BreachExchange mailing list archives
Five key privacy programme elements that make it work
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 16 Sep 2015 19:22:35 -0600
http://forbesindia.com/blog/business-strategy/five-key-privacy-programme-elements-that-make-it-work/

Although privacy is making rapid strides, one big challenge remains: how do organisations demonstrate that they respect the data subjects' right to privacy? In fact, the challenge has increased manifold due to greater awareness, regulations, and incidents. Today, enterprise data privacy programmes must address both privacy and security needs.

Meeting these needs and creating privacy programmes call for a systematic approach to designing them. The privacy programme must be kept simple, with minimal jargon and expressions that are easy to understand for all levels of stakeholders. While the programme can be driven with regulatory compliance as the stick, the carrot would be ease of understanding and implementation. But ensuring its sustenance and scalability calls for making it part of the organisation's culture and not merely an organisational policy. This is, perhaps, the hardest job in hand for an implementer and often leads to a pertinent question: is there a simple design that can be scaled at the pace the organisation needs?

In my experience, five steps go into designing a simple data privacy programme that can be scaled as per the organisation's needs:

1. Data visibility

Conduct a data visibility exercise for all the organisational processes in scope. Such an exercise will be an enabling tool for all process owners to disclose the personal data controlled and processed by them. It will help put together an inventory of personal data managed by the organisation with details such as, but not limited to:

- Who is the owner of the data?
- Why is the data required?
- How is it stored / processed?
- Who can access it and why?
- How long is it retained?
- How is it disposed of?
- What is the nature of the data (PI, PII, or SPI)?

Set up a process to update this inventory in real time or periodically, in line with the legal requirement, to ensure continuous data visibility. Data visibility of this sort provides implementers, attorneys, and regulators with the data they need to understand the privacy protection needs of the organisation.

2. Privacy protection need analysis

The data visibility exercise should be followed by a privacy and protection need analysis. Define your requirements and commitments to ensure the data subject's right to privacy and the protection of data within the organisation's gamut. Look into the local regulatory regime in the geographies the organisation has scoped in. Privacy protection needs may differ across countries and industries. In addition, consider the relevant published standards. Such an analysis enables making informed decisions to ensure balanced privacy protection controls. Controls considered excessive today may be considered essential later, or vice versa. Thus, a periodic analysis will help strike a balance as the practice matures globally.

3. Privacy protection controls

Design and adopt privacy protection controls based on the privacy protection need analysis, cost-benefit analysis, regulatory requirements, the organisation's commitments, and risk assessment. Privacy protection controls can include, but are not limited to: data masking, encryption, data transfer contracts, privacy policy and procedures, incident management, internal audit, information security controls, privacy notice, consent acquisition, retention and disposal policy, and more. The design and selection of controls must be aligned with data protection principles.

4. Privacy incident reporting and management

Put in place an effective incident reporting mechanism that enables all stakeholders to report any privacy incident. All stakeholders must be made aware of this mechanism continuously through various communication media such as emails, posters, quizzes, trainings, etc. In addition, define the process for acting on the reported incidents and ensure the process includes privacy impact analysis, root cause analysis, a RACI (who is Responsible, Accountable, Consulted, and kept Informed) matrix for the stakeholders involved, SLAs for closure, provisions for actions to be taken, documentation of learnings, and measurement of the effectiveness of privacy incident management.

5. Governance

A key ingredient in a robust privacy programme is top management involvement. This will ensure the privacy programme is effective at various levels in the organisation. Also, define the metrics that the organisation wants to monitor, against thresholds set as per the organisation's risk appetite, reflecting the health of the programme. Aligning the privacy programme to the organisation's business goals and strategy is essential for effective governance.

Every day a new outlook on privacy appears. While it is true that we cannot design and adopt a perfect privacy programme, we can definitely build a reasonable assurance model. Begin by keeping these five basic elements in mind and strive to improve the programme by building depth in the activities under the design. There is no end to what can be done, so it is important for the implementer to strike a balance between protecting the interests of all stakeholders and continuously refining the programme to keep it relevant and friendly. Only then will it function as an enabler in achieving business goals.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail sales () riskbasedsecurity com

Supporters:
Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus on the right security. If you need security help or want to provide real risk reduction for your clients, contact us!