It’s Time to Implement a Strategic Data Privacy Plan
When the EU’s General Data Protection Regulation (GDPR) went into effect May 25, 2018, it triggered a wave of privacy legislation around the globe. And businesses everywhere have been scrambling to prepare.
Every organization doing business in the EU must comply with GDPR requirements. In addition, other regions—Brazil, Australia, Japan and Turkey, to name a few—have passed new privacy laws that businesses worldwide also now must follow. In the U.S., California announced the California Consumer Privacy Act (CCPA), which will go into effect Jan. 1, 2020. Other states are following suit with regulations as well.
While the U.S. has yet to initiate a nationwide privacy policy, the Federal Trade Commission (FTC) began a series of probes into the practices of various large, high-tech companies. The scrutiny and resulting congressional hearings related to Facebook and Google highlighted just how much personal data is now out there and how much of it is being bought and sold, unbeknownst to consumers. In recent weeks, the FTC expanded its probe to include internet service providers AT&T, Comcast, Verizon and T-Mobile, which could signal a national privacy regulation is not that far off and should spur organizations in all industries to start making data privacy a priority—if anyone is still dragging their feet.
The sheer number of regulations that companies must comply with has rapidly increased in a short period of time, with geographically specific policies adding layers of complexity to most organizations’ data security operations. Businesses everywhere are waking up to the need to bolster their approach to how they handle employee and customer data. GDPR compliance was really just the beginning.
Consumers too are spurring organizations into action, demanding to know that their data is being treated securely. These consumers have raised the bar in terms of what they expect from organizations. Failures now mean class action lawsuits, as British Airways discovered after a hacker stole payment card data associated with 380,000 transactions. The GDPR not only requires organizations to notify authorities within 72 hours when they suspect a breach, but it also gives Europeans compensation rights.
Data Privacy: How to Get Started
Thinking about information policies is one thing, but knowing how to begin to refine them is another entirely. Adding to the complexity in global regulations is the enormous amount of data that your organization generates daily. Business is built on and carried out with information. We draw up plans and presentations and spreadsheets. We write reports and send emails, all of which can contain sensitive business information as well as personally identifiable information (PII). Some of it belongs to the business itself, some belongs to employees or to our customers.
Information-handling has gotten cumbersome for most organizations. Businesses are generating so much data that companies don’t even know where all their data resides or what type of information all those files and folders contain. While structured data—such as credit card information and Social Security numbers—can be fairly easily tracked and protected, unstructured data is much more difficult to safeguard.
Unstructured data is information buried deep within the documents and emails mentioned above. It includes details about people and business sometimes written in prose or as notes, so it’s not easily plucked out and secured. One of the biggest obstacles to a well-defined information-handling strategy is that many organizations struggle to accurately identify sensitive data as employees use and share it in their day-to-day work.
Organizations need to create and deploy reliable processes for improving information-handling to help people understand what data they’ve got, where it is stored and how sensitive it is. They also need tools to help ensure that it is protected.
The risks of poor information handling are enormous, from enabling a large-scale hack to allowing unfortunate employee errors. So what can organizations do to avoid fines, customer liability and expensive breach recoveries?
5 Things Businesses Can Do
Organizations need to nurture an internal culture for data categorization and risk assessment. Executives and business stakeholders as well as IT leaders must fully understand the security and privacy risks associated with the data they create, consume and handle. Everyone needs tools and processes built into their day-to-day workflow to help easily recognize privacy risks and deploy safeguards.
Here are five basic ways organizations can implement stronger information-handling policies and prepare to meet the complex range of privacy regulations out there:
Understand the regulations: In short – Do your homework. Get to know the regulations your organization must follow. How does each regulation define personal information? What are the safeguards they require? Where are the commonalities between regulations? Use these details as a starting point for developing a global privacy policy that considers sensitive data from all angles and all regions.
Know where PII resides: Because so much structured and unstructured data is created daily, it can be difficult to know where personal information is located. As noted earlier, unstructured data is usually buried in emails, Word files, presentations and other documents. According to a recent article in the Harvard Business Review, 80% of data analysts’ time is spent simply discovering and preparing data and less than 1% of an organization’s unstructured data is analyzed or used at all. Without knowing what personal data employees generate and where it resides, organizations will have difficulty complying with regulations.
Understand internal politics around data: Different companies have different organizational structures. That said, most have a data team that may be led by a chief data officer (CDO). These executives are tasked with responsibility for the complete life cycle of organizational data. Additionally, they typically understand its value and they know how it functions within the business. Most companies also have a data security team, led by a chief information security officer (CISO). These executives oversee locking down data and systems to ensure sensitive information is not stolen or inadvertently shared publicly. They are ever-alert to the next big malware attack and work to keep security technologies up to date across the company. They also manage employee access rights and other internal data security initiatives.
But when it comes to regulations, who oversees what? Regulation requirements can be confusing, and compliance will require a collaboration between data and security teams. It is critical to understand what the company needs to do to meet regulation requirements and then work together to design a path toward compliance. It is essential to name executive ownership of the data privacy program and map out how that person will ensure regulation compliance across the organization. That person will ultimately be accountable in the event of regulatory questions, punitive consequences or data breaches.
Implement data security solutions that streamline compliance processes: Privacy regulation compliance begins by getting a better handle on data. Data identification and categorization tools can provide an understanding what types of data is within an organization; how sensitive each type is and also how each type should be treated to comply with data privacy policies. Rather than add another layer of complexity onto operations, these tools should streamline processes by integrating with any other security tools your organization already uses—such as data loss prevention (DLP) technologies, cloud access security brokers (CASB) and enterprise digital rights management (EDRM) tools.
Consider tools that employ machine learning: It may sound complicated, but machine learning can have the opposite effect on consistent implementation of privacy policies consistently across an organization. With these types of tools, a data steward trains machine learning algorithm to help users identify and label data as they create documents and send emails. Based on the type of data a user is dealing with, the tool then gives an instruction for how to handle the information according to regulations and policies. As policies evolve, the data steward retrains the algorithms to help make the data categorization tools more effective. As the tools become smarter and smarter, certain aspects of policy management can be automated.
Ultimately, businesses must be able to identify sensitive information across their enterprise—at creation and at rest. They need to encrypt and protect that information when it is in motion, whether it’s being emailed or uploaded to a cloud repository. And they need to apply identity and access technologies to ensure that all data is being shared with the appropriate people.
By getting ahead of the game and implementing a foundation of data privacy policies that include identification and categorization for better information-handling, organizations can ensure they will be ready to meet any regulations regardless of which region initiated them.
