
Implementing Data Bill of Materials (DBoM) and Privacy Automation for largest private sector bank (HDFC) in India


Enterprise privacy, security and compliance teams rely on business owners and data teams to manage and safeguard data while governing the process of protection and compliance. The very first challenge is an inventory of all data. Most companies maintain an inventory of physical assets and software assets, but what about an inventory of sensitive or personal data? HDFC Bank faced exactly this problem when we approached the solution.

With the introduction of the concept of Data Bills of Material (DBOM) by Ardent Privacy, privacy and security teams are better equipped to understand and monitor the presence and flow of data within organizations. DBOM effectively summarizes data through comprehensive data discovery processes, allowing Data Protection Officers and Security Officers to identify, classify, and protect sensitive information efficiently. This enhanced visibility ensures that data governance is maintained, compliance requirements are met, and security risks are minimized.

Starting with Privacy Impact Assessment Automation


To achieve a DBoM at the bank, the first step was to identify the business processes, the various applications that process personal data, and the business owners responsible for them. The bank had a streamlined privacy impact assessment process for this; however, it was manual, managed using spreadsheets, and communication was handled through email. Data Protection Officers (DPOs) needed to conduct Data Protection Impact Assessments (DPIAs) and numerous other evaluations, requiring constant communication and follow-ups with business owners. With TurtleShield PA (Privacy Automation), DPOs can now automate these assessments, streamline communication and feedback with business owners, and generate comprehensive risk reports using risk scoring logic. The bank had a well-thought-out custom risk scoring logic that takes compensating controls into account when deciding the score. Our low-code platform accommodated these business needs and established the risk assessment as per the bank’s requirements. Ardent was able to deliver a positive experience for both business owners and privacy officers.



Establishing a Data Bill of Materials (a crucial step for a successful privacy program)


The Data Bill of Materials (DBoM) records the ownership, sharing history, storage and collection purpose of a unit of data. The purpose of a DBoM is to identify personal data as an asset and an essential component of the software and system inventory, just as integral as programs, servers and other components.


Ardent’s TurtleShield is an ML and AI-powered enterprise software platform that helps businesses discover, identify, inventory, map, minimize, and securely delete personal data. It helps build a data bill of materials across the organization.

At the bank we were challenged with data assets dispersed across organizations in structured as well as unstructured formats. The PIA/DPIA process gave good insight into the scoping of business processes and the applications associated with them.

Challenges and solutions:

Massive volume and complexity of data

  • Massive Data Volumes

    Banks generate and store enormous quantities of data across multiple platforms and formats, making it challenging to monitor and manage all personal information effectively.

  • Data Silos

    Data is frequently distributed across various departments, databases, and cloud services, resulting in silos that hinder comprehensive data discovery and management efforts.

TurtleShield applied its unique oil-drilling-like approach to data discovery across the entire data footprint. With appropriate prioritization, it focused on the data that matters most while offering meaningful insights into enterprise data. Its patented AI-based technology can discover large data sets across environments, saving up to 75% of discovery time.

Variety of Data

  • Structured Data

    This type of data is systematically organized and stored in predefined formats, like databases and spreadsheets, facilitating easier searching, analysis, and management.

  • Unstructured Data

    A significant portion of personal data is unstructured, found in emails, documents, and social media posts, which makes detection and classification more challenging compared to structured data.

Ardent Privacy TurtleShield provided an agentless as well as an agent-based approach to collect data intelligence, following the path of least resistance and whichever fits the organization best. Our promise is to reach across the most data in the minimum amount of time, and that is where machine learning and the oil-drilling approach help to achieve results faster.

Identification and Classification

  • Rapid Identification

    Rapidly identifying relevant data within vast datasets is crucial for timely decision-making and compliance. Efficient tools and processes are necessary to achieve this speed.

  • Sensitive Data Types

    Identifying sensitive data types, such as health information, financial records, or biometric data, requires specialized tools and techniques to ensure accurate classification and protection.

With large data volumes, speed is an important factor: a rapid scan identifies sensitive data quickly and improves in accuracy as it scans more data. TurtleShield provides a common list of data types and also provides custom sensitive data types based on the company's requirements. Sensitive data types are fed to machine learning so that they are scanned successfully.

Regulatory Compliance

  • Privacy Regulations

    In the banking and finance industries, there are different privacy regulations (e.g. RBI rules, DPDP Act), requiring banks and financial institutions to stay updated and compliant with multiple sets of rules.

  • Evolving Legal Landscape

    Privacy laws are continually evolving, requiring ongoing adjustments to data discovery and management practices.

TurtleShield has a deep focus on Indian regulations and related requirements for compliance. Reporting as per the required directive is provided to ensure regulators' full satisfaction.

Technological Challenges

  • Legacy Systems

    Older systems often lack the design considerations necessary for modern data privacy requirements, making it challenging to implement effective discovery processes.

  • Integration Issues

    Integrating new data discovery tools with the existing IT infrastructure can be complex and resource-intensive.

The Ardent team worked hand in hand with the bank to ensure that requirements were met, including those for legacy systems and centralized identity management systems, and that the work was aligned with business processes.

Resource Constraints

  • Expertise

    There is often a shortage of skilled professionals who possess knowledge of both data privacy laws and data discovery technologies, making it difficult to find the right talent to manage these processes.

  • Budget

    Implementing comprehensive data discovery solutions in banks can be a humongous task and extremely costly, yet it is essential to achieve compliance with privacy regulations within a constrained budget.

The Ardent team worked hand in hand with the bank to ensure that requirements were met, including those for legacy systems, centralized identity management systems and complex business processes. Ardent’s efficient approach to discovery is saving the bank large costs while achieving the required compliance and also enhancing its data security posture.
