Best Practices for Data Privacy Programs
Data privacy is on everyone’s mind. Consumers are demanding more protection and accountability, and with the flood of new and changing privacy regulations, data has become the newest regulated asset class. Europe set the standard in 2018. With no uniform federal legislation in the U.S., states are introducing their own, with California (as usual) leading the charge. Privacy professionals are left overwhelmed, companies don’t know where to turn, and all are uncertain about how to build an effective and scalable privacy program that meets consumers’ demands and the increasing regulatory scrutiny and oversight.
Without a universal standard, we can look to Europe’s General Data Protection Regulation (GDPR) as the leading model across the privacy landscape. The GDPR’s goal is to give EU residents more control over, and visibility into, how their personal data is used, and it requires anyone who gathers, uses, or processes personal data to enforce those controls and prove compliance. The GDPR became effective in May 2018, and several U.S. states were quick to follow Europe’s lead. On June 28, 2018, the California Consumer Privacy Act (CCPA) was passed with an effective date of January 1, 2020. The CCPA closely mirrors the GDPR, except that it also extends to household data and, in typical California style, adds a private right of action, much to the delight of the California plaintiffs’ bar. Other states have followed California’s lead, and still others are considering doing so.
Privacy professionals should look to their information security colleagues for guidance and precedent. Security practitioners are accustomed to leveraging technology that addresses challenges at scale. They understand how to construct scalable solutions that supplement people and policy with a clear, technology-enabled policy enforcement and reporting framework.
Privacy and security dependencies overlap: privacy programs rely on security controls, but a security program alone is not sufficient to resolve privacy concerns. For example, a security team may implement identity and access management technology to limit access to a network or data source. However, that tool cannot enforce the more granular, data-centric controls needed to govern the privacy of personal information within that store, or what happens to data exported by someone with valid credentials. Historically, this gap has been covered instead by pages of written policy documents describing how private data ought to be protected.
Information security professionals have long recognized that an effective security framework rests on a three-legged stool of people, process, and technology. Privacy professionals, in contrast, have historically relied more heavily on people and process. It is now time to build a comprehensive privacy program that leverages technology and integrates with and reinforces your organization’s security framework.
This guide closely aligns with Gartner’s “Technology-Enabled Privacy Program,” which is heavily influenced by the GDPR. It walks through a privacy program that enables “privacy by default and by design” no matter where your organization falls within its unique security and privacy maturity lifecycle. The items need not be addressed in the precise order listed, and steps must often be revisited in the course of auditing existing processes, addressing new regulations, or handling mergers and acquisitions activity. Regardless of where your organization is with its privacy program, you will walk away with a better idea of how to segment and prioritize the best practices and technologies that support the scale of your business.
Define Privacy Framework
This step is for an organization lacking the foundation and consistency of a privacy program, often a start-up or a business affected by mergers or acquisitions, where data sets may have been classified or used differently. However, the checklist is invaluable for all organizations to review and validate that every step has been addressed, especially as new business units or supply chain members are brought on board.
Develop the organizational understanding to manage privacy risks arising from data processing or user interactions with systems, products, or services.
- Locate the personal data in all environments (on-premises, cloud, and hybrid environments) while indexing the individual users and the types of users who are accessing the data.
- Assign risk-scores for personal data captured or shared between repositories, applications, and vendors. With these risk scores, your organization can prioritize which sets of data and processing activities merit closer attention.
- Classify the data by attaching all appropriate metadata to existing and new personal information.
- Record processing activities whenever personal information is handled, including contextual information: who viewed or used the data, where and why it was accessed, and who it was shared with.
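The locate, risk-score, and classify steps above can be automated with a rule-based scanner. The following is an added example written for this guide, not code from the guide, Gartner, or any vendor: it runs a set of detectors over both structured columns and unstructured documents, attaches classification labels as metadata, and computes a risk score that is raised when the asset is shared externally. The detector patterns, weights, asset names, and sample records are all constructed for illustration; a production classifier would use validated patterns, checksums, and domain-specific knowledge.

```python
"""Rule-based discovery and classification of personal data with risk scores.

Added example, not from the guide or any vendor product. Detectors, weights,
labels and sample data are constructed for illustration only.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Each detector: (category, compiled pattern, sensitivity weight for risk scoring).
# Patterns are deliberately simple; real deployments validate with checksums etc.
DETECTORS: List[Tuple[str, re.Pattern, int]] = [
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), 2),
    ("phone", re.compile(r"\b\d{3}[ -]?\d{3}[ -]?\d{4}\b"), 2),
    ("card_number", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), 5),
    ("health_term", re.compile(r"\b(diagnos(?:is|ed)|prescription|HIV|diabetes)\b", re.I), 5),
]

# Categories that map to higher-sensitivity labels (constructed mapping).
SPECIAL_CATEGORIES = {"health_term"}
PAYMENT_CATEGORIES = {"card_number"}


@dataclass
class Finding:
    location: str      # asset/column or asset/document where the match occurred
    category: str
    count: int


@dataclass
class ClassifiedAsset:
    asset: str
    findings: List[Finding] = field(default_factory=list)
    risk_score: int = 0
    labels: List[str] = field(default_factory=list)   # metadata to attach to the asset


def scan_text(location: str, text: str) -> List[Finding]:
    """Run every detector over one piece of text and report non-zero hit counts."""
    out = []
    for category, pattern, _ in DETECTORS:
        hits = len(pattern.findall(text))
        if hits:
            out.append(Finding(location, category, hits))
    return out


def classify(asset: str,
             structured: Dict[str, List[str]],
             unstructured: Dict[str, str],
             shared_externally: bool) -> ClassifiedAsset:
    """Scan structured columns and unstructured documents of one asset.

    Risk score = sum(weight * hits), doubled when the asset is shared with
    another repository or vendor, since exposure then extends beyond one control
    boundary. Labels are derived from the categories found.
    """
    weights = {category: weight for category, _, weight in DETECTORS}
    result = ClassifiedAsset(asset)

    # Structured data: scan each column's values as one block of text.
    for column, values in structured.items():
        result.findings.extend(scan_text(f"{asset}/{column}", "\n".join(values)))
    # Unstructured data: scan each document body.
    for doc_name, body in unstructured.items():
        result.findings.extend(scan_text(f"{asset}/{doc_name}", body))

    score = sum(weights[f.category] * f.count for f in result.findings)
    result.risk_score = score * 2 if shared_externally else score

    categories = {f.category for f in result.findings}
    if categories:
        result.labels.append("personal")
    if categories & SPECIAL_CATEGORIES:
        result.labels.append("special-category")
    if categories & PAYMENT_CATEGORIES:
        result.labels.append("payment")
    return result


if __name__ == "__main__":
    # Constructed sample asset: a CRM table plus one support ticket attachment.
    crm = classify(
        "crm-db",
        {"email": ["a@x.com", "b@y.org"], "notes": ["call 555-123-4567", "ok"]},
        {"ticket-42.txt": "Customer diagnosed with diabetes, reach at jane@example.com"},
        shared_externally=True,
    )
    print(crm.asset, crm.risk_score, crm.labels)
    for f in crm.findings:
        print(f"  {f.location}: {f.category} x{f.count}")
```

The output of the scan is exactly the metadata the checklist asks for: a per-location inventory of what kind of personal data lives where, labels that can be written back to the data store, and a score that lets the program prioritize which assets and processing activities get attention first.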
Develop and implement appropriate activities to enable organizations or individuals to manage access to and protection of data across its entire lifecycle. Seek enough granularity to manage both security and privacy risks. Be able to communicate how your organization leverages personal data.
- Implement an overarching corporate policy with privacy as its own pillar that complements your organization’s unique structure and values. Once internal corporate policies are in place, they should be transparent to your customers.
- Ensure that internal and external privacy policies complement each other. Internal privacy policies are the standards employees are expected to follow to ensure the organization is protecting its customers’ personal data. External notices should represent your organization’s commitment to its users and describe how their personal data is handled. This could involve a subject rights management process that provides a structured response on how an individual’s data is used, or a universal consent and preference management program that captures how individuals consent to different uses of their personal data. Transparency is key. Internal and external policies should align closely and be reviewed regularly.
Control and Protect
Develop and implement appropriate data processing safeguards.
- Delete data identified as no longer in use and not required for regulatory purposes.
- Implement identity and access management tools to provide baseline controls around accessing personal data.
- Partner with security professionals to enforce basic protection of personal data at rest and in transit.
Data Mechanics Technology Recommendations
In the same vein as the control and protect action recommended above, privacy professionals can begin to leverage the power of technology to scale their approach to identifying personal data. It’s key to start small using multi-faceted tools that grow with compliance needs. The result will be quick wins that show progress, gain line-of-business support, and validate processes.
- Seek an automated classification vendor to scale the process of locating, classifying, and tracking personal data across all environments including on-premises, hybrid, and cloud. Additionally, ensure the vendor can discover personal data across structured, unstructured, and semi-structured datasets. Some automated classification vendors offer tools to factor in domain specific knowledge, which improves the accuracy of risk scores.
- Reduce the footprint of data you need to regulate by leveraging a technology that can enforce data retention guidelines. Organizations can select from a list of risk-reduction methodologies to treat personal information at end of life with a balanced, risk-based approach in both production and offline/backup environments. Retiring risk by simply enforcing retention guidelines is commonplace: why continue to store, maintain, and protect data past its prime?
- Enlist a technology that enables the transformation of written policy into code. Written policies that depend upon people and processes are inconsistently applied. This isn’t good enough to protect against the stringent fines imposed by privacy regulations. Translating written policies into code creates portable, reusable rules that scale to bring the consistency of privacy by design across multiple environments.
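The “delete data no longer in use and not required for regulatory purposes” control and the two recommendations above (enforce retention guidelines, turn written policy into code) fit together in a small engine where the retention rules are data and the code that applies them never changes when a period is revised. The following is an added example written for this guide, not code from the guide or any vendor: record layout, category names, retention periods, dispositions, and the sample records are all constructed for illustration.

```python
"""Retention policy expressed as data and enforced by a small, reusable engine.

Added example, not from the guide or any vendor product. Categories, periods,
dispositions and sample records are constructed for illustration only.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Policy as code: one rule per data category. Changing a retention period or
# disposition means editing this table, not the code below.
RETENTION_POLICY: Dict[str, dict] = {
    "customer_contact": {"retain_days": 365 * 2, "disposition": "delete"},
    "support_ticket":   {"retain_days": 365,     "disposition": "pseudonymize"},
    "billing_record":   {"retain_days": 365 * 7, "disposition": "archive"},
}


@dataclass
class Record:
    record_id: str
    category: str
    created: date
    last_used: Optional[date] = None
    legal_hold: bool = False   # set when a regulator or litigation requires retention


@dataclass
class Action:
    record_id: str
    disposition: str           # "delete", "pseudonymize", "archive" or "retain"
    reason: str


def evaluate(record: Record, policy: Dict[str, dict], today: date) -> Action:
    """Decide what happens to one record under the policy as of `today`."""
    rule = policy.get(record.category)
    if rule is None:
        # Unknown category: fail closed, keep the data and flag it for classification.
        return Action(record.record_id, "retain", "unclassified category; needs review")
    if record.legal_hold:
        # Regulatory or legal requirements override the normal schedule.
        return Action(record.record_id, "retain", "legal hold")
    # Age is measured from the later of creation and last use, so data that is
    # still in active use is not retired prematurely ("no longer in use").
    anchor = max(record.created, record.last_used) if record.last_used else record.created
    age_days = (today - anchor).days
    limit = rule["retain_days"]
    if age_days > limit:
        return Action(record.record_id, rule["disposition"],
                      f"{age_days} days old, limit {limit}")
    return Action(record.record_id, "retain", f"within retention ({age_days} days)")


def apply_retention(records: List[Record], policy: Dict[str, dict], today: date) -> List[Action]:
    """Evaluate every record; the returned list doubles as the audit trail of decisions."""
    return [evaluate(r, policy, today) for r in records]


# Constructed sample records covering each path through the policy.
SAMPLE_RECORDS = [
    Record("A", "customer_contact", date(2017, 6, 1)),
    Record("B", "customer_contact", date(2017, 6, 1), legal_hold=True),
    Record("C", "support_ticket", date(2018, 1, 15), last_used=date(2019, 9, 1)),
    Record("D", "unknown_blob", date(2015, 1, 1)),
    Record("E", "billing_record", date(2012, 1, 1)),
]

if __name__ == "__main__":
    for action in apply_retention(SAMPLE_RECORDS, RETENTION_POLICY, date(2020, 1, 1)):
        print(f"{action.record_id}: {action.disposition:12s} ({action.reason})")
```

Two design points carry the weight here: unknown categories fail closed (kept and flagged, never silently deleted), and every decision comes back with a reason, which is what a later audit or regulator question needs. The same table can be loaded from a configuration file and applied unchanged across production and backup stores.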
Establish Proactive Visibility
After laying the foundation of a privacy program framework, strengthen your program with deeper visibility into how personal data is processed. This step covers developing KPIs and automating consistency. Proactive insights protect your organization; automation simplifies program management.
This step is for an organization with a baseline privacy program in place that is looking to enhance its operations and scale its business. These businesses typically handle more personal data and want to mature their processes. The checklist walks through how to give your organization proactive visibility to support future growth, and automated security measures to better protect personal data.
Develop additional reporting capabilities to access real-time KPIs, chart data mapping, and automated impact assessments.
- Measure and track the efficiency of the privacy program by measuring subject rights request (SRR) delivery metrics, privacy impact assessment (PIA) completion, and business process mapping.
- Map the lifecycle of personal data, visualizing how data flows through the organization from creation to disposal.
- Implement PIA automation rather than relying on manual questionnaires, processing, and spreadsheet tracking. PIA automation tools allow for API-driven triggers to start the assessment process down a predefined workflow until it is closed or flagged for next steps.
Create a plan that maps appropriate procedures and actions needed if a privacy incident or breach occurs.
- Establish clear roles and responsibilities for everyone in the organization and practice the plan regularly.
- Develop an incident response plan that offers a clear and up-to-date procedure if an incident occurs. While practicing the plan, role-playing is critical to ensure all parties involved know their responsibilities. This includes how and when disclosure of an incident to end-users is needed.
Provide a first-class user experience for both internal staff and external end-users by enhancing operational efficiencies, reducing costs, and improving confidence.
- Implement a method for employees to access content and/or data in a secure fashion without jumping through hoops. This focus on internal user experience can greatly improve operational efficiency by reducing frustration and time. Managing an organization’s policies can also be a cumbersome process since they frequently change, especially as new regulations are introduced. Consolidate and automate policies across applications and data stores. Privacy engineering by default and by design helps reduce human error, scale business, and improve program management.
- Improve external user experience by mapping out different channels to inform end-users how their data is used. External user experience increases consumer confidence. Some examples to simplify the end user experience include automating SRRs so an end user can access this information on command and providing access to a self-service portal that gives the consumer control over how their data is used.
Proactive Visibility Technology Recommendations
- Partner with a vendor who can automate the data mapping process. Businesses often interview multiple individuals to understand how data moves throughout an organization based on a single point in time. However, capturing an accurate and comprehensive view from a few interviews alone is difficult. A technology with visibility that can track how data flows in structured, unstructured, and semi-structured environments provides a more accurate view of how data is actually being used in real-time. The friction to business operations imposed by access controls and protection methods can influence individuals to behave differently or find even riskier work-arounds. Technology that can automate the data mapping process allows organizations to optimize policies in an ongoing fashion because of the enhanced visibility.
- Use a managed security solution focused on your data in addition to your perimeter-based security solutions. Data is not necessarily compromised when a threat actor infiltrates your network; focusing security solutions around the data provides an additional buffer when a security incident occurs. Technology vendors tout “data-centric” solutions, but these typically only secure the data within a specific silo. For more sustainable results, ensure that the solution you select is truly data-centric, meaning it is agnostic to the data’s source and type, with controls that follow the data as it travels between traditional silos.
Future-Proof Your Privacy Program
Integrate specialist tools that reduce privacy risk with minimal impact to business operations.
- Enable contextual access controls to only give the right users access to the right data under the right contexts.
- Leverage tools that can anonymize and pseudonymize data.
Implement technologies that address more challenging components of a privacy program to improve operations.
- Consider solutions that can automate business intelligence. Automating business intelligence is complex; however, the resulting ability to mine large data lakes for insight without violating an individual’s privacy rights is invaluable.
- Implement a technical solution that provides consolidated and auditable analytics around how privacy is enforced across your organization. The most competitive organizations are those that can report at scale.
- Explore data end-of-life controls.
Focus on technologies that can help developers engineer privacy by default and by design into their applications. Incorporating security and privacy practices into the DevOps pipeline improves operations and scales consistent practices as application portfolios grow, especially in this climate of changing regulations.
- Seek secure development tools that support the broad principles of data privacy, visibility, control, and accountability.
- Look for open APIs (application programming interfaces), extensible SDKs (software development kits), and integrations with business systems to simplify adding security services to any data, application, or device. These tools allow developers to consistently implement policy across their portfolio.
- Abstract policy from application code so that developers don’t have to recode an entire portfolio of applications every time privacy regulations change. The entire organization benefits from this efficiency, allowing for quicker responses to business requests.
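The contextual access controls and anonymization/pseudonymization tools recommended under “Future-Proof Your Privacy Program,” and the point just above about keeping policy out of application code, can be shown in one place. The following is an added example written for this guide, not code from the guide or any vendor: an application calls a single `authorize()` function, while the table of who may see which fields, for which purpose, under which conditions, and in what reduced form, lives outside the code. The roles, purposes, field names, sample record, and the pseudonymization key are constructed for illustration; in practice the key would come from a key management service and the policy table from a central policy store.

```python
"""Contextual access control with policy kept outside application code.

Added example, not from the guide or any vendor product. Policy table, roles,
purposes, field names, sample record and key are constructed for illustration.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

PSEUDONYM_KEY = b"constructed-example-key"   # placeholder; rotate and keep in a KMS

# Policy as data: which role may see which fields for which purpose, under what
# session conditions, and which fields are released only in pseudonymized or
# generalized form. Application code never hard-codes any of this.
ACCESS_POLICY: List[dict] = [
    {"role": "support", "purpose": "ticket_handling", "require_mfa": True,
     "allow": ["customer_id", "email", "ticket_text"],
     "pseudonymize": ["customer_id"]},
    {"role": "analyst", "purpose": "analytics", "require_mfa": False,
     "allow": ["customer_id", "postcode", "age"],
     "pseudonymize": ["customer_id"],
     "generalize": {"postcode": 3, "age": 10}},
]

AUDIT_LOG: List[dict] = []   # every decision is recorded, allowed or denied


@dataclass
class Context:
    role: str
    purpose: str
    mfa: bool   # whether the session was authenticated with a second factor


def pseudonymize(value: str) -> str:
    """Keyed, deterministic pseudonym: same input gives the same token, and the
    token cannot be reversed or re-linked without the key."""
    return hmac.new(PSEUDONYM_KEY, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def generalize(name: str, value, width: int) -> str:
    """Coarsen a value: keep a postcode prefix, or bucket an age into a range."""
    if name == "age":
        low = (int(value) // width) * width
        return f"{low}-{low + width - 1}"
    return str(value)[:width]


def authorize(ctx: Context, record: Dict[str, object],
              policy: List[dict] = ACCESS_POLICY) -> Optional[Dict[str, object]]:
    """Return the fields the caller may see, transformed per policy, or None.

    Deny is the default: no matching rule means no data is released.
    """
    for rule in policy:
        if rule["role"] != ctx.role or rule["purpose"] != ctx.purpose:
            continue
        if rule.get("require_mfa") and not ctx.mfa:
            AUDIT_LOG.append({"role": ctx.role, "purpose": ctx.purpose,
                              "decision": "deny", "reason": "mfa required"})
            return None
        released: Dict[str, object] = {}
        for name in rule["allow"]:
            if name not in record:
                continue
            value = record[name]
            if name in rule.get("pseudonymize", []):
                value = pseudonymize(str(value))
            elif name in rule.get("generalize", {}):
                value = generalize(name, value, rule["generalize"][name])
            released[name] = value
        AUDIT_LOG.append({"role": ctx.role, "purpose": ctx.purpose,
                          "decision": "allow", "fields": sorted(released)})
        return released
    AUDIT_LOG.append({"role": ctx.role, "purpose": ctx.purpose,
                      "decision": "deny", "reason": "no matching rule"})
    return None


# Constructed sample record.
SAMPLE_RECORD = {"customer_id": "C-1001", "email": "alice@example.com",
                 "postcode": "SW1A 1AA", "age": 34, "ticket_text": "Cannot log in"}

if __name__ == "__main__":
    print(authorize(Context("support", "ticket_handling", mfa=True), SAMPLE_RECORD))
    print(authorize(Context("analyst", "analytics", mfa=False), SAMPLE_RECORD))
    print(authorize(Context("support", "ticket_handling", mfa=False), SAMPLE_RECORD))
    for entry in AUDIT_LOG:
        print(entry)
```

When a regulation changes what analysts may see, only `ACCESS_POLICY` changes; every application that calls `authorize()` picks up the new rule without being recoded. The audit entries produced on each call are the “record of processing activities” and the consolidated, auditable reporting the guide asks for.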
The purpose of this guide was to break down an approach to scaling your ability to address privacy requirements. With daily fires, regulatory requirements, and constant business demands on overwhelmed teams, privacy practitioners are spread thin. Your goal is not simply to put a privacy program in place (there are many how-to guides available that cover those basics in more detail) but to understand how and where to introduce technical solutions. Technology will help scale your privacy program in the face of ever-growing pressures.
As you make technology decisions, don’t settle for a quick fix in one silo that leads to a technical dead end: consider the need to enforce policy at the speed of your business, and make sure that you are selecting vendors that can scale to meet organization-wide needs. Look for the ability to report on policy transactions in an automated fashion to demonstrate compliance with your current regulatory landscape. Centralize policy management to ensure you can respond flexibly and proactively to current and even future privacy regulations. Ultimately, design with the end in mind, engineering privacy best practices from the ground up in all of the applications that handle your sensitive data.
- Gartner, “The State of Privacy and Personal Data Protection, 2019-2020,” Nader Henein and Bart Willemsen, April 15, 2019.
- RSA Conference, “The NIST Privacy Framework: Helping the Legal Team Talk with the Tech Team,” June 3, 2019, https://www.rsaconference.com/industry-topics/blog/the-nist-privacy-framework-helping-the-legal-team-talk-with-the-tech-team.
- National Institute of Standards and Technology (NIST), “Privacy Framework Working Draft,” last modified September 2019, https://www.nist.gov/privacy-framework/working-drafts.