In part one of our blog on The Intersection of Data Privacy & Risk, we discussed how organizations across the world are constantly working with massive volumes of data. The IDC predicts that the volume will grow ten times by 2025. In the absence of an effective data intelligence and privacy mechanism, organizations inevitably find it difficult to track, monitor, and control data privacy effectively, both to protect their customers and to minimize risk.
With privacy regulations like the GDPR requiring companies to record how they collect, store, use, monitor, and archive information, it becomes vital for organizations to break data silos to ensure optimal data classification, cataloging, risk management, data mapping, and consent management for proper data stewardship.
So, what are some of the basic first steps to ensure privacy risks are kept in check?
Determining Data Locations
A great place to start is with a data/information mapping exercise. This essentially boils down to determining where data resides and what systems it flows to, cataloging destinations and uses along the way. The exercise typically uncovers that personal information flows through both internal organizational systems and external ones, for instance cloud IaaS/PaaS servers and SaaS applications. Third-party cloud providers are increasingly being used as outsourced information storage and processing assets, in combination with internal servers.
Discovering Existing Personal Data Stores and Flows
Following this exercise, an organization should identify and track the personal or sensitive data stores and flows within its operations. Data can (and often does) reside in both structured and unstructured forms, scattered across multiple devices, platforms, and applications within the organization. Once personal data stores and flows are identified, they are typically classified and labeled for various use cases.
Assessing Data Security and Privacy Postures
Once data assets are located and labeled, evaluation of security and privacy postures generally follows. Data needs to be scanned for any security misconfigurations, such as the absence of encryption or access control policies (where warranted). This process allows organizations to gain better visibility on data security, identify gaps, and adapt appropriate security controls for security assurance and privacy compliance.
Identifying Data Controllers and Processors
“Controllers” and “Processors” are terms that are specifically defined in data protection laws like the GDPR and the CCPA. They are also used in a practical way to describe which individuals, teams, and organizations make decisions about how particular data sets are to be used (Controllers) and which strictly follow instructions (from Controllers) on what to do with the data they are contracted to collect, store, and process. Critical to the success of both roles is clearly defined access to the data. Access abuse, data leaks, and accidental data exposure are often associated with poor access control policies. Therefore, it is vital to identify roles, responsibilities, and individuals with clearly defined access rights so that the organization can track, monitor, or strengthen access controls.
Recommended Tactics to Avoid Risks
Once data is classified, labeled, and cataloged, organizations can proceed to address security, privacy, and compliance issues, beginning with:
Control Access
Access control is an integral part of a company’s IT security environment. Pre-defined principles involving user identity management and access authorization management are typically crafted early in the IT department’s efforts. Strict policies are usually defined for adding users to the system and authorizing least privilege access to resources.
Automate Controlled Access
Roles and responsibilities for individuals change, prompting organizations to modify or reconfigure access control regularly. At times, security loopholes arise when employees leave the company but their access remains unchecked following their departure. This creates a security gap, giving threat actors opportunities for exploitation.
Solutions to this challenge exist, though: through effective automation, organizations can automatically update, revise, or revoke access permissions for employees whose job roles have changed or who have left the organization.
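As an added illustration (not code from the original article), the sketch below reconciles an HR roster against current access grants and plans revocations for leavers, role changers, and accounts with no HR record. The roster, roles, permission names, and the plan_revocations helper are all constructed assumptions.

```python
# Constructed sample data: the HR roster is treated as the source of truth.
ROLE_BASELINE = {
    "analyst": {"crm:read", "warehouse:read"},
    "dba": {"warehouse:read", "warehouse:admin"},
}
HR_ROSTER = {
    "alice": {"status": "active", "role": "analyst"},
    "bob": {"status": "terminated", "role": "dba"},
    "carol": {"status": "active", "role": "analyst"},  # recently moved from dba
}
GRANTS = {
    "alice": {"crm:read"},
    "bob": {"warehouse:read", "warehouse:admin"},
    "carol": {"warehouse:read", "warehouse:admin"},
    "dave": {"crm:read"},  # no HR record at all (orphaned account)
}


def plan_revocations(roster, grants, baseline):
    """Return {user: sorted permissions to revoke} for every over-privileged account."""
    plan = {}
    for user, held in grants.items():
        record = roster.get(user)
        if record is None or record["status"] != "active":
            # Leaver or unknown identity: nothing they hold is justified.
            excess = set(held)
        else:
            # Active user: anything beyond the role's least-privilege baseline.
            excess = held - baseline.get(record["role"], set())
        if excess:
            plan[user] = sorted(excess)
    return plan


if __name__ == "__main__":
    for user, perms in sorted(plan_revocations(HR_ROSTER, GRANTS, ROLE_BASELINE).items()):
        print(f"revoke {perms} from {user}")
```

Run on a schedule against real identity and HR exports, the same comparison surfaces access that outlived its business justification.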
User Consent Collection
Privacy regulations like the GDPR require companies to collect and record specific consent for the various kinds of processing of users' personal data. Increasingly, consumers must consent to their personal information being used only for specified purposes by the company they provide it to, and for no additional uses. This is creating new challenges for companies habituated to lax data use, and it will be interesting to see how corporate data use policies and procedures are modified to accommodate these new obligations.
After mapping the data and discovering all the end-points, companies should devise effective methods to collect and record users’ consent. The consent record should contain a timestamp when consent is collected, along with source details and the policies defining consent processing for specific purposes. Companies should also have mechanisms in place to honor consent withdrawal requests from users, now often required by privacy laws.
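A consent record with the fields described above can be modeled as an append-only ledger in which a withdrawal is simply a later event for the same purpose. This is an added example, not code from the original article; the class names, field names, and sample values are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str
    purpose: str          # consent is purpose-specific, never blanket
    granted: bool         # False records a withdrawal
    timestamp: datetime   # when the consent (or withdrawal) was collected
    source: str           # where it was collected, e.g. a form or endpoint
    policy_version: str   # policy text the user was shown


class ConsentLedger:
    """Append-only log: events are never edited, so history stays auditable."""

    def __init__(self):
        self._events = []

    def record(self, subject_id, purpose, granted, source, policy_version, timestamp=None):
        event = ConsentEvent(subject_id, purpose, granted,
                             timestamp or datetime.now(timezone.utc),
                             source, policy_version)
        self._events.append(event)
        return event

    def is_permitted(self, subject_id, purpose):
        """Allow processing only if the latest event for this exact purpose is a grant."""
        latest = None
        for ev in self._events:
            if ev.subject_id == subject_id and ev.purpose == purpose:
                if latest is None or ev.timestamp >= latest.timestamp:
                    latest = ev
        return latest is not None and latest.granted

    def history(self, subject_id):
        """Full evidence trail for one data subject, oldest first."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.timestamp)


def build_sample_ledger():
    # Constructed sample events for a hypothetical subject "u-1001".
    ledger = ConsentLedger()
    t = lambda day: datetime(2024, 1, day, tzinfo=timezone.utc)
    ledger.record("u-1001", "newsletter", True, "signup-form", "policy-v3", t(1))
    ledger.record("u-1001", "analytics", True, "cookie-banner", "policy-v3", t(2))
    ledger.record("u-1001", "newsletter", False, "preferences-page", "policy-v3", t(9))
    return ledger
```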
Privacy Policy and Notice Management
Global privacy regulations mandate organizations to maintain an outward-facing privacy policy and privacy notices, containing the details regarding the organization’s data collection, processing, and retention policies.
Data Subject Request Mechanism
Various privacy regulations globally require that data subjects have the right to request copies of their personal data, records of how their data is being processed, the ability to check and correct their records (data rectification), and to have their data deleted from the organization’s systems. To honor data subjects’ requests, companies need to have easy-to-use systems in place that can collect, process and fulfill requests promptly (or within specified periods as per various data privacy laws).
Data Breach Management
In the event of a security or privacy breach, where personal information of individuals is accidentally or maliciously lost or stolen, organizations must notify regulatory authorities about the breach and the affected data subjects, within predefined timeframes. Having a comprehensive data breach response plan in place is critical to avoid costly and reputation-harming damages, and to mitigate risks.
Mitigating Third Party Risk
All globally operating organizations utilize many third parties for data collection, storage, and processing of consumers’ personal information, and need to have solid record keeping and vendor management systems in place to mitigate risk.
Automation – The Way Forward for Data Privacy, Security, and Compliance?
Organizations collect, generate, and process a staggering amount of data every minute of every day. This voluminous data is distributed across a wide variety of systems, applications, SaaS platforms, and multi-cloud networks, and causes enormous data management challenges for organizations. A term often applied to this phenomenon is “data sprawl”.
Data sprawl not only makes it difficult for organizations to keep track of their data flows, but it also leads to further organization-wide chaos, including the mishandling of information, access abuse, and excessive and unmonitored inappropriate access to data.
Given this fact of the modern world, identifying data sources, flows, and stores, as well as having robust classification, storage, use, and maintenance policies and procedures in place, is critical to business success. Automation is key: tempered by human judgment at key moments and locations in the management of personal information, it can lead to meaningful insights while reducing wasted time, human errors, and thus cybersecurity and compliance risks.
Conclusion
Protecting personal information within organizations is a challenging yet achievable ongoing effort. Failures in data stewardship can be related to an inability to imagine worst-case scenarios, or to understand evolving technologies and threats. Staying abreast of emerging laws, techniques and methodologies is key to ensuring successful system, product, and application launches, and having the right personnel internally and externally will be essential to ongoing organizational success.
Written by Amber Lesniak, Manager at Myna Partners