Understanding Enterprise Data Privacy Challenges: A Three Step Primer

The LTTS Editorial Team
Published in TS Tech
5 min read, Jan 27, 2023

In a connected world, robust data protection paradigms are an integral component of enterprise risk management and continued business success. With recent developments, including a marked growth in the number of cyberattacks and the aftermath of the Schrems II judgement on data privacy, we are witnessing an urgent need to redefine the existing processes governing transfer, use, and storage of an individual’s personal data by organizations.

As new laws regulating privacy and data protection continue to evolve, and existing laws become more stringent on the free flow of personal data, global businesses must be careful in their role as the leading users of such information.

The scenario is further compounded by the adverse impact of a data privacy violation on the company valuation and customer trust scores. A case in point is the admission by a leading internet company of a three billion account data breach, underscoring the costs associated with a failure in protecting the data resources consigned to our care.

While the global community is undertaking new and more responsible measures to ensure data safety and privacy, organizations continue to stumble due to a lack of transparency, excessive personal data collection, ignoring consumer privacy choices, and retaining personal data longer than necessary. Unsurprisingly, the news coverage on data privacy has moved from the technology to the business section, and even adorns some of the front pages.

I feel that the first step for a reasonable approach towards ensuring robust data privacy paradigms should start with a clear understanding of the underlying challenges defining the scenario. These learnings would be vital in shaping our response, and defining a roadmap to ensuring the expected and desired levels of data security and privacy — one that would drive trust amongst the organization’s stakeholders, be they customers, employees, or the society at large.

Here’s a Three Step Primer to help get you started on the journey ahead:

1. Security and Privacy Conflation

Data privacy and data security are often treated as similar domains. They differ in key ways, however, and understanding those differences is vital for creating a reliable action plan for the future.

Data privacy covers the use, sharing, and/or leveraging of stakeholder personal data by authorized users within an organization for well-defined purposes, while data security consists of measures undertaken to prevent any unauthorized use of such assets, whether by internal or external agents.

An undefined use of personal data can constitute a data privacy breach, even when undertaken by an approved user, irrespective of their ultimate intent. Sharing personal data assets by such users without the agreement of the concerned individual also constitutes a data privacy breach, which can contribute to an erosion of trust in the organization. Possible redressal mechanisms, therefore, comprise a mix of technology-enabled checks and balances, along with regular knowledge sessions on data usage guidelines and best practices.

On the other hand, data security is more of an infrastructure challenge, requiring safety mechanisms that prevent all unauthorized access in the first place. The focus should be on ensuring that the data stored is only accessible to approved users for their requirements, and that no unauthorized access is possible.

2. Security Risk Modeling

Factors such as likelihood, threats, vulnerabilities, problematic data, and impact are common terms in privacy risk models. Data privacy risks include, but are not limited to, lack of appropriate technical and organizational measures and safeguards, social media attacks, mobile malware, third-party access, negligence resulting from improper configuration, outdated security software, social engineering, lack of encryption, and an absence or lack of awareness among the staff.

Data privacy risks can therefore exist throughout the personal data life cycle, underscoring the need to manage and govern data properly.

A number of privacy risk management activities can be undertaken during the data life cycle. Designing a privacy risk management framework is the first step to ensure data validation and data protection, to monitor and control data, and to comply with all applicable laws and regulations.

3. Data Hoarding: Retaining versus Risking Data

Implementing a robust data retention policy begins with recognizing the various types of personal data that your organization holds and then classifying them. The requirement clearly varies based on the nature of the data collected. For instance, at healthcare companies, this could be health-related information, while for financial services organizations, this could be credit scores, payment history, or loan information.

Classifying personal data is therefore a best practice for data retention, because not all data requires the same retention levels. To cite an instance of this principle in action, GDPR compliance requires organizations that handle the personal data of EU data subjects to classify the types of data they collect. The GDPR categorizes certain data — race, ethnic origin, political opinions, biometric data, and health data — as “special” and therefore subject to additional protection.

What this means is that organizations not only need to know what types of data they hold, but they also need to be able to label that data as public, proprietary, or confidential.

This is why, when following best practices for data retention, organizations should consult with either internal or external regulatory compliance specialists to determine which legal requirements for data retention apply to their organization. Deleting personal data once it is no longer required, or after the data retention period has been met, is a critical best practice for data retention. Many organizations fail to follow it because they believe that holding onto such data longer than required could be more secure than deleting it and needing it later.

However, this misconception couldn’t be further from the truth.

Holding onto personal data longer than required by law or longer than needed for use can have various ramifications, such as increasing chances of experiencing a data breach or security incident and placing client or stakeholder personal data at greater risk from such incidents. In order for an organization to implement an effective data retention policy, data that no longer serves a purpose to the organization or data that has been held for the required retention period should be deleted.

Moving Ahead to a Secured World

Data is a vital component of business success in the connected global ecosystem. However, incorrect handling of this asset can have major ramifications, and impair plans for current and future growth.

What we need, therefore, is a combination of an enhanced understanding of the underlying tenets of data privacy with the latest digital technologies for creating a robust and reliable framework for leveraging our data assets. Only then can we expect the true ROI from the priceless asset stream represented in our data flows.

Author

Jayashree Ramasubbu
Chief Risk Officer
L&T Technology Services
