
Best Practices for Data Privacy Programs


Data Privacy – it’s on everyone’s mind. Consumers are demanding more protection and accountability. And with the flood of all the new and changing privacy regulations, data has become the newest regulated asset class. Europe set the standard in 2018. With no uniform Federal legislation, states are introducing their own legislation, with California (as usual) leading the charge here in the U.S. Privacy professionals are left overwhelmed. Companies don’t know where to turn. All are uncertain on how to build an effective and scalable privacy program to meet consumers’ demands and the increasing regulatory scrutiny and oversight.

Without a universal standard, we can look at Europe’s General Data Protection Regulation (GDPR) as a leader across the privacy landscape. The GDPR’s goal is to provide EU residents with more control and visibility over how their personal data is used, and it requires that anyone who gathers, uses or processes personal data enforce those controls and prove compliance. GDPR became effective in May of 2018, and several states were quick to follow Europe’s lead. On June 28, 2018, the California Consumer Privacy Act (CCPA) bill was passed with an effective date of January 1st, 2020. This bill closely mirrors the GDPR, with the exception that it extends to household data as well and, in typical California style, adds a private right of action, much to the delight of the California plaintiff’s bar. Other states have followed California’s lead, and still others are considering doing so.

Historically, privacy practitioners have focused their efforts and budget dollars on compliance strategies that lean heavily on people and process, tending to shy away from technology. Given the scope and reach of regulations such as GDPR and CCPA, along with the sheer magnitude of data driven by digital transformation, cloud adoption, etc., people and process simply will not scale to meet the demands. Technology must be incorporated into the mix to ensure enforcement and provide the proof required by emerging regulations and customer demands. Simply saying that all of your employees took the annual privacy policy review test and promised to abide by it will not cut it.

Privacy professionals should look to their information security colleagues for guidance and precedence. Security practitioners are accustomed to leveraging technology that addresses challenges at scale. They understand how to construct scalable solutions that supplement people and policy with a clear, technology-enabled policy enforcement and reporting framework.

Privacy and security dependencies overlap: privacy programs rely upon security controls, but a security program alone is not sufficient to resolve privacy concerns. For example, a security team may implement identity and access management technology to limit access to a network or data source. However, that tool can’t enforce the more granular, data-centric controls needed to govern the privacy of personal information within that store, or what happens to data exported by someone with valid credentials. This historically has been handled instead with pages of written policy documents governing how private data ought to be protected.

Information security professionals have long recognized that an effective security framework is comprised of a three-legged stool that includes people, process, and technology. Privacy professionals, in contrast, have historically relied more heavily on people and process. It’s now time to build a comprehensive privacy program leveraging technology that integrates with and reinforces your organization’s security framework.

Recently Gartner released a research note titled “The State of Privacy and Personal Data Protection, 2019-2020” [1]. This note addresses the challenges that organizations face while trying to adopt a privacy policy management program and offers up recommendations on how security leaders should approach building and prioritizing a privacy program. According to Gartner, leaders should focus on “the developments in the technology-enabled privacy landscape…as these practices are likely to be the difference between exceeding expectations and insolvency.” This statement should stop any professional in their tracks with the critical question: how do we get started?

This guide closely aligns with Gartner’s “Technology-Enabled Privacy Program,” which is heavily influenced by the progressive GDPR. We will walk through a privacy program guide that offers guidance for enabling “privacy by default and by design” no matter where your organization falls within its unique security and privacy maturity lifecycle. All items do not need to be addressed in the precise order listed, and steps must often be revisited in due course of auditing existing processes, addressing new regulations, or handling mergers and acquisitions activity. Regardless of where your organization is with its privacy program, you will walk away having a better idea on how to segment and prioritize different best practices and technologies that support the scale of your business.


STEP 1:

Define Privacy Framework

Developing a privacy policy framework is the foundation of a successful program and requires understanding all aspects of what personal data is and how it is used across all facets of your organization.

Organization Type:
This step is for an organization lacking the foundation and consistency of a privacy program. These are often start-up organizations or businesses affected by mergers or acquisitions, where data sets may have been classified or used differently. However, this checklist is invaluable for all organizations to review and validate that all steps have been addressed, especially as new business units or supply chain members are brought on board.

Identify

Develop the organizational understanding to manage privacy risks arising from data processing or user interactions with systems, products, or services.

  • Locate the personal data in all environments (on-premises, cloud, and hybrid environments) while indexing the individual users and the types of users who are accessing the data.
  • Assign risk scores for personal data captured or shared between repositories, applications, and vendors. With these risk scores, your organization can prioritize which sets of data and processing activities merit closer attention.
  • Classify the data by attaching all appropriate metadata to existing and new personal information.
  • Record processing activities when personal information is handled. It should include contextual information: who viewed or used the data; where and why it was accessed; and who it was shared with.

Communicate

Develop and implement appropriate activities to enable organizations or individuals to manage access to and protection of data across its entire lifecycle. Seek enough granularity to manage both security and privacy risks. Be able to communicate how your organization leverages personal data.

  • Implement an overarching corporate policy with privacy as its own pillar that complements your organization’s unique structure and values. Once internal corporate policies are in place, they should be transparent to your customers.
  • Ensure that internal and external privacy policies complement each other. Internal privacy policies are the set of standards employees are expected to follow to ensure the organization is protecting its customers’ personal data. The external notices should represent your organization’s commitment to its users and how their personal data is handled. This could involve a subject rights management process that provides a structured response on how an individual’s data is used, or a universal consent and preference management program that captures how individuals consent to different uses of their personal data. Transparency is key. Internal and external policies should align closely and be reviewed regularly.

Control and Protect

Develop and implement appropriate data processing safeguards.

  • Delete data identified as no longer in use and not required for regulatory purposes.
  • Implement identity and access management tools to provide baseline controls around accessing personal data.
  • Partner with security professionals to enforce basic protection of personal data at rest and in transit.

Data Mechanics Technology Recommendations

In the same vein as the control and protect action recommended above, privacy professionals can begin to leverage the power of technology to scale their approach to identifying personal data. It’s key to start small using multi-faceted tools that grow with compliance needs. The result will be quick wins that show progress, gain line-of-business support, and validate processes.

  • Seek an automated classification vendor to scale the process of locating, classifying, and tracking personal data across all environments including on-premises, hybrid, and cloud. Additionally, ensure the vendor can discover personal data across structured, unstructured, and semi-structured datasets. Some automated classification vendors offer tools to factor in domain specific knowledge, which improves the accuracy of risk scores.
  • Reduce the footprint of data you need to regulate by leveraging a technology that can enforce data retention guidelines. Organizations can select from a list of risk-reduction methodologies to treat personal information at the end-of-life with a balanced, risk-based approach in both production and offline/storage backup environments. The ability to retire risk through simply enforcing retention guidelines is commonplace: Why continue to store, maintain, and protect data past its prime?
  • Enlist a technology that enables the transformation of written policy into code. Written policies that depend upon people and processes are inconsistently applied. This isn’t good enough to protect against the stringent fines imposed by privacy regulations. Translating written policies into code creates portable, reusable rules that scale to bring the consistency of privacy by design across multiple environments.

STEP 2:

Establish Proactive Visibility

After laying the foundation of a privacy program framework, strengthen your program with deeper visibility into how personal data is processed. This step covers developing KPIs and automating consistency. Proactive insights protect your organization; automation simplifies program management.

Organization Type:
This step is for an organization with a baseline privacy program in place that is looking to enhance its operations and scale its business. These businesses typically handle more personal data and want to mature their processes. The checklist walks through how to provide your organization with proactive visibility to ensure future growth and automated security measures to better protect personal data.

Analyze

Develop additional reporting capabilities to access real-time KPIs, chart data mapping, and automated impact assessments.

  • Measure and track the efficiency of the privacy program by measuring subject rights request (SRR) delivery metrics, privacy impact assessment (PIA) completion, and business process mapping.
  • Map the lifecycle of personal data, visualizing how data flows through an organization, from creation to deletion.
  • Implement PIA automation rather than relying on manual questionnaires, processing, and spreadsheet tracking. PIA automation tools allow for API-driven triggers to start the assessment process down a predefined workflow until it is closed or flagged for next steps.

Respond

Create a plan that maps appropriate procedures and actions needed if a privacy incident or breach occurs.

  • Establish clear roles and responsibilities for everyone in the organization and practice the plan regularly.
  • Develop an incident response plan that offers a clear and up-to-date procedure if an incident occurs. While practicing the plan, role-playing is critical to ensure all parties involved know their responsibilities. This includes how and when disclosure of an incident to end-users is needed.

Simplify

Provide a first-class user experience for both internal staff and external end-users by enhancing operational efficiencies, reducing costs, and improving confidence.

  • Implement a method for employees to access content and/or data in a secure fashion without jumping through hoops. This focus on internal user experience can greatly improve operational efficiency by reducing frustration and time. Managing an organization’s policies can also be a cumbersome process since they frequently change, especially as new regulations are introduced. Consolidate and automate policies across applications and data stores. Privacy engineering by default and by design helps reduce human error, scale business, and improve program management.
  • Improve external user experience by mapping out different channels to inform end-users how their data is used. External user experience increases consumer confidence. Some examples to simplify the end user experience include automating SRRs so an end user can access this information on command and providing access to a self-service portal that gives the consumer control over how their data is used.

Proactive Visibility Technology Recommendations

  • Partner with a vendor who can automate the data mapping process. Businesses often interview multiple individuals to understand how data moves throughout an organization based on a single point in time. However, capturing an accurate and comprehensive view from a few interviews alone is difficult. A technology with visibility that can track how data flows in structured, unstructured, and semi-structured environments provides a more accurate view of how data is actually being used in real-time. The friction to business operations imposed by access controls and protection methods can influence individuals to behave differently or find even riskier work-arounds. Technology that can automate the data mapping process allows organizations to optimize policies in an ongoing fashion because of the enhanced visibility.
  • Use a managed security solution focused on your data in addition to your perimeter-based security solutions. Data is not necessarily compromised when a threat-actor infiltrates your network. Focusing security solutions around the data provides an additional security buffer when a security incident occurs. Technology vendors tout “data-centric” solutions, but these solutions typically only secure the data within a specific silo. For more sustainable results, ensure that the solution you select is truly data-centric, which means it’s agnostic to the data’s source and type, with controls that follow the data as it travels between traditional silos.

STEP 3:

Future-Proof Your Privacy Program

Now that your privacy policy is mature, your focus should shift towards scaling your business and anticipating any new regulations that develop. This section explores advanced technology examples of data protection by default and by design that can future-proof your privacy program and business.

Organization Type:
This step is for a mature organization with a robust privacy policy looking for advanced technologies to ensure that business operations continue to run smoothly as new regulations are mandated. These businesses are typically Fortune companies or organizations that manage highly sensitive personal data. The list below provides multiple technologies that will help scale your business.

Evolve

Integrate specialist tools that reduce privacy risk with minimal impact to business operations.

  • Implement a technology solution that consolidates the authorship and enforcement of privacy policies. Managing privacy policy across multiple proprietary consoles is time-consuming and inconsistent. Reduce operational overheads and improve the consistency of your privacy program by centralizing operations into a single policy engine.
  • Enable contextual access controls to only give the right users access to the right data under the right contexts.
  • Leverage tools that can anonymize and pseudonymize data.

Enhance

Implement technologies that address more challenging components of a privacy program to improve operations.

  • Consider solutions that can automate business intelligence. Automating business intelligence is complex; however, the resulting ability to mine large data lakes for insight without violating an individual’s privacy rights is invaluable.
  • Implement a technical solution that provides consolidated and auditable analytics around how privacy is enforced across your organization. The most competitive organizations are those who can report at scale.
  • Explore data end-of-life controls.

Elevate

Focus on technologies that can help developers engineer privacy by default and by design into their applications. Incorporating security and privacy practices into the DevOps pipeline improves operations and scales consistent practices as application portfolios grow, especially in this climate of changing regulations.

  • Seek secure development tools that support the broad principles of data privacy, visibility, control, and accountability.
  • Look for open APIs (application programming interfaces), extensible SDKs (software development kits), and integrations with business systems to simplify adding security services to any data, application, or device. These tools allow developers to consistently implement policy across their portfolio.
  • Abstract policy from application code so that developers don’t have to recode an entire portfolio of applications every time privacy regulations change. The entire organization benefits from this efficiency, allowing for quicker responses to business requests.
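As an added illustration of the policy-as-code recommendation in Step 1 and the policy-abstraction, contextual-access and pseudonymization points above (example code written for this edit, not code from the original guide or from any vendor product), here is a small Python policy engine: retention, contextual access and pseudonymization rules live in one declarative structure, applications only call evaluate_access, and every decision is audit-logged so policy transactions can be reported on. The policy format, field names, sample records and key are assumptions made for this example.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample policy, declared as data instead of hard-coded in each
# application; the format and field names are this example's own assumptions.
POLICY = {
    "retention_days": {"marketing_lead": 365, "support_ticket": 730},
    "access_rules": [
        {"role": "support", "purpose": "ticket_handling", "network": "corporate",
         "fields": ["email", "ticket_text"]},
        {"role": "analyst", "purpose": "analytics", "network": "any",
         "fields": ["ticket_text"], "pseudonymize": ["email"]},
    ],
}
PSEUDONYM_KEY = b"constructed-demo-key"  # would come from a key store in practice
AUDIT_LOG = []  # one entry per policy decision: the raw material for compliance reports

def pseudonymize(value):
    """Keyed one-way token: stable enough to join on, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode(), hashlib.sha256).hexdigest()[:16]

def is_expired(record, today):
    """Retention rule: a record older than its category's window is past end-of-life."""
    return today - record["created"] > timedelta(days=POLICY["retention_days"][record["category"]])

def evaluate_access(record, role, purpose, network, today):
    """Return the fields this caller may see in this context, or None when denied."""
    result, view = "deny:no_matching_rule", None
    if is_expired(record, today):
        result = "deny:expired"  # expired data is unreadable even for authorised roles
    else:
        for rule in POLICY["access_rules"]:
            if (rule["role"], rule["purpose"]) != (role, purpose) or rule["network"] not in ("any", network):
                continue
            view = {f: record[f] for f in rule["fields"]}
            for f in rule.get("pseudonymize", []):  # the analyst sees a token, not the e-mail
                view[f] = pseudonymize(record[f])
            result = "allow:" + ",".join(sorted(view))
            break
    AUDIT_LOG.append({"record": record["id"], "role": role, "purpose": purpose,
                      "network": network, "result": result})
    return view

def purge_expired(records, today):
    """End-of-life control: delete records past retention and log each deletion."""
    expired = [r for r in records if is_expired(r, today)]
    AUDIT_LOG.extend({"record": r["id"], "result": "delete:expired"} for r in expired)
    return [r for r in records if r not in expired]

TODAY = date(2020, 1, 1)  # constructed reference date
RECORDS = [  # constructed sample records
    {"id": 1, "category": "support_ticket", "created": date(2019, 6, 1),
     "email": "alice@example.com", "ticket_text": "Cannot log in"},
    {"id": 2, "category": "marketing_lead", "created": date(2018, 6, 1),
     "email": "bob@example.com", "ticket_text": ""},
]
```

Changing a retention window or adding a role touches only POLICY, not the applications that call evaluate_access, which is the point of abstracting policy from application code.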

Conclusion

The purpose of this guide was to break down an approach to scaling your ability to address privacy requirements. With the daily fires, regulatory requirements, and the constant business demands on overwhelmed teams, our privacy practitioners are spread thin. Your goal is not simply to put a privacy program in place (there are many how-to guides available that cover those basics in more detail) but to understand how and where to introduce technical solutions. Technology will help scale your privacy program in the face of ever-growing pressures.

The first step is understanding where your organization falls within the privacy policy maturity framework. Next, identifying where gaps or bottlenecks exist can help shed light on which technologies make the most sense to implement. This guide walks you through a “crawl, walk, run” approach with specific checklists and technology recommendations that are relevant for your unique state of privacy.

As you make technology decisions, don’t settle for a quick fix in one silo that leads to a technical dead end: Consider the need to enforce policy at the speed of your business, and make sure that you are selecting vendors that can scale to meet organization-wide needs. Look for the ability to report on policy transactions in an automated fashion to demonstrate compliance with your current regulatory landscape. Centralize policy management to ensure you can respond flexibly and proactively to current and even future privacy regulations. Ultimately, design with the end in mind, engineering privacy best practices from the ground up in all of the applications that handle your sensitive data.

Footnotes
  1. Gartner, The State of Privacy and Personal Data Protection, 2019-2020, Nader Henein, Bart Willemsen, 15 April 2019