Data privacy continues to evolve as regulations work to keep pace with both the audacity of threats and other regulations that pop up around the globe. Not all regulations are the same, and some only loosely define what an organization has to have in place with the terms “adequate controls.” This can make finding common ground between what legal teams want to do and what IT teams need to do difficult.
PKWARE sat down with guest speaker Enza Iannopollo for a webinar, “Building A Privacy Foundation on A Changing Privacy Landscape,” to discuss more about taking what’s on paper with the law and turning it into something tangible for technology. This post-webinar Q&A takes a deeper dive into what organizations should consider as they build their data privacy strategy.
What are the top 3 – 5 considerations for an organization when planning for a data privacy and/or governance project? Do these considerations change at all if the organization must meet multiple data privacy laws, whether state- or region-based?
Setting up the appropriate data privacy and/or governance program depends on many factors, including the maturity and complexity of the organization, business goals, and priorities, as well as the specific outcomes that the program should achieve. The fact that a company must comply with multiple regulations at the same time is a key factor to consider. It adds complexity, creates urgency for a more comprehensive and proactive program, and put processes under pressure. Keeping up with evolving regulatory requirements across regions is a challenge in itself, but it has become a common one.
According to UNCTAD, 128 out of 194 countries worldwide have some legislation in place to secure the protection of data and privacy. And, about 40 percent of organizations already must comply with multiple privacy regulations at once. Hence, it’s likely your company must comply with one or multiple regulatory frameworks no matter how local or small it is. If you are getting started, the goal is to establish the basic elements for your program.
- Start with a regulatory gap analysis to identify gaps and prioritize actions. To make compliance change management smarter, identify common requirements across privacy bills, establish remediations that are flexible enough to adapt to new requirements, and adopt a set of leading key principles to enable your company to comply with new requirements more efficiently.
- Build the foundation for basic privacy oversight and define privacy policies, procedures, and governance. At this stage, there are two foundational programs to build: an employee training and awareness program, and a third-party risk management program.
- Put in place security controls to remediate critical gaps. Cleaning up access, managing identities more effectively, and adopting essential data security controls are common actions.
As you progress, your priority must be data discovery and classification. It’s that simple: If you don’t know what you are trying to protect and where it is, your program is going to fail, no matter how much technology you throw at it. Before thinking about program automation and more sophisticated in-use data protection cases, ensure that you know what you must protect.
How do elements such as Records of Processing (RoPA), Privacy Impact Assessments (PIA), and Data Protection Impact Assessments (DPIA)—all of which are key to meeting privacy laws and mandates—both play into data discovery and security and create additional value for the organization?
Creating a record of processing activities and performing privacy risk assessments such as PIAs and DPIAs are part of the foundational work of virtually every privacy team. To be able to meaningfully create these assets, privacy, risk, and security teams must understand the data that underpins both the processing activities and the assessments that they must run. And, our research shows that, while gathering data as needed for their privacy work, these teams also achieved improvements of their data strategies.
Many have started to proactively align data governance framework to their privacy program in order to act more consistently, efficiently, and safely on data. As many as 74 percent of firms that have invested in solid privacy programs reported operational efficiency as one of the business benefits they achieved. The value of this work goes beyond privacy: Security, data governance, IT, and the business largely benefit from consistent data practices.
It seems like the majority of organizations focus data security and privacy on larger data repositories (warehouses, lakes, etc.), yet especially in light of the new hybrid office/remote work environment, how should organizations be folding endpoint data protection into their overall data privacy strategy?
Privacy rules apply to personal identifiable information—structured, unstructured, and semi-structured—wherever it resides, is processed, and is stored. I have seen a large amount of organizations starting their data discovery work from structured data in large repositories. They progressively expanded the scope of their work to unstructured and semi-structured data, mainly on large repositories across cloud and on-premises environments.
The next level of action is on “less prioritized” repositories. The latest enforcement actions looked at employee personal data and helped to shift organizations’ attention to systems that are not the classic CRM or other customer data warehouse. Employee data lives on different systems and largely on endpoints, too. In the last 18 months, even larger amounts of personal data have moved on endpoints, as employees worked remotely. Both the trend of remote work and employee data privacy are going to continue and it’s crucial that privacy, security, and risk teams prioritize data discovery of those systems and data repositories they have so far overlooked.
Data privacy in and of itself is already a complicated challenge. What are the most important considerations when assembling a complete data security and privacy solution, especially if an organization is attempting to use multiple disparate platforms to create one workflow for DSAR, PIA/DPIA, and/or record keeping?
This is a hard question to answer. But I have some tips.
First, do not start from technology. Instead, define clear objectives that the solutions should deliver, choose critical KPIs to measure where the solution is performing as expected, and optimize continuously. We hear often that privacy and security is everybody’s work. The multi-functional nature of privacy definitely makes that a true statement. Work with the teams that must support the solution, allocating responsibility and accountability as needed. If you do this groundwork, you are ready to build and assemble the most appropriate solution. Use maturity assessments, audits, or gap analysis to determine which investments you must prioritize.
Deploy technology that progressively delivers against your objectives. Also, focus on products that deliver value against multiple use cases, ideally across privacy, security, and data management. Data discovery and classification, consent management, effective IAM, and security controls for data in use protection are some examples.
Stitch things together progressively. Accurate data discovery, in particular, is a critical capability that will feed data across a number of those workflows. RoPA, privacy risk assessments (such as DPIAs and PIAs), individuals’ privacy rights management and fulfilment, as well as zero-trust use cases will benefit from it. Having data discovery as the backbone of a privacy and security solution also allows organizations to automate workflows in an meaningful way. Understanding risks dynamically and delivering data protection in business context and at business speed will not only increase the effectiveness of security and privacy, but also enable greater data-driven innovation and growth.
Learn more about applying technology to address constantly changing policies. Watch “Building A Privacy Foundation on A Changing Privacy Landscape” with PKWARE data expert Chris Pin and guest speaker Forrester analyst Enza Iannopollo.