PBAC and Data Governance

I’ve worked with several clients recently to help them identify their privacy data covered by CCPA and GDPR. In each case, they were using IBM IGC to tag business terms as personal data in their data glossary, and link those terms to database columns instantiating those business terms. They are then able to identify personal data that must be masked or pseudonymized to comply with privacy regulations.

However, this is only the first step. My clients’ Data Governance teams are not responsible for doing the actual masking; this is the responsibility of the various application teams. WIth thousands of databases presenting data in hundreds of UIs running on many different device types, this task is a multi-year moon shot.

Policy-Based Access Control (PBAC) may be an element of an enterprise solution to this problem. PBAC manages authorization based on policies specifying the user role, device, location, or other attributes. It also supports fine-grained access control down to the column level.

PBAC could provide a key element of a common toolset to comply with personal data access requirements across applications and databases. Combined with a data catalog providing security and privacy requirements for data elements, and UIs supporting dynamic masking at the field level, it would simplify the monumental privacy and security challenge faced by large enterprises around the world.