Focusing on meeting the minimum bar of industry standards and legal compliance instead of building true data privacy into your products puts your company’s reputation and customers at risk.
Founded in 2019, Skyflow is a data privacy vault for sensitive data. Its founders wanted to radically transform how businesses handle their users’ financial, healthcare, and other personal data – the data that powers the digital economy.
Robin Andruss, chief privacy officer at Skyflow, has more than 13 years of privacy experience including senior-level positions at Google, Yahoo, TrustArc and Twilio.
Here Andruss explains why customers deserve data privacy.
Your customers want real data privacy when they entrust you with their data, not merely ‘compliance’ with laws and regulations like GDPR, GLBA, SOC2, and PCI. They want you to ensure that their sensitive data is only used for authorised purposes by those who need it, and protected from hacks, breaches, and leaks.
Go beyond compliance
Every company needs to go beyond treating compliance as an afterthought to deliver true data privacy. For example, in the Equifax data breach, the personal information of over 140 million customers was compromised. This happened despite Equifax being compliant with all applicable laws and industry standards.
Equifax has suffered lasting damage to its brand. And, while providing consumers with a year of free credit monitoring reduced the damage to customer relationships, no remedy can fully negate the impact of such an incident.
What could they have done differently? Protecting the privacy of sensitive data by isolating it and applying strong data governance would have helped.
This is just one example of how compliance is necessary, but not sufficient, to ensure data privacy.
ACH data deserves better
For another example of the need to go beyond compliance to protect sensitive data, consider the gap between the regulation of PCI and automated clearinghouse (ACH) data in the US. If you process transactions using both PCI data and ACH data you’ve probably noticed that the regulations around PCI data are stringent, but ACH data is very lightly regulated. That’s because payment card data is regulated by the PCI DSS standards, and no equivalent to PCI DSS exists for ACH data.
I’d argue that ACH data should have more protection than PCI data – consumers can contest fraudulent credit card charges, but it’s nearly impossible to reverse wire transfers. Should you wait for new regulations before securing ACH data? Of course not. You should centralise ACH and other sensitive data in a data privacy vault that isolates, secures, and tightly controls access to manage and use sensitive data – and that works with your existing infrastructure.
Raise the bar on customer data privacy
Skyflow’s Data Privacy Vault is designed to centralise and protect sensitive data, including financial data, health data, and PII. Skyflow offers a wide range of capabilities, including:
- Data Governance Engine: How much control do you have over your data if employee credentials are compromised? With Skyflow’s unique data governance engine, you can control who sees what, when, where, and how. You can also add column- and row-level data access controls, based on any combination of policy, role, or attribute; so you can keep your most sensitive data beyond the reach of employees who don’t need it.
- Polymorphic Encryption: Encryption-at-rest is required by several industry standards, and it’s far better than storing unencrypted data. But in many cases, encryption-at-rest isn’t sufficient. Skyflow’s polymorphic encryption lets you treat each type of sensitive data differently, so when you only need the last four digits of a customer’s SSN, that’s all you decrypt. And, it lets you run matching and comparison operations on encrypted data without the need to decrypt it, so you can run credit and KYC checks while keeping sensitive data fully encrypted.
Tokenise and centralise sensitive data
By using Skyflow’s APIs to collect sensitive data and tokenise it, you can manage sensitive data without having your backend systems ever touch it. Instead, your backend manages tokens that point to sensitive data that’s centralised and isolated in your Skyflow Vault.
To detokenise sensitive data, your backend provides those tokens to Skyflow, which confirms that your request meets zero trust access controls before detokenising and returning the requested data.
Centralising sensitive data carries a host of benefits, making it easier to meet data residency requirements and reducing the scope of PCI compliance.
Build for data privacy with Skyflow and Plaid
Plaid’s API connectivity to over 12,000 banks and financial services makes it a popular choice for companies that need financial data on their customers. Skyflow partnered with Plaid to make it easier than ever to protect sensitive data, so you can use Plaid’s APIs while also using Skyflow’s Data Privacy Vault to protect sensitive PII and financial data.
Give Skyflow a try
By centralising sensitive data in Skyflow’s Data Privacy Vault, you can ensure that your product goes beyond compliance with standards and laws that slowly evolve to respond to the threat landscape. To learn more about how Skyflow Data Privacy Vault can help you to isolate and protect your customers’ data, give Skyflow a try.