In the first half of 2023, there have been landmark developments such as the Irish DPC’s judgement, the EU-US Data Transfer Framework and India’s Digital Personal Data Protection Bill[1] passed by the Indian Parliament. The new EU-US Data Transfer Framework is the third attempt at developing an adequate framework and is aimed at eliminating unjustified surveillance by US national security agencies. Consultation with the committee of EU member states may help ensure that the decision is strong enough not to attract future objections from legal watchdogs. Considering the two-layer redressal process and the consultation with the committee, the new framework appears promising at first glance and should create a level playing field for data-driven technology businesses. We have also seen US states passing new regulations and Japan receiving an adequacy decision from the European Commission.
These developments around the world have coincided with the rapid adoption of Artificial Intelligence (AI): organisations are integrating AI into their existing technologies, which has changed the nature of privacy risks and the controls required to mitigate them. The EU regulator has passed the Artificial Intelligence Act, which is the first regulation to govern the use of AI. In July 2023, Singapore also published its Proposed Advisory Guidelines on the use of Personal Data in AI Recommendation and Decision Systems, which tie into requirements under Singapore’s existing privacy regulation. Going a step further than the AI Act, which is built around risk levels, the Advisory Guidelines aim to limit processing based on the circumstances and purposes for which personal data is processed using AI technologies. More importantly, they aim to exempt a few circumstances, which could lead to a future in which organisations are able to strike an efficient balance between compliance and legitimate business interests.
Considering the dynamic environment in which these privacy risks keep evolving, the IAPP and KPMG International have together conducted a privacy risk study this year, which addresses different aspects of privacy risk management and the challenges faced by organisations. In addition to analysis of public disclosures from organisations, this year’s study includes perspectives, practices and insights from workshops and interviews with senior privacy leaders. This complex and evolving risk environment gives rise to the following privacy aspects, which need to be considered.
- Identifying risks and choosing your privacy framework
For a balanced privacy risk programme, an organisation is required to analyse domains such as legal requirements, third-party management and data subject rights to identify where possible risks may lie. This basic requirement helps your organisation anticipate the effort required to identify risks and plan to remediate them efficiently, starting with the high risks that can cause the most harm. Classifying risks as high, medium or low will help you understand which standard is appropriate, as there are several to choose from, such as ISO 27001 and the NIST Risk Management Framework, among others. A standardised framework demonstrates the effort an organisation has taken to identify and control privacy risks. It is also good practice to have audit mechanisms in place for identifying gaps and becoming aware of key issues. However, if your organisation has a mature privacy programme, a customised framework could also be implemented based on your organisation’s own processes. For organisations that, like most entities, have now adopted AI for basic processes, the NIST AI Risk Management Framework is a good starting point.
- Understanding legal and regulatory challenges
It is pertinent to note that regulations form the basis for privacy requirements, which vary across geographies. For instance, although the GDPR applies across the European Union, countries including Austria and Germany additionally require organisations to have a double opt-in mechanism, which creates a further risk for organisations processing personal data from these countries. Hence, it is necessary to identify the regulations applicable to your organisation and understand whether there are any additional requirements or conflicts between them. This process helps in minimising risks, if not mitigating them. Standing on the verge of enforcing the Digital Personal Data Protection Act, 2023, India has shifted over the last decade to become one of the largest consumer markets. Considering the heavy backlash in the Indian Parliament on 3 August 2023, India’s privacy law has come out stronger. Looking at the new amendments, such as the requirement for valid contracts with sub-processors, the responsibility of data fiduciaries, enhanced data retention requirements and specified legitimate uses, India has come closer than ever to achieving transparency and protection of Indian citizens’ personal data. Moreover, keeping up with compliance across multiple regulations has been the most common and emerging privacy risk according to the Privacy Risk Study 2023.[2]
- Utilising technology and mitigating cybersecurity risks
Using basic or privacy enhancing technologies can help organisations simplify processes such as data subject rights management, data mapping, consent management and incident response, to name a few. The Privacy Risk Study 2023[2] shows that every company uses some level of technology in its internal processes as part of its privacy risk management. Thirty per cent of these organisations use basic technologies such as spreadsheets. These technologies can also be integrated with your organisation’s enterprise risk management technologies and, with automation, can reduce cost. Weaknesses or vulnerabilities in security technology also lead to a higher risk of breaches. The Verizon Data Breach Investigations Report also reports that 80 per cent of cybersecurity attacks are from external factors and 20 per cent of breaches were due to human error. Using technology can also curb unintended data breaches, as many breaches occur due to human error.[3] Living in a world where individuals and organisations are prone to cybersecurity attacks, it is a basic requirement to have controls in place to reduce the risk of such attacks. Privacy enhancing technologies can aid in automating detective and preventive controls and can help mitigate risks or bring them to a level in line with your organisation’s risk appetite. It is also good practice to structure lines of defence, including response teams, reporting structures and oversight responsibilities, based on the level of risk arising from incidents.
- Integrating risk management and privacy by design
Privacy by Design helps go beyond compliance and strengthens your privacy framework. It includes aspects of risk, security and privacy, and enables organisations to demonstrate compliance to regulators as well. As part of your risk management programme, it is also crucial to identify the roles and responsibilities of your employees; this can help in identifying departments that carry higher risks and require more training. This design should also enable privacy departments to work with other functions such as product and engineering, marketing and human resources. This can help in improving your framework and planning your risk appetite. Involving your privacy department in the early stages of these processes, to identify risks and prepare for any exposure arising from them, can increase efficiency. A failure to implement Privacy by Design is an internal risk and was identified as the third highest risk in the Privacy Risk Study 2023.[2]
Risk and privacy for your organisation: What can you do?
From a business perspective, privacy plays a crucial role in your overall business structure. Alongside the evolving privacy risk landscape, there has been a cultural shift that makes privacy more than just a compliance requirement. Globally, concerned stakeholders require that privacy is implemented as a business standard across industry sectors rather than treated as a compliance requirement alone. Additionally, consumers now understand the value of their personal data and expect organisations to go beyond compliance and implement best practices. In light of the above, organisations can take the following steps:
- Establish or fine-tune your privacy practices to meet changing regulatory needs
- Identify data privacy regulations which are applicable to your organisation and business jurisdictions
- Implement a robust and suitable data privacy framework including the policies and procedures
- Know your data and understand the risks involved
- Leverage technologies to implement those controls which are part of the identified framework
- Design business processes based on data privacy principles
- Align your culture to give importance to privacy
- Be prepared to embrace change; more is yet to come
- Maximise business outcomes in a data-led economy while embracing data privacy
Organisations can stand out from their competition by leveraging the above aspects. In addition to complying with regulations, the above measures can help organisations build trust and increase their reputation in the global market.
[1] The Digital Personal Data Protection Bill, 2023, Bill No. 113 of 2023
[2] Privacy Risk Study 2023, International Association of Privacy Professionals and KPMG International Limited, June 2023, accessed 4 August 2023
[3] 2023 Data Breach Investigations Report, Verizon, June 2023, accessed 4 August 2023