To celebrate PII Shield, Demostack's latest tool that makes masking sensitive data quick and effortless, we interviewed our GRC David Williamson about trends in security and privacy. Just like GDPR, even if you're not interested in security, you'll find this interview relevant and insightful.
American Data and Privacy Protection Act or ADPPA update
There's an important piece of legislation called the American Data and Privacy Protection Act (ADPPA) before the US Congress right now. While it hasn't passed yet, it's expected to soon, as the bill has broad partisan support.
ADPPA's noteworthy feature is its focus on data minimization. Under this, companies can only collect and use personal data for 16 name permitted usages, such as authentication, cybersecurity, fraud protection, and online checkouts.
Additionally, marketing and selling efforts in the future will be based upon first-party data — data gathered directly from people — and not third-party data.
The upside to this is that ADPPA will preempt a lot of existing state and privacy laws, thereby simplifying your regulatory compliance responsibilities. Companies will have to primarily comply with a single federal standard instead of 50 (or more) state standards.
What does this mean for SaaS vendors? Considering first-party data will become the centerpiece of your advertising efforts in the future, I recommend the following:
- Respond promptly to people who reach out to your websites (there are your first parties).
- Tell a compelling story when demoing your services back to them.
Understanding ADPPA vs. GDPR & CCPA
ADPPA is similar to modern privacy and data protection regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act of 2018 (CCPA). But the difference here is the ADPPA’s more constrictive approach.
The bill explicitly names the specific types of data companies can gather and prohibits everything else, making it more restrictive than some of the existing legislation.
Non-compliance, in general, is a costly affair. But GDPR fines are on another level. where you can be fined up to 2% of your company's global revenue. Needless to say, this can be a whopping number for really large enterprises.
The fact that the European data protection authorities are quick to levy those fines doesn't make things better. Case in point—Instagram was recently penalized with a staggering $400 million fine for mishandling the personal data of minors.
Paying such massive penalties not only breaks the bank but also ruins brand reputation in the prospects' and customers' minds, making them less likely to trust your company.
Security of the cloud vs. Security in the cloud
Most companies and consumers have a great degree of trust in the major cloud providers, like Amazon Web Services and Google Cloud.
While this trust is warranted as the cloud is a secure platform, I think many of these users may be overlooking their privacy and security risks under the cloud provider's shared responsibility model.
Under this model, both the cloud computing provider and its users are required to follow certain security obligations to ensure accountability. But many users are still unclear about their responsibilities.
The cloud providers will give you the platform, but you may still have privacy or security risks tied to how your company configures and uses it. This distinction is commonly referred to as the security of the cloud vs. security in the cloud.
PII in demos. Can it be avoided?
Exposing PII Data in a demo
Exposing PII Data while giving a demo is a serious risk and compliance issue for most companies—one that's unfortunately underrepresented in their risk registers.
Understandably, you want to show prospects your SaaS product's greatest competitive features. But this shouldn't be at the cost of exposing sensitive customer, employee, or other PII data.
As someone who's seen tons of SaaS demos, it's often apparent I'm looking at a vendor's live customer data. This is a huge turnoff for me. I can't help but wonder if the vendor has no qualms showing me their current customer's data, they'll likely be okay presenting my company's private information to their next prospect.
It makes me question how much trust I can reasonably place in their company. Your prospects may also feel similarly if you use PII data in your demos.
All enterprises, but especially SaaS vendors, need to be able to show exciting, attention-grabbing demos of their services without violating privacy regulations, like ADPPA or GDPR. What's more, prospects expect to see your product's full features that are available and capable of distinguishing in a SaaS service.
The problem? Setting up a customizable demo environment to achieve this is highly complex.
This brings us to the next important question: how do you show your product effectively without inadvertently exposing PII data?
How Demostack's PII Shield helps
PII Shield in Demostack automates PII removal. It scours through your data to identify and mask any sensitive information, allowing you to give engaging product demos at scale, without any manual effort.
Our PII Shield uses a data masking technique called substitution to help you tell a better story, letting you mask PII with asterisks or with fake data
Use it to obfuscate as much data as possible and better protect PII. This shows good faith and minimizes legal and reputational risks, putting you in a much better kind of legal risk compliance.
Last but not least: PII at events
You should be able to show the great competitive features your SaaS services offer without exposing the customer, employee, or other PII data, even when demonstrating at trade shows and conferences.
Showing attention-grabbing and fully configured demos to prospects is already tricky, but doing it on a live event floor puts you at a greater risk of exposing live customer data when showing the richness of transactions. Our PII Shield helps eliminate such unique risk items, helping you maintain data integrity for both external use (prospects) and internal use (employees).
About the author: David has been involved with Governance, Risk, and Compliance (GRC) for more than 20 years. He has worked at Oracle, Visa, TripActions and is now the GRC at Demostack.