Risk

9/8/2020
10:00 AM
Bernard Woo
Commentary
8 Frequently Asked Questions on Organizations' Data Protection Programs

Adherence to data protection regulations requires a multidisciplinary approach that has the commitment of all employees. Expect to be asked questions like these.

The global privacy landscape has shifted significantly in recent years. Kicked off by the European Union's General Data Protection Regulation (GDPR), jurisdictions around the world are establishing their own regulations, such as the California Consumer Privacy Act (CCPA) in the US, the Lei Geral de Proteção de Dados (LGPD) in Brazil, and the Personal Data Protection Act (PDPA) in Thailand. Simultaneously, organizations are taking data protection more seriously, with Gartner research finding privacy budgets averaging $1.7 million per year.

Adherence to data protection regulations requires a multidisciplinary approach that has the support and commitment of all stakeholders, including every employee. Here are some of the most frequently asked questions about data protection facing security and privacy leaders. Although some may seem simple at face value, it's important to provide responses that reinforce privacy regulations across the entire organization.

1. What is considered "personal data" and what does it mean to "process" it?
"Personal data" includes not only directly identifiable data, such as names, addresses, and Social Security numbers, but also information that can be linked together to identify an individual, such as a salary slip that lists an employee record number as an identifier.

Any action on data may be considered processing. This includes analyzing, copying, changing, pseudonymizing, transferring, and storing it. The anonymization or destruction of data at the end of its life is also a form of processing.

With a valid purpose and proper controls, almost any data can be processed. However, specific types of personal data are considered more sensitive, such as information on someone's health, sexual preference, religious or political beliefs, and/or ethnicity. This data should be treated very carefully, and processing should be avoided when possible.

2. What are the "data controller" and the "data processor"?
The data controller is the organization that determines what personal data is processed, for what purpose(s) and by what means. Part of the processing activities may be outsourced, for example, via infrastructure-as-a-service, software-as-a-service, or conventional outsourcing. Third-party providers that manage data are referred to as the "data processor." A data controller is accountable for the proper processing of personal data by data processor(s) they employ.

3. Who in the organization is responsible for privacy?
Every employee who handles personal data is responsible for its privacy. However, it's critical to place accountability where it belongs — with business leadership. The organization should appoint business process owners tasked with making risk-based decisions. Their responsibilities will include conducting periodical privacy impact and risk assessments, and addressing whether the outcome is within the organization's risk appetite.

Many leading organizations also have a dedicated privacy lead. The privacy or data protection officer (DPO) position is established not only for the protection of data but also to develop and implement the organization's privacy policies and processes. Representing the regulatory authority internally, the DPO assists organizations in complying with their legal obligations and addressing principles such as openness, fairness, and transparency.

4. What is a data protection impact assessment?
A data protection impact assessment is a tool used to identify and reduce privacy risks in any given project or program. It is a "living document" used to record the management of privacy risks at different points in time in a project's or program's life cycle. It should be conducted for every initiative that pertains to the processing of personal data.

5. Are there limits to where we can store data and for how long?
Privacy and data protection laws vary by jurisdiction and may include limitations as to where data can be transferred or stored. Personal data can only be kept until the purpose for processing it is achieved and the retention period set for it expires. Then it must be removed, either by anonymization or by deletion. The retention period for personal data may be prescribed by law or determined and justified by the organization. Because the longer personal data is kept, the more of it a breach can expose, retention periods should ideally be as short as possible.

6. Should we update our privacy policy to account for regulatory changes?
Yes. However, there is a difference between a privacy policy and privacy notice — and you should probably update both.

A privacy policy refers to the translation of the strategic documentation into tactical and operational instructions for employees on how to properly handle personal data. A privacy notice is the public-facing documentation. It should be short and comprehensible, and only revised after completion of a proper privacy assessment.

A good privacy notice should, at minimum, include:

  • An introduction of the data controller
  • An explanation of the personal data that is processed along with the associated purposes
  • An explanation for the duration of the applicable retention periods
  • A description of data processors that are involved on behalf of the data controller
  • An indication of who to contact with complaints or questions, or when a data subject wishes to exercise his or her rights

7. Our organization fell victim to a data breach. Will we be sanctioned?
Not necessarily. Organizations should assume a data breach will happen, as failproof security does not exist. However, organizations are responsible for applying sufficient measures to demonstrate proper control over personal data.

A data breach should usually be communicated to the regulatory authority and affected subjects. The subsequent investigation, or even the lack of notification to a regulator, may reveal noncompliance that could result in regulatory action.

Executive leaders should ensure their direct reports have a frequently tested response playbook ready for handling data breaches.

8. Are there technology solutions to help us manage our privacy program?
A multitude of vendors have solutions for establishing, maturing, and operationalizing a privacy management program. However, no one solution is the golden ticket to solve all privacy problems. Executive leaders should ask their direct reports to carry out exercises in collaboration with the security and risk management team to determine existing privacy capabilities within their organizations and identify potential gaps. Build a road map based on this assessment to enhance the organization's privacy posture and prioritize areas that would benefit most from technology investment.

Bernard Woo is a Senior Director Analyst at Gartner with a primary focus on data protection/privacy risk management and compliance programs. Additional coverage areas include data classification, operational technology (OT) security, and 5G security considerations.