General Data Protection Regulation

Privacy has grabbed the attention of Boards of Directors (BoDs) across regions as organizations look to comply with new privacy regulations and compliance mandates such as GDPR, CCPA (the California Consumer Privacy Act), the Colorado Privacy Act, the New York Privacy Act, the India Data Protection Bill, other US privacy laws, and other global privacy mandates. Privacy is the trending buzzword, and the potential impact is very real. Personal data were processed for political and economic reasons without users' consent, as happened in the Cambridge Analytica scandal. In view of such recent incidents, and the failure of the EU Safe Harbor and Privacy Shield frameworks to provide real protection, privacy laws are now changing and becoming more stringent. The magnitude of recent GDPR fines has added to the privacy complexity.

After GDPR, new privacy laws have been enacted, such as the US California Consumer Privacy Act (CCPA), the Brazilian General Data Protection Law (LGPD), and the India Data Protection Bill, and many more are planned. Despite these new regulations, HIPAA breaches and violations continue to occur every year, and HIPAA/HITECH fines continue to rise. It may be prudent for organizations to be more proactive and adopt privacy governance measures to comply with such laws. Tools such as COBIT, ISO 27701, and SOC 2 for Privacy can provide assurance to internal and external stakeholders, help with the governance and risk management of the overall privacy program, and support compliance with HIPAA, GDPR, CCPA, and other privacy mandates such as the Colorado Privacy Act, the New York Privacy Act, the India Data Protection Bill, and other US and global privacy laws.

Until recently, the majority of organizations relied primarily on their legal team to manage privacy compliance. Since GDPR the situation has evolved: privacy is no longer just a matter of managing cookies, opt-ins, or opt-outs. Privacy compliance requires a holistic and collaborative approach with team members from Business, IT, Security, Legal, and other functions. Siloed approaches do not work.

Organizations need a Privacy Governance Program with a top-down approach to managing privacy risks and compliance challenges. One IAPP privacy report indicated that less than 50% of organizations have internal or external privacy assurance. Without internal or external privacy audits, organizations may not learn their true privacy maturity until a data breach reveals it the hard way. The same report also suggested that 90% of organizations use third parties (vendors) to store or process data. Some of these vendors may also be Cloud Service Providers (CSPs).

Cloud environments are not safe. One of the top cloud risks is misconfigured servers that lead to data breaches. Another major risk is insecure APIs. Organizations use APIs to transfer data to business partners without a secure architecture in place, and they do so without conducting proper vendor due diligence or evaluating the risks across the data flow lifecycle.

With the above-mentioned privacy mandates, further mandates expected, and increasingly stringent compliance requirements, organizations face greater challenges in the times ahead. The sheer number of privacy and GDPR fines being levied has caused considerable alarm among the Boards of Directors of large organizations.

Concepts such as Privacy by Design, Data Minimization, and Data De-identification through Anonymization or Pseudonymization (including encryption-based methods) raise several implementation challenges.

To overcome privacy challenges, organizations need to establish a Privacy Governance Program with a senior person responsible for the program, involving all organizational stakeholders. Several tools, such as privacy assessment tools and the NIST Privacy Framework discussed in our white paper, can be very helpful in privacy governance. Organizations such as IAPP and ISACA also offer many privacy programs that help overcome privacy challenges. Organizations should make periodic, independent internal and external audits mandatory in order to understand their level of maturity and compliance with the applicable privacy mandates.