Privacy Mode fellowship programme

Documenting privacy best practices in industry

Sathish K S

@CsYEOo_uYv

GDPR & Compliance For Data Business

Submitted Feb 9, 2022

Statement of Intent & Purpose

I had the opportunity to work closely with various stakeholders to ensure that the privacy and “Governance, Risk & Compliance” posture of my company, Zeotap, was adequate to enable our data business in the EU and US. This was by virtue of my position as current CTO and past VP of Engineering at Zeotap. Zeotap has two offerings: one is Data-as-a-Service and the other is a data platform offered as SaaS. The former is pure 3rd-party data and the latter has flavours of pure 1st-party as well as a combination of 1st- and 3rd-party data. Operating in the EU meant we had to adhere to GDPR regulations and have the necessary measures across the organisation for the same. When CCPA was established, the measures we took for GDPR gave us an easy transition to CCPA compliance as well.

To tackle GDPR we took a product-centric approach with a longer-term vision around reusing the building blocks for future compliance regulations, whether they are country-specific or vertical-specific. The goal was to have a system in place that delivered the flexibility to extend to new types of regulations and data assets we may acquire.

The first step of the detailing is how the regulations were broken down into specific use cases, including sensitive data management, PII management, consent management, user information management, access rights, audit needs and so on. Next comes the technical design that realised all of these use cases: our infrastructure, data storage and processing applications, together with the modules needed to deliver the product use cases.

During this fellowship we want to go over the internals of these use cases, especially for the people-centric data collected by the business, and give practical examples of how they were solved. We go over the scenarios around data flows and the challenges they present when solving for regulations and privacy. This draws on principles from privacy engineering, security, data governance and cloud infrastructure design. We will add the relevant cross-references to these principles so that practitioners can connect them with, say, a control requirement for an audit.

Then we move on to the second business, the data platform SaaS, where multi-tenancy around data sovereignty and more vertical-specific extensions come into play, and we show how the approach has to be transformed to cater to this added complexity. In this model, access control rights, tenancy around storage and client-specific needs around the data catalog and PII data management all come into play. We will look at the evolution of these from a product and tech perspective.

The deep dive throughout the above will cover what we, as a company, had to invest in: the additional entity models, the services and processing that had to be created, and how these translate into or plug into products delivering business value.

The example architectures and solution designs can be used as a reference implementation on any cloud-based technology stack.

In the end we find parallels between the existing regulations and the proposed PDP bill, and look at cross-fitting and extending the approaches to aid compliance with it.

Hosted by

Deep dives into privacy and security, and understanding needs of the Indian tech ecosystem through guides, research, collaboration, events and conferences.