Modern data privacy: Maintaining compliance now and in the future

Dirk Kappel
Slalom Denver


In Part I of our modern data privacy series I discussed the current privacy regulations that affect businesses. I covered the key elements of these laws that dictate the responsibility an organization has when PII is collected. Also covered was the California Consumer Privacy Act (CCPA) and how additional US states are beginning to craft their own similar legislation.

Part II: Methods and tools to use to stay compliant

There are a multitude of best practices that an organization should incorporate into their data privacy program to ensure they meet the expectations of governing laws and the discerning public. Properly utilized technology combined with administrative controls will create a healthy foundation for the establishment of a program that is able to evolve with changing legislative environments. These are some of the baseline standards that an organization must consider and address to begin the process of protecting the privacy of PII.

Senior management commitment

Data privacy begins with a commitment by senior management to establish a company culture that prioritizes data, and thereby the PII collected on its data subjects. After all, the stewardship of data applies across an organization — from technology teams to marketing, sales, operations, and beyond. Anyone who will potentially evaluate, share, or leverage PII needs to be bought into the same culture of respect and value for data and its subjects. And, since accountability begins at the highest levels, organizations should appoint a senior privacy official who is responsible for overseeing the data privacy program. In fact, this role is required of any organization looking to stay compliant with GDPR, CCPA, and HIPAA.

Data classification and inventory

A robust data classification policy and procedure should be instituted to maintain regulatory compliance: it establishes where data may be stored and who will have access to it. Tags can be applied to sensitive and non-sensitive data to differentiate between them. Knowing exactly where data resides in the system, and being able to find a given data subject's records, will make it possible to efficiently ‘forget’ the data when requested by a user. An organization must also have a comprehensive data retention policy; this is important when a consumer exercises the right of erasure, since it can be impractical to remove data that is being stored in backups. A retention policy allows the consumer to be notified that their data was removed from production but may still exist in backups, which will be deleted at the end of the data lifecycle.

Collecting the minimum necessary data

Organizations should take careful measures to collect only the minimum amount of data required to accomplish their goals. Ask yourself, “do we need this data metric right now?” before gathering the information. While collecting additional information may seem useful down the road, this line of thought should be avoided in order to maintain a compliant data privacy foundation. The use of tokenization to separate PII from the rest of the application's data should be considered, as it provides solid protection against data breaches and limits risk. However, the increase in cost and possible performance reduction due to tokenization should also be considered. Existing applications and infrastructure may need to be rebuilt or retrofitted in order to create a tokenized system. Also, as the database scales in size it will take additional effort by the staff to maintain performance. These topics will need to be addressed when making the decision to tokenize PII.
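To make the tokenization trade-off concrete, here is a minimal token vault as an added example (it is not code from the article or from Slalom). The vault is the only place raw PII lives; application records hold opaque random tokens, and every detokenization is a vault lookup, which is exactly the performance cost the paragraph warns about. The PII field names, the `tok_` prefix and the sample customer are assumptions made for this example.

```python
"""Added example: a minimal tokenization vault that keeps PII out of the
application's own records. Example code, not from the article; the PII
fields and the sample customer are constructed."""
import secrets
from typing import Dict, Optional

# Fields treated as PII in this example (an assumption, not a standard list).
PII_FIELDS = ("email", "phone", "ssn")


class TokenVault:
    """Maps opaque random tokens to the PII values they stand for.

    Application tables store only tokens, so a leaked table exposes
    nothing useful without the vault. Each detokenize() is a lookup in
    the vault, which is the extra cost tokenization introduces.
    """

    def __init__(self) -> None:
        self._by_token: Dict[str, str] = {}
        # Reverse index so equal values share a token; this keeps joins
        # and de-duplication possible on tokenized data.
        self._by_value: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        token = self._by_value.get(value)
        if token is None:
            # Random token: derived from nothing, so it reveals nothing.
            token = "tok_" + secrets.token_urlsafe(16)
            self._by_token[token] = value
            self._by_value[value] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        return self._by_token.get(token)

    def erase(self, token: str) -> bool:
        """Drop the mapping; copies of the token elsewhere become meaningless."""
        value = self._by_token.pop(token, None)
        if value is None:
            return False
        self._by_value.pop(value, None)
        return True


def tokenize_record(vault: TokenVault, record: Dict[str, str]) -> Dict[str, str]:
    """Copy of the record with every PII field replaced by its token."""
    return {k: (vault.tokenize(v) if k in PII_FIELDS else v) for k, v in record.items()}


def detokenize_record(vault: TokenVault, stored: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Resolve tokens back to values; erased tokens come back as None."""
    return {k: (vault.detokenize(v) if k in PII_FIELDS else v) for k, v in stored.items()}


def contains_raw_pii(stored: Dict[str, str], original: Dict[str, str]) -> bool:
    """Guard to run before writing to the application store:
    no original PII value may appear in what is stored."""
    return any(stored.get(k) == original[k] for k in PII_FIELDS if k in original)


# Constructed sample customer; not a real person.
SAMPLE_CUSTOMER = {
    "id": "C-1001",
    "email": "alice@example.com",
    "phone": "+1-555-0100",
    "ssn": "000-00-0000",
    "plan": "gold",
}


if __name__ == "__main__":
    vault = TokenVault()
    stored = tokenize_record(vault, SAMPLE_CUSTOMER)
    print("application record:", stored)
    print("raw PII leaked into store?", contains_raw_pii(stored, SAMPLE_CUSTOMER))
    print("resolved via vault:", detokenize_record(vault, stored))
    vault.erase(stored["email"])
    print("after erasing the e-mail mapping:", detokenize_record(vault, stored))
```

Two design points follow from the paragraph: the reverse index is what lets two records with the same e-mail still be matched without exposing it, and `erase()` shows how the vault doubles as the single place to act on an erasure request, since tokens left behind in application tables and backups no longer resolve to anything.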

Notification

Organizations should notify individuals upon collection of PII of their right of ownership of the data. Who the organization will share the information with and what the data will be used for should be clearly stated upon collection. This goes back to how the organization establishes the culture of data privacy. GDPR and CCPA require this notification but do not spell out exactly how it must be accomplished. It would be in the best interest of the business to clearly and transparently identify the anticipated use of the data to the individual. This approach will ultimately build trust between the consumer and organization.

Establishing a data security framework

While this article has emphasized data privacy, the importance of creating a secure information system cannot be overlooked. Beginning with a strong framework such as, but not limited to, NIST or ISO is the start of creating an information security management program that can protect the valuable data that the organization controls. I come from a compliance assessor background, so I believe in the importance of instituting a common framework, but no organization should trust in the fallacy that adhering to the minimum compliance requirements equals a secure system.

The organization must stay vigilant and not be afraid to embrace new technologies that can automate the security monitoring of their systems. We have seen a recent mass migration into cloud technology from a tradition of on-premises infrastructure. This direction has the potential to create a more secure future, but only if the architecture of the solution is planned and executed properly. The organization will need to employ experts in designing cloud architecture (whether full-time or project-based) if qualified internal resources cannot be found.

Breach response strategy

HIPAA, GDPR, and CCPA all require that the subject of the data be notified in a timely manner once a breach has been discovered. The organization will need to be watchful and prepared for the worst to happen. Clear policies and procedures, along with assigned responsibilities, need to be evaluated before this unfortunate eventuality occurs. The PII inventories described above will allow the organization to notify all the individuals that were affected by the breach. A quick response can shut down the avenues of data loss and prevent additional damage, while helping to maintain a level of trust with end users.
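The inventory the article keeps coming back to, in the classification section and again here, is the same artifact, so one added example serves both: a small tagged inventory of data stores that can locate a subject, process an erasure request while reporting which backups still hold the data and when they age out, and list who must be notified when a given store is breached. This is example code, not the article's or Slalom's; the store names, retention period, snapshot date and subject IDs are all constructed.

```python
"""Added example: a tagged PII inventory used for right-of-erasure
requests (with retention-aware backup handling) and for working out whom
to notify after a breach. Example code, not from the article; all store
names, dates, retention periods and subjects are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

SENSITIVE = "sensitive"          # classification tags (assumed two-level scheme)
NON_SENSITIVE = "non-sensitive"


@dataclass
class DataStore:
    name: str
    classification: str                                   # SENSITIVE or NON_SENSITIVE
    records: Dict[str, dict] = field(default_factory=dict)  # subject_id -> record
    is_backup: bool = False
    snapshot_date: Optional[str] = None                   # backups only, ISO date
    retention_days: int = 0                               # backups only

    def expires_on(self) -> Optional[str]:
        """ISO date on which a backup reaches the end of its lifecycle."""
        if not self.is_backup or self.snapshot_date is None:
            return None
        return (date.fromisoformat(self.snapshot_date)
                + timedelta(days=self.retention_days)).isoformat()


Inventory = Dict[str, DataStore]


def build_sample_inventory() -> Inventory:
    """Constructed sample inventory; not real systems or people."""
    crm = DataStore("crm_prod", SENSITIVE,
                    {"alice": {"email": "alice@example.com"},
                     "bob": {"email": "bob@example.com"}})
    analytics = DataStore("analytics_prod", NON_SENSITIVE, {"bob": {"region": "west"}})
    backup = DataStore("crm_backup_2024-01-01", SENSITIVE,
                       {"alice": {"email": "alice@example.com"}},
                       is_backup=True, snapshot_date="2024-01-01", retention_days=90)
    return {s.name: s for s in (crm, analytics, backup)}


def locate_subject(inv: Inventory, subject_id: str) -> List[str]:
    """Every store, production or backup, that currently holds the subject."""
    return sorted(name for name, s in inv.items() if subject_id in s.records)


def erase_subject(inv: Inventory, subject_id: str, today_iso: str) -> dict:
    """Right-of-erasure handling: delete from production stores now; backups
    are not rewritten, so report when each one ages out instead. A backup
    past its expiry that still holds the subject is flagged as overdue."""
    today = date.fromisoformat(today_iso)
    removed, pending, overdue = [], {}, []
    for name in sorted(inv):
        store = inv[name]
        if subject_id not in store.records:
            continue
        if not store.is_backup:
            del store.records[subject_id]
            removed.append(name)
            continue
        expiry = store.expires_on()
        if expiry is None or date.fromisoformat(expiry) <= today:
            overdue.append(name)      # lifecycle should already have purged it
        else:
            pending[name] = expiry    # what the consumer is told
    return {"subject": subject_id, "removed_from": removed,
            "backups_pending": pending, "backups_overdue": overdue}


def affected_subjects(inv: Inventory, breached_stores: List[str]) -> dict:
    """Who to notify after a breach of the named stores, and whether any of
    them carried data tagged sensitive."""
    subjects, sensitive = set(), False
    for name in breached_stores:
        store = inv[name]              # KeyError on an unknown store is deliberate
        subjects.update(store.records)
        sensitive = sensitive or store.classification == SENSITIVE
    return {"subjects": sorted(subjects), "sensitive_data_involved": sensitive}


if __name__ == "__main__":
    inv = build_sample_inventory()
    print("alice is held in:", locate_subject(inv, "alice"))
    print("erasure on 2024-01-15:", erase_subject(inv, "alice", "2024-01-15"))
    print("breach of crm_prod affects:", affected_subjects(build_sample_inventory(), ["crm_prod"]))
```

The `backups_pending` map is the information the retention policy lets you give the consumer: removed from production today, gone from the named backup on the listed date. The `backups_overdue` list is the check a practitioner wants on top of that, because a backup still holding a subject after its retention window means the lifecycle process itself is broken.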

Employee training

Workforce members that have access to PII should be properly trained on the importance of data privacy and the applicable regulations that guide the organization, regardless of the team they are on. This goes beyond the system administrators and security team with direct access to the data and needs to include supporting staff and other teams that may have indirect access to the PII. For example, anyone with access to marketing automation or customer relationship management systems has access to PII. The privacy training should be in addition to any security awareness training that is currently in place. Organizations should prioritize this training for employees upon onboarding and annually thereafter to address any changes in the privacy environment. This is a critical point to address considering we are in a world that is dominated by social media, which has created a culture that encourages the sharing of personal events with the public internet. This represents a direct conflict with the paradigm of data privacy and, if left unchecked, can result in privacy violations. There have been instances of HIPAA violations where images and videos of patients were uploaded to social media accounts without the consent of the patient. Violations of this type often result in severe penalties, including fines and loss of work (not to mention the brand damage from loss of patient or customer trust).

The above methods and tools are a starting point for a mature data privacy program. To create a secure framework, an organization must be willing to allocate the monetary resources and assign a workforce to complete the tasks successfully. When an organization chooses to accept and promote this realization, it will begin creating the culture of data privacy that every organization should strive to achieve.

Privacy in the future

We are seeing a rapid change in the awareness of the significance of data privacy, from the institution of new government regulations to the court of public opinion. This momentum will only continue into the near future. The new regulations that have been recently passed now allow governments to levy large fines on businesses that do not adhere to privacy requirements. Reputational loss suffered from data breaches or the misuse of information will have long-lasting repercussions. Employee flight from a company that does not value privacy is a real concern. It will now make not only ethical sense but also business sense to create a culture of data privacy in your organization. The future only holds more — more data being collected from more devices across more potential consumer touchpoints. From IoT, smart vehicles, facial recognition technology, augmented reality, and growing surveillance, we will all need to have forward-thinking solutions in place to procure and protect data.

Businesses should strive for a future that does not become what was described in 1984, but instead strikes a balance of convenience, productivity, respect, and privacy that everyone can appreciate. Organizations need to address the current regulations but also continue planning for a future in which the laws governing data privacy will only strengthen. This means understanding the privacy rules currently in force, creating a company culture that values the protection of PII, and utilizing technology and administrative controls to achieve this attainable objective.

The evolution of privacy laws should not be perceived as a hindrance to an organization’s ability to conduct effective business. It should be viewed, instead, as an opportunity to establish and maintain trust between the individual and the corporation. It will take a commitment and a change in culture across all components of the organization to meet this goal, but the benefits of adopting a modern approach to data privacy will only secure the successful future of the organization.


I am passionate about cybersecurity and discovering ways to automate security and compliance using cloud native tools.