Increasing Privacy Concerns

Accedere Inc

Privacy has grabbed the attention of Boards of Directors (BoDs) across regions as organizations look to comply with new privacy regulations and compliance mandates such as GDPR, CCPA, and others. Privacy is the new buzzword, and the potential impact is very real. Personal data have been processed for political and economic reasons without users’ consent, as happened in the Cambridge Analytica event. In view of such recent incidents, and of the failure of the EU Safe Harbor and the Privacy Shield to provide real protection, privacy laws are now changing and have become more stringent.

After GDPR, new privacy laws have been enacted, such as the US California Consumer Privacy Act (CCPA) and the Brazilian General Data Protection Law (LGPD), and many more are planned. HIPAA fines continue to rise too. It may be prudent for organizations to be more proactive and adopt measures for privacy governance to comply with such laws. Tools such as COBIT, ISO 27701, and SOC 2 for Privacy can provide assurance to internal and external stakeholders, help in the governance and risk management of the overall privacy program, and ensure compliance with HIPAA, GDPR, CCPA, and other privacy mandates.

Some Top Privacy Fines

Organization      | Amount in $   | Penalizing Agency | Issue
------------------|---------------|-------------------|------------------------------------
Facebook          | 5 billion     | FTC               | Cambridge Analytica
Equifax           | 700 million   | FTC               | Data Breach
British Airways   | 230 million   | ICO               | Data Breach
Uber              | 148 million   | FTC               | Data Breach
Marriott          | 124 million   | ICO               | Data Breach
Yahoo             | 117.5 million | FTC               | Data Breach
Google (YouTube)  | 200 million   | FTC               | Children’s Privacy Violation (COPPA)

Privacy Compliance Challenges

Until recently, most organizations relied mainly on the legal team to manage privacy compliance. Since GDPR the situation has evolved, as privacy is no longer just about managing cookies or opt-ins and opt-outs. Privacy compliance requires a holistic and collaborative approach with team members from Business, IT, Security, Legal, and others. A siloed approach does not work.

Organizations need a Privacy Governance Program with a top-down approach to manage privacy risks and compliance challenges. The IAPP-EY 2019 report indicated that less than 50% of organizations have internal or external assurance for privacy. When there are no internal or external privacy audits, organizations may not know their privacy maturity and may only find out the hard way, when they have a data breach. The same report also suggested that 90% of organizations use third parties (vendors) to store or process data. Some of these vendors may also be Cloud Service Providers (CSPs).

The cloud environment is not safe either. One of the top cloud risks is misconfigured servers, which lead to data breaches too. Another major risk is insecure APIs. Organizations use APIs to transfer data to business partners without a secure architecture in place, and without conducting proper vendor due diligence or evaluating the risks across the data flow lifecycle.

Privacy Compliance requirements

With increasing privacy mandates and stringent compliance requirements, organizations are facing more challenging times ahead. The sheer amount of privacy fines being levied has created real alarm among the Boards of Directors of large organizations.

Concepts such as Privacy by Design, Data Minimization, and Data De-identification using anonymization or pseudonymization and encryption methods are causing several implementation challenges.
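To make two of these concepts concrete, the following Python is an added example (not code from Accedere Inc or from this paper). It assumes a constructed customer table and an assumed analytics purpose that needs only age, ZIP code and purchase amount. Data minimization drops every other field; pseudonymization replaces the e-mail address with an HMAC token whose key is kept apart from the data set. For contrast it also shows why an unkeyed hash is not a pseudonym: with a list of candidate addresses anyone can recompute it, which is the check a DPIA reviewer would run on a de-identification scheme.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (not from the paper): raw customer rows as collected.
RAW_RECORDS = [
    {"email": "Alice@example.com", "ssn": "123-45-6789", "age": 34, "zip": "80202", "purchase": 19.99},
    {"email": "bob@example.com",   "ssn": "987-65-4321", "age": 51, "zip": "80202", "purchase": 5.00},
    {"email": "alice@example.com", "ssn": "123-45-6789", "age": 34, "zip": "80202", "purchase": 42.50},
]

# Data minimization: the (assumed) analytics purpose needs only these fields.
NEEDED_FIELDS = ("age", "zip", "purchase")


def _normalize(identifier: str) -> bytes:
    # Trim and lower-case so "Alice@" and "alice@" map to the same subject.
    return identifier.strip().lower().encode()


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the identifier under a secret key that is
    stored separately from the data set. Equal inputs give equal tokens, so the
    records of one person can still be joined, but without the key nobody can
    recompute or reverse the token."""
    return hmac.new(key, _normalize(identifier), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier, shown only for contrast: it needs no
    secret, so anyone holding a list of candidate e-mail addresses can
    recompute it and link the token back to the person."""
    return hashlib.sha256(_normalize(identifier)).hexdigest()


def minimize_and_pseudonymize(records, key: bytes):
    """Drop every field the purpose does not need and replace the direct
    identifier (e-mail) with a keyed pseudonym. SSN is never copied at all."""
    out = []
    for rec in records:
        row = {name: rec[name] for name in NEEDED_FIELDS}
        row["subject_id"] = pseudonymize(rec["email"], key)
        out.append(row)
    return out


def linkable_without_key(token: str, candidates) -> bool:
    """DPIA check: can the token be matched to a known identifier using only
    public inputs (no key)? True means the 'pseudonym' is really just a hash
    and does not reduce re-identification risk for low-entropy identifiers."""
    return any(unkeyed_hash(c) == token for c in candidates)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in practice a managed, access-controlled secret
    for row in minimize_and_pseudonymize(RAW_RECORDS, key):
        print(row)
    known = ["bob@example.com", "alice@example.com"]
    print("unkeyed token linkable:", linkable_without_key(unkeyed_hash("alice@example.com"), known))
    print("keyed token linkable:  ", linkable_without_key(pseudonymize("alice@example.com", key), known))
```

The token stays stable across records of the same person (so the minimized table is still useful), while the key, not the data, is what must be protected and eventually destroyed; this is also why the paper notes that managing encryption keys is itself a challenge.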

As seen in the privacy challenges, organizations now need to establish a Privacy Governance Program, with a senior person taking responsibility for the program and involving all organization stakeholders. The tools discussed later can be very helpful in privacy governance. Organizations should make a periodic internal and external independent audit mandatory, to understand their level of maturity and of compliance with the applicable privacy mandates.

Data Privacy Impact Assessment (DPIA)

A Data Privacy Impact Assessment (DPIA) is a type of impact assessment which is typically designed to accomplish three main goals:

  • Identify and evaluate data privacy risks and the impact a data breach or other incident would have, should one happen.
  • Identify appropriate privacy controls to mitigate unacceptable risks.
  • Understand what aspects to monitor to ensure conformance with applicable legal, regulatory, and policy requirements for privacy, e.g. GDPR, CCPA, HIPAA, etc.

Data Flows and Data Life Cycle

To conduct an effective Privacy Impact Assessment, it is important to understand and take stock of the entire life cycle of the various data sets that the organization collects, processes, and stores. Many organizations do not define the end of life of their data and keep it indefinitely, which increases the risk of a data breach if the data is not encrypted. Managing encryption keys can be a challenge too. Hence it is important for organizations to take stock of all organizational data, define its end of life, and define data deletion procedures for the end of the data life cycle. To understand the data life cycle, it is also important to understand the data flows for every specific data set.
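The inventory this paragraph calls for can be kept as structured records and reviewed mechanically. The Python below is an added example (not Accedere Inc’s code or tooling). It assumes a constructed inventory of three data sets, each with an accountable owner, the personal-data categories held, a collection date, a retention period (or none), an encrypted-at-rest flag and the recipients it flows to together with whether vendor due diligence was completed. The review reports data sets with no defined end of life, data sets past their retention date that the deletion procedure should have removed, and data flows to unvetted recipients; unencrypted data sets are rated higher, following the paper’s point that undeleted data is a bigger breach risk when it is not encrypted.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class DataSet:
    """One entry in the organization's data inventory (constructed schema)."""
    name: str
    owner: str                      # accountable business owner
    categories: tuple               # personal-data categories held
    collected_on: date              # start of the data life cycle
    retention_days: Optional[int]   # None = no end of life has been defined
    encrypted_at_rest: bool
    flows_to: tuple = ()            # (recipient, due_diligence_done) pairs


@dataclass(frozen=True)
class Finding:
    dataset: str
    issue: str
    severity: str
    action: str


def end_of_life(ds: DataSet) -> Optional[date]:
    """Date after which the deletion procedure must run, or None if undefined."""
    if ds.retention_days is None:
        return None
    return ds.collected_on + timedelta(days=ds.retention_days)


def assess_life_cycle(inventory, today: date):
    """Walk the inventory and report every data set that has no defined end of
    life, is past its retention period, or flows to an unvetted recipient.
    Unencrypted data sets are rated higher because a breach exposes them directly."""
    findings = []
    for ds in inventory:
        exposure = "high" if not ds.encrypted_at_rest else "medium"
        eol = end_of_life(ds)
        if eol is None:
            findings.append(Finding(ds.name, "NO_END_OF_LIFE", exposure,
                                    "define retention period and deletion procedure"))
        elif today > eol:
            findings.append(Finding(ds.name, "PAST_RETENTION", exposure,
                                    f"run deletion procedure (was due {eol.isoformat()})"))
        for recipient, vetted in ds.flows_to:
            if not vetted:
                findings.append(Finding(ds.name, "UNVETTED_DATA_FLOW", "high",
                                        f"complete vendor due diligence for {recipient}"))
    return findings


# Constructed inventory and review date (not from the paper).
INVENTORY = [
    DataSet("crm_contacts", "sales", ("name", "email", "phone"),
            date(2018, 1, 15), 730, True, (("mail-vendor", True),)),
    DataSet("support_tickets", "customer-care", ("name", "email", "free text"),
            date(2019, 9, 1), None, False, (("analytics-csp", False),)),
    DataSet("payroll", "hr", ("name", "bank account", "tax id"),
            date(2020, 3, 1), 7 * 365, True),
]
REVIEW_DATE = date(2020, 6, 1)


if __name__ == "__main__":
    for f in assess_life_cycle(INVENTORY, REVIEW_DATE):
        print(f"{f.severity:6} {f.dataset:16} {f.issue:18} -> {f.action}")
```

Run on the constructed inventory, the review flags the CRM contacts as past retention, the support tickets both as having no end of life and as flowing to an unvetted provider, and leaves payroll clean; the same walk, run periodically, is what turns a one-off DPIA into ongoing monitoring of the data life cycle.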