Privacy breaches are on the rise. Most (or all) of you reading this have likely received notice that your personal data has been breached. Some of you may have fallen victim to identity theft. Regardless, it’s unnerving when a company notifies you that your personal information has been accessed or stolen by an unauthorized party. In the age of digital transformation, privacy awareness is on the rise and related legal obligations have taken center stage. Thus, a solid privacy and data protection program will help better protect personal information, build a foundation to mitigate data risks and establish trust with data subjects and consumers.
For those in the United States, privacy has been understood as an individual’s fundamental right for many years and, in a broad sense, is the right to be left alone. However, information privacy is a newer concept. Information privacy is concerned with establishing the rules that govern the collection, use, disclosure, retention and disposal of personally identifiable information (PII). It gives an individual the right to have some control over how their personal information is collected and used, which means that data identification, classification, governance, IT controls and information lifecycle management are critical to mitigating data and privacy risks.
When building a data protection program and its associated policies and standards, it is good practice to adopt the Fair Information Practice Principles (FIPPs), a set of guidelines for handling, storing and managing personal information. FIPPs are organized into four categories and can serve as a foundation for protecting personal data:
• Rights of individuals – the company provides clear notice, choice and consent to how personal data is used, and the ability for an individual to request access to their data
• Controls on the information – the company ensures that there is a level of care around information security, IT controls, and that the data maintains its integrity and quality
• Information lifecycle – the company has defined collection practices, uses the data for legitimate purposes, retains data for legal, business or compliance purposes that are aligned with regulations, and destroys data when it should be
• Management – the company has a plan to manage and administer their privacy program, can monitor the program to ensure they are meeting their compliance obligations, and can enforce their program’s policies.
To build a holistic data protection program, it is important to first determine what the organization considers PII, particularly as it relates to applicable law. Typically, personal information includes name, gender, postal address, telephone number, email address, age and date of birth, marital status, citizenship, and government-issued identification numbers. In certain jurisdictions, PII may also include other information that can reasonably be linked to an individual, such as IP address, location, and other device data. Then, the organization needs to determine what it considers sensitive information, such as health information or financial data. Once those terms are defined, the project team should build their Data Protection Framework.
Above is BDO Digital’s Data Protection Framework, which allows an organization to manage individual rights and data protection obligations by looking at the organization’s obligations from a holistic perspective. Outlined below is a checklist to get started.
• Governance – There should be a culture of compliance, accountability and ownership of policies, combined with a tone at the top that supports data protection and compliance initiatives.
• Privacy Operations – The program should not only include a Global Privacy Office but should also involve the business units and operations that support privacy needs. This is a good area to consider outsourced operations and technology to drive down cost.
• Privacy by Design – Each process and system that collects, stores and/or uses personal data should be designed with privacy in mind: preventative rather than remedial, privacy as the default setting, privacy embedded into the design, full functionality despite increased privacy controls, end-to-end security, and visibility and transparency for the users.
• Notice – Ensure that public notices describe how the organization collects, uses, retains, and discloses personal information. It is critical that the organization follows the guidelines it publishes.
• Consent Management – The organization’s websites or apps should enable the individual to grant consent when information gathering is required.
• Rights Requests & Complaints – Under many laws, such as the EU General Data Protection Regulation (GDPR), you are required to allow individuals to gain access to or request deletion of their personal records. Additionally, the organization must allow individuals to file a complaint if they suspect that their individual rights have been violated.
• Data Management – At the core of any good data protection program is data management. A holistic data protection program’s data management platform should ensure that the company can identify the personal data sources located on its systems and where the data goes (inflows and outflows), builds upon the stated privacy policies, communicates the uses of data, and can be monitored to ensure that appropriate data classification schemas and retention programs are in place. Additionally, the data should only be used for its intended purposes and there should be a legitimate reason for storing it for a given period.
• Data Security – How personal data is handled, and the controls implemented to protect it, are essential to any good data protection program. Ensure that appropriate access controls, encryption, data loss prevention strategies and appropriate authentication mechanisms have been implemented, and always map them to the required data security laws and regulations.
• Incident Management – Incident response is a critical element of any data protection program. Without a sound incident response program, the organization could well be fined as a result of poorly managing an incident. This program not only requires a strong investigative and forensics team, it also requires a sound communications plan, a crisis management team, and incident notification capabilities.
• Vendor Management – Data that flows to third parties should be reviewed, and the practices those vendors employ are critical to fulfilling the organization’s holistic data protection program. Consider how data is handled when it is collected, stored or analyzed by a vendor.
• Training & Awareness – If your employees don’t understand their responsibilities, the program will likely fail. Train team members regularly, especially those who handle personal information, and regularly communicate regulatory changes so that each associate understands the company’s obligations.
• Regulations & Change – Managing change is a challenge for any organization, and monitoring regulatory change is even more challenging. Build a program that implements monitoring on a regular basis, and consider employing outside resources (technologies, service providers, consultants) that can track and manage your new obligations.
At the core of any program will be the organization’s ability to manage, maintain and govern personal data to ensure that it is protected and accessible. Once the holistic program is developed, the company can consider taking a cyclical approach to complying with varying regulations. Companies often approach regulations one at a time, from a linear perspective (e.g., GDPR, CCPA, PIPEDA), rather than as cyclical maintenance (e.g., identify regulatory changes, review the current status of the privacy program, create or update as needed). The combination of a holistic program and continuous monitoring allows the organization to better manage an individual’s rights, comply with regulations and laws, and respond to potential incidents.