As of May 25, 2018, the EU General Data Protection Regulation (GDPR) started enforcement. This was followed by the passing of the California Consumer Protection Act (CCPA) in June of 2018, as well as the appearance of other GDPR-like regulations in many other states and countries. A key component of these new privacy regulations is that of Individual Rights. That is, people now have the right to see what data a company tracks about them, and that same person can exercise control over that data. Truyo provides a streamlined solution to help your organization meet these regulatory requirements with various levels of automation and scale available.
No, the GDPR applies to any company anywhere, as long as the company is tracking information on EU citizens. Similarly, the CCPA applies to any company with global revenues greater than $25M/year, OR you track over 50,000 California citizens’ information, OR you make over half your revenue by selling data.
Modern privacy regulations are very broad, and cover many areas like breach notification, security practices and privacy by design. Truyo helps automate and streamline the area of Individual Rights. That is, the rights of a person to request to see the data a company is tracking on them, and to exercise control over that data. This is one of the main areas of exposure to a company, and serves as the primary entry point for complaints and fines if not done properly, so it is important to execute Individual Rights properly, and to the degree a company receives many Requests, to do so at scale.
Also called a SAR or DSAR, a Data Subject Access Request refers to the new requirements under privacy regulations that allow a person, the Data Subject, to request to see the data that a given company is tracking on them. This includes a very broad set of data tied to that person’s identity in your systems, like website visits, shopping history, demographic information, etc. For most companies, this data resides in multiple back-end systems. Companies have 30 days under the GDPR or 45 days under CCPA to compile this information and deliver it to the requestor in a format that is understandable. Further, a Data Subject can also ask for that data to be deleted from all systems, for it to be modified, or for it to be provided in an exportable format, depending on the regulation.
Personal data is any information that can be used to directly or indirectly identify a person. This information ranges from social media activity, credit card information, medical information to computer IP address. Public, private and work data is all covered under the regulation.
If you have over 10 back-end systems that contain privacy data, AND you get or plan to get at least one SAR per week, then you should consider at least some level of automation. Back-end systems include CRMs, ERPs, billing systems, help desk and ticketing systems, marketing systems, analytics, e-commerce, applicant tracking systems and payroll systems, just for example. The first level of automation -- validating identities, validating requests, generating tasks, logging and reporting -- will cut out 20 to 30% of your operational overhead without any systems integration required. The next level of automation, information gathering and compiling, will cut out another 30 to 40% of your overhead, and will require simple data ingestion integration to your systems. The last level of integration, fully automating changes to back-end systems, requires more integration effort, but will help you achieve a fully-automated, self-service experience for your customers and employees.
By default, Truyo sends verification links to any emails or SMS endpoints given by the Data Subject before a Request becomes “verified” and actionable. But Truyo can incorporate many additional verification methods, including integration with 3rd party verification tools and even integration to your own authentication systems for customers and employees. Truyo also offers you the option of requiring the Data Subject to upload a photo ID.
Yes, the entire product is built for variable enterprise requirements and stringent security standards and is driven by a set of flexible APIs so it can be largely tailored to your specifications. Customizations are performed and billed as a Professional Service.
Yes, many companies do not require automation because they get very few, if any, Requests from Data Subjects, or they have very few back-end systems which hold data. These companies use the Truyo secure portal, task management system, logging and reporting engine without any connected data sources, while supporting manual responses to SARs. This is a cost-effective and more compliant alternative to receiving SARs to an email alias or a simple web form. But if you do start getting a lot of SARs, it is an easy upgrade to start adding automation to the system.
Yes, in fact most of our deployments are on a company’s own cloud instance. Truyo is built on Kubernetes and can manage and maintain remote installations while keeping your data secure on your infrastructure. Truyo can also be deployed on premise or in a multi-tenant environment.
Truyo leverages a secure, immutable ledger to log and timestamp all events associated with your SAR operation, including Requests, Task assignment and Task fulfillment. We then provide simple graphical reports as well as flexible filters so you can see and create the reports you need very quickly, whether for internal purposes, or for external purposes like an audit or legal defense.
Through your secure, branded Data Subject Portal, Data Subjects are guided through options to help them formulate exactly what they are trying to Request. Your users do not need to be knowledgeable about the regulations, but their Requests are properly structured so you can act on them easily and quickly without having to interact with the Data Subject.
Truyo can integrate with any system capable of supporting an API. Truyo uses over 100 pre-built Connectors to all of the most popular CRMs, ERPs, marketing tools, HR tools, etc. For systems where Truyo does not have a pre-built Connector, we use a flexible API builder that includes standard components like error checking, caching, retries, etc.
Oftentimes, legacy applications or printed materials have no possibility of an API connection. In these cases, automation may not be possible. But Truyo can automatically create a manual Task for your team members when it is necessary to interact with these sources.
A Data Lake is similar to a Data Warehouse in that is stores a vast amount of information in a central location. But unlike a Data Warehouse, which requires significant effort to normalize the data coming into the Warehouse, a Data Lake requires virtually no effort to normalize the data, so it is much easier to not only connect many disparate systems, but to also maintain those connections. Further, Data Lakes require no expensive hardware, so they scale very cost-effectively. Lastly, once built, a Data Lake can be used not only to fully-automate privacy operations, but it can be used to develop additional business insights and functions that could never exist without a centralized data asset.
For manual processing of SARs, you do not have to create a Data Lake. But if you want any kind of automation, you will have to somehow centralize or interconnect your data sources to one degree or another. A Data Lake is significantly easier to set up and maintain than a Data Warehouse, easier to get buy-in from the data source owners, creates predictability for your operations, and it can be used to drive value for your enterprise through new insights, business intelligence and much more. With that said, Truyo leverages Data Lakes by default, but there are other configurations and ingestion options available if required.
Truyo leverages a secure, private blockchain implementation to serve as the evidentiary component of the service. There are no public nodes participating in the blockchain, and no PII is ever stored on the blockchain itself. Instead, the Truyo blockchain serves as an immutable ledger for timestamping and recording all events like Requests, Tasks and Responses. We also use the ledger to store hashes of data so that we can confirm when data was changed.