Dark Reading is part of the Informa Tech Division of Informa PLC

10:00 AM
Bernard Woo
8 Frequently Asked Questions on Organizations' Data Protection Programs

Adherence to data protection regulations requires a multidisciplinary approach that has the commitment of all employees. Expect to be asked questions like these.

The global privacy landscape has shifted significantly in recent years. Kicked off by the European Union's General Data Protection Regulation (GDPR), jurisdictions around the world are establishing their own regulations, such as the California Consumer Privacy Act (CCPA) in the US, the Lei Geral de Proteção de Dados (LGPD) in Brazil, and the Personal Data Protection Act (PDPA) in Thailand. Simultaneously, organizations are taking data protection more seriously, with Gartner research finding privacy budgets averaging $1.7 million per year.

Adherence to data protection regulations requires a multidisciplinary approach that has the support and commitment of all stakeholders, including every employee. Here are some of the most frequently asked questions about data protection facing security and privacy leaders. Although some may seem simple at face value, it's important to provide responses that reinforce privacy regulations across the entire organization.

1. What is considered "personal data" and what does it mean to "process" it?
"Personal data" includes not only directly identifiable data, such as names, addresses, and Social Security numbers, but also information that can be linked together to identify an individual, such as a salary slip that lists an employee record number as an identifier.

Any action on data may be considered processing. This includes analyzing, copying, changing, pseudonymizing, transferring, and storing it. The anonymization or destruction of data at the end of its life is also a form of processing.

With a valid purpose and proper controls, almost any data can be processed. However, specific types of personal data are considered more sensitive, such as information on someone's health, sexual preference, religious or political beliefs, and/or ethnicity. This data should be treated very carefully, and processing should be avoided when possible.

2. What are the "data controller" and the "data processor"?
The data controller is the organization that determines what personal data is processed, for what purpose(s) and by what means. Part of the processing activities may be outsourced, for example, via infrastructure-as-a-service, software-as-a-service, or conventional outsourcing. Third-party providers that manage data are referred to as the "data processor." A data controller is accountable for the proper processing of personal data by data processor(s) they employ.

3. Who in the organization is responsible for privacy?
Every employee who handles personal data is responsible for its privacy. However, it's critical to place accountability where it belongs — with business leadership. The organization should appoint business process owners tasked with making risk-based decisions. Their responsibilities will include conducting periodical privacy impact and risk assessments, and addressing whether the outcome is within the organization's risk appetite.

Many leading organizations also have a dedicated privacy lead. The privacy or data protection officer (DPO) position is established not only for the protection of data but also to develop and implement the organization's privacy policies and processes. Representing the regulatory authority internally, the DPO assists organizations in complying with their legal obligations and addressing principles such as openness, fairness, and transparency.

4. What is a data protection impact assessment?
A data protection impact assessment is a tool used to identify and reduce privacy risks in any given project or program. It is a "living document" used to record the management of privacy risks at different points in time in a project's or program's life cycle. It should be conducted for every initiative that pertains to the processing of personal data.

5. Are there limits to where we can store data and for how long?
Privacy and data protection laws vary by jurisdiction and may include limitations as to where data can be transferred or stored. Personal data can only be kept until the purpose for processing it is achieved and the retention period set for it expires. Then it must be removed, either by anonymization or by deletion. The retention period for personal data may be prescribed by regulation or determined and justified by the organization. Because the longer personal data is held, the more of it is exposed when a breach occurs, retention periods should ideally be as short as possible.
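The retention rule above, together with the anonymization and pseudonymization forms of processing mentioned under question 1, as an added Python example that is not part of the article or of any Gartner material: a sweep that keeps records whose retention period has not expired, anonymizes expired records where only aggregate values must survive, and deletes the rest. The purpose-to-retention schedule, the record layout, the sample records and the "today" date are all constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional

# Constructed retention schedule: one entry per processing purpose, giving the
# maximum time a record may be kept after its purpose is fulfilled and what
# happens on expiry. Hypothetical values; a real schedule comes from the
# organization's legal and records-management functions, not from this code.
RETENTION_SCHEDULE = {
    "payroll":    {"keep_for": timedelta(days=365), "on_expiry": "anonymize"},
    "recruiting": {"keep_for": timedelta(days=180), "on_expiry": "delete"},
}


@dataclass(frozen=True)
class Record:
    record_id: str              # employee/candidate number: an indirect identifier (see Q1)
    purpose: str                # key into RETENTION_SCHEDULE
    purpose_fulfilled_on: date  # date the processing purpose was achieved
    name: Optional[str]
    email: Optional[str]
    salary: Optional[int]       # not identifying once unlinked from the fields above


def expiry_date(rec: Record) -> date:
    """Last day on which the record may still be held."""
    return rec.purpose_fulfilled_on + RETENTION_SCHEDULE[rec.purpose]["keep_for"]


def anonymize(rec: Record) -> Record:
    """Strip every field that identifies the person or could be linked back to them.

    The record number goes too: as Q1 notes, a salary slip carrying an employee
    number is still personal data. Only aggregate-useful, non-identifying fields
    (here: salary) survive, so this is anonymization rather than pseudonymization.
    """
    return replace(rec, record_id="", name=None, email=None)


def sweep(records: List[Record], today: date) -> dict:
    """Apply the retention schedule; a record expiring today is still within its period."""
    kept, anonymized, deleted_count = [], [], 0
    for rec in records:
        if today <= expiry_date(rec):
            kept.append(rec)
            continue
        if RETENTION_SCHEDULE[rec.purpose]["on_expiry"] == "anonymize":
            anonymized.append(anonymize(rec))
        else:
            # The audit trail records that a deletion happened, not who was deleted:
            # logging identifiers would quietly recreate the data store we just emptied.
            deleted_count += 1
    return {"kept": kept, "anonymized": anonymized, "deleted_count": deleted_count}


# Constructed sample data and a fixed reference date (not real people).
TODAY = date(2021, 6, 16)
SAMPLE_RECORDS = [
    Record("emp-1001", "payroll", date(2020, 1, 1), "Ada Example", "ada@example.com", 52000),
    Record("cand-2001", "recruiting", date(2021, 3, 1), "Bob Example", "bob@example.com", None),
    Record("cand-2002", "recruiting", date(2020, 11, 1), "Cy Example", "cy@example.com", None),
    # Fulfilled exactly 180 days before TODAY: expires today, so it is still kept.
    Record("cand-2003", "recruiting", date(2020, 12, 18), "Di Example", "di@example.com", None),
]


def run_demo() -> dict:
    return sweep(SAMPLE_RECORDS, TODAY)


if __name__ == "__main__":
    result = run_demo()
    print("kept:", [r.record_id for r in result["kept"]])
    print("anonymized:", result["anonymized"])
    print("deleted:", result["deleted_count"])
```

The boundary (a record whose period ends today) is handled explicitly, because off-by-one handling at the expiry date is exactly where a sweep either over-retains or destroys data a day early; whichever convention the organization adopts should be written down alongside the schedule.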

6. Should we update our privacy policy to account for regulatory changes?
Yes. However, there is a difference between a privacy policy and privacy notice — and you should probably update both.

A privacy policy refers to the translation of the strategic documentation into tactical and operational instructions for employees on how to properly handle personal data. A privacy notice is the public-facing documentation. It should be short and comprehensible, and only revised after completion of a proper privacy assessment.

A good privacy notice should, at minimum, include:

  • An introduction of the data controller
  • An explanation of the personal data that is processed along with the associated purposes
  • An explanation for the duration of the applicable retention periods
  • A description of data processors that are involved on behalf of the data controller
  • An indication of who to contact with complaints or questions, or when a data subject wishes to exercise his or her rights

7. Our organization fell victim to a data breach. Will we be sanctioned?
Not necessarily. Organizations should assume a data breach will happen, as fail-proof security does not exist. However, organizations are responsible for applying sufficient measures to demonstrate proper control over personal data.

A data breach should usually be communicated to the regulatory authority and affected subjects. The subsequent investigation, or even the lack of notification to a regulator, may reveal noncompliance that could result in regulatory action.

Executive leaders should ensure their direct reports have a frequently tested response playbook ready for handling data breaches.

8. Are there technology solutions to help us manage our privacy program?
A multitude of vendors have solutions for establishing, maturing, and operationalizing a privacy management program. However, no one solution is the golden ticket to solve all privacy problems. Executive leaders should ask their direct reports to carry out exercises in collaboration with the security and risk management team to determine existing privacy capabilities within their organizations and identify potential gaps. Build a road map based on this assessment to enhance the organization's privacy posture and prioritize areas that would benefit most from technology investment.


Bernard Woo is a Senior Director Analyst at Gartner with a primary focus on data protection/privacy risk management and compliance programs. Additional coverage areas include data classification, operational technology (OT) security, and 5G security considerations. Gartner ...
