When I started at Square, one of our primary privacy challenges was that we needed to scale and automate insights into what data we stored, collected, and processed. We relied mostly on manual work by individual teams to understand our data. As a company with hundreds of services, each with their own database and workflow, we knew that building some type of automated tooling was key to continuing to protect our users’ privacy at scale.
The author details Square's investments in automatically detecting PII and scoping users' access to it appropriately. This is a really non-trivial problem, and I really don't believe many organizations are doing it well today. It's a big issue, too—without being able to do this well, your only two options are:
- fail to protect user PII (presents huge organizational and consumer risk)
- be highly restrictive in what data access you hand out (significantly limits culture of self-service)