A Privacy Officer’s Work is Never Done
Thanks largely to regulatory requirements, having someone in an organization with designated responsibility for privacy has become commonplace. It has been universal in US healthcare for almost two decades because HIPAA requires each covered entity to designate a Privacy Official. With the advent of the GDPR, having at least the regulation-defined Data Protection Officer (DPO) has become common both within the EEA and in large companies that handle European data. A DPO, however, has specific, independent duties set out in the regulation (monitoring compliance, advising on data protection impact assessments, and acting as the contact point for supervisory authorities and data subjects) that do not fit well with also owning the overall privacy program. An increasing number of organizations therefore now have a Chief Privacy Officer (CPO), an executive-level role with responsibility for privacy across the enterprise, in addition to DPOs and other privacy staff.
This increased focus on privacy is driven by an increased perception of the risks associated with mishandling personal data. An organization that suffers a breach involving personal information has always been subject to adverse publicity, consequent brand damage, and other related costs, but mandatory breach-notification requirements in many regulations make those consequences more likely, and there are also regulatory fines, actions for damages, and so on. Even in the absence of a breach, regulations like the GDPR, HIPAA, and California’s CCPA create (potentially huge) regulatory liability for businesses that don’t follow the rules. Honestly, regulatory risk (fines for failing to follow the rules) can be a bigger motivator than the risk of an actual incident, which makes some sense given that GDPR fines for the most serious infringements can reach €20 million or 4% of a company’s total worldwide annual turnover for the preceding financial year, whichever is higher, even when no data breach has occurred.
Privacy is a Process
A Privacy Officer needs to do certain things to stay on top of their company’s data. Probably the most important is to be at the table when new products or processes, or revisions to existing ones, are being planned, so that personal information is handled appropriately from the outset. The formal name for this idea is “data protection by design and by default,” and it is required under the GDPR (Article 25), the upcoming CPRA, and several other regulations. It is practical, too: as with security, it is far more expensive to fix privacy issues late in the cycle or after the fact than it is to do things right from the start.
Other practical tips – none of which should be news to people who do this for a living, but they’re worth reinforcing – include:
• Training your workforce to respect the importance of handling personal data appropriately, understand what is and isn’t allowed, and know how to recognize and report potential incidents (this requires regular reinforcement);
• Keeping up to date on regulatory developments across all jurisdictions and in all business sectors where your company operates (US regulations have historically been sectoral, and while this may change in the future it hasn’t yet);
• Building relationships with people in key areas within your company – you need to make sure you have a seat at the table as discussed above, and you also need colleagues to tell you about possible problems. It’s worth getting to know folks in technology, security, and any role that interacts with personal data, and being approachable so they’ll come to you with questions or concerns;
• Understanding all of the regulatory and contractual obligations your organization has, with government agencies, certification bodies, clients, and the individuals whose data you’re holding, since privacy statements and user agreements create real legal obligations that are increasingly also enforced by regulators;
• Having a complete inventory of all personal information your organization handles, where it comes from, where it goes, and what you’re doing with it (pro tip: organizations that deal with regulated data can have blind spots around other types of data, so dig deep). While I’m listing this last, it’s really the first thing you need to do because everything else depends on it.
That last one is deceptively easy to say but hard to do. Knowing what’s going on with all of the data in your care is an ongoing effort because environments change constantly, and it is harder still because today’s technology environments routinely include code and services from third parties that you do not control.
Use the right tools
Frankly, many environments are now so complex that the old practice of approaching privacy purely from a legal, policy, and behavioral perspective, and letting your security organization handle the technology, is no longer enough. The good news is that with increased awareness of privacy’s importance has come a rapidly-evolving array of privacy-focused solutions: the IAPP’s 2020 Tech Vendor Report lists over 300 vendors in the space, with solutions in 11 different categories. Some solutions help automate tasks you would otherwise be doing manually; others give you insights you could not get without the tech. A few representative examples, and how they address key needs discussed above:
• OneTrust provides tools to help you get that complete inventory of data, with automated discovery and classification of all data anywhere within your environment, to help keep your inventories up to date in complex and constantly evolving environments.
• Osano reviews and tracks consent from individuals and legal agreements with your multitude of vendors, and notifies you of relevant changes to the vendors’ privacy notices, elevating changes you otherwise might have missed to your attention.
• Lokker maps and monitors the ecosystem of third-party services which provide a range of content, analytics, and services on your website, and shows where they are sending personal data from your users; your inventory and data flow diagrams aren’t complete without this insight.
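As an added example (not code from the original post or from any vendor named above), here is a first-pass version of the third-party mapping that the inventory item and the website-monitoring item above call for: it parses a page's HTML, lists every host that the browser will be made to contact through script, image, iframe, stylesheet, media, or form references, drops the site's own hosts, and flags requests whose URL carries a query string (the place where user identifiers most often travel). The HTML, the hostnames, and the site domain are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Elements that cause the browser to send a request to the referenced host.
# <a href> is deliberately excluded: a link is navigation, not an automatic fetch.
_TAGS = {"script", "img", "iframe", "link", "form", "video", "audio", "source"}
_SRC_ATTRS = {"src", "href", "action", "data-src"}


class _RefCollector(HTMLParser):
    """Collect (tag, url) pairs for every resource-loading element."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag not in _TAGS:
            return
        for name, value in attrs:
            if name in _SRC_ATTRS and value:
                self.refs.append((tag, value))


def third_party_origins(html: str, site_host: str) -> dict:
    """Return {host: {"tags": [...], "sends_query": bool}} for every host
    outside site_host (and its subdomains) that the page makes requests to."""
    collector = _RefCollector()
    collector.feed(html)
    site_host = site_host.lower()
    found = {}
    for tag, url in collector.refs:
        parsed = urlparse(url)          # handles absolute and protocol-relative (//host/...) URLs
        host = parsed.hostname
        if not host:                    # relative URL: served from our own origin
            continue
        host = host.lower()
        if host == site_host or host.endswith("." + site_host):
            continue                    # first party
        entry = found.setdefault(host, {"tags": set(), "sends_query": False})
        entry["tags"].add(tag)
        if parsed.query:                # identifiers usually ride in the query string
            entry["sends_query"] = True
    return {
        host: {"tags": sorted(v["tags"]), "sends_query": v["sends_query"]}
        for host, v in sorted(found.items())
    }


# Constructed sample page; all hostnames are illustrative (.example).
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://tagmanager.example/gtm.js?id=GTM-XXXX"></script>
<script src="//cdn.analytics.example/track.js"></script>
</head><body>
<img src="https://static.example.com/logo.png">
<img src="https://pixel.adnetwork.example/collect?uid=123" width="1" height="1">
<iframe src="https://video.embed.example/player/abc"></iframe>
<form action="https://forms.vendor.example/submit" method="post"></form>
<a href="https://social.example/ourpage">Follow us</a>
</body></html>
"""

if __name__ == "__main__":
    for host, info in third_party_origins(SAMPLE_HTML, "example.com").items():
        flag = "  (query string present)" if info["sends_query"] else ""
        print(f"{host}: {', '.join(info['tags'])}{flag}")
```

This static pass is a starting point for the inventory, not a substitute for monitoring: tag managers and scripts load further scripts at runtime, and data also leaves via XHR, fetch, and beacon calls that never appear in the HTML, so the list grows once the page is actually executed in a browser, which is what the monitoring tools above observe.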