Enterprises today generally undertake privacy initiatives in response to a growing number of regulations across multiple geographies. While readiness to comply with privacy regulations is required from a legal perspective, organizations often overlook the added business benefits and competitive advantages that privacy enhancement features can drive.
Most importantly, privacy by design can help organizations gain their users’ trust. According to an IBM survey conducted by The Harris Poll, 75 percent of the 10,000 consumers surveyed won’t buy from companies they don’t trust to protect their privacy — no matter how great their product or service.
When did privacy become such an important part of our lives? Technology and how we use it have been redefining privacy. Just over the past decade, there has been a tremendous increase in the number of devices that we use — smartphones, tablets, voice assistants, health and fitness tracking devices, the list goes on. Not only are there more devices, but with the internet of things (IoT) permeating everyday items, they are increasingly interconnected with access to our private information.
According to IoT Analytics, the number of connected devices in use worldwide now exceeds 17 billion, with the number of IoT devices at 7 billion. The amount of data coming in and out of these devices is tremendous and growing every day.
As the volume of private information grows on multiple platforms and in varied formats, there is an urgency to better control it. Automating the processing of this information can benefit users and, eventually, the business. Additionally, the ways by which data is collected, processed and used can make it incredibly hard to manage manually and to ensure compliance without automation.
On the other hand, systems designed with privacy automation in mind can save time, help with compliance and, ultimately, help cut costs.
Challenges in Privacy Automation Today
Automation can bring efficiency into many business processes, and managing user privacy is no different. But there are a few notable points to consider.
To begin with, data privacy, which used to be the domain of a privacy officer or even IT teams in smaller companies, is now becoming a collaborative effort that pulls in stakeholders from the chief technology officer (CTO)’s office, legal, IT and the security team in a concerted effort to operationalize data privacy — to define and automate its processes.
This collaboration is positive, and at the same time introduces some challenges that enterprises face in automating privacy initiatives. Some examples include:
- Requirements get lost in translation. Privacy requirements are usually driven by the legal or compliance teams in an organization, but the teams or personnel responsible for implementing them typically come from other groups who may have a different understanding of the subject, not to mention different business objectives.
- No definitive implementation guidelines. While there are multiple industry standards and frameworks available for automating business process controls or IT security controls, the same is not true for data privacy controls, as this area is still evolving. This low maturity state means that much is left to individual interpretation and can be harder to standardize across various industries.
- Lack of partnership between IT security and privacy organizations. Although IT security teams are usually tasked with implementing controls, their partnership with the privacy organization can sometimes be weaker and may cause organizational friction, silos and even turf wars when it comes to planning and implementing new projects. As a result, progress can be hindered, and the organization is less able to manage relevant, rising data privacy risks.
Where Can You Start? The Data Life Cycle
In today’s digitally connected world, data is the lifeblood of the modern enterprise. At the heart of most recent regulations is the necessity to provide visibility and control to users over their personal data and the way it is used once they agree to share it.
One approach is to follow data from when and where it is created to the time it is securely destroyed. This data life cycle methodology is often followed by security organizations when implementing IT controls for safeguarding data and the systems that process and store it.
By working with privacy or compliance groups within the organization, requirements can be identified at every phase of the data life cycle and, when applicable, established IT control automation practices can be reused for automating controls.
Following the Data Life Cycle Approach for Privacy Automation
Following a data life cycle approach to address privacy requirements can have multiple advantages. Many of the IT security frameworks today follow this approach and certain control recommendations can be reused to satisfy privacy requirements.
Tools used for automating many IT security controls can be leveraged to automate privacy requirements as well. For example, visualization tools that are often used to model business process diagrams can be used to model data flow maps. Using these simple tools, teams can visually represent the flow of personal data between datastores, business applications and business processes.
Communication of both data security and data privacy requirements to the relevant business stakeholders can be streamlined by relying on existing communication policies and channels.
Discovery and classification of sensitive data is a key priority in information security activities, since it defines the type of controls to be applied commensurate with the sensitivity and criticality of the data assets. Similarly, discovery and classification of personal data is a critical requirement of recent regulations, such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA). The process organizations undertake here can serve both purposes.
A similar comparison can be made between the requirements of data security incident response measures against the data breach notification actions mandated by the recent regulations.
At each stage of the data life cycle, the following privacy-related guidelines can help select controls for automation. Once the organization has determined which controls apply and assessed how mature each one is, these guidelines can help prioritize which controls to automate first.
- Provide notice of personal data collection. Define an extensive list of personal data categories and provide notice to the users on what type of personal information is collected. Aside from what the user knowingly submits, most consumer websites collect information such as IP address, browser settings, operating system versions and other related information from the user’s device, and they should be notified about that.
- Define and communicate the business purpose of personal data collection. Understand what personal information is needed about your users, discover where personal data is stored within your enterprise, process structured and unstructured stores, and store metadata results in a common catalog.
- Obtain user consent. Build a consent service that provides a framework for obtaining, maintaining and applying consent wherever specific consent is required. Traditionally, using the services of a website implied the user’s agreement to the website’s terms of service. However, recent regulations mandate that users can rescind consent for the use of their personal data and still continue to use the website. This requirement helps companies move away from the single blanket consent that is commonly imposed — for example, in a website’s terms and conditions page — toward having users understand and agree to specific privacy clauses.
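The "discover where personal data is stored, process structured and unstructured stores, and store metadata results in a common catalog" guideline above is the kind of control that is straightforward to automate. The following is an added example, not code from the original article or from IBM: a small scanner that runs simple detectors over a structured store (table rows) and an unstructured store (free-text tickets) and emits catalog entries describing where personal data lives and of what category. The detectors, column-name hints, store names and sample records are all constructed for illustration.

```python
"""Added example: discover personal data in structured and unstructured stores
and record the findings in a common metadata catalog. Not code from the
original article; the detectors, stores and sample records are constructed."""
import re
from collections import defaultdict

# Deliberately simple pattern detectors. A production scanner would add
# validation and context rules to reduce false positives.
DETECTORS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
}

# Column names that declare personal data even when values match no pattern.
SENSITIVE_COLUMN_HINTS = ("name", "email", "phone", "address", "dob", "birth")


def scan_text(text):
    """Return the set of personal-data categories detected in free text."""
    return {cat for cat, rx in DETECTORS.items() if rx.search(text)}


def scan_structured(store_name, rows):
    """Scan a table (list of dicts); one catalog entry per column with findings."""
    findings = defaultdict(set)
    for row in rows:
        for column, value in row.items():
            if any(hint in column.lower() for hint in SENSITIVE_COLUMN_HINTS):
                findings[column].add("declared")  # schema says this is personal data
            findings[column] |= scan_text(str(value))  # content-based detection
    return [{"store": store_name, "kind": "structured", "location": col,
             "categories": sorted(cats)}
            for col, cats in findings.items() if cats]


def scan_unstructured(store_name, documents):
    """Scan named documents (e.g. support tickets); one entry per document."""
    entries = []
    for doc_name, text in documents.items():
        cats = scan_text(text)
        if cats:
            entries.append({"store": store_name, "kind": "unstructured",
                            "location": doc_name, "categories": sorted(cats)})
    return entries


def build_catalog(structured_stores, unstructured_stores):
    """Merge findings from every store into one catalog (list of entries)."""
    catalog = []
    for name, rows in structured_stores.items():
        catalog.extend(scan_structured(name, rows))
    for name, docs in unstructured_stores.items():
        catalog.extend(scan_unstructured(name, docs))
    return catalog


# Constructed sample stores: a CRM table, a web access log and a ticket queue.
SAMPLE_STRUCTURED = {
    "crm.customers": [
        {"customer_id": 1, "full_name": "A. Example", "email": "a@example.com", "plan": "gold"},
        {"customer_id": 2, "full_name": "B. Example", "email": "b@example.org", "plan": "free"},
    ],
    "web.access_log": [
        {"ts": "2024-01-01T00:00:00Z", "client_ip": "203.0.113.7", "path": "/"},
    ],
}
SAMPLE_UNSTRUCTURED = {
    "tickets": {
        "T-1001": "Customer asked us to call back on 555-123-4567.",
        "T-1002": "Thanks, resolved.",
    },
}

if __name__ == "__main__":
    for entry in build_catalog(SAMPLE_STRUCTURED, SAMPLE_UNSTRUCTURED):
        print(entry)
```

Note the two complementary signals: a column such as `full_name` is catalogued because its name declares personal data, while `client_ip` is catalogued only because its values match a pattern. Both are needed, since schemas are often uninformative and values are often absent or encoded.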
Usage and Processing
- Handle requests for information and access from data subjects. Define enterprise-scale, consistent and auditable processing of all such requests, with a definitive timeline for providing a response.
- Manage opt-ins and opt-outs. Establish a transparent system for users to opt in to and opt out of the collection and processing of their personal information.
- Implement data privacy impact assessments. Just as security assessments are performed before an application goes live, a privacy impact assessment can be introduced, or the existing security assessment can be updated to include privacy requirements as criteria.
- Conduct data privacy training for employees. Employee training already in place can be updated to include privacy requirements, and new policies should be covered in role-based training programs.
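The consent service described under "Obtain user consent" and the opt-in/opt-out system described above are two views of the same control, so one added example serves both. This is illustrative code written for this page, not code from the original article or from IBM. It models consent as an append-only log of decisions scoped to a named purpose, answers "may we process this user's data for this purpose?" at the point of use, and defaults to denied when no opt-in has been recorded. The purpose names and the policy table marking which purposes require opt-in are constructed assumptions; in particular, the example treats purposes needed to deliver the requested service as not gated on opt-in, which is what lets a user withdraw marketing consent and keep using the site.

```python
"""Added example (not from the original article): a minimal purpose-scoped
consent service with an append-only audit log. Purpose names and the policy
table are constructed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed policy: which purposes need an explicit opt-in. Purposes required
# to deliver the service the user asked for are not gated on opt-in, so
# withdrawing marketing or analytics consent never locks the user out.
PURPOSES = {
    "service_delivery": {"requires_consent": False},
    "marketing_email": {"requires_consent": True},
    "analytics": {"requires_consent": True},
}


@dataclass
class ConsentEvent:
    user_id: str
    purpose: str
    granted: bool
    at: datetime
    source: str  # where the decision was captured, e.g. "signup_form"


@dataclass
class ConsentService:
    events: list = field(default_factory=list)  # append-only audit log

    def record(self, user_id, purpose, granted, source, at=None):
        """Append one decision; nothing in the log is ever edited in place."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        ev = ConsentEvent(user_id, purpose, granted,
                          at or datetime.now(timezone.utc), source)
        self.events.append(ev)
        return ev

    def opt_in(self, user_id, purpose, source, at=None):
        return self.record(user_id, purpose, True, source, at)

    def opt_out(self, user_id, purpose, source, at=None):
        return self.record(user_id, purpose, False, source, at)

    def current_state(self, user_id):
        """Latest decision per purpose, derived by replaying the log."""
        state = {}
        for ev in self.events:
            if ev.user_id == user_id:
                state[ev.purpose] = ev.granted
        return state

    def is_permitted(self, user_id, purpose):
        """Point-of-use check: call before processing data for `purpose`."""
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose {purpose!r}")
        if not PURPOSES[purpose]["requires_consent"]:
            return True
        # Default is denied: absence of a recorded opt-in is not consent.
        return self.current_state(user_id).get(purpose, False)

    def history(self, user_id):
        """Evidence for a data subject request or an auditor."""
        return [ev for ev in self.events if ev.user_id == user_id]


def demo():
    """Grant two purposes at signup, later withdraw one; report the outcome."""
    svc = ConsentService()
    signup = datetime(2024, 1, 1, tzinfo=timezone.utc)
    svc.opt_in("u1", "marketing_email", "signup_form", signup)
    svc.opt_in("u1", "analytics", "signup_form", signup)
    svc.opt_out("u1", "marketing_email", "preference_centre",
                datetime(2024, 2, 1, tzinfo=timezone.utc))
    return {
        "service": svc.is_permitted("u1", "service_delivery"),
        "marketing": svc.is_permitted("u1", "marketing_email"),
        "analytics": svc.is_permitted("u1", "analytics"),
        "events": len(svc.history("u1")),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth copying is that the log is the source of truth and the "current state" is derived from it: that gives the auditable record the guidelines ask for, lets the history be handed over in response to an access request, and makes a silent edit of someone's consent impossible without leaving a trace.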
Data Sharing and Transfer
- Review vendor contract clauses for data handling. Private data handling guidelines or specifications can be requested from third-party vendors that handle private information, just as security requirements are already part of such contracts.
- Handle data transfer and portability requests. The GDPR mandates that companies provide an option for data subjects to download or transfer all their personal data. Requests for data portability can be handled by implementing an enterprise-wide system whose requirements are gathered at the same time as user consent is obtained.
Data Archiving and Retention
- Retain only the data you need. Relative to the business purpose of the data, archive data that is no longer needed operationally but must still be maintained for regulatory compliance.
- Honor the right to be forgotten. Similar to data portability requirements, provide users the option to remove all their private data on request.
- Enable secure destruction. Ensure there is an auditable, secure method for data wiping and equipment destruction after use, as needed. Software tools and some third-party vendors offer data erasure and can help with the right options for data that needs to be permanently eliminated.
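The three archiving and retention guidelines above turn into a small policy engine once the retention periods are written down. The following added example is illustrative code for this page, not code from the original article or from IBM: it evaluates each record against a constructed retention table to decide keep, archive or delete, and handles a right-to-be-forgotten request with an audit entry that confirms the erasure and reports any records that had to be retained under a legal hold. The data categories, retention periods, sample records and the `legal_hold` flag are constructed assumptions.

```python
"""Added example (not from the original article): a retention evaluator and an
auditable erasure routine. Categories, periods and records are constructed."""
from dataclasses import dataclass
from datetime import date
import hashlib

# Constructed policy: days of operational use, then days of compliance-only
# archive (0 means delete as soon as the data is operationally unneeded).
RETENTION_POLICY = {
    "marketing_profile": {"active_days": 365, "archive_days": 0},
    "order_history":     {"active_days": 730, "archive_days": 1825},
    "support_ticket":    {"active_days": 180, "archive_days": 365},
}


@dataclass
class Record:
    record_id: str
    user_id: str
    category: str
    last_used: date
    legal_hold: bool = False  # a hold overrides every deletion path


def decide(record, today):
    """Return 'keep', 'archive' or 'delete' for one record."""
    policy = RETENTION_POLICY[record.category]
    age_days = (today - record.last_used).days
    if record.legal_hold:
        return "keep"
    if age_days <= policy["active_days"]:
        return "keep"
    if age_days <= policy["active_days"] + policy["archive_days"]:
        return "archive"
    return "delete"


def sweep(records, today):
    """Batch evaluation; returns {record_id: decision}."""
    return {r.record_id: decide(r, today) for r in records}


def erase_user(records, user_id, today):
    """Handle a right-to-be-forgotten request.

    Records under legal hold are retained and reported so the privacy team can
    explain the exception to the data subject. Returns (remaining, audit_entry).
    """
    remaining, deleted, held = [], [], []
    for r in records:
        if r.user_id != user_id:
            remaining.append(r)
        elif r.legal_hold:
            held.append(r.record_id)
            remaining.append(r)
        else:
            deleted.append(r.record_id)
    # The audit entry carries a fingerprint of the request, not personal data.
    fingerprint = hashlib.sha256(
        f"{user_id}:{today.isoformat()}".encode()).hexdigest()[:16]
    audit = {
        "request": fingerprint,
        "deleted": sorted(deleted),
        "retained_on_hold": sorted(held),
        # Verification step: nothing erasable for this user is left behind.
        "verified_gone": not any(r.user_id == user_id and not r.legal_hold
                                 for r in remaining),
    }
    return remaining, audit


# Constructed sample data.
SAMPLE_RECORDS = [
    Record("r1", "u1", "marketing_profile", date(2022, 1, 1)),
    Record("r2", "u1", "order_history",     date(2021, 6, 1)),
    Record("r3", "u1", "support_ticket",    date(2023, 12, 1), legal_hold=True),
    Record("r4", "u2", "support_ticket",    date(2024, 5, 1)),
]
TODAY = date(2024, 6, 1)

if __name__ == "__main__":
    print(sweep(SAMPLE_RECORDS, TODAY))
    remaining, audit = erase_user(SAMPLE_RECORDS, "u1", TODAY)
    print([r.record_id for r in remaining], audit)
```

The erasure here is logical: it removes the records from the live store and produces the evidence that they are gone. Physical destruction of the underlying media, which the last guideline covers, is a separate step handled by erasure tools or vendors, and the audit entry is the natural place to attach that tool's completion certificate.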
Privacy Controls: It’s High Time to Automate
As tools and systems in the market evolve, there is a great opportunity for organizations to begin their journey of automating their privacy initiatives. This is particularly true if the organization uses private data for critical business functions. With the tremendous growth of data being gathered and used, and a growing number of privacy regulations, the time to automate your organization’s privacy initiatives is now.
To learn more about how IBM can help your organization manage privacy requirements and address compliance, check out our Data Privacy Services page.
Check out the Forrester report on technology practices for cybersecurity and privacy.