CYTRIO has launched its cloud-native privacy rights management automation solution. It is aimed at mid-sized enterprises to help them navigate a growing list of data privacy regulations. The company lists CCPA, CPRA, VCDPA and CPA as typical of the regulations it is addressing. The product is only aimed at US companies, which is a surprise given the much more mature privacy market in the EU.
Vijay Basani, founder and CEO of CYTRIO, said: “CYTRIO is addressing the biggest pain point for mid-market companies: managing data privacy rights without dedicated resources or privacy teams while addressing a growing list of data privacy regulatory challenges and building consumer trust.
“With this new solution, mid-market enterprises, which are essential to the US economy, can now confidently navigate the data-driven economy where consumers want more control over their personal data.”
What has CYTRIO released?
Its SaaS solution is described as an all-in-one solution that will do everything from detecting PI data to automating DSAR requests. In doing so, the company claims, it gives customers control over their data.
CYTRIO is using what it calls Intelligence Data Discovery. It uses machine learning/AI to discover, identify and classify PI data automatically. It sounds simple, but as other vendors in this space have discovered, it isn’t. The rules on what is and what isn’t PI constantly change.
It is not clear if the controls take the strictest interpretation of what is PI data. That would be the easiest approach, and it would mean that data is over-protected rather than under-protected. The company does claim to correlate the PI data with customer identity to eliminate false positives. While such a move is good news, it also raises questions about that correlation and how secure that data is.
How much data is being correlated? Is it broken up by compliance regulation or regions, or is it in a single data store? How is the data secured? Is it down to the customer to enforce security through configuration, or does CYTRIO do that for them? The latter is especially important in a cloud setting to prevent accidental leakage from insecure containers.
Putting the control in the hands of customers
One part of this solution is of particular interest – the data subject access request (DSAR). These are often difficult for many companies to deal with. First, there is the problem of uniquely identifying the requestor. It is often done through government-issued ID, but what if the ID has been stolen? This is where manual checks are often more useful than machine-driven systems.
Once identity has been established, it is about finding and identifying the requested data and then assembling it. Even then, not all data found can be released. It needs to be checked to ensure there is no privacy issue for other people. For example, if a data record contains information on the requestor and another person(s), additional PI data would need to be redacted. Alternatively, that other person(s) might consent to a partial data release as part of an additional DSAR. Those would then need to be linked together to create a more comprehensive record.
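The release check described above, written out as an added example (this is not CYTRIO's code, which the company has not published). The per-field subject tags, the `consents` set, the review queue and the sample records are all assumptions constructed here for illustration.

```python
from dataclasses import dataclass
from typing import Optional

REDACTED = "[REDACTED: third-party PI]"

@dataclass(frozen=True)
class Field:
    name: str
    value: str
    subject: Optional[str]  # data subject the value describes; None = not PI

def build_dsar_response(records, requestor, identity_verified, consents=frozenset()):
    """Assemble a DSAR package for `requestor`.

    records:  {record_id: [Field, ...]} (hypothetical discovery output)
    consents: other subjects who agreed to release of their PI to the requestor
    Returns (package, review_queue). package maps record_id -> {field: value};
    review_queue lists record ids where something was withheld, so a person
    can check the redaction before the package leaves the company.
    """
    if not identity_verified:
        raise PermissionError("requestor identity not verified; nothing released")
    package, review_queue = {}, []
    for rec_id, fields in records.items():
        if not any(f.subject == requestor for f in fields):
            continue  # record holds nothing about the requestor
        out, withheld = {}, False
        for f in fields:
            if f.subject in (None, requestor) or f.subject in consents:
                out[f.name] = f.value
            else:
                out[f.name] = REDACTED  # another person's PI, no consent on file
                withheld = True
        package[rec_id] = out
        if withheld:
            review_queue.append(rec_id)
    return package, review_queue

# Constructed sample data: one record mixes two people's PI.
SAMPLE = {
    "order-1": [Field("buyer_email", "alice@example.com", "alice"),
                Field("gift_recipient", "Bob Smith, 12 Elm St", "bob"),
                Field("sku", "A-100", None)],
    "ticket-7": [Field("reporter", "carol@example.com", "carol"),
                 Field("body", "printer jam", None)],
}
```
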
CYTRIO is promoting its DSAR solution as a simple 2-click process. However, it has provided no details on how it will verify requestors. There is also no detail on any additional steps the system will take to ensure that only the data for the requestor is released. It raises the question, where is the oversight? These are all things that need to be answered by the company as the website provides little depth on how it works.
Investors willing to take a chance
This announcement comes less than a month after the company raised $3.5 million in seed funding. The question is, will that be enough to fully meet its claims for the solution? Even if it is, it doesn’t seem to leave much for building out a partner network. This is critical as the company has said it is not going to do direct sales. Instead, it will rely on channel partners to promote and sell the product.
CYTRIO is pricing the solution at $495 per month. As its customer base grows and it picks up customers with more complex data, it might need to consider a more granular pricing model.
Enterprise Times: What does this mean?
Identifying and securing PI data is complex. It is about more than just looking for keywords or relying on properly formatted fields in a database. It needs software that can do contextual searching and identify data that might appear innocuous at first glance.
Automating the contextual search also requires a lot of data experience. What is not clear here is what level of knowledge customers will require. Given the low price point, it would imply not a lot, but that might be a mistake given that rules will need to be verified and data checked to ensure nothing is being ignored.
Despite the challenges, this is a very lucrative market to be in. Companies are struggling to identify PI data under one piece of compliance, let alone manage multiple sets of compliance requirements. Few can respond to DSAR requests within months, let alone immediately. If CYTRIO can get this right, it should have a big success on its hands.