IT Thought Leadership Security

A Private Affair—How VMware Legal IT Automated User Rights

by: VMware Senior Business Systems Analyst, HR-Legal Manabhanjan Tripathy

In order to combat ever-increasing data breaches, governments and other entities have enacted greater privacy regulations. Examples include the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Personal Information Protection and Electronic Documents Act (PIPEDA). These laws cover data subject requests (DSRs), which are at the core of modern data privacy compliance. In general, DSRs encompass user requests to access, modify or delete personal information that an organization maintains, as well as other areas, such as explicit/revocable consent and data portability.

While these laws offer people control over their personal information, they can create massive challenges for security teams. 

Suffering in privacy

Statue of depressed man in rain

Legacy systems, manual processes and various other issues make compliance with modern data privacy laws a daunting undertaking, a fact that VMware security personnel discovered after internal audits.

Here are just some of the challenges we discovered:

  • The timeline to respond to DSRs was nearly 30 days, due to the team’s reliance on multiple (and disparate) data sources needed to extract information—and every DSR required a new and unique search. 
  • Reaching out to various app owners and multiple teams to retrieve personal identifiable information (PII) involved time-consuming tedious, repetitive tasks. 
  • No centralized repository existed to ascertain PII data and determine the mechanism to automate the PII findings from the application’s database. 
  • The process lifecycle to extract PII-related data from a specific application for a DSR involved a minimum of five hours of manual effort. 
  • There was no one-stop solution to manage/address access and deletion requests, PII discovery, data governance, and numerous other issues.

Ditching manual for automatic

Manual transmission with slash through it

Realizing these challenges, our Legal IT team designed the VMware DSR Privacy Portal. This adaptable tool enables self-service automated PII discovery and data rights fulfilment. Now, privacy teams have complete and easily accessible control over how data from any user whose information is stored in VMware’s IT systems—such as VMware Workspace ONE® UEM—is treated. This allows unprecedented levels of compliance regardless of the local/regional/national regulations. It also creates a deeper layer of trust with VMware customers, partners, current/former colleagues, and other entities. See Figure 1.

Privacy Portal schematic
Figure 1.

The DSR Privacy Portal solution employs a microservice architecture principle backed by cloud-deployment technologies, open-source components, API management, and other integration tools. It automatically finds the user’s personal data from application data sources, no matter where it is stored in the enterprise. Features include microservices hosted on a Kubernetes container platform, privacy mailbox, open source databases, and data streaming solutions. See Figure 2.

Legal IT DSR Portal schematic
Figure 2

How does it work?

The VMware DSR Privacy Portal now enables the privacy team to perform multiple streamlined tasks on demand, something previously impossible. This ability saves significant time and simplifies team workflows. See Figure 3.

How DSR works infographic
Figure 3.

Welcome to the future of privacy

Relaxed woman on pier on lake

Since initial deployment, the VMware DSR tool has proven its mettle time and time again. 

Service level agreements (SLAs) for response times/management of DSRs are now much less than 30 days. And less time means less laborious team interaction (including follow up) with application owners—a win-win for everyone involved. 

Automated PII discovery reduced DSR scan timelines from five hours to 15 minutes

Data lineage/governance made privacy implications for applications remarkably transparent, ensuring access and deletion of personal data is always accounted for, regardless of user. 

The self-service nature of the portal means personnel can manage scan notifications, views and other functionalities on the fly when the DSR is first generated. This eliminates the frustrating bureaucracy and waiting times normally associated with such efforts.

Currently, the VMware DSR Privacy Portal enables PII data discovery and management of 60+ VMware IT enterprise applications used across the globe.

Now it’s your turn

Chalk drawing of 'what's next' phrase

Currently, the VMware DSR Privacy Portal is a proprietary in-house tool used by our internal teams. This blog aims to help you to see the possibilities of automating the entire DSR/PII process in your own organization.

VMware IT experts are always here to support your endeavors, so feel free to schedule an informational briefing with one of our privacy experts by contacting vmwonvmw@vmware.com.

We look forward to hearing from you.

VMware on VMware blogs are written by IT subject matter experts sharing stories about our digital transformation using VMware products and services in a global production environment. Contact your sales rep or vmwonvmw@vmware.com to schedule a briefing on this topic. Visit the VMware on VMware microsite and follow us on Twitter.

Comments

One comment has been added so far

Leave a Reply

Your email address will not be published.