The global privacy landscape has shifted significantly in recent years. Kicked off by the European Union's General Data Protection Regulation (GDPR), jurisdictions around the world are establishing their own regulations, such as the California Consumer Privacy Act (CCPA) in the US, the Lei Geral de Proteção de Dados (LGPD) in Brazil, and the Personal Data Protection Act (PDPA) in Thailand. Simultaneously, organizations are taking data protection more seriously, with Gartner research finding privacy budgets averaging $1.7 million per year.
Adherence to data protection regulations requires a multidisciplinary approach that has the support and commitment of all stakeholders, including every employee. Here are some of the most frequently asked questions about data protection facing security and privacy leaders. Although some may seem simple at face value, it's important to provide responses that reinforce privacy regulations across the entire organization.
1. What is considered "personal data" and what does it mean to "process" it?
"Personal data" includes not only directly identifiable data, such as names, addresses, and Social Security numbers but also information that can be linked together to identify an individual, such as a salary slip that lists an employee record number as an identifier.
Any action on data may be considered processing. This includes analyzing, copying, changing, pseudonymizing, transferring, and storing it. The anonymization or destruction of data at the end of its life is also a form of processing.
With a valid purpose and proper controls, almost any data can be processed. However, specific types of personal data are considered more sensitive, such as information on someone's health, sexual preference, religious or political beliefs, and/or ethnicity. This data should be treated very carefully, and processing should be avoided when possible.
2. What is the "data controller" and "data processor?"
The data controller is the organization that determines what personal data is processed, for what purpose(s) and by what means. Part of the processing activities may be outsourced, for example, via infrastructure-as-a-service, software-as-a-service, or conventional outsourcing. Third-party providers that manage data are referred to as the "data processor." A data controller is accountable for the proper processing of personal data by data processor(s) they employ.
3. Who in the organization is responsible for privacy?
Every employee who handles personal data is responsible for its privacy. However, it's critical to place accountability where it belongs — with business leadership. The organization should appoint business process owners tasked with making risk-based decisions. Their responsibilities will include conducting periodical privacy impact and risk assessments, and addressing whether the outcome is within the organization's risk appetite.
Many leading organizations also have a dedicated privacy lead. The privacy or data protection officer (DPO) position is established not only for the protection of data but also to develop and implement the organization's privacy policies and processes. Representing the regulatory authority internally, the DPO assists organizations in complying with their legal obligations and addressing principles such as openness, fairness, and transparency.
4. What is a data protection impact assessment?
A data protection impact assessment is a tool used to identify and reduce privacy risks in any given project or program. It is a "living document" used to record the management of privacy risks at different points in time in a project's or program's life cycle. It should be conducted for every initiative that pertains to the processing of personal data.
5. Are there limits to where we can store data and for how long?
Privacy and data protection laws vary by jurisdiction and may include limitations as to where data can be transferred or stored. Personal data can only be kept until the purpose for processing it is achieved and the retention period set for it expires. Then it must be removed either by anonymization or deletion. The retention period for personal data may be prescribed or determined and justified by the organization. As time is a critical success factor for a data breach, retention periods should ideally be as short as possible.
A good privacy notice should, at minimum, include:
- An introduction of the data controller
- An explanation of the personal data that is processed along with the associated purposes
- An explanation for the duration of the applicable retention periods
- A description of data processors that are involved on behalf of the data controller
- An indication of who to contact with complaints or questions, or when a data subject wishes to exercise his or her rights
7. Our organization fell victim to a data breach. Will we be sanctioned?
Not necessarily. Organizations should assume a data breach will happen, as failproof security does not exist. However, organizations are responsible for applying sufficient measures to demonstrate proper control over personal data.
A data breach should usually be communicated to the regulatory authority and affected subjects. The subsequent investigation, or even the lack of notification to a regulator, may reveal noncompliance that could result in regulatory action.
Executive leaders should ensure their direct reports have a frequently tested response playbook ready for handling data breaches.
8. Are there technology solutions to help us manage our privacy program?
A multitude of vendors have solutions for establishing, maturing, and operationalizing a privacy management program. However, no one solution is the golden ticket to solve all privacy problems. Executive leaders should ask their direct reports to carry out exercises in collaboration with the security and risk management team to determine existing privacy capabilities within their organizations and identify potential gaps. Build a road map based on this assessment to enhance the organization's privacy posture and prioritize areas that would benefit most from technology investment.