues around that, data privacy and governance. And then I'm delighted that Sam Gillespie will joining us from OneTrust, he was the data governance offering manager for OneTrust. And then right at the end, we'll look at the final poll result, q and a wrap up, and then goodbye.
So just to kick off the, the event as it were, let's have a quick poll on data governance and your experience. So do you currently have a data governance and privacy program implemented in your organization? By what that would mean an actual project that is designed to improve data governance and privacy across all your infrastructure and enterprise. So the polls open, if you could quickly enter a yes or no and when we think we've got enough, yeah, I think that's, well fairly over overwhelming response there, but it will, we'll keep the result until the end, or at least we can talk about the result at the end. So let me just start off by talking a little bit about identities and resources and how, how the, the cloud in particular has affected data management, data governance and, and also surely the actual level of data in, in organizations.
And so we focused this on sort of three key platforms that will, that monitor or manage access and entitlement. So privilege, access management, cloud infrastructure, entitlement management, which is, is, is a, a newer cloud focused entitlement management. And then of course identity and access management in all its shades. And we also at Koga sort of identify six major identity types who are likely to be operational in an organization across the infrastructure, trying to get data and applications. And those would be traditional administrators, developers who are increasingly part of the mix and increasingly a very important part of the mix in that they are contributing not just to the day-to-day running of organization, but developing platforms and applications within the organization. So end users, obviously human end users despite the onset of chat G P T and the excitement generated by that, particularly on LinkedIn, I noticed that we will still, I am sure have a lot of human users doing all sorts of things in our organizations for some time to come.
That will also include third parties. When we say third parties, we mean partners or say supply chain partners within organization increasingly are now integrated within the infrastructure and networks of the organization that they're working with. Endpoints, again, those will be the actual devices that sit on the endpoint and looking for access. And of course customers, again, these are increasingly a part of modern day computing, particularly in sectors such as retail or finance, where customers are now increasingly allowed some sort of access into the infrastructure for ease of use, for better customer service, et cetera. And in generally these identities will be looking and working and looking for data on either platform as a service, SaaS, software as a service, infrastructure as a service, private cloud, and of course even girl fashioned legacy on prem data centers, which still exist in, in many forms. And data, of course, is, is, is, is, is huge.
Trying to quantify the, the amount of data in and it sits is a big task. But again, we, you can limit it to sort of file servers, workloads, containers, virtual machines, credentials, and of course database and add to that huge amounts of unstructured data, big data, et cetera. Even data that may lie within email, individual documents, et cetera. So all this stuff or or this framework creates a challenge for organ organizations to keep track of the data and, and in particularly keep private data secure cuz that's a key part of data governance privacy, which is what we'll be talking about a little later. And then at the, at the bottom there we have the sort of elements that act as a foundation to an organization and help with the flow of data. And I put there zero trust, we're can talk about a little bit about that at the end of this risk management platforms, identity lifecycle management, which is all part of PAM and sim I am.
And then of course data governments and privacy and compliance platforms which work with this to protect that data. And finally, endpoint detection, et cetera, which is a classic piece of cybersecurity to protect the infrastructure such as the, is including all the cloud from the outside, from outside attacks. So that's a simplified look at what is happening in a typical organization. Now some people argue that one way to protect data and indeed one, a way to improve cybersecurity in your organization is with security and awareness training. Now, I possibly have never been a great believer in, and this is a personal view, not necessarily a wider view, but I've always felt that security awareness and training is a nice to have. It's good to have on top. There's nothing wrong with telling people that it's bad to click on certain links that they should be aware of this and that the problem is that some organizations rely on this too much as if awareness on its own will improve data management, would improve security, et cetera throughout the organization. Human beings, and it was obviously aimed at humans. Such things tend to have short attention spans even within any session in which they are taking part in awareness and they don't, they don't remember and well particularly users can be careless with data. And I think this is the crucial part of the human element in poor data management is that it is end users that attach a credit card detail to a file which is left open, unprotected, for example. Or they may send in an email details which should not leave the company and so on.
So I, what I argue is that we're in the business of technology. Technology has the increasingly the ability to automate a lot of the things which would prevent the sort of mistakes that end users make. I'm allow the end users to get on with looking for that data and using that data in the diagram that I just showed you. So security and awareness training can be, as I say, a spiral into, into sort of into nowhere. Plus a lot of awareness packages that are available are kind of off, off the shelf. They're very generic. They don't necessarily un would work for the organization that you have an organization and how you use data within that organization and how you share the data, who your customers are, et cetera. So my message is, yes, there's nothing wrong with it, but don't spend too much money on it, but look to what the solutions are from vendors in managing data.
So I mentioned that privacy is important and, and it, it certainly is. In the last few years we've all heard of gdpr, we've heard of the California Privacy Act, et cetera. Ever since gdpr consumer focused or end user focused privacy has become not only very important but actually very successful in that it has raised awareness amongst public and consumers about their privacy and the privacy of their data. It is meant that organizations have had to be a lot more careful about how they use data. And what you can see on the right is from an energy company, and this is quite typical now of how a company might explain to their customers how they use data, where they collect it from. So you can see the customer will volunteer data on that left there, but the company will also collect data and then they are in, in this particular industry required to get a certain amount of data for industry compliance purposes.
So if you look at that as just one small part of one company and one set of data for one customer, you can see just how much data is now being collected, how much of that is is private, how much of it is valuable to thieves or cyber criminals and how much of it your customer wants you to protect. So it's huge, huge task to protect data because the data is expanding, data is now being shared within chatbots, as you know, and social me media, customer access tools and so on. So it, it's a big challenge to track this data. The easy bit is collecting it, tracking it, monitoring it, deleting it when it needs to be deleted, it's a lot harder. That's what data governance and data privacy platforms come in.
So you need some kind of data management program or a data governance program. Now what we've listed here is a highly simplified view of a data management program in which data governance and privacy platforms would play a part. But very simply you need to first of all look at your organization to find the model for your data architecture, where it is, et cetera, where it comes from and covers all those aspects from the source to utilization. And then you've got to somehow put data prevalent, privacy and governance as a layer across all those areas. So every part of your organization that handles data, which in effect is your entire organization needs to be subject to the data governance and privacy and the overall data management platform, sorry, data management program that you define for your organization and you need to have data catalog, data catalogs are fundamental in telling you what kind of data you have and where it is, et cetera. What it contains, is it private, is it personal? Does it contain financial advice? Et cetera, financial information.
So last line there, you cannot utilize and secure or govern the data that you don't know exists. That's crucial and fundamental to to to data management and all types. If you don't know that data exists in your organization and that includes on the most remote endpoint, don't forget you, that might will include a user that has downloaded a spreadsheet of some sort onto his local drive, what her local drive because of some gap in security and that's sitting there vulnerable outside of any protection. So data as I said, is everywhere and you need some kind of solution that can find that data so that you can manage it.
So this is a kind of a classic co coal hierarchy of data management reading really it's something you can look at in more detail, but you can see at the bottom re feeding in all our data, sorry, databases, lakes, business apps, legacy apps, analytics, every kind of data source that feeds into the data catalog, which I've just been talking about. And then the metadata, which is only haven't mentioned, and then you do a process of quality and integration. Finally your data analytics, which forms part of business intelligence, the data nalytics business is a bit that tells you what you have, where it is, what use is, whether it's out of date, whether it should be deleted, et cetera. And then finally that data where it is used for digital services, for applications, et cetera. And then data privacy management and data governance as well as data security are the three sort of pillars that underpin all of that to keep it secure. So there's your data management hierarchy, there's your data governance tools, which again is another way of looking it just more different, maybe more complex way of looking at the slide I showed you first of all in this presentation
And here are just some desired capabilities of any data management program that you will will introduce and we'll talk more about that in the second part of this webinar. But again, there's all sorts of dashboarding, flexible view, dashboarding, I mean even in itself dashboarding is is fantastically crucial to this kind of program. If you can't see at a glance what's happening is very hard to make decisions. So all of those there in that slide are worth looking at when you start thinking about the kind of platform that you want for your data management and data privacy capabilities.
So before I hand over, we'll just do this final poll which is just a, a question we often ask our customers is how many cloud providers do you use? So at the moment, do you use just one, do you use only the big three as they're called aws, Azure and Google Cloud? Do you do more than three but not including those? So more than three of of others, more than three, but also including aws, Azure, G C P, or, and this isn't actually a trick answer, you may have no idea. So please answer that now just while we are voting. So it's do you have just one, do you have only aws, Azure, GCP more than three, but not including aws, Azure and gcp, more than three including those or five? No idea. So just leave that. Okay, I think we've got enough votes now to get some kind of result. So thank you so much. That's the first part of that. I just wanted to quickly talk about zero trust because it's something there's been talked about an awful lot recently. It sort of has become, I think with, with the rise of multi-cloud and big data et cetera, zero trust has become sort of in vogue and certainly a zero trust policy or implementation or architecture design certainly would work well with data privacy and guidance by controlling the primary access to data.
And zero trust can also incorporate the data management tools or access management tools such as iam, pam, cm. But again, it's a cliche to say that zero trust is is not something that you can buy off the shelf, but it's true. Zero trust is a way of doing things. It's a philosophy, it's a design, but it's a big exercise and it's a big commitment if you're going to get it right. But it's worth bearing in mind if you're thinking of improving privacy and data governance at the same time. And these, just to give you a brief idea, I'm sure that many of you already know about Zero Trust, but NIST in the United States is actually probably the preferred source of information regarding zero trust in that they have probably the best ways of describing zero trust. The best advice about it and here are the seven tenants of zero trust, which I'm not gonna read through. Again, you can read these at leisure when you get the download, but the thing about just key one for me is that the enterprise collects as much information as possible about the current state of assets, network infrastructure, communications to improve its security posture. And that kind of means everything that's happening in the network, including the data, where it is, et cetera.
So that is the end of the first part of the webinar. I'll now hand over to Sam Gillespie who is the data government's offering manager for OneTrust. Hello Sam.
Yeah, really interesting topic and once again, thanks for inviting me to this webinar today. I've done a couple with KuppingerCole and it's always really, really valuable insights that we, that we get through these webinars. And just a bit of background about what I'm gonna be presenting. I've been working in data privacy for almost five years now and definitely with you know, the many different customers that I'm working with. Seeing an evolution in how customers are responding to privacy requirements, but also how it's becoming much more integrated in their kind of broader data operations. And that's for a few reasons. Number one is that the privacy kind of regula regulatory landscape is of course getting more and more complex. GDPR you know, is not going away. If anything it's going to be evolving over the LA next few years we see a whole plethora of new privacy regulations in the US state by state, hopefully in the future some sort of federal regulation and of course globally as well in other regions there's definitely an increase in the number of privacy requirements.
But of course they're not all the same. That would be far too simple. The fact is is that they often have, you know, similar underwrite, underwhelming principles, but at the same time they do have their differences. So in order for you to really respond to these different regulations, you do need to have a kind of foundational program in place. But likewise as well, you know, privacy is important but it can be integrated with your broader data governance program and data governance is there to really enable business use of the data and all the good things that we are as organizations using data for. And so if you embed privacy into your kind of operations, into your broader data governance program, you will of course be able to respond to those requirements that you see. But you'll be able to use it as a competitive advantage and really as a way to help develop your business and meet your objectives.
So what I'll be showing you today is how you can really implement a kind of combined, I'd say more of a privacy focused data governance program in your organization. Doing it in an effective and efficient way that we'll be able to have those two objectives. I will be doing it through the lens of how we do it at OneTrust. We are a software application so how you can use OneTrust as a tool to help this. But of course you know you can incorporate OneTrust into these different elements. You can use, you know, your existing processes in place. But really kind of the steps that we see customers taking to respond to, you know, this global change in how the expectation of privacy. And likewise as well, what's important to note is that this can be kind of for both big small organizations, multinational country specific ones because ultimately this is really gonna give you a foundation.
It's not, you know, a tailored response. There will be specifics that you'll have to do based on your industry, based on you know, your country regulations, et cetera. But really this is what we're recommending to our customers is what they should be implementing in order to really respond to the changes in privacy but also use it as enabler in the business. And really I see this split into two areas. Obviously this is kind of simplifying things but really this is the crux of what organizations need to be considering. The first is often the priority for most companies, and this is for obvious reasons, this is really what I would say the most public aspects of your privacy and data governance programs. This is how privacy is essentially integrated into your digital estate. And because it is, you know, publicly available, publicly visible, it is gonna be the first to be criticized and viewed by your customers and external parties.
And this is around just giving individuals control to their data. So giving individuals the visibility to how you are using data, processing it who you are sharing with, but also giving them the ability to be able to control how that data is being used when it should be removed or some sort of other adjustment given to it. That's the public facing aspect. The other aspect of course is kind of on the back end, this is how you can actually operationalize your program. So of course how we can meet those key compliance and risk objectives when it comes to your privacy program but also how that can be incorporated into a broader data governance program in order for you to really have privacy enable the business use of data as well. So let's look at those kind of consumer facing aspects. Again, this is really important because ultimately this is what is very visible from your organization and this is typically is how your privacy program is integrated with your digital estate.
You know, things like your website, your mobile apps, but also other technologies that you're using that are ultimately collecting and processing data. You can really split this again into two areas. Number one is what I would kind of refer to as unidentified users. These are people that are visiting your website but also maybe visiting your app. They're not exactly disclosing data but these technologies will use things like targeted advertising. They will u kind of collect browsing information in order for instance to provide adverts later on in their kind of browsing experience. So there is privacy concerns here and likewise, certain regulations do require organizations to ha give individuals the ability to opt out of this particular technology. The second side is when actual individuals are giving data, giving first party data, again, typically this is through your digital estate such as your website when they're signing up for a product or service or maybe signing up for a marketing campaign.
This again, we need to make sure that we have the proper governance in place so that we are continuing to use this data for good things, you know, to market to those individuals to be able to produce analytics but in way that those individuals feel like they have control of their data because guess what? Individuals that don't feel like you respect privacy are not going to sign up for you know, marketing. They're not gonna feel confident of giving their data to companies. So the first part is I'm gonna speak about is that kind of unidentified user. Typically this is through a, you know, a visitor to your website. And this is something that is pretty much, you know, you'll see your most websites now is that we do need to give website visitors the opportunity to opt out of certain use of tracking technologies found within websites.
This is obviously a fundamental aspect of G D P R and pricy but we see here in the US with the do not sell requirement under California that we do that you know the use of advertising technology particularly cookies or pixels, that this does count under the umbrella of selling information. So we need to give individuals the opportunity to opt out and the way you achieve this is very easy. You know, this is something that you know most websites have been using for years, but you do need to obviously look at specifics to different country markets and country visitors to your website. But essentially you do need to be doing an audit of your website. What tracking technology are we using in there? Is it just cookies or are we using you know, other browser-based technologies? What's generating these took cookies? Are we using tags on our website that we need to be integrating with so that if someone does choose to block it, how that can actually, you know, be enforced?
And likewise, you know, if we are using third party cookies who's providing that, you can manually do this. However, of course using a scanning tool is gonna be the most efficient way to respond to that. But then of course, you know, how does that banner look like when a website visitor actually comes to your website? You know, a lot of organizations do want a tailored approach to this that someone who's visiting from Europe is gonna have a different experience to the US and this is something you do want to consider cuz ultimately we don't wanna be blocking website traffic, we wanna make this easy for the individual but it does need to be something that respects their privacy. So how's that banner gonna look and feel? What text are we going to have and do we wanna have a different experience for different website visitors is something that you do need to be considering when implementing your, your cookie solution within your website.
Just to note as well, is that something to be considered is of course your mobile apps as well. They don't use cookies but we, there are certain SDKs that are used to, you know, tailor the experience but could also, we wanna give people the option to opt out of the use of that particular, those STKs and also things like apps on your TV as well on TVs as well as something that we do maybe wanna be incorporating this consent management process. And this is where we wanna also include what model are we going to operate when it comes to that? Do we want someone to physically opt into the different categories of cookies that we have on the website? Do we want people to have a different experience dependent on their location that they're visiting that website from? This is something that is great to consider because we do wanna make sure we go for the optimized model for that website visitor as well.
Something to also note as well is that there's an increasing attention worldwide on global privacy control. These are browser based either extensions or actual browsers that is essentially a signal that is set by the user that says I don't want to, you know, use any sort of tracking or other technology only what is strictly necessary for the website to visit for the website to function automatically. And you do need to have a process in place to to respect global privacy control on your website. But of course, you know, not every our customer interaction is just going to be a website visitor. There are gonna be instances where you're actually collecting data, whether it just be first name, last name, or email or you know, enhanced data and we want to make sure this is managed and again you want to integrate with these different collection points that you have in place, whether it be, you know, through your web but it can also be offline, it can also be through up the application, make sure that consent record is maintained but also building up a user profile of you know, what they've consented to and not so that we are really sure what we can send or you know, use that individual for and it that's gonna enable our marketing, you know, objectives to be met but in a way that of course respects their privacy and the law that we have.
So typically we see that kind of integrated of course with your website when someone's signing up for a newsletter or signing up for products or services. But like I said, it can be other offline or other collection points where essentially we're taking individuals data and the important thing is for us to understand, you know, what data we collected, what was agreed to, you know, what was this collected from, what was shown to that individual so that when we ultimately go to use that data we could be really sure what we're able to use it for and optimize the use of that first party data that was collected. But likewise we are gonna wanna obviously give the individual the opportunity to really, you know, manage their preferences and this is where we do build up kind of consumer profiles so that when they go into a preference center, either you know through an email they do log into their account or an other method, this links to their profile so they can see, you know, what they've consented to and if they do wish to update this they can do.
But the great thing is about, you know, integrating a consumer profile with a preference center is that ultimately you're not just completely terminating the relationship with that individual, we are giving them the ability to have that kind of granular level of choice of maybe opting in and opting out of certain, you know, activities or marking campaigns without completely, you know, terminating that relationship. On the other side though, you know most privacy regulations do have the requirement that we do give individuals full privacy rights. So not just you know, opting out of certain activities but things like the right to have their to be forgotten or to have their data deleted. You know rectification, we see the do not settle share requirement under California. So we see that we want to give people the choice, you know, to exercise different types of rights, maybe just you know, updating preferences right up to fulfilling pro full privacy rights requests as is required under a lot of regulations that we see globally.
And of course these gonna end up being really challenging to fulfill because you know, data ends up in lots of different locations used for different purposes controlled by different teams, but most of these regulations do have time limits to the time that we respond. So we wanna make sure that from both intake to fulfillment this is as efficient as process as possible. So typically we see customers incorporate a kind of intake form into either their privacy policy or as part of that do not sell footer requirement that you see under C C P A where the individual can make, you know, submit the request and we take the right information from them to be able to fulfill it and then obviously creating a centralized queue in order to actually fulfill these requests. And again, maybe one of the best practices that I see is that we do have different cues for employee requests versus consumer.
So one of the big changes that was seen in California is that now employees under scope always been under scope of regulations like gdpr but typically you know the systems and who needs to be authorizing those requests is a little different. It's very HR and legal focused so you can have request routing be put in place should it be the most efficient way to respond to these requests. Now of course you know there are gonna be different steps that you need to go through, whether it be validating the identity of that individual or when it comes to actually fulfilling this request and to make sure your response is as efficient as possible. You're gonna make sure you wanna have automated application of workflows to involve the right individuals to be able to either identify the request or to fulfill it. But that fulfillment aspect is what is often the biggest challenge.
Like I said, data ends up sprawling in different locations and how can we find the, the data of Joe in this particular case And this is where you do wanna be starting to think about utilizing data discovery solutions that will take the kind of identifiers of the individual maybe first name and email do lookups of that data and return the results for us to then fulfill the request, whether it be a deletion or access if it is an at which of the two typical request types. If it is a access request, obviously we then want to be providing that to individuals through a secure Porwal if it is one of the deletion requests, then going through once we've gone through our due diligence, then completing the next steps in order to fulfill that deletion request. Now it might not necessarily be an automated deletion in the source system that can often be dependent on the security in place, but maybe we wanna be have a workflow whereby we open up tickets with the irrelevant team with the location and types of data to then even be deleted or anonymized depending on what's available in that system.
So here for example, from the consumer perspective, obviously they don't see all of this in the background. This is all gonna be done through a kind of Porwal like this where they can then obviously see the update of the request and obviously see the information if it is an access one as well. Always remember that you know, ultimately you are gonna be wanting to prove, you know, the great work that you are doing but also proving that your privacy program is effective. And there will often be, you know, cases where you do need to report on how you know your response times to these requests, how many you've received and how that plays a part in your overall program. So you're gonna wanna also in be including metrics on you know, number of requests times to completion and also if you're looking at the individuals involved, you know what activities they're doing in their time to complete them.
So that's on the giving individuals the kind of control aspect. The other part is then operationalizing your program and also integrating this into your broader data governance program. And when it comes to what was kind of the traditional aspects of privacy when it comes to you know, the main parts that you needed to be implementing for GDPR and other regulations, these are still super important of course and still really the foundation of your privacy program. And these are the typical areas that we see customers focusing on when it comes to responding to not only their compliance objectives but also making sure that their privacy program can also integrate with other areas of the business. So of course for you to really respond to your privacy requirements, you need to understand what personal data you have and where as well as other relevant metadata information you do need to be performing risk assessments, you need to be understanding your third parties and of course respond to incidents and breaches where personal data is involved.
But of course as Paul kind of spoke about it and his presentation data resides in all sorts of different locations. It can be both structured and unstructured data. It could be on-prem, it could be in one of the cloud providers. So it's increasingly becoming a challenge for organizations to understand where they have, you know, personal as well as other sensitive data types. So we are seeing a shift in organizations to move towards using an automated data discovery solution in order to understand what types of personal data we have as where as well as collect other metadata to meet other privacy objectives. So increasingly we're seeing in regulations the requirement to have like data minimization or retention applied. So looking at you know, how long we've had data for and when it was last used as well as our collecting data around access to ensure that we've got the right access to data and it's kind of removed the sensitive data types that are found in there.
And data discovery is great because it can work with different data types, it can work with both structured and unstructured data as well as you know, SaaS applications and it allows you to automate the understanding of data whereas before you would rely on that human element. And of course data can be hidden, you know it can be very difficult to understand where there's personal data in like files found on say things like file share. So utilizing data discovery is really gonna kind of expand your understanding and governance of what data you have as well as being able to use that to meet your privacy compliance objectives. So here we can see for instance these are some samples of scam results that we've completed using our data discovery solution. You see we've kind of scanned a whole bunch of different types of systems and understood you know, what data we've found and then where using all sorts of different classification methods that we have configured within the tool.
We have your traditional reds but also we can utilize kind of AI technology as well which is particularly useful for unstructured data. But of course the more technical aspects of that understanding, you know, where we have systems, what data as well as other relevant data, very useful, very needed for your kind of broader data protection. But there is still that requirement that we need to understand not just what data we have and where but how we are using it. Of course this is found under GDPR in Article 30, building up that record of processing activities. But in general for you to be a kind of privacy led organization that has privacy by design instilled, you need to understand as an organization how we're using that data, what's our legal basis, who's using it, et cetera. So this is where you can utilize your data discovery to understand the data you know at rest and then start to link it to the processes that we have.
So you can build up those article 30 reports but also build up a much better map of your data. So here you can see we have a kind of inventory of the processes that we have in the organization. This can be build up in different methods either through sending, you know, assessments to people or having them in, you know, report on this. And we can also start to add attributes of those as of those processes that will allow us to, you know, understand further how we are processing data as an organization. So you'll see here these are very focused on what's required under article 30 of gdpr, but if you are a global organization that also needs to understand how we're using that data to respond to other privacy regulations, then you can add those types of attributes. You see here we've got ones focused on the California Consumer Privacy Act.
Now of course a lot of this information does still need to come from humans. You know, we are getting very smart when it comes to automated privacy technology, but there's still a, you know, human element ultimately your the individuals who are, you know, doing this day-to-day in terms of using data, you performing those processes. They are the ones that are going to be able to best give you the insight into that to feed that into your broader data map. But likewise there are gonna be circumstances where you, you know, are doing what was, what is kind of referred to as high risk processing, maybe due to the amount of data or the types of data where under a lot of regulations now you do need to be doing enhanced privacy impact assessments or DPIs due in GDPR terminology. But again, these can end up really being a blocker to the business use of that data.
So we wanna make sure that it's incorporated into your existing processes and we have a lot of different templates available that are allowing you to, you know, perform these impact assessments efficiently or you can obviously go ahead and build your own one. So this allows the collection of the relevant information to do that risk assessment and then we can actually build in rules to define what are the next steps based on that information. Give them. Likewise, a lot of this information is gonna be super useful for your broader kind of data mapping initiative. So let's get, get this information and use it to populate your data map. And again, to kind of really instill that concept to privacy by design, we really recommend customers embed this into, you know, their kind of project or process map that they have in place. So when someone's developing a new product, when someone is, you know, running a new marketing campaign, when someone is adjusting the way that we're using a tool, what we encourage is that they proactively, you know, at least give the basic details of what they are doing.
And then from there it can be determined by either the privacy or legal team whether we need to be performing a full kind of privacy impact assessment. Likewise as well, there's always the opportunity that if you've been made aware that certain project is happening, that we then proactively send them that assessment and unless the case of just the individual detailing what they're doing in a very easy to fill, fill out questionnaire with prompts and hints and different question types. This is typically obviously filled out by someone that doesn't work in privacy or data governance. So we wanna make it easy for them to gain the, you know, give the right information but again, not impacting their job too much because ultimately this is very important but it's not, you know, their day-to-day objectives. But the key element of way visa for doing this is not just understanding, you know, the what they have in place, but to identify potential risks that then need to be remediated.
But again, we want to do this in a way that is very efficient. So make sure that the risk flagging can be automated or at least the kind of remediation processes as well is done in an efficient way based on a workflow. The last aspect of kind of building up this really important map of your data and how we're using it and the risk involved is of course your processes. You know who, where you're using third parties, the profiles of them and of course the risk in those third parties. So you'll see as part of our inventory we can also include a list of what vendors we are utilizing as well as, you know, profile information around them and of course the risks that are being, you know, that are presented through using that process so that we can hopefully mitigate them. Again, this can be sourced through lots of different channels.
It can be sourced through integrations with, you know, other tools. It can be done through risk assessments or you can also utilize an exchange. This is something that mo more and more organizations are utilizing cuz there is a push towards kind of common frameworks when it comes to third party analysis. So let's utilize risk assessments that have already be completed on these processes and look at, you know, how they're utilizing data and the protections that they have in place. So here you can see an example of the OneTrust exchange and includes lots of information and scoring around that vendor that's gonna allow you to do a really quick risk analysis of them. The last, as the last aspect of this is of course, you know, incidents happen, things happen, people make mistakes, but you know more and more it's becoming really, really vital that the way we respond to them is, you know, a fashion and that we are having a comprehensive review of how we're responding to incidents, especially those involving personal data.
If it's done incorrectly, not only were we gonna, you know, break the law when it comes to privacy regulations, it's gonna potentially cause you know, reputational damages. So again, we wanna incorporate incident response that allows individuals to really report those incidents easily but also respond the, the teams that required to respond to those incidents. So the complexity of this, like all a lot of things privacy is that you know, different regulations in the world have different requirements when it comes to how you respond and report incidences and likewise the kind of thresholds of you know, when you need to be for instance involving notifying the individuals of their data that's been affected. So this is again where you wanna make sure you have the correct workflows in place but also that you know what your responsibilities when it comes to you know, the jurisdictions that have been affected.
So here you could see, you know, we haven't integrated incident response module here, but it also has incorporated guidance as to whether you need to be res notifying supervisor authorities, whether you also need to be notifying those individuals as well, as well as other kind of security frameworks that have re requirements when it comes to responding to incidences. Last and not least, a lot of this work that you're doing in order to res, you know, mature your privacy program can really be used by other parts of the business and really be in fed into other areas of your data governance initiative. And one of the aspects I showed you at the beginning was the data discovery solution, which is gonna scan classify data as well as collect other relevant metadata in order for you to really profile what data we have. Now this is gonna bring benefits to your, you know, privacy program, but it's also gonna allow you to bring in governance on that data.
So what you can do is set policies of where we have, you know, data meet a certain criteria that we need to be improving, we can then improve that through automation rules. So here you see a couple of examples of during that data discovery process, the type of data issues that we can kind of surface and then bring in remediations that benefits privacy obviously, particularly if there's personal data that needs more protection for instance, but it also benefits other teams as well and you can work collaborative collaboratively in order to ultimately improve our DA data landscape. And then ultimately that means we can use our data more efficiently. So here we can see for example, where we found sensitive data and data warehousing solution, making sure that the proper protections are in place with that sensitive data but without, you know, completely removing access to everyone doing it more dynamically so that we can more efficiently use that particular dataset.
Likewise as well. Obviously then a lot of this information we then do wanna be feeding into a data catalog. The data catalog can be used by, you know, lots of different personas within an organization, whether it be data stewards wishing to bring in, you know, improve their datasets or bi Analyst looking for reports or data sets to create particular reporting. So of course if we have brought in that governance we're happy that the data's protected, we're happy that it's personal information that we can use or at least has the right tools in place to enable our to use that we can then feed those insights into a data catalog solution. In order for individuals who need to locate trusted data sets that have gone through that privacy focused governance approach, they can then do so and ultimately locate data sets that they need to for you know, their own individual or their team objectives.
Finally, you know, one of the aspects that's becoming more and more important for our customers and also for just you know, broader data transformations is of course understanding the journey that data takes as well. This could be has a compliance lens, you know, we see data transfer requirements until the EU and the US agree transfer mechanism but also in other locations. But also as we wanna understand the data journey and the potential impact that that's had and you know, things like access and remediation of that data using tools such as lineage is gonna become more and more important as we start to understand, you know, the cross border but also intra transfers of data. Now lineage is a complex thing to do, it's a complex thing to create. So we can't expect that there's a plug and play and be able to visually show all the c transfers of your data within one minute. But it's a tool that you can start to incorporate into your privacy and data governance program to start to build up a better map of you know, where data is residing, where it's kind of transferring to other systems but also our kind of intercompany transfers of data and how that's sourced so that we could start to bring in improvements and also kind of remediate issues when they're found off there.
Excellent. So that's kind of my presentation. I think I may have gone over a little time a bit there Paul, so apologies. But thanks for letting us to present this part of how we are seeing customers implement their privacy programs.
Absolutely, no problem. No thanks. Well I said dashboarding was important so there's no doubt about it. Thanks so much for that in-depth. Look at OneTrust, let's we do a little bit time left so quickly, the poll results, 88% people said that they have a, a data governance program in place which is pleasing and actually a lot higher than I thought. And then the second poll, which considered the clouds that we have. So as I said, no idea is not a a a joke answer. I think it's actually important cuz it just shows, you know, challenges of having multi-cloud in that some clouds we don't even know exist. And if there's a cloud then there's data on it somewhere. Only 8% use just aws, Azure and gcp. Good news for other cloud providers, 25% use more than three including aws, Azure, and 17 use more than three, but not including those big guys. So Sam, any any comment on on those results there?
I think it's not surprising, you know, obviously yeah a lot of organizations have cloud-first initiatives, but that's easier said than done. So I think the fact that a lot of companies still using, you know, a combination of different data storage methods is still gonna be, you know, prevalent for quite a while. So not super shocking results to be honest.
Okay, well I've got time for a couple of questions if I can just get them up on my screen here. Okay, yeah, I mean you talk, we talked about let's say, does, does data, unstructured data is kind of like the, the elephant in a room or maybe it's not the elephant in a room, but anyway it it's the unstructured data is is the tricky bit. How, how does OneTrust discover that?
Yeah, so unstructured data is obviously tricky because it can take different forms and often as well, you know, when you're looking for certain data types it's all about the context, right? So if you look at like a document, there could be personal data in there, but it's really defined in the context of how it's used. So that proves tricky and obviously the volume of it as well. So one of the things we developed is one scalable way to be able to scan unstructured data and truly for you to really understand the data you have and govern it, you need to do that by scanning the actual data itself. If you just collect, you know, the metadata that's generated from unstructured data, it won't really help. So we actually scan, you know, documents, images, PDFs to look at the data in there. The other way is then using kind of models that we've trained in order to, like I said, look at the context and the, the kind of where that data resides.
A good example we give is that, you know, Jordan can be a country, it can be a brand, it can be a name. So you need to look at, you know, how that's used in order to understand whether you've got, you know, personal information there or not contained within that particular document. So huge challenge for organizations as, as we all know, there's a lot of different places that unstructured data can reside in. It can often include quite sensitive data types, you know, the number of times organizations have used our solution and found really sensitive information contained within things like SharePoint or file shares or S3 buckets and not just sensitive personal information, things like, you know, intellectual property as well. So through having a scalable solution that scans and classifies different types of unstructured data and also uses different models to classify it, you're gonna be able to you know, bring in much better governance on it. It's gonna be, you know, a long term project, it's gonna need to, you know, evolution as you evolve the way you handle it. But it's something that's gonna be really important for most companies because it's a massive vulnerability for a lot of organizations.
Sure. One thing that I didn't talk about and you did and that is the consent, which is increased hugely important. So how does the data discovery deal with those requests? You know now every time I go on a website ask, you know, they'll accept cookies, this and that. How do you help with processing data, subject requests for access and deletions, which must be really hard.
Yeah, it is difficult. I mean the first thing we say to customers is you know, start to understand where potentially the data of those individuals resides and that's where, you know, data mapping combined with, you know, discovery and cataloging is important because you need to understand where we have to look up that individual's data. And then the second is, you know, we really do think using automation is key here. I'm not just saying that as a software provider ultimately for you to be certain that you have located that individual's data doing so in a manual way can, you know, can often mean that in that data is missed. So looking at incorporating workflows with system subtasks that can look up that data is really key. Now when it comes to the fulfillment of deletions, a lot of people get nervous that, oh we can't completely automate that, that sounds horrible.
Automated deletion always makes me nervous, you know, we appreciate that. So use a combination of methods if you do wanna have, you know, a semi kind of automated way whereby we create tickets or tasks or projects with you know, teams that where they know exactly where that data's located but then they, you know, manually go through the method of applying a control to that then do so. And there is ways that we can complete the automate the deletion if there's a requirement to do so. Really depends on where that system resides but you know, these privacy rights are not going anywhere and which they shouldn't because you know, it's a fundamental aspect of privacy. So look at a way that you can incorporate automation where you can to respond to these requests and be sure you fulfilled them.
Okay, fantastic. Running run outta time now. So I just quickly mentioned, I showed you some related researchers there, but we will be publishing a new data governance and privacy leadership compass later this year in which OneTrust, I'm pleased to say are taking part. So that will be something to look forward to in probably around about Easter time. So with that Sam, so much thank you so much for this afternoon. Enjoy your, your time in Atlanta, is that right? I can't remember now. Yeah,
That's it. Atlanta, Georgia.
Okay. Well have a good time and thank you all for watching today. It's been a pleasure. Bye now.
Appreciate it. Thank you.
