Accepting submissions till 28 Feb 2022, 11:00 AM

What are lean data practices and how can you adopt them for compliance? How do you handle user data deletion requests at an exabyte scale? How can you anonymize PII while also sharing data with third-party tools and services? What data governance strategies do the best organizations in India follow?

The Privacy Mode Best Practices Guide (BPG) is a compendium of answers to these and other questions around privacy and data security. Compiled from talks, interviews, and focus group discussions, the BPG is a practitioner’s view of implementing better privacy from the design stage and ensuring compliance with national and international laws.

Each submission is a chapter of the BPG, and will cover one or more of the following topics:

  • Data asset enumeration
  • Data flow enumeration
  • Data classification
  • Access control based on classification

Hosted by

Deep dives into privacy and security, and understanding needs of the Indian tech ecosystem through guides, research, collaboration, events and conferences. Sponsors: Privacy Mode’s programmes are sponsored by: more

Supported by

Omidyar Network India invests in bold entrepreneurs who help create a meaningful life for every Indian, especially the hundreds of millions of Indians in low-income and lower-middle-income populations, ranging from the poorest among us to the existing middle class. To drive empowerment and social i… more
We’re the world’s most comprehensive and broadly adopted cloud platform, offering over 200 fully featured services from data centers globally. As a hyperscale cloud service provider, AWS provides access to highly advanced computing tools on rent for startups and SMEs at affordable prices. We help t… more

Anwesha Sen

@anwesha25

Best Practices Guide: GDPR Compliance at Intuit

Submitted Jan 31, 2022

Name of Organization: Intuit

Domain: Financial Software Company

Talk by Kalusivalingam Thirugnanam

Summary

Intuit uses important financial information about their customers which requires them to be compliant with GDPR and CCPA. In practice, this requires them to enable their customers to access their information as well as request deletion of their information.

To comply with these requirements, Intuit built a system with four components - the request manager, the queue or topic, data managers, and the central document management platform. For access requests, information is archived and provided to the customer through the central document management platform. Deletion requests go from data managers to their individual services.

Competing compliance requirements, distributed status tracking, scaling requests, organising content, and receivable offline processing were the key challenges that Intuit solved for.

Terms/Glossary

  • GDPR: General Data Protection Regulation
  • CCPA: California Consumer Privacy Act

Detailed study

Intuit is a software company in the financial domain, and their products include TurboTax (tax automation software), QuickBooks (accounting automation software), and Mint (personal finance management software). In all of these products, Intuit uses key financial information about their customers from across the world. Hence, they are required to comply with GDPR and CCPA to protect their customers’ data.

In order to comply with the regulations, Intuit has to provide their customers with:

  • The right to access information - Customers are able to know what Intuit knows about them. This information is made available as a simple archive in an easily consumable form, in a time-bound manner.
  • The right to request deletion of information - Customers can request to delete all the parcels of their information. The customer can also selectively choose what information they want to delete.

There are four components in the approach that Intuit has used to solve this problem. The first component is the request manager. This manages the requests that come from customers to either access or delete their information.

When the request manager receives this request, it employs a queue or a topic where the information is published. This is the second component.

Requests flow from the queue or topic to the third component, the data managers. There are many domains within personal finance products such as QuickBooks that handle the data of customers. Each of these domains keeps a data manager to carry out requests such as these, so there are multiple data managers involved in this flow.

The data managers for the individual domains collect the data and publish it to the central document management platform, which is the final component. Here, the information is archived and sent back to the customer in the case of an access request.

In the case of a delete request, the same flow happens from the request manager to the data managers. The data managers in turn connect with their individual services for which they are responsible and perform the delete operations.

[Figure: Intuit’s High Level Architecture for Regulation Compliance]

The following are the top five challenges that Intuit went through and their solutions:

  • Competing compliance regulations for information access and deletion - Each data element and document carries an attribute that indicates whether the data must be kept for another compliance requirement. For example, when a CCPA request comes in, the QuickBooks capital offering would request to delete that information. Before the data is deleted, a check is made for any other compliance requirement that still needs it. If there is one, the data is kept for as long as that requirement demands.

  • Distributed status tracking - They built an infrastructure where they can keep track of the status to fulfil the complete request for a customer.

  • Scaling request handling with a message bus and message queues - Intuit tunes the system by computing the consumers’ processing speed and the number of messages that individual brokers can bring in, so that messages are distributed equally across all consumers and requests are processed effectively. Apache ActiveMQ is used to process the work order requests.

  • Organising content from different data managers - They organise the contents in folders and sub folders and within the folders they also provide a ReadMe file. This ReadMe file provides the structure of the content in individual files, and explains how this data can be understood.

  • Receivable offline processing - The status tracking mechanisms were extended to the data managers, the services, and the output records that the services brought in. This enables them to track whether or not each individual’s file has been successfully archived. If they run into problems and have to restart, they start from where they left off instead of from the beginning.
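
The retention attribute, per-record status tracking and restart-from-where-it-stopped behaviour described in the list above, sketched as an added example (it is not Intuit's code and does not come from the talk). The class names, the `retain_for` attribute, the status values and the sample records are assumptions made up for illustration, and the queue between the request manager and the data managers is replaced by direct calls.

```python
from dataclasses import dataclass, field

@dataclass
class Record:
    record_id: str
    retain_for: set = field(default_factory=set)  # other obligations (assumed attribute)

class DataManager:
    """Owns one domain's records and deletes them in its own service."""
    def __init__(self, domain, records):
        self.domain = domain
        self.records = {r.record_id: r for r in records}
        self.calls = 0  # delete operations executed, to show no rework

    def delete(self, record_id):
        self.calls += 1
        if self.records[record_id].retain_for:
            return "RETAINED"  # still needed for another regulation
        del self.records[record_id]
        return "DELETED"

class RequestManager:
    """Fans a delete out; the work order is recorded up front per (domain, record)."""
    def __init__(self, managers):
        self.managers = {m.domain: m for m in managers}
        self.status = {(m.domain, rid): "PENDING"
                       for m in managers for rid in m.records}

    def run(self, crash_after=None):
        processed = 0
        for (domain, rid), state in list(self.status.items()):
            if state != "PENDING":
                continue  # finished in an earlier run, do not redo
            if processed == crash_after:
                raise RuntimeError("simulated worker crash")
            self.status[(domain, rid)] = self.managers[domain].delete(rid)
            processed += 1
        return self.summary()

    def summary(self):
        states = set(self.status.values())
        if "PENDING" in states:
            return "IN_PROGRESS"
        return "COMPLETE_WITH_RETENTION" if "RETAINED" in states else "COMPLETE"

def build_demo():
    # Constructed sample data: two domains, one record under a retention hold.
    accounting = DataManager("accounting", [Record("inv-1"), Record("inv-2")])
    lending = DataManager("lending", [Record("loan-1", {"tax-retention"})])
    return RequestManager([accounting, lending]), accounting, lending
```

Calling `run(crash_after=1)` and then `run()` again on the same `RequestManager` shows the second pass touching only the entries still marked `PENDING`.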

Tech stack/Tech solutions:
Apache ActiveMQ
