At many companies, cyber security and data privacy are seen as different disciplines that often operate in silos. In an environment where so much sensitive data is captured and utilized, the review of third parties, new systems and new applications requires a multidisciplinary approach to privacy risk management — one that includes both privacy and security from the design phase through to organizational change management.
Keep individual rights top of mind
Privacy programs of the future must incorporate privacy-by-design thinking, which isn’t just a philosophy, it’s a cultural mindset and an organizational shift. Because privacy is not a stand-alone legal discipline, but instead a multi-faceted approach to data protection that includes privacy engineering, cyber security, technology and risk management.
Today more global awareness and recognition exists for individual rights in relation to their personal information. With the cascade of global regulations, from the General Data Protection Regulation (GDPR) in Europe to various individual regimes across Asia, North and South America — notably the Brazilian General Data Protection Law (LGPD), the California Consumer Privacy Act (CCPA) and other emerging US state laws, and federal and provincial laws being enacted in Canada — the focus on data rights, privacy and security is sharper than ever.
In near-real time you can see the evolution of the regulatory environment regarding data privacy. Governments and regulators are acknowledging that privacy incidents resulting from breaches are just a subset of the broader universe of cyber incidents. In addition, they’re demanding organizations disclose breaches much sooner, and in a much more transparent way, regardless of whether it’s had an impact on privacy.
Most jurisdictions globally now have in place breach-reporting obligations, so there’s no flying under the radar, with industry and non-privacy-specific regulators now taking a real interest and implementing similar obligations. This is a huge change from just a few years ago, pre-GDPR, when there was little more than a patchwork of rules and regulations worldwide.
It's paramount to secure explicit consent from any individual or entity at or prior to data collection. In turn, customers need to signal they understand the purpose of collection and what will be done with their information. Being fully transparent at all times should foster trust and help avert any ethical data-mining issues.
There is nearly universal harmony in the sense that so many countries/territories have implemented rights-based privacy rules and regulations aimed at empowering the individual and giving them back the control they relinquish when they share their personal information. With so many different regulations, however, the regulatory landscape is becoming increasingly difficult to navigate and comply with, particularly for global businesses operating in multiple jurisdictions.
Automation is the key, especially for organizations that don't have the bandwidth and resources to manage areas such as privacy risk identification and reporting. Organizations put themselves at a disadvantage if they don’t have, for example, automated IAM processes supported by effective metadata management. In a virtualized world, without automated controls embedded across day-to-day processes — including automation of subject access requests — most organizations simply will not have enough personnel to manually oversee new servers, data stores and applications in a manner that is efficient and effective.
What’s your move?
Keeping individuals’ data secure and taking data privacy seriously is more than just implementing new processes to satisfy regulatory requirements — it’s a cultural shift. Like security, organizations should adopt a privacy-first or privacy-by-design mindset. Embedding privacy and security into organizational change, culture, processes, technology and products is a good starting point and will likely help companies avoid costly retrofits and regulatory investigations, and foster trust inside and outside the organization.
This cultural shift should start at the top, with the C-suite recognizing that data belongs to their customers, clients and partners; and they have a responsibility to collect and employ it legally and ethically. With that goal in mind, companies are encouraged to develop complementary relationships between business lines, the privacy office and the security team. Similarly, there should be clarity regarding the responsibility for identifying and reporting on privacy risks, as well as owning and demonstrating a position of accountability that can be defended in front of a regulatory body.
Automation is critical for the effective management and enhanced efficiency of privacy processes, particularly privacy impact assessments and data subject access requests. This can enable the organization to leverage the governance, risk and compliance technologies in which they've invested — content and workflow management, and risk analytics, for example — which, in turn, can operationalize privacy modules that can make a tangible impact on data and access mapping.
We've relied for decades on the judgment and mostly good intentions of human workers. Now, with the arrival of AI, machines are processing huge volumes of information, and they're really good and efficient at doing what they're taught to do. But machines can’t weigh ethics. Guardrails should be installed as part of a privacy-by-design approach that respects consumer privacy rights and provides adequate notice for secondary use of their data.
Automation can also help break down the silos between the cyber security and privacy functions. These are very complementary disciplines, and organizations can align them operationally and essentially ‘share’ bigger budgets, which at many companies the cyber team enjoys while the privacy team doesn’t.
With metadata and data mapping, for example, cyber and privacy teams rely on the same assets. Both teams should understand the data to which the organization has access and their rights to use and process this information. They can then work together to implement appropriate security and privacy controls, while keeping in mind the zero-trust philosophy. Automation can enable them to better understand where their core data assets are located and how to use them more effectively. Then they're pivoting toward leveraging the same financial resources in service of achieving the same outcome: protecting the ‘crown jewels.’
Becoming familiar and conversant with emerging technologies such as automation and AI is important and recommended, but the basic principles from security and privacy perspectives are largely constant. That is, secure consent from individuals whose data you collect; only gather the data that is relevant; retain it only as long as it is needed; dispose of it when it’s no longer needed; and protect it properly.
Some key actions to consider for 2022
- Educate senior and business management on why striving to ensure individuals’ data collection consent is so important and how failure to respect consumer rights can negatively impact the company
- Align your data privacy program with both C-suite and business-line leadership priorities and vision to help ensure everybody is on the same page from collection, consent and usage perspectives
- Adopt a privacy-by-design standard to supplement and complement the rules, regulations and regulatory expectations around privacy
- Translate paper-based policies into verifiable business practices to convince consumers and regulators of your commitment to respecting consumer rights and protecting data
- Explore opportunities to implement a data privacy management technology tool to automate processes, comply with regulations, help increase response speed, and assist with reducing human error
Explore more cyber considerations from this report