SIX STEPS TO BUILDING A PRIVACY PROGRAM


Most board members are concerned about data breaches. No executive wants to see their company's name on the news beside a headline about leaked credit card details or personal information. Far fewer, however, understand the technical side of protecting data. Regulations such as the General Data Protection Regulation (GDPR) add another layer of complexity for organizations doing business globally: compliance is about capturing the context in which data is collected and used, and being able to prove that everything reasonable is being done to protect both the data subject's data and the rights of the subject.

“According to a 2019 Ponemon Institute study, 50% of SMBs are unfamiliar with GDPR and the EU-U.S. Privacy Shield, which govern the use and transfer of customer data for customers based in Europe.”

At its core, an effective data privacy management program looks and acts like an integrated cybersecurity and risk management program. Some questions to begin:

  • Do you know what data is relevant to privacy regulations within your industry?
  • Do you know where your critical data is stored?
  • Do you know who has access to this critical data?
  • Do you have the right controls and audit processes in place to protect that data?
  • Do you have logging and monitoring to show your work if due diligence is required?
  • Can you prioritize various privacy regulations against your other cybersecurity threats?

An organization that already practices enterprise cybersecurity risk management, including basics such as data management and identity and access management, is already well on the way.

SIX (6) STEPS TO BUILDING A PRIVACY PROGRAM

By building on privacy and security concepts you already use, you can lay the foundation for a robust data privacy program. Here are six building blocks:


#1 External Privacy Policy. Draft an external-facing privacy policy if you don't already have one. Depending on your regulatory and compliance landscape, it may need specific language and components. Check with your legal, finance and audit resources for that language, especially if you are a publicly traded company. If you do business globally, each country or economic area (the EU with GDPR, for example) may impose its own requirements.

#2 Internal Privacy Policy. An internal policy functions as a privacy primer for employees, staff and contractors. It can address whatever topics define how you want privacy to work inside your organization: the types of data the organization controls, the proper procedures for handling each type, the security controls relevant to privacy, and any other privacy procedures that make sense for your company. The data categories named here are the ones your later retention and breach-response decisions will refer to, so define them consistently.

#3 Employee Training. Conduct training sessions as needed to educate employees and contractors on your organization's privacy rules. Use them to raise awareness of privacy topics and to engage colleagues in spotting potential privacy issues within their own roles. Make sure senior leadership visibly supports the training.

#4 Privacy by Design. Privacy by design means your organization takes a proactive approach, building privacy considerations into new products, systems and business processes from the start. A privacy-centric approach saves both time and money: addressing privacy up front is almost always cheaper than changing designs, options or technical specifications after a project is complete.

#5 Breach Response Plan. A data breach response plan should establish a breach response team, define how a breach investigation will be conducted, and assign who handles legal compliance with breach notification laws (GDPR, for example, requires notifying the supervisory authority within 72 hours of becoming aware of a breach) and coordination with law enforcement and the media, if necessary.

#6 Data Retention Policy. A data retention policy captures a set of organization-specific decisions about the types of data you control and how long you will keep each type. Holding less data reduces both the likelihood and the impact of a breach, and may also cut storage costs. Involve key stakeholders early; the effort can take time depending on who your stakeholders and constituents are, how much data you have, and how far back it dates. You may also have specific regulatory and compliance requirements for retention, and some data must be preserved beyond its normal retention period when it is subject to a legal hold.
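Once the retention periods in step #6 are agreed, they only matter if something enforces them against the data inventory built from the "where is our data and who owns it" questions above. The following is an added example, not code from the original article or its author, showing how a retention schedule can be applied to an inventory of records. The category names, retention periods, store names and owners are hypothetical placeholders; the real periods come from your legal and compliance review. It also handles the two situations a practitioner most often hits: data in a category the policy never defined, and expired data that is under legal hold and must not be purged.

```python
"""Apply a retention schedule to a data inventory.

Added example (not from the original article). All categories, retention
periods, store names and owners below are hypothetical placeholders.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical retention schedule: data category -> maximum retention in days.
# Illustrative values only; real periods come out of the legal/compliance
# review described in step #6.
RETENTION_DAYS = {
    "payment_card": 90,
    "customer_pii": 3 * 365,
    "hr_records": 7 * 365,
}


@dataclass(frozen=True)
class Record:
    store: str                # system or location holding the data
    category: str             # data type as named in the internal privacy policy
    owner: str                # accountable business owner ("" if nobody is assigned)
    last_needed: date         # last date the data served its documented purpose
    legal_hold: bool = False  # under litigation hold: must not be deleted


def apply_schedule(records, schedule, today):
    """Sort records into the action each one needs.

    Returns a dict with four lists:
      delete       - past retention and safe to purge
      held         - past retention but on legal hold (escalate, do not purge)
      unclassified - category has no retention rule (a policy gap to close)
      no_owner     - past retention but nobody is accountable (cannot action)
    """
    out = {"delete": [], "held": [], "unclassified": [], "no_owner": []}
    for rec in records:
        limit = schedule.get(rec.category)
        if limit is None:
            out["unclassified"].append(rec)
            continue
        if today - rec.last_needed <= timedelta(days=limit):
            continue  # still within its retention period, nothing to do
        if rec.legal_hold:
            out["held"].append(rec)
        elif not rec.owner:
            out["no_owner"].append(rec)
        else:
            out["delete"].append(rec)
    return out


def deletions_by_owner(result):
    """Group purge work by owner so each owner gets one list of stores to act on."""
    work = defaultdict(set)
    for rec in result["delete"]:
        work[rec.owner].add(rec.store)
    return {owner: sorted(stores) for owner, stores in work.items()}


# Constructed sample inventory for illustration; not real data.
TODAY = date(2024, 6, 30)
INVENTORY = [
    Record("pos-db", "payment_card", "payments", date(2024, 1, 15)),
    Record("pos-db", "payment_card", "payments", date(2024, 6, 1)),
    Record("crm", "customer_pii", "sales", date(2020, 3, 1)),
    Record("crm", "customer_pii", "sales", date(2019, 9, 1), legal_hold=True),
    Record("hr-archive", "hr_records", "", date(2015, 1, 1)),
    Record("marketing-s3", "web_analytics", "marketing", date(2021, 1, 1)),
]

if __name__ == "__main__":
    result = apply_schedule(INVENTORY, RETENTION_DAYS, TODAY)
    for action, recs in result.items():
        print(f"{action}: {[(r.store, r.category) for r in recs]}")
    print("purge work by owner:", deletions_by_owner(result))
```

Run against the constructed inventory, the first pos-db card record and the 2020 CRM record come out as deletable, the 2019 CRM record is flagged as held, the hr-archive record is expired but has no owner to action it, and the web_analytics data surfaces a category the schedule never covered. Those last three lists are the ones worth reviewing with stakeholders, because each represents a gap in the policy or in the inventory rather than a deletion task.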


SUMMARY

Data privacy is becoming a crucial area of focus for organizations of all sizes, and privacy topics are in the news constantly. Before building the privacy program, take time to get to know the business by becoming familiar with its products or services. You need to understand what data your company holds, where it comes from, and how it flows through the company. Every organization has many categories of data, often used for different purposes, and mapping them is usually the most complicated part of learning the company.

A rough sketch of what kinds of data you have, why you have it, and where it is stored is a good starting point for understanding the nuts and bolts of your company's data privacy program.

Author:

Laszlo S. Gonc, CISSP, First Senior Fellow, DivIHN Cybersecurity Center of Excellence