Incorporating privacy into data protection strategy
Nowadays, the term privacy echoes across boardrooms globally, where each country and enterprise races to update its laws and policies to keep up with the need for data privacy controls.
This massive wave of interest is largely driven by the introduction of emerging technologies such as robotics process automation; Internet of Things (IoT) and artificial intelligence (AI), which are increasing the number of sources of personal data available to enterprises. This, in turn, is increasing data protection risk to enterprises.
A recent ISACA whitepaper, Enforcing Data Privacy in the New Digital World, highlights the fact that although many enterprises are focused on data privacy compliance, data breaches can also cause irreparable monetary and reputational damage. This is supported by a 2018 IBM study that reports the average cost of a data breach to be $3.86 million.
In addition, if we examine the global risk landscape recently assessed by the World Economic Forum, massive data fraud/theft comes in fourth place, followed by large-scale cyber-attacks. These reports confirm data privacy is now a significant risk that should be tackled immediately by enterprises since the benefits from implementing controls to address data privacy are beyond the costs.
After laying down the numbers and facts, in order to implement data privacy controls, enterprises should start from the top – by incorporating data privacy into the enterprise’s data protection strategy. This will set the direction in which the enterprise will move forward concerning the data privacy initiative. At this phase, careful consideration must be taken in harmonizing the data privacy strategy with the corporate strategy. In the end, data is flowing throughout the organization, and unlike many assumptions, it is not limited to IT departments.
Once the data privacy strategy is defined, enterprises can move forward with translating it into their governance activities. Enterprises should begin with an examination of their current organizational structure.
Data privacy acts and laws, such as GDPR, have introduced new roles to be implemented within enterprises to ensure compliance and proper implementation of data privacy. Some enterprises fall short of properly defining the responsibilities needed to implement the data privacy strategy, where such new roles may end up siloed and without proper reporting lines and involvement in the enterprise. Enterprises should also revisit or prepare policies and procedures with particular focus on data privacy. These guidelines must be formally written and enforced in the enterprise. An example of those policies is the definition of guidelines over data retention, information security, monitoring and reporting procedures, data disposal, etc.
As enterprises move forward with the data privacy project, they will begin to understand the types of data currently processed in their environment. This allows enterprises to also determine the challenges they need to overcome to be fully capable of applying data privacy controls. Following this, enterprises can work on establishing controls such as implementing tools to ensure data privacy within the IT environment, developing a privacy culture within all departments and ensuring periodic training and awareness sessions on data privacy.
An important point here relates to third-party involvement in data privacy. Typically, enterprises outsource certain functions within the IT department to third-party vendors in order to provide the needed skills and support to customers. Nevertheless, outsourcing does not remove the responsibility of the enterprise to ensure their vendors comply with data privacy policies and laws. Enterprises should revisit their third-party vendor contracts and service level agreements to ensure that data privacy compliance provisions are included.
In light of the growing importance of data privacy, enterprises that incorporate privacy compliance within their corporate strategy, role definition, policies and procedures, controls, and third-party management practices will be best positioned to reduce regulatory non-compliance penalties and reputational risk.
(This post originally appeared on the ISACA blog, which can be viewed here).