8 Frequently Asked Questions on Organizations' Data Protection Programs
Adherence to data protection regulations requires a multidisciplinary approach that has the commitment of all employees. Expect to be asked questions like these.
The global privacy landscape has shifted significantly in recent years. Kicked off by the European Union's General Data Protection Regulation (GDPR), jurisdictions around the world are establishing their own regulations, such as the California Consumer Privacy Act (CCPA) in the US, the Lei Geral de Proteção de Dados (LGPD) in Brazil, and the Personal Data Protection Act (PDPA) in Thailand. Simultaneously, organizations are taking data protection more seriously, with Gartner research finding privacy budgets averaging $1.7 million per year.
Adherence to data protection regulations requires a multidisciplinary approach that has the support and commitment of all stakeholders, including every employee. Here are some of the most frequently asked questions about data protection facing security and privacy leaders. Although some may seem simple at face value, it's important to provide responses that reinforce privacy regulations across the entire organization.
1. What is considered "personal data" and what does it mean to "process" it?
"Personal data" includes not only directly identifiable data, such as names, addresses, and Social Security numbers but also information that can be linked together to identify an individual, such as a salary slip that lists an employee record number as an identifier.
Any action on data may be considered processing. This includes analyzing, copying, changing, pseudonymizing, transferring, and storing it. The anonymization or destruction of data at the end of its life is also a form of processing.
With a valid purpose and proper controls, almost any data can be processed. However, specific types of personal data are considered more sensitive, such as information on someone's health, sexual preference, religious or political beliefs, and/or ethnicity. This data should be treated very carefully, and processing should be avoided when possible.
2. What is the "data controller" and "data processor?"
The data controller is the organization that determines what personal data is processed, for what purpose(s) and by what means. Part of the processing activities may be outsourced, for example, via infrastructure-as-a-service, software-as-a-service, or conventional outsourcing. Third-party providers that manage data are referred to as the "data processor." A data controller is accountable for the proper processing of personal data by data processor(s) they employ.
3. Who in the organization is responsible for privacy?
Every employee who handles personal data is responsible for its privacy. However, it's critical to place accountability where it belongs — with business leadership. The organization should appoint business process owners tasked with making risk-based decisions. Their responsibilities will include conducting periodical privacy impact and risk assessments, and addressing whether the outcome is within the organization's risk appetite.
Many leading organizations also have a dedicated privacy lead. The privacy or data protection officer (DPO) position is established not only for the protection of data but also to develop and implement the organization's privacy policies and processes. Representing the regulatory authority internally, the DPO assists organizations in complying with their legal obligations and addressing principles such as openness, fairness, and transparency.
4. What is a data protection impact assessment?
A data protection impact assessment is a tool used to identify and reduce privacy risks in any given project or program. It is a "living document" used to record the management of privacy risks at different points in time in a project's or program's life cycle. It should be conducted for every initiative that pertains to the processing of personal data.
5. Are there limits to where we can store data and for how long?
Privacy and data protection laws vary by jurisdiction and may include limitations as to where data can be transferred or stored. Personal data can only be kept until the purpose for processing it is achieved and the retention period set for it expires. Then it must be removed either by anonymization or deletion. The retention period for personal data may be prescribed or determined and justified by the organization. As time is a critical success factor for a data breach, retention periods should ideally be as short as possible.
6. Should we update our privacy policy to account for regulatory changes?
Yes. However, there is a difference between a privacy policy and privacy notice — and you should probably update both.
A privacy policy refers to the translation of the strategic documentation into tactical and operational instructions for employees on how to properly handle personal data. A privacy notice is the public-facing documentation. It should be short and comprehensible, and only revised after completion of a proper privacy assessment.
A good privacy notice should, at minimum, include:
An introduction of the data controller
An explanation of the personal data that is processed along with the associated purposes
An explanation for the duration of the applicable retention periods
A description of data processors that are involved on behalf of the data controller
An indication of who to contact with complaints or questions, or when a data subject wishes to exercise his or her rights
7. Our organization fell victim to a data breach. Will we be sanctioned?
Not necessarily. Organizations should assume a data breach will happen, as failproof security does not exist. However, organizations are responsible for applying sufficient measures to demonstrate proper control over personal data.
A data breach should usually be communicated to the regulatory authority and affected subjects. The subsequent investigation, or even the lack of notification to a regulator, may reveal noncompliance that could result in regulatory action.
Executive leaders should ensure their direct reports have a frequently tested response playbook ready for handling data breaches.
8. Are there technology solutions to help us manage our privacy program?
A multitude of vendors have solutions for establishing, maturing, and operationalizing a privacy management program. However, no one solution is the golden ticket to solve all privacy problems. Executive leaders should ask their direct reports to carry out exercises in collaboration with the security and risk management team to determine existing privacy capabilities within their organizations and identify potential gaps. Build a road map based on this assessment to enhance the organization's privacy posture and prioritize areas that would benefit most from technology investment.
About the Author
You May Also Like
Unleashing AI to Assess Cyber Security Risk
Nov 12, 2024Securing Tomorrow, Today: How to Navigate Zero Trust
Nov 13, 2024The State of Attack Surface Management (ASM), Featuring Forrester
Nov 15, 2024Applying the Principle of Least Privilege to the Cloud
Nov 18, 2024The Right Way to Use Artificial Intelligence and Machine Learning in Incident Response
Nov 20, 2024