Is Privacy a Roulette Wheel? Is There a Triumphant Approach?
Did you know that the privacy tort dates to December 15, 1890? In that issue of the Harvard Law Review, attorney Samuel D. Warren and future U.S. Supreme Court Justice Louis Brandeis published the article entitled “The Right to Privacy”.
Advance to the late 1990s, when only a handful (~80) of privacy professionals were members of the IAP (not an error: the IAPP, founded in 2000, was originally the IAP). Then on to 2002, seventeen years ago, when California (“CA”) enacted the first US data breach law, with an enforcement date of July 1, 2003. At that time only a handful of companies had the foresight to staff and fund a privacy program; for many companies, privacy was not even a twinkle in the AG’s or CEO’s eye.
Fast forward to 2018, and the complexity of privacy compliance in just the United States (“US”) is mind boggling: fifty US state data breach laws, HIPAA, GLB, COPPA, FCRA, FDCPA, DPPA, the Right to Financial Privacy Act of 1978, numerous US state privacy laws for student, driver, retail or online data, and more.
Don’t stop reading yet. In addition, a multinational that collects personal data/information may have to manage privacy not just in the US but in over 50 jurisdictions, and across “multiple verticals” that include:
- communication privacy
- financial privacy
- healthcare privacy
- information privacy or data protection
- online privacy
- privacy in one’s home
What is one to do? Hopefully this brief document provides insight, so read on.
Before regulations such as the General Data Protection Regulation (GDPR), regulatory compliance meant creating and maintaining a documented set of policies, statements and notices based on the applicable privacy law and/or regulation. Regulatory audits were “paper audits”: if you could produce documentation and educational materials, you probably received a passing grade.
In today’s world, the privacy office is accountable for all personal data/information collected, transferred, processed and maintained; it has to translate the legal and regulatory requirements, provide direction and communicate the risk levels to executive management. Simple enough, right?
Responsibilities continue to expand: privacy needs to provide for individual rights, be active in operational, employment, compliance and marketing practices, be knowledgeable about data transfers, work with the business to apply retention periods, document systematic processing and data storage locations, and have a working knowledge of information security fundamentals.
Moving forward, if we follow all the hype, you need to assess, update, change, modify, create, regionalize or outsource the privacy program with each new regulation, and now you’re panicking: how to comply with GDPR, CCPA, LGPD or others? Step back, relax and do not fall into the black hole of “you need to create a privacy program for each regulation”. Breathe, and continue reading the balance of this document to see that there is a manageable approach to a global or domestic privacy program.
The recommendation is to break down your privacy program into four key functional activities: data privacy, information governance, data breach/incident management and data security. Greater detail is summarized for these four key functions below.
Data Privacy – objectives should include: simplification of privacy tasks for employees; reduction of risk from potential litigation; definition of individual responsibility for handling personal data/information with confidentiality, integrity and responsibility; an overview of the structure and content of data privacy documentation; and definitions for consumer, client, employee and business personal data/information.
- organization – function may be an independent privacy office, or sit within information security, corporate compliance or legal;
- accountability – ownership by every employee, contractor or vendor, with reporting of compliance levels;
- define global Standards and Controls:
  - definitions for privacy and security terms;
  - processes for management of individual rights;
  - proper data classifications for consumer, client, employee and business personal data/information;
  - job and management responsibilities for data protection compliance;
  - personal data use and collection requirements;
  - day-to-day administrative responsibilities;
  - requirements for minimum information security technology;
  - data management actions for logical and physical access, transfer and storage of the data by classification;
  - recommendations on disposal and destruction, as well as additional responsibilities for data privacy compliance; and
  - clear and straightforward responsibilities for additional areas related to data privacy management
- define regional Standard Operating Procedures:
  - Standard Operating Procedures (SOPs) provide the detailed guidelines required by regional legislation, industry requirements (e.g. PCI DSS) or business conditions for operations, marketing or business development. SOPs shall be based on the minimum requirements defined in the Standards and Controls
- privacy statements/policies & external guidance:
  - documentation includes online privacy statements/policies, any external communication or guidance, and recommendations to business partners and consumers related to data privacy;
  - online privacy statement/policy content may vary based on the requirements of country legislation or law; and
  - guidance documentation should be framed as recommendations, not requirements, to reduce potential future liability for adverse events caused by outside parties
- employee privacy:
  - an employee privacy statement/policy may be required to comply with country law or legislation (released per country as required) and to assist employees in understanding how the company handles personal data
- privacy impact assessments or data protection impact assessments (DPIAs) – validation of privacy functionality for high-risk processing, covering the systems involved, the number of gaps identified, ownership of remediation actions and reporting of open vs. closed items
Information Governance – key tasks to build and operationalize an information governance program:
- organization – function may be within the privacy office, information security, corporate compliance or records management;
- data flows – document a data map of data or information: from whom it is collected, the point of collection, data transfers, departmental systems (including vendors or cloud providers), storage platforms and disaster recovery systems;
- data classification – document the categories of information (for example name, address, financial information, medical data) and classify them based on potential harm to the individual and impact to the business if breached, misused or lost;
- retention periods – defined by regulatory or legal obligations, practical business application, the litigation process, and the privacy rights of the consumer, customer, client or employee;
- technology – discovery, classification, data protection and automated retention tools;
- change management – educational materials, communication process and executive commitment; and
- accountability – ownership by every employee, contractor or vendor, with program reporting and compliance
Data Breach/Incident Management – A data breach may require external reporting to customers, clients or regulators, so it is imperative that precise and concise internal communications reach management. The list below includes high-level tasks.
- organization – activity may be owned by either the privacy or the information security office;
- create an incident response plan that:
  - identifies the types of personal data collected and stored across the business; this will assist in creating a cost model to mitigate or resolve the vulnerabilities, engage external counsel (when necessary) and implement additional protection;
  - quantifies the tools, level of resource skills and time necessary to complete a data breach investigation;
  - defines the process, including the sources of the personal data: digital or offline, country or state, and business entity;
  - gathers and documents a list of resources for rapid analysis of data breach regulations and laws that define the thresholds for external notification (e.g. the number of individuals affected, geography, sensitivity of the data and timing, such as the GDPR’s 72-hour window for notifying the supervisory authority once the controller becomes aware of a breach);
  - identifies the potential financial fines, civil actions (against the business and executives), revenue risks (e.g. due to loss of the use of personal data from country X), and enforcement actions such as government oversight programs; and
  - assesses the likelihood of regulatory action or possible publicity.
- management reporting:
  - a concise summary of the incident, limited to 1 to 1½ pages;
  - the resource levels needed to complete the data breach investigation, ongoing monitoring, and periodic reassessment of the regulatory environment and the level of risk from changes and developments in external threats;
  - an overview of the applicable legal and regulatory risks and the actions needed to update policies and data protection controls;
  - the costs and resources necessary to identify a potential breach; and
  - agreement on designated ownership for reporting.
- risk details:
  - risks ranked by importance or impact to the business;
  - region-specific risks, tasks and costs of a data breach; and
  - potential future risks due to enactment of pending regulations or laws
Data Security – The privacy program depends on the organization’s baseline information security controls; a gap in any of them becomes a privacy exposure. The list below includes high-level tasks.
- organization – function may be an independent information security office, corporate compliance or information technology;
- organizational controls for security should include (this list follows the 20 CIS Controls, version 7):
- inventory of authorized and unauthorized devices
- inventory of authorized and unauthorized software
- continuous vulnerability assessment and remediation
- controlled use of administrative privileges
- secure configurations for hardware and software
- maintenance, monitoring, and analysis of audit logs
- email and web browser protections
- malware defenses
- limitation and control of network ports
- data recovery capabilities
- secure configuration for network devices, such as firewalls, routers and switches
- boundary defense
- data protection
- controlled access based on the need to know
- wireless access control
- account monitoring and control
- implement a security awareness and training program
- application software security
- incident response and management
- penetration tests and red team exercises
Once your organization has tackled and implemented the key activities above, the privacy program can operationalize individual rights, compliance tasks and data protection requirements. As “new or enhanced” regulations come along, only “tweaks” should be necessary. Remember that the privacy program should not be shelf-ware but part of the company’s fabric, tied to executive management compensation and incentives. These tweaks may include:
- updated assessment – evaluate the current state of the business and its ability to comply with changing regulatory requirements for Marketing, HR, Service Delivery, IT/Application Development, Call Center Operations, Vendor Management, InfoSec and Legal;
- validate whether your business will be a data controller/owner or a data processor/service provider (often both, for different data sets) and map the actions needed to enable compliance;
- identify areas that require updates to documented policies, procedures or service delivery practices;
- continued inclusion of privacy in the business requirements for the product roadmap(s), to provide the features and functionality that enable your company or clients to comply; and
- update training content, expanding it to role-based training for employees and vendors that handle choice, access, correction and erasure requests, and for practices related to potential data breach events
In conclusion, simplification and continuous improvement of the program are necessary, as there is and will continue to be increasing oversight and scrutiny by data protection authorities, customers, clients and the media. In today’s regulatory environment, gone are the days of “paper audits”; survival in the event of an audit will depend on the privacy office’s ability to measure, report, manage and sell the organization’s compliance level to regulators, the board, the executive committee and the media.
For assistance in defining, implementing, managing and reporting global or domestic privacy requirements for a privacy program, feel free to contact us at firstname.lastname@example.org or Jim Keese directly at email@example.com.