How data analytics can help improve the way you manage privacy
Fewer than 40% of senior leaders say they’re ready to meet the risks coming out of an increasingly digital world. The proliferation of data allows companies to make better market predictions, improve customer insights and provide personalized services. But as businesses accumulate more data, they can find themselves exposed to critical situations that have the potential to either earn or erode trust.
To help manage existing and emerging digital privacy risks, businesses are creating personal information (PI) inventories. These inventories help them answer questions around what PI they have, where it’s located, why they’re processing it, what third parties may be involved, who has access to it and if they have appropriate controls in place to process it (e.g. deletion, consent/notice). But these PI inventories have traditionally been difficult to use, because the data is laid out in rows and columns (e.g. Excel) or embedded in privacy impact assessments (PIAs), making it challenging to extract valuable insights.
How can you get the most out of your PI inventories to better understand and manage your privacy risks?
In 2021, we built a Data Trust Lab at PwC Canada that enables our teams and clients to explore data trust and privacy tooling capabilities in our collective efforts to build more trust in data use and manage emerging risks. As part of this effort, we found and built a graph-based approach leveraging existing PI inventory efforts to gain more visibility and insights into our clients’ complex data ecosystems to help them answer key questions as they address existing and new privacy requirements.
Graph-based approach to personal information governance and privacy management
With a graph-based approach, we’ve been able to visualize personal information data flows in a way that helps organizations address questions around data and build specific action plans to reduce privacy and data trust risks. Graphs help organizations provide transparency around how they’re using data by visualizing the combined business and technical metadata. This enables effective and efficient data governance and supports organizations in privacy compliance obligations.
What questions does graph-based analysis help answer?
Completion of a PI inventory exercise, even using the leading tools on the market today, doesn’t necessarily provide the level of analysis that can be gained from graph-based efforts. This is mainly because a traditional row- and column-based analysis doesn’t showcase the complexity of the data flows and interconnectivity of information in situations where data flows through multiple systems.
In the sample graph-based analysis outputs (Figures 1 and 2), blue nodes represent processing activities that collect or use PI/HSPI, yellow nodes represent assets in the enterprise environment and beige nodes represent purposes of processing. Figure 1 shows assets with multiple purposes for processing with asset node size proportional to the number of purposes, indicating their complexity. Figure 2 displays how the PI/HSPI elements flow through multiple assets.
Here are some questions that graph-based visualization and graph data science algorithms can help answer:
- What assets contain PI that’s no longer needed based on our retention schedule?
- What assets contain PI that’s considered the highest risk (e.g. based on volume of sensitive PI, highest risk processing activities)?
- Where are our PI collection points so we can make sure we’re providing appropriate notice and consent to prepare for Bill C-27 or QC Law 25 changes?
- Which assets or PI processing activities have PIAs completed on them, and where do we need to complete them?
- Where do we find PI to respond to data subject rights requests?
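A minimal sketch of the graph model described above, as an added example (not PwC's tooling or code): constructed inventory rows become asset, purpose and flow edges, which are then queried for several of the questions in the list. All field names, assets, activities and dates are hypothetical.

```python
from collections import defaultdict, deque
from datetime import date

# Constructed sample PI inventory rows (hypothetical names and values):
# (activity, PI element, source asset or None if this is a collection point,
#  target asset, purpose, PIA completed?, retention end date in target asset)
ROWS = [
    ("Online signup", "email", None, "WebApp DB", "Account management", True, date(2030, 1, 1)),
    ("Online signup", "date_of_birth", None, "WebApp DB", "Age verification", True, date(2030, 1, 1)),
    ("CRM sync", "email", "WebApp DB", "CRM", "Marketing", False, date(2026, 1, 1)),
    ("Analytics export", "email", "CRM", "Data Lake", "Analytics", False, date(2022, 6, 30)),
    ("Payroll intake", "sin", None, "HR System", "Payroll", True, date(2031, 1, 1)),
]

def build_graph(rows):
    """Turn flat inventory rows into typed edge sets."""
    g = {"flows": defaultdict(set), "purposes": defaultdict(set),
         "collection": defaultdict(set), "no_pia": set(), "expiry": {}}
    for activity, element, src, dst, purpose, pia_done, expiry in rows:
        g["purposes"][dst].add(purpose)            # asset -> purpose edge
        g["expiry"][(dst, element)] = expiry       # retention per asset/element
        if src is None:
            g["collection"][element].add(dst)      # PI collection point
        else:
            g["flows"][(src, element)].add(dst)    # asset -> asset flow edge
        if not pia_done:
            g["no_pia"].add(activity)
    return g

def asset_complexity(g):
    """Number of purposes per asset (the node size used in Figure 1)."""
    return {asset: len(p) for asset, p in g["purposes"].items()}

def trace_element(g, element):
    """Every asset a PI element reaches from its collection points (BFS)."""
    start = sorted(g["collection"].get(element, ()))
    seen, queue = set(start), deque(start)
    while queue:
        for nxt in sorted(g["flows"].get((queue.popleft(), element), ())):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)

def past_retention(g, as_of):
    """(asset, element) pairs whose retention end date has passed."""
    return sorted(key for key, end in g["expiry"].items() if end < as_of)

def activities_missing_pia(g):
    return sorted(g["no_pia"])
```

`trace_element` is the query a row-and-column view handles poorly: it follows an element across every downstream asset, which is the set of places to search for a data subject rights request.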
In addition to the graph-based visualization and graph data science algorithms, organizations can build privacy dashboards based on insights generated from the graphs. Figure 3 shows a sample privacy dashboard incorporating output generated by graph-based analysis.
Graph-based analysis on an ongoing basis can help mitigate privacy risks by allowing you to fully understand what’s going on with your customer and employee data.
Analyzing the PI entrusted to you by either customers or employees on an ongoing basis can help you understand your PI and data ecosystem. This allows you to both build data trust (discover, protect, govern and minimize your data) and help address existing and new requirements for privacy.
Want to learn more? Get in touch with me and/or our privacy team.
Jordan Prokopy, Partner, National Privacy Practice Leader, PwC Canada
Susan Niu, Manager, Data Scientist and Data Trust Lab Lead, PwC Canada
Cybersecurity, Privacy and Financial Crime & Tech Alliance Marketing Leader, PwC Canada
2y
Great insights Jessica and Susan! Love how we're helping our clients build trust with the use of data to better manage emerging risks.