By Shadi Razak, CTO, CyNation Ltd.
Until recently, privacy has been treated much as security was treated 10 years ago: bolted on after the fact, rather than embedded into day-to-day business operations. Despite all the buzz generated by GDPR (General Data Protection Regulation) in 2018, many organisations are still unclear or misguided – or both – about their responsibilities when it comes to privacy. Many see it as a legal requirement: something that should be taken care of by the legal team. But just as information security is not the sole responsibility of the IT team, privacy is not the sole responsibility of the legal or IT teams.
With all the drama and noise generated by GDPR last year, much like the Y2K bug in 2000, one would expect that by now organisations would have become more privacy aware and privacy driven. On the contrary: it actually seems to have had a negative impact on privacy awareness. Unfortunately, ignoring the lessons of the past, many organisations approached GDPR in the same way as they approached Y2K. The thinking probably went: “OK! Let’s get someone to help us and prove that we are compliant. Let’s get it over and done with and hope we don’t get fined!”
What a lot of organisations and business leaders failed to understand was that data privacy is not only about GDPR. They also need to consider jurisdictions outside the EU, which have their own data protection and privacy regulations and standards. Organisations operating or offering their services and products globally, such as many Fintech start-ups, are confronted with multiple overlapping data protection and privacy laws and standards that they need to adhere to and comply with. How will they manage to do so, especially if they don’t have sufficient resources, knowledge and budget, as is the case with many start-ups?
And just because the organisation has a user’s data or a means of obtaining it doesn’t necessarily mean they should use that data. In recent years, various research studies have shown that valuing customers means valuing their privacy. And privacy risks matter to businesses, because the individuals whose privacy they guard are their employees, customers, patients, consumers, citizens and so on. If individuals see their personal privacy violated, this may severely test their loyalty to their employer, make them less likely to purchase from a particular vendor, or less likely to trust their healthcare provider. In other words, privacy risks have clear, measurable business impacts on revenue growth, net profit margin, customer satisfaction and earnings per share.
In addition, privacy cannot be assured solely by compliance with legislation and regulatory frameworks; rather, privacy assurance must become an organisation’s default mode of operation. Embedding privacy principles into the organisation’s operations and data life cycle will minimise the risks to individuals. The risk of non-compliance will decrease, while trust in the organisation and its reputation will increase accordingly. On the other hand, if the risk to the individual is not addressed, or actually increases, the overall risk to the business will also increase, along with reputational damage and a lack of trust in the business.
For all of these reasons, it is imperative to promote privacy principles and assurance throughout the entire organisation. The underlying reason should move beyond regulatory compliance and focus on practical privacy risk management and assurance throughout the entire operation and data life cycle.
Privacy risk management does not alter regulatory rights or obligations, nor does it take away organisational accountability. Rather, it is a valuable tool for calibrating the implementation of and compliance with privacy requirements, prioritising action, raising and informing awareness about privacy risks and identifying appropriate mitigation measures. Moreover, it offers organisations a greater level of interoperability in the face of divergent national and international legal requirements for data protection and privacy.
Privacy risk management programmes help organisations to bridge the gap between high-level principles on the one hand, and compliance on the ground on the other. The programme will develop a practical framework that applies, calibrates and implements abstract privacy obligations based on the actual risks and benefits of the proposed data processing.
An effective privacy risk management framework will provide a risk-based data-centric blueprint to:
- identify and classify the different datasets collected and processed across the organisation,
- identify, assess and prioritise the business risks of mishandling or losing any of the business-critical datasets,
- define data privacy and protection policies, standards, and guidelines that detail the business, technical and security requirements to support data privacy assurance and strategic business risks mitigations.
Moreover, it will help to maintain a balance between the business’s strategic objectives and the need to apply practical and appropriate data privacy and protection rules. It will also provide well-defined guidance on the roles and responsibilities of the different stakeholders, and establish clear principles of accountability.
The development of a privacy risk management framework must be championed by the organisation’s top management, who in turn will manage and ensure the participation of the different stakeholders (teams and departments) in the development process. The development process involves five essential steps:
- Realise: Develop capabilities to identify and classify sensitive and critical datasets across the organisation.
- Accurate: Ensure all personal data processed on individuals (clients and employees) is correct, accurate, relevant and serves a purpose.
- Transparent: Ensure that individuals are aware of what personal data about them is processed, on which grounds and for what purposes.
- Purpose-driven: Define purpose-driven retention periods that are only as long as necessary, and as short as possible.
- Safe and secure: Define practical security controls and measures to adequately secure and assure the privacy of personal data as long as it is in existence.
Privacy risks are about the impact on an individual when information about them is processed in applications and systems. Such risk may materialise first and foremost in data breaches, but also in other situations where personal data can be accessed without authorisation, or used for purposes other than those predefined.