The wave of new, tougher compliance regulations springing up worldwide can be disconcerting for organizations, regardless of how they engage with and serve their customers. This two-part blog aims to provide some recommendations to help those attempting to deal with the security aspects of data privacy as organizations begin to prepare for new regulations, including the California Consumer Privacy Act (CCPA).
If your organization does business with customers in multiple regions and thus must comply with multiple privacy regulations, a suggested best practice is to address them as a single, combined initiative. Take a unified approach to data privacy. Identify best practices and how they can address compliance requirements common to the myriad regulations, and then align them to the most stringent aspects. Such an approach can help you avoid duplicate or even conflicting efforts, potentially saving significant time and money.
While technology is a vital part of managing privacy, practitioners should not expect it to be the only expense in the journey toward achieving data privacy compliance. According to TrustArc, 61 percent of organizations expect to need third-party technical consulting, and 55 percent expect to engage legal consulting. Forty-five percent will need additional personnel training to develop, deliver and follow augmented policies and procedures for privacy compliance.
It’s important to remember that compliance for its own sake is not security, but a robust security program that also addresses compliance needs will serve you well. Approaching compliance as a separate effort, rather than as an integral part of the security program, is likely to cause problems.
Here are some best practice considerations to improve security to meet data privacy compliance requirements.
Step 1: Evaluate In-House Capabilities and Design Your Program
Set up the internal project leadership and program management team. If there is no clear charter or organizational structure, there will be gaps that an attacker can exploit. Identify the business stakeholders affected by the change in your compliance requirements, including every organization responsible for the collection, maintenance and use of personal data. Both data owners and custodians should be identified, and where none clearly exist, senior management must assign the responsible parties.
Appoint an executive champion for the program. This step is often missed. In some cases, the natural choice will come from IT security leadership; in others, from IT leadership; and in still others, the best fit may come from legal department leadership. No matter who is chosen, the champion must have authority over data security and wield enough influence within the company to gather the necessary resources and maintain momentum. It is common for the champion to delegate project tracking and execution to one or more people so that the work gets covered in a timely manner, but be careful that it doesn’t get offloaded entirely.
Once a champion is in place, review and update the security program’s mission and goals, and ensure they include the compliance program. Once these are defined and documented, begin creating projects to address the gaps that have been identified, then communicate expectations for the projects and their outcomes. Keep each project stage as small as possible to avoid scope creep and losing steam on a mammoth objective that cannot be completed in a reasonable period. Upper management needs to see progress, so relatively short milestones will demonstrate regular, visible improvement.
Evaluate the in-house security and compliance capabilities. Whether your information security operations are internal, fully outsourced or a hybrid, objectively determine what is being done well, what needs improvement and, most importantly, what is not being done at all. If you reasonably feel that meeting any of the technical requirements is beyond what your security organization can accomplish within its constraints, such as the tools, skills, organizational structure or political climate, consider engaging a service provider. Work with stakeholders to gather and allocate an appropriate budget and resources. Some of the budget may need to come from other organizations to which security provides services, so they will want to understand the benefits to them before chipping in. Don’t just go for the least expensive option. Not all service providers are created equal, and the largest providers are not always the best fit for your specific requirements. Look for the best match and balance of capabilities, rigor of execution and price.
Step 2: Conduct a Privacy Impact Assessment
Once you have evaluated your internal capabilities, it’s time to determine the extent of your organizational exposure. All of the following must be captured in a well-documented fashion:
- Based on your current operating geographies and the geographies of your targeted customers, what privacy regulations are you currently responsible for complying with?
- What applications are currently collecting privacy-related information?
- What privacy-related data are you currently storing? Do you have a valid business need for maintaining that data?
- Where is the privacy-related data stored?
- Who has access to the data, and what access do they have? This is an extension of the storage question, because it is highly likely that someone with permission to copy the data has done so and placed copies of some of it in an undocumented location while working with it.
- What are the current policies and procedures for managing the collection, storage, processing, distribution and disposal of privacy-related data? Do they accurately reflect what is actually being done? If not, either the documentation or the way things are being done needs to change to align them.
Step 3: Assess Risks and Create Awareness
To fully understand the data privacy security risks in your organization, you must understand the data you have. Few organizations fully manage their data. Create a personal data inventory. This is one of the most crucial steps in achieving security, and it will most likely take more time than any other individual step in the process. Tools can help with data discovery, but don’t rush it. Keep in mind that you will also need to validate personal data stores at the business process level with key stakeholders and map them back to the privacy impact assessment before you go off and scan data stores. Otherwise, you run the risk of doing unnecessary work.
Assess the personal data you store. Quantify what it is worth to the organization from a revenue perspective, both directly and indirectly. Direct data is required to provide services or sell products, while indirect data supports customer engagement or satisfaction. This process includes using data flow analysis to map out which tools and people interact with or otherwise access the data.
Conduct a data risk assessment for all identified personal data. Once you know what data you have, how it is being accessed and the purposes for which it is being used — including controlling data sharing and transfers to third parties — you must decide whether or not the expense of protecting it is appropriate for the benefit it provides. Much of the data that is retained for convenience or for possible future use may unnecessarily increase risk. Decide whether your organization wants to pursue a minimalist approach to data retention or a single protection strategy that treats all collected data as needing the highest level of protection. Each approach has its benefits and disadvantages.
The risk assessment will identify control and process gaps associated with the collection, processing, storage and use of personal information. Based on the data privacy protection strategy you adopt following the risk assessment, you will need to update existing policies and procedures, create new ones to cover the gaps and conduct training on them. Given the regularly changing compliance landscape, it is all the more imperative to revisit these policies regularly, both to verify that they are being followed and to adjust them as approved operational and regulatory changes evolve.
Step 4: Design, Implement, Manage and Enhance Operational Controls
To adapt to the plethora of current and upcoming compliance regulations and those yet to emerge, you will need to implement the physical, technical and administrative safeguards to monitor and manage personal data in the newly defined and documented security structure and requirements.
Update and distribute privacy notices applicable externally for those whose information you are requesting, and internally for accessing and using information after collection.
Formalize the data dispute resolution process and procedures so those who wish to remove consent or have other issues can address them in the appropriate time frames and with reasonable effort.
Ensure formalized reporting is in place and functioning properly. Whatever tool(s) you use should have a flexible framework for creating ad hoc reporting and meet new content and delivery requirements.
Update or implement the organization’s data breach response plan. Ensure it identifies which technical and management personnel, including data owners and custodians, to engage and when to engage them. Document who is responsible for communicating with internal and external organizations, such as legal teams and law enforcement, during an incident. Test it!
Step 5: Conduct a Privacy Data Cleanup
Now that the data stores are considered protected or within the bounds of compliance, you must also ensure that proper data retention periods are in place and not exceeded. This requires strict adherence to the data disposal procedures for each data store by information type. If you had not previously considered these procedures, now is the time. Regardless of whether you adopted the “protect everything” or the “retention minimalist” strategy, compliance regulations require differing storage durations, both maximums and minimums, that must be met.
Demonstrate Ongoing Compliance
Both security and compliance require ongoing, nearly continuous maintenance and improvement. Continue to evaluate and audit policies, procedures and control effectiveness. This provides the opportunity to tune them for performance and for newly released rulings. If they are not updated on an ongoing basis, you will have to repeat all of these activities in a herculean effort whenever audit cycles occur or emergencies arise. While this reactive approach may require fewer resources, it is highly disruptive to the business, costly and prone to errors.
For new compliance regulations, understand that at the time of initial publication there can be poorly defined or otherwise nebulous requirements. Get legal counsel on how best to proceed. Keep records of decisions, response actions and exceptions, clearly documenting why they were made, so you can demonstrate a good-faith effort in the event of an audit or challenge if a ruling goes in an unexpected direction. Other regulations hitting the books may have the same issue.
Privacy regulations are evolving and expanding. As you build your program, you will need to be forward-thinking to address new privacy challenges that will inevitably arise from the locations in which you currently operate business and/or the areas you plan on entering. A good example is that not all privacy regulations currently require subject consent for data collection, but the number of geographies requiring consent is increasing. Consider this part of your plan as a data collection best practice.
Use these guidelines to help address the operational aspects of preparing your data for the growing swath of global privacy legislation.
Managing Research Director for Security and Risk Management, Enterprise Management Associates