Increasing Privacy Concerns


Privacy has grabbed the attention of Boards of Directors (BoDs) across regions as organizations look to comply with new privacy regulations and compliance mandates such as GDPR, CCPA, and others. Privacy is the new buzzword, and the potential impact is very real. Personal data have been processed for political and economic ends without users’ consent, as happened in the Cambridge Analytica case. In view of such incidents, and the failure of the EU Safe Harbor and Privacy Shield arrangements to provide real protection, privacy laws are changing and becoming more stringent.

After GDPR, new privacy laws have been enacted, such as the US California Consumer Privacy Act (CCPA) and the Brazilian General Data Protection Law (LGPD); India’s Data Protection Bill and many more are planned. Despite these new regulations, HIPAA, the US health care privacy requirement, continues to see several breaches and violations every year, and HIPAA/HITECH fines continue to rise. It may be prudent for organizations to be more proactive and adopt privacy governance measures to comply with such laws. Frameworks such as COBIT, ISO 27701, and SOC 2 for Privacy can provide assurance to internal and external stakeholders, help with the governance and risk management of the overall privacy program, and support compliance with HIPAA, GDPR, CCPA, and other privacy mandates.

Some Top Privacy Fines

Organization        Amount in $     Reason
                    5 billion       Cambridge Analytica
                    700 million     Data Breach
British Airways     230 million     Data Breach
                    148 million     Data Breach
                    124 million     Data Breach
                    117.5 million   Data Breach
Google (YouTube)    200 million     Children’s Privacy Violation (COPPA)

Privacy Compliance Challenges

Until recently, the majority of organizations relied mainly on the legal team to manage privacy compliance. Since GDPR the situation has evolved: privacy is no longer just managing cookies or opt-ins and opt-outs. Privacy compliance requires a holistic and collaborative approach with team members from Business, IT, Security, Legal, and others. A siloed approach does not work.

Organizations need a Privacy Governance Program with a top-down approach to manage privacy risks and compliance challenges. The IAPP-EY 2019 report indicated that less than 50% of organizations have internal or external assurance for privacy. Without internal or external privacy audits, organizations may not know their privacy maturity and may only find out the hard way, when they suffer a data breach. The same report also found that 90% of organizations use third parties (vendors) to store or process data. Some of these vendors may also be Cloud Service Providers (CSPs).

The cloud environment is not safe either. One of the top cloud risks is misconfigured servers and storage that lead to data breaches. Another major risk is insecure APIs: organizations use APIs to transfer data to business partners without a secure architecture in place, without conducting proper vendor due diligence, and without evaluating the risks across the data flow lifecycle.

Privacy Compliance requirements

With increasing privacy mandates and stringent compliance requirements, organizations are facing more challenging times ahead. The sheer size of the privacy fines being levied has created enough alarm amongst the Boards of Directors of large organizations.

Concepts such as Privacy by Design, Data Minimization, and Data De-identification through anonymization or pseudonymization (for example keyed tokenization or encryption of identifiers) are causing several implementation challenges.
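The distinction between pseudonymization and anonymization is where most implementation mistakes happen, so here is an added worked example (not code from the original page or from any product it mentions). It uses constructed sample records, a hypothetical pseudonymization key held apart from the data, and stdlib hashing only. It shows that an unkeyed hash of an e-mail address is not adequate pseudonymization (it is reversed by a dictionary attack), that an HMAC with a separately held key keeps records linkable while making re-identification depend on the key, and that anonymization by generalization has no key at all and is measured by k-anonymity over the quasi-identifiers.

```python
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records for illustration; no real people.
RECORDS = [
    {"email": "alice@example.com", "postcode": "SW1A 1AA", "age": 34, "diagnosis": "asthma"},
    {"email": "bob@example.com",   "postcode": "SW1A 2BB", "age": 37, "diagnosis": "asthma"},
    {"email": "carol@example.com", "postcode": "EC1A 1BB", "age": 52, "diagnosis": "diabetes"},
    {"email": "dave@example.com",  "postcode": "EC1A 4CC", "age": 55, "diagnosis": "diabetes"},
]


def weak_token(email):
    """Unkeyed SHA-256 of the identifier. Deterministic and key-free, so anyone
    who can enumerate plausible e-mail addresses can reverse it."""
    return hashlib.sha256(email.lower().encode()).hexdigest()


def keyed_token(email, key):
    """HMAC-SHA256 pseudonym. Records stay linkable (same e-mail, same token),
    but re-identification needs the key, which is stored apart from the data."""
    return hmac.new(key, email.lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(token, candidates):
    """Re-identify an unkeyed token by hashing guessable candidates."""
    for email in candidates:
        if weak_token(email) == token:
            return email
    return None


def pseudonymise(records, key):
    """Replace the direct identifier with a keyed token; the rest is unchanged."""
    out = []
    for r in records:
        row = dict(r)
        row["subject_id"] = keyed_token(row.pop("email"), key)
        out.append(row)
    return out


def anonymise(records):
    """Generalisation: drop the identifier and coarsen the quasi-identifiers
    (postcode area, 10-year age band) so that individuals fall into groups.
    No key exists, so this cannot be reversed."""
    out = []
    for r in records:
        band = r["age"] // 10 * 10
        out.append({"postcode_area": r["postcode"].split()[0],
                    "age_band": f"{band}-{band + 9}",
                    "diagnosis": r["diagnosis"]})
    return out


def k_anonymity(rows, quasi_identifiers):
    """Smallest group sharing a quasi-identifier combination; k=1 means someone
    is unique and the data is not effectively anonymised."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)
    return min(groups.values())


if __name__ == "__main__":
    key = secrets.token_bytes(32)   # in production: from a KMS/HSM, never stored next to the data
    known = [r["email"] for r in RECORDS]
    print("weak token reversed to:", dictionary_attack(weak_token("alice@example.com"), known))
    print("keyed token reversed to:", dictionary_attack(keyed_token("alice@example.com", key), known))
    print(pseudonymise(RECORDS, key)[0])
    print("k =", k_anonymity(anonymise(RECORDS), ("postcode_area", "age_band")))
```

Pseudonymized data is still personal data under GDPR because the key exists; the governance consequence is that the key store, not the data set, is what must be access-controlled and audited. Anonymized output is only as safe as its k value across every combination of quasi-identifiers an attacker could know.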

To overcome these privacy challenges, organizations need to establish a Privacy Governance Program with a senior person taking responsibility for the program and involving all organizational stakeholders. Several tools discussed in our white paper can be very helpful in privacy governance. Periodic internal and external independent audits should be made mandatory so that organizations understand their level of maturity and of compliance with the applicable privacy mandates.

Data Privacy Impact Assessment (DPIA)

A Data Privacy Impact Assessment (DPIA; GDPR Article 35 calls it a Data Protection Impact Assessment) is a type of impact assessment typically designed to accomplish three main goals:

  • Identify and evaluate the privacy risks to personal data and the impact of a data breach or other incident, should one happen.
  • Identify appropriate privacy controls to mitigate unacceptable risks.
  • Determine what to monitor to ensure conformance with applicable legal, regulatory, and policy requirements for privacy, e.g. GDPR, CCPA, HIPAA.

Information Flows and Data Life Cycle

To conduct an effective Privacy Impact Assessment, it is important to understand and take stock of the entire data life cycle of the many data sets the organization collects, processes, and stores. Many organizations do not define an end of life for their data and keep it indefinitely, which increases the impact of a data breach, especially if the data is not encrypted. Managing encryption keys is itself a challenge, and it cuts both ways: losing a key loses the data, while deliberately destroying the key is the only reliable way to delete data that has been copied into backups. Hence organizations should inventory all their data, define its end of life, and define the deletion procedures that apply at the end of the data life cycle. To understand the data life cycle, it is also important to map the data flows for every specific data set.
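The retention and deletion step above is where the data life cycle and key management meet, so here is an added worked example (not code from the original page or from any organization it describes). It assumes a hypothetical data inventory with a collection date and retention period per data set, a per-data-set data key held in a separate key store, and a deliberately toy keystream cipher built from SHA-256 so that the example runs offline with the standard library only. It shows a retention check that returns which data sets are past their end of life, and crypto-shredding: end-of-life deletion is done by destroying the data set's key, which makes every copy of the ciphertext, including backups, unrecoverable.

```python
import hashlib
import secrets
from datetime import date, timedelta

# Constructed data inventory (records of processing) for illustration; not a real organization.
INVENTORY = [
    {"dataset": "marketing_leads", "purpose": "direct marketing",
     "collected": date(2019, 1, 15), "retention_days": 365},
    {"dataset": "payroll", "purpose": "employment",
     "collected": date(2019, 6, 1), "retention_days": 7 * 365},
    {"dataset": "web_logs", "purpose": "security monitoring",
     "collected": date(2020, 1, 1), "retention_days": 90},
]
AUDIT_DATE = date(2020, 3, 1)   # hypothetical date on which retention is enforced


def end_of_life(entry):
    """Date after which the data set must no longer be held."""
    return entry["collected"] + timedelta(days=entry["retention_days"])


def overdue(inventory, today):
    """Data sets whose retention period has already elapsed."""
    return [e["dataset"] for e in inventory if end_of_life(e) < today]


def _keystream(key, n):
    # Toy keystream: SHA-256(key || counter). Illustrative only; a real system
    # uses AES-GCM (or similar) from a vetted library.
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def toy_encrypt(key, data):
    """XOR with the toy keystream; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


class DataStore:
    """Each data set is encrypted under its own data key. Keys live in a
    separate store (a KMS/HSM in practice); ciphertext may be copied to
    backups freely, because destroying the key renders every copy useless."""

    def __init__(self):
        self.keys = {}    # hypothetical key store, separate from the data
        self.blobs = {}   # ciphertext, possibly replicated to backups

    def write(self, dataset, plaintext):
        key = self.keys.setdefault(dataset, secrets.token_bytes(32))
        self.blobs[dataset] = toy_encrypt(key, plaintext)

    def read(self, dataset):
        return toy_encrypt(self.keys[dataset], self.blobs[dataset])  # KeyError once shredded

    def shred(self, dataset):
        """Crypto-shredding: delete the key, not (only) the ciphertext."""
        del self.keys[dataset]

    def is_readable(self, dataset):
        return dataset in self.keys and dataset in self.blobs


def enforce_retention(store, inventory, today):
    """Shred every data set past its end of life; return what was shredded."""
    shredded = []
    for name in overdue(inventory, today):
        if name in store.keys:
            store.shred(name)
            shredded.append(name)
    return shredded


if __name__ == "__main__":
    store = DataStore()
    for e in INVENTORY:
        store.write(e["dataset"], f"contents of {e['dataset']}".encode())
    print("shredded:", enforce_retention(store, INVENTORY, AUDIT_DATE))
    print("payroll readable:", store.is_readable("payroll"))
    print("marketing_leads readable:", store.is_readable("marketing_leads"))
```

The design choice worth noting is one key per data set (or per data subject, where individual erasure requests must be honoured): a single organization-wide key would make selective deletion impossible without re-encrypting everything else, and the key store's own backup and access policy becomes part of the deletion procedure that the DPIA has to document.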