Increasing Privacy Concerns

GDPR, GDPR Fines, CCPA California Privacy,
Privacy Audits, Colorado Privacy Act, New York
Privacy Act, India Data Protection Bill, Privacy
Assessment tool, NIST Privacy Framework, US
Privacy laws, IAPP Privacy, ISACA Privacy, HIPAA

Privacy has grabbed the attention of Boards of Directors (BoDs) across regions as organizations look to comply with new privacy regulations and compliance mandates such as GDPR, the CCPA (California Privacy Act), the Colorado Privacy Act, the New York Privacy Act, the India Data Protection Bill, other US privacy laws, and global privacy mandates. Privacy is the trending buzzword, and the potential impact is very real. Personal data have been processed for political and economic purposes without users' consent, as happened in the Cambridge Analytica case. In view of such incidents, and of the failure of the EU Safe Harbor and Privacy Shield arrangements to provide real protection, privacy laws are changing and becoming more stringent. The magnitude of recent GDPR fines has added to the privacy complexity.

After GDPR, new privacy laws have been enacted, such as the US California Consumer Privacy Act (CCPA California Privacy), the Brazilian General Data Protection Law (LGPD), and the India Data Protection Bill, and many more are planned. Despite these newer regulations, the healthcare privacy requirements of HIPAA continue to see several breaches and violations every year, and HIPAA HITECH fines continue to rise. It may be prudent for organizations to be more proactive and adopt measures for privacy governance to comply with such laws. Frameworks such as COBIT, ISO 27701, and SOC 2 for Privacy can provide assurance to internal and external stakeholders, help govern and manage the risks of the overall privacy program, and support compliance with HIPAA, GDPR, CCPA California Privacy, and other privacy mandates such as the Colorado Privacy Act, the New York Privacy Act, the India Data Protection Bill, and other US and global privacy laws.

Organization       Amount in $     Penalizing Agency   Issue
-----------------  --------------  ------------------  ------------------------------------
Facebook           5 billion       FTC                 Cambridge Analytica
Equifax            700 million     FTC                 Data Breach
British Airways    230 million     ICO                 Data Breach
Uber               148 million     FTC                 Data Breach
Marriott           124 million     ICO                 Data Breach
Yahoo              117.5 million   FTC                 Data Breach
Google (YouTube)   200 million     FTC                 Children's Privacy Violation (COPPA)

Privacy Compliance Challenges

Until recently, the majority of organizations relied primarily on their legal team to manage privacy compliance. Since GDPR the situation has evolved, as privacy is no longer just about managing cookies, opt-ins, or opt-outs. Privacy compliance requires a holistic and collaborative approach with team members from Business, IT, Security, Legal, and other functions. Siloed approaches do not work.

Organizations need a Privacy Governance Program with a top-down approach to managing privacy risks and compliance challenges. One IAPP privacy report indicated that less than 50% of organizations have internal or external privacy assurance. Without internal or external privacy audits, organizations may not understand their privacy maturity until they find out the hard way, through a data breach. The same report also suggested that 90% of organizations use third parties (vendors) to store or process data. Some of these vendors may also be Cloud Service Providers (CSPs).

The cloud environment is not inherently safe either. One of the top cloud risks is misconfigured servers that lead to data breaches. Another major risk is insecure APIs: organizations use APIs to transfer data to business partners without a secure architecture in place, without conducting proper vendor due diligence, and without evaluating the risks across the data flow lifecycle.

Privacy Compliance Requirements

With the above-mentioned privacy mandates, further mandates expected in the near future, and increasingly stringent compliance requirements, organizations face greater challenges in the times ahead. The sheer amount of privacy and GDPR fines being levied has caused considerable alarm among the Boards of Directors of large organizations.

Concepts such as Privacy by Design, Data Minimization, and Data De-identification through anonymization or pseudonymization (including encryption-based methods) present several implementation challenges.
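To make the de-identification distinction concrete, the following added example (not code from the original page) contrasts a keyed pseudonym with a naive unkeyed hash, and then applies a simple anonymization step (generalizing quasi-identifiers and suppressing small groups). The sample records, the category names and the key handling are constructed for illustration; in practice the pseudonymization key is held in a separate key store from the pseudonymized data, which is exactly the key-management burden the text refers to.

```python
"""Pseudonymization vs. anonymization on a constructed customer data set (added example)."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed sample records, of the kind a data inventory would list.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "age": 34, "zip": "80202", "diagnosis": "flu"},
    {"email": "bob@example.com",   "age": 37, "zip": "80203", "diagnosis": "flu"},
    {"email": "carol@example.com", "age": 52, "zip": "10001", "diagnosis": "asthma"},
    {"email": "dave@example.com",  "age": 58, "zip": "10002", "diagnosis": "asthma"},
]


def new_pseudonym_key() -> bytes:
    """Generate a fresh 256-bit key. It must be stored separately from the
    pseudonymized data set; whoever holds it can re-link records to people."""
    return secrets.token_bytes(32)


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). Deterministic, so records about the same
    person still join, but without the key a guessed identifier cannot be
    recomputed and matched against the stored value."""
    digest = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 is NOT pseudonymization: e-mail addresses are guessable,
    so anyone can recompute the hash of a candidate address and compare."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()[:16]


def pseudonymize_records(records, key: bytes):
    """Replace the direct identifier with a keyed pseudonym; other fields stay."""
    out = []
    for rec in records:
        rec = dict(rec)
        rec["subject_id"] = pseudonymize(rec.pop("email"), key)
        out.append(rec)
    return out


def generalize(record):
    """Coarsen quasi-identifiers: age to a 10-year band, ZIP to a 3-digit prefix."""
    rec = dict(record)
    low = record["age"] // 10 * 10
    rec["age"] = f"{low}-{low + 9}"
    rec["zip"] = record["zip"][:3] + "**"
    return rec


def anonymize(records, k: int = 2):
    """Drop direct identifiers, generalize quasi-identifiers, and suppress any
    (age band, ZIP prefix) group with fewer than k records, so no released row
    is unique on its quasi-identifiers (a k-anonymity style check)."""
    generalized = []
    for rec in records:
        rec = dict(rec)
        rec.pop("email", None)
        rec.pop("subject_id", None)
        generalized.append(generalize(rec))
    group_sizes = Counter((r["age"], r["zip"]) for r in generalized)
    return [r for r in generalized if group_sizes[(r["age"], r["zip"])] >= k]


if __name__ == "__main__":
    key = new_pseudonym_key()
    for row in pseudonymize_records(SAMPLE_RECORDS, key):
        print(row)
    for row in anonymize(SAMPLE_RECORDS, k=2):
        print(row)
```

The pseudonymized output is still personal data under GDPR (the controller can re-identify it with the key), whereas the anonymized output has had both the direct identifier and the fine-grained quasi-identifiers removed; raising `k` trades utility for stronger suppression.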

To overcome privacy challenges, organizations need to establish a Privacy Governance Program with a senior person responsible for it, involving all organizational stakeholders. Several tools, such as privacy assessment tools and the NIST Privacy Framework discussed in our white paper, can be very helpful in privacy governance. Organizations such as IAPP and ISACA also offer many privacy programs that help overcome privacy challenges. Organizations should make periodic internal and external independent audits mandatory to understand their level of maturity and compliance with the applicable privacy mandates.

Data Privacy Impact Assessment (DPIA)

A Data Privacy Impact Assessment (DPIA) is a type of impact assessment which is typically designed to accomplish three main goals:

  • Identify and evaluate data privacy risks and the impact that a data breach or other incident would have, should one occur.
  • Identify appropriate privacy controls to mitigate unacceptable risks.
  • Understand what aspects to monitor to ensure conformance with applicable legal, regulatory, and policy requirements for privacy, e.g. GDPR, CCPA, HIPAA.

Information Flows and Data Life Cycle

To conduct an effective Privacy Impact Assessment, it is imperative to understand and take stock of the entire data life cycle of the various types of data that the organization collects, processes, and stores. Many organizations do not define the end of life of their data and keep it forever, which increases the risk of a data breach, especially if the data is not encrypted; managing encryption keys can also be challenging. Hence it is important for organizations to take stock of all of the organization's data, define its end of life, and define the deletion procedures that apply at the end of the data life cycle. To understand the data life cycle, it is also important to understand the data flows for every specific data set. The NIST Privacy Tool can help organizations achieve this objective.
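The following added example (not from the original page or the NIST tool) shows what a minimal data-inventory review looks like in code: each data set carries its category, collection date, encryption status and the downstream recipients it flows to; a retention policy per category defines end of life. The review flags data sets due for deletion, data sets whose category has no defined retention (the "keep forever" failure mode), and unencrypted data sets, and a deletion plan includes every downstream copy, since deleting only the local copy leaves the flow's recipients holding the data. The inventory, categories and dates are constructed for illustration.

```python
"""Retention and data-flow review over a constructed data inventory (added example)."""
from datetime import date, timedelta

# Retention policy in days after collection, per data category.
# None means no end of life has been defined, the gap the review must surface.
RETENTION_DAYS = {
    "marketing_leads": 365,
    "support_tickets": 730,
    "server_logs": 90,
    "legacy_exports": None,
}

# Constructed inventory: one entry per data set, with its downstream flows.
INVENTORY = [
    {"dataset": "crm-leads", "category": "marketing_leads",
     "collected": date(2022, 1, 10), "encrypted": True, "flows_to": ["crm-vendor"]},
    {"dataset": "helpdesk-tickets", "category": "support_tickets",
     "collected": date(2021, 3, 1), "encrypted": True, "flows_to": []},
    {"dataset": "web-access-logs", "category": "server_logs",
     "collected": date(2023, 6, 1), "encrypted": False, "flows_to": ["siem"]},
    {"dataset": "old-customer-dump", "category": "legacy_exports",
     "collected": date(2019, 5, 20), "encrypted": False, "flows_to": ["analytics-partner"]},
]


def expiry_date(item, policy):
    """End of life for a data set, or None if its category has no retention defined."""
    days = policy.get(item["category"])
    if days is None:
        return None
    return item["collected"] + timedelta(days=days)


def review_inventory(inventory, policy, today):
    """Return the findings a DPIA reviewer would act on, keyed by finding type."""
    findings = {"delete": [], "undefined_retention": [], "unencrypted": []}
    for item in inventory:
        expiry = expiry_date(item, policy)
        if expiry is None:
            findings["undefined_retention"].append(item["dataset"])
        elif today >= expiry:
            findings["delete"].append(item["dataset"])
        if not item["encrypted"]:
            findings["unencrypted"].append(item["dataset"])
    return findings


def deletion_plan(inventory, due_for_deletion):
    """For each data set due for deletion, list every location that must act:
    the local store plus each recipient the data set flows to."""
    by_name = {item["dataset"]: item for item in inventory}
    return {name: [name] + list(by_name[name]["flows_to"]) for name in due_for_deletion}


if __name__ == "__main__":
    result = review_inventory(INVENTORY, RETENTION_DAYS, date(2023, 7, 1))
    print(result)
    print(deletion_plan(INVENTORY, result["delete"]))
```

Run against the constructed inventory on 2023-07-01, the review reports the two data sets past their retention date, the legacy export with no defined end of life, and the two unencrypted data sets; the deletion plan for the CRM leads includes the CRM vendor copy, which is where an API-based data flow without vendor due diligence would otherwise be missed.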

Our Privacy Compliance Services

  • SOC 2 for Privacy by AICPA, using the Trust Services Criteria for Privacy. These were formerly known as the Generally Accepted Privacy Principles (GAPP) by AICPA.
  • ISO 27701 certification, also known as a Privacy Information Management System (PIMS).
  • HIPAA, GDPR, and CCPA California Privacy internal or external audit services.