How to Overcome Privacy Program Stumbling Blocks
Contributors: Steven Ransom-Jones
The need for a strong data privacy and protection plan continues to heat up. The more we share, and the more market researchers gather information on their consumers, the more vigilant we need to be about our privacy programs and compliance. Guidance on creating a privacy program can seem straightforward, such as that outlined in this recent blog from Cisco’s Chief Privacy Officer. However, new regulations and compliance requirements can be vague and confusing, leaving organizations struggling to build effective privacy programs.
Our Security Services team works with customers to navigate these waters. I recently spoke with Steve Ransom-Jones who is a lead consultant in our Privacy and Data Protection Services practice. According to Steve, there are a few key areas where organizations can stumble:
- New dimensions of data access management
- Clarity and transparency about information management practices
- Traceability and assurance
Following is a summary of our discussion and key recommendations for those of you tasked with creating and implementing effective privacy programs for your organizations.
What makes privacy compliance challenging for organizations?
With privacy compliance, we must take an information-centered perspective: we must shift from protecting systems and applications to responsibly managing the information assets themselves.
We must be clear and transparent about our information management practices. We need to establish trust by understanding and clearly communicating the types of personal information that we are collecting, the purposes for which we will use it and how we will keep to those commitments.
And then, we must assure the effectiveness of our privacy program. We need to understand the full range of our obligations for trustworthy information management, build a program to meet those requirements and actively demonstrate our effectiveness at meeting those responsibilities.
On the surface, the idea of data privacy – even as outlined above – is pretty simple. But reality is that data is not static. It travels across servers, across the network, into the cloud – or clouds – and through various applications. Privacy must be protected across all of those domains and applications.
How do we apply consistent management of information assets for an effective privacy program?
While the idea of responsibly managing personal information may seem straightforward, it requires a different approach than is traditionally followed by security practitioners. Security controls tend to focus on protecting computing assets, such as servers, networks and applications. In contrast, a privacy program needs to be centered on the information assets that traverse multiple technology domains and business processes, some of which may reside outside the direct control of the organization (for example, with third-party processing or cloud-based services).
The challenge is to provide consistent management and control over the information assets throughout their lifecycle.
Managing privacy requires expertise across all of these domains. There must be visibility of the full picture (traceability across all domains) – knowledge of how the data asset is to be used from end to end – and even anticipation of potential future uses of the data, so they can be planned for.
For some IT managers, data privacy requirements may be very different from their usual day-to-day jobs. It’s not just about security technology and tools.
How do we understand what is needed to be clear and transparent about our information management practices?
A key tenet of a privacy program is “transparency”. Organizations need to communicate to their customers:
- What information is tracked
- How the information is used
- What options they have for consenting to the use of their data
You must understand the business needs for the data and have visibility of potential use cases where data travels into the hands of new or different partners (for example, healthcare program partners).
Transparency starts with a thorough understanding of which business processes are collecting or using personally identifiable information, what those data elements are, the purpose for processing and where they may be further communicated. This goes beyond a simple data inventory and classification to a more complete comprehension of which information assets you are using, the purpose for their use and in which technical domains they may be processed.
With this understanding we are in a strong position to make more complete and accurate representations of our information collection practices, as required by many privacy regulations, and to use them as a guide for permissible future uses of the information.
This approach can be critical where information is used across a number of business processes. Just as information crosses multiple technology domains, it is quite possible for the same record to have different uses and value to different parts of a business. Medical records, for example, may be used for treatment, billing, insurance claims, research, efficacy monitoring and follow-up appointment scheduling by different departments and organizations.
Here’s an example: an employee’s use of a fitness tracker. In this use case, the fitness tracker data:
- Is stored on the device (fitness tracker)
- Travels to the cloud (info shared across multiple devices)
- Can be used by employer health programs, which may be managed by third-party providers
- Could be used intentionally for various applications and purposes:
  - Healthcare benefits program: earn “points” toward health benefits based on exercise
At the same time, “big data” analytics has multiplied the ways data can be viewed – and consequently, there are new ways of using customer data that may not have been outlined in the original agreements. So, a privacy plan has to anticipate what you might want to do with the data in the future. For example, many organizations have realized that they have acquired many years of customer purchase history that could be used to predict the success of new products or to perform targeted marketing. They would now have to consider whether product research (possibly with anonymized data) or marketing communications are legitimate uses under the privacy statements or agreements.
The third big challenge is “traceability and assurance”. What is that?
Privacy regulations increasingly require that organizations prove that they have effective programs in place and, in recent years, there has been an increase in enforcement actions both in the EU and by the FTC in the US against organizations that make false compliance claims. With the potentially devastating fines in the General Data Protection Regulation, there is a much greater emphasis on demonstrating the effectiveness of privacy programs.
Probably the most efficient approach is through traceability. Just as we have discussed basing our information use transparency statements on an information asset analysis, we can use a similar technique for the overall program.
We can state our privacy obligations based on an analysis of all drivers (including regulations, published policies, privacy statements, contracts and user agreements). A clear mapping of the capabilities (organizational, process and technical measures) that we will implement to meet these obligations defines what our program should consist of. This mapping demonstrates that every obligation can be traced to a capability. Similarly, we can trace how each of these capabilities will be implemented across the different business and technology domains. This approach allows each capability to be implemented by the most efficient means in each area (possibly using existing measures that are unique to that area) while demonstrating conformance. The final link in this traceability chain is the testing of each measure and the management of any issues found.
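The traceability chain described above (drivers and obligations, capabilities, per-domain measures, test evidence) can be modelled and checked mechanically. The following is an added example and not code from the original post or from Cisco; every identifier and record in it (the obligations, the "device"/"cloud"/"third-party" domains, the measures and test results) is constructed to illustrate the fitness-tracker scenario, with deliberate breaks in the chain so the gap report has something to find.

```python
# Added example, not code from the original post: a small traceability
# chain for a privacy program, obligation -> capability -> per-domain
# measure -> test evidence, with a gap report. All identifiers and sample
# records below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Obligation:
    id: str
    driver: str                  # regulation, policy, privacy statement, contract ...
    text: str


@dataclass(frozen=True)
class Capability:
    id: str
    description: str
    satisfies: Tuple[str, ...]   # obligation ids this capability addresses


@dataclass(frozen=True)
class Measure:
    id: str
    capability: str              # capability id it implements
    domain: str                  # business/technology domain it lives in
    description: str


@dataclass(frozen=True)
class TestResult:
    measure: str                 # measure id
    passed: bool
    issue: str = ""              # tracked issue when the test failed


def find_gaps(obligations: List[Obligation], capabilities: List[Capability],
              measures: List[Measure], results: List[TestResult],
              domains: Set[str]) -> List[str]:
    """Return every break in the chain; an empty list means full traceability."""
    gaps: List[str] = []
    # Link 1: every obligation must trace to at least one capability.
    covered = {ob for cap in capabilities for ob in cap.satisfies}
    for ob in obligations:
        if ob.id not in covered:
            gaps.append(f"{ob.id} [{ob.driver}]: no capability addresses it")
    # Link 2: every capability needs a measure in every domain the information
    # traverses (each domain may reuse an existing control of its own).
    for cap in capabilities:
        implemented = {m.domain for m in measures if m.capability == cap.id}
        for dom in sorted(domains - implemented):
            gaps.append(f"{cap.id}: no measure in domain '{dom}'")
    # Link 3: every measure needs test evidence; failures must carry an issue.
    evidence = {r.measure: r for r in results}
    for m in measures:
        r = evidence.get(m.id)
        if r is None:
            gaps.append(f"{m.id}: never tested")
        elif not r.passed:
            gaps.append(f"{m.id}: failed ({r.issue or 'no issue raised'})")
    return gaps


def trace(obligation_id: str, capabilities: List[Capability],
          measures: List[Measure],
          results: List[TestResult]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Forward-trace one obligation to its measures and their test status."""
    evidence = {r.measure: r for r in results}
    chain: Dict[str, List[Tuple[str, str, str]]] = {}
    for cap in capabilities:
        if obligation_id not in cap.satisfies:
            continue
        rows = []
        for m in measures:
            if m.capability != cap.id:
                continue
            r = evidence.get(m.id)
            status = "untested" if r is None else ("pass" if r.passed else "fail")
            rows.append((m.id, m.domain, status))
        chain[cap.id] = rows
    return chain


# Constructed sample data for the fitness-tracker scenario.
DOMAINS = {"device", "cloud", "third-party"}
OBLIGATIONS = [
    Obligation("OB-1", "privacy statement", "Fitness data is used only for the wellness points program"),
    Obligation("OB-2", "GDPR", "Individuals can obtain a copy of the data held about them"),
    Obligation("OB-3", "contract", "Processor deletes data within 30 days of termination"),
]
CAPABILITIES = [  # OB-3 is deliberately left without a capability
    Capability("CAP-purpose", "Purpose limitation enforced at each processing step", ("OB-1",)),
    Capability("CAP-access", "Subject access request handling", ("OB-2",)),
]
MEASURES = [  # CAP-access is deliberately implemented in the cloud domain only
    Measure("M-1", "CAP-purpose", "device", "App stores step counts only, no location"),
    Measure("M-2", "CAP-purpose", "cloud", "Export API limited to wellness program fields"),
    Measure("M-3", "CAP-purpose", "third-party", "Contract clause restricting processor use"),
    Measure("M-4", "CAP-access", "cloud", "Subject access export job"),
]
RESULTS = [  # M-4 deliberately has no test evidence
    TestResult("M-1", True),
    TestResult("M-2", False, "ISSUE-17: export included heart-rate fields"),
    TestResult("M-3", True),
]

if __name__ == "__main__":
    for gap in find_gaps(OBLIGATIONS, CAPABILITIES, MEASURES, RESULTS, DOMAINS):
        print("GAP:", gap)
    print(trace("OB-1", CAPABILITIES, MEASURES, RESULTS))
```

The three checks correspond to the three links in the chain: an obligation with no capability, a capability with no measure in a domain the data passes through, and a measure with no (or failing) test evidence. Run against the sample data, the report lists five gaps, which is the kind of evidence an auditor asks for and the kind of list a program owner works down.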
For most regulations and compliance, an organization must provide three key elements:
- Privacy agreement
- Implementation plan
- Ability to demonstrate or prove that it is an effective program
In demonstrating the program, you must be able to detail the technical controls you have in place to protect the data. You also have to demonstrate you can respond to customers who want to know what is happening to the data they are sharing with your organization.
Privacy sounds like it’s a specialized function. Where can I get help?
Privacy is a relatively new role in US organizations, though it has been around for a while in some of the more regulated regions of the world. New legal and compliance requirements have increased the need for organizations to understand data privacy requirements more fully and how to meet them. Cisco, for example, has a dedicated data protection program as part of our Trust Center.
Privacy can seem like a daunting challenge, but having a good program can be a business differentiator and protect your business from the effects of security breaches: reputation and brand loss, fines, loss of customers, etc. Cisco Security Services has the expertise to meet you on your data protection journey. If you need help building a privacy program to meet your unique requirements or want to spot the gaps in your program, consider Cisco Privacy and Data Protection Services. Our experienced technology and privacy consultants will help you build a privacy framework and program to support your digitization and technology initiatives.