CommandK’s Post

*Collecting Data is a Responsibility and not a Privilege!* Can you really lose your life's savings to a scam? or it just fear mongering? That's exactly what happened to a person a couple of months back. They lost more than Rs. 1 crore to an elaborate Fedex scam that was only possible because they had access the person's personal data. If you check out my last post, you'll know that the number of data breaches are growing exponentially! This has made every country come with their own data privacy law. Non-compliance with these laws can get very expensive, India's DPDP can fine you Rs. 250 crore per instance of Data Breach. But the cost of non-compliance goes beyond monetary penalties. A single data breach can erode customer trust, damage your reputation, and lead to lost business. The average cost of a data breach in 2023 was $4.24 million. All of this points towards one thing: 🚨 Collecting Data is a responsibility and not a privilege. By collecting customer data, you are opening up your organisation to potential fines under data privacy laws, reputation damage and lost business. So make sure that you absolutely need a data point before collecting it. Now what to do about the data you've already collected? As a start, you need a live Data Inventory which gives you the ability to understand your data. I might be able to help here :)

Over the past two months, we've been conducting DPDP workshops with multiple consumer and fintech companies. The agenda is simple: 1. All the relevant stakeholders are present. 2. We walk you through all key points of the DPDP bill and how it applies to your organisation. 3. We wrap up things with a quick demo of Enclave. The best part of the session is that because all stakeholders throughout your organisation are here, the session becomes super interactive and everyone leaves with a clear understanding of how to start becoming DPDP Compliant. Interested in scheduling one for your org? Request a workshop from the link in the first comment.

🚨 We own a lot of customer data You know what's wrong with this? This statement assumes the company that has the data owns it. This is how companies most companies function. This is why your data is "sold" in the grey market. After all, you can sell what you own. Right? This is exactly what Account Aggregators solved. A customer's financial data is theirs. Not a financial institution's to keep for perpetuity. Now you can easily share your data to apps like Fold or Jupiter using Account Aggregators like Finvu or Setu. Your financial data is finally yours. Now, imagine that, but for all your data. That's exactly what the DPDP Act does for *all* your data. Every company has to ask for consent before collecting your data. They have to tell you how they use it and who they share it with. The best part? You can ask them to modify, delete, or even ask them to add a nominee for your data. Now if you are a company collecting this data, you must implement all of this at your end. Want to go live without any engineering effort? Drop me a dm :)

As a tech or compliance leader, you're likely aware of the customer data your organization collects. But do you know where it is sent? Who uses it and why? It would be impossible for you to fully understand if you only require regular reporting from all your business and engineering teams. One of the biggest mistakes companies make is to simply create a list of collected data and where it is stored, then call it a Data Inventory, only updating it twice a year. However, while knowing the data might seem easier, what about all the vendors it is shared with? Or the new microservice that reads data from Kafka and processes it? This approach does not truly aid in anything beyond checking off a compliance list item. If your aim is to be a privacy-first company and, more importantly, to comply with Data Privacy Laws worldwide (e.g., DPDP, GDPR, LGPD, etc.), what you need is a live Data Inventory. Such an inventory would continuously scan your infrastructure and code to understand where and what data is being stored, highlighting potential risk vectors. This keeps you compliant without the need for a time-consuming review twice a year. Looking for a solution like this? Check out Enclave's AI-powered Live Data Inventory in the first comment.  #DataPrivacy #DataCatalog #DataPrivacyCompliance #GDPR #DPDP

It is a problem we’ve all come across all too often. You bought a shirt from a company that also has men’s accessories and nutraceutical brands. For the next few weeks, you’re flooded with ads pushing you supplements for your receding hairline. These chasing ads are a violation of our privacy. We all know, vaguely or in great detail, that these are violations. Why isn’t this a bigger problem? Simple answer: these ads can be useful. But for most, it’s a problem. It’s not as easy to solve this either because of how companies store our data. Often the same company has different brands, but a single backend infrastructure. So both have access to your purchase history from either brand. To give users greater control over their data, regulatory requirements have evolved. For example, India’s Digital Personal Data Protection Act clearly lays out the ground rules for processing data after obtaining the consent of the person it belongs to. This means if you’re collecting and processing data for, say, insurance, you cannot use the same data to offer them a personal loan. I thought it would be useful to understand why this is not a straightforward task to implement for businesses. It is already proving hard for different business entities/brands under the same parent organization to design the consent notice for customers. Often, they may not even realize they are being non-compliant. An example is the case of a real estate company and a condo management startup suing each other for data theft in 2020. Both accused each other of using the other’s data to solicit business from users. Under the DPDP Act, both would have faced additional fines for using consumer data without their consent. I believe that there is a cultural shift incoming in the way enterprise customers and end consumers view data. The evolution of this shift may have been hastened by the new data protection laws but companies and founders will need to evolve fast or lose capital and, more importantly, customers. 

Does your company collect PII? Do you know what you collect, where you use it, why you use it, and what the usage agreement with third parties is? If you do, how often do you validate it? Product and Business teams keep collecting and processing PII because they need it to drive revenue and improve performance. But is relying just on the process you've defined a good idea? Especially when employees come and go, and new systems are built every other year. When we started building Enclave, we knew that if we solved this problem first, we could get any company on Earth compliant with any Data Privacy Law in the world in weeks. We do that with an always-live, AI-powered Data Inventory. Think of Enclave as modular building blocks to implement a solid Data Privacy practice; our data inventory is the bedrock! All you have to do is set up our connectors and code scanners, and we create a live data inventory and data map for you to track. The best part? We detect PII in your internal systems and all the third-party service providers you send data to. No more talking to each team individually to understand what PII they store and where. This is one of the many data privacy building blocks that Enclave offers! Curious to know more? Check out the link in the first comment.