The 10 steps to achieving a data privacy compliance framework

By Andrew Henderson, The Red Flag Group®

The need for protection of data is becoming increasingly apparent after several high-profile incidents involving leaks of company and consumer data. The results of such data breaches usually include two types of damage: first to a company’s reputation, as the public bemoans the violation of their trust, and then financially from the fallout. The implications can be that companies are forced to pay for credit-monitoring services, make pay-outs for lawsuits or settlements, or even pay ransoms for hijacked data.

Even if companies have an ‘it-can’t-happen-here’ approach to data breaches, legislation will soon force them to take a closer look at their approach. The General Data Protection Regulation (GDPR) is coming into force in Europe in 2018 with potential fines of 4 percent of global revenue.

When dealing with complex topics like data privacy, it is very easy to get lost in the details of specific requirements or to have management shift the focus to the hottest topic of the moment. It is better to not react to the most recent scandal or legislation and instead look at the overarching process of data-privacy controls at the technological, compliance and management levels.

To help those tasked with managing compliance obligations and risks, companies need to be able to plan and prioritise over a wide range of issues and have those priorities understood and acted upon by the business.

The 10 steps to take to structure and manage your data-privacy programme

1. Choose a framework

It is important to agree to a framework to document obligations and review their relative importance. There should also be a method of managing the overarching programme to deal with each of the obligations according to their priority. The system of controls and processes can become very complex and intricate, and companies need to build their systems on a firm footing. There is rarely the need to reinvent the wheel when it comes to data-privacy controls, as there are internationally recognised standards to assist in building and organising.

The International Organization for Standardization publishes a standard, ISO19600, aimed at general support for compliance programmes (rather than any one specific risk). The idea behind ISO19600 is that it provides broad guidance, based on internationally agreed best practice, rather than a requirements standard against which it is possible to be certified. Its use can differ depending on the size and level of maturity of an organisation and on the context, nature and complexity of the activities carried out.

2. Understand your obligations

One of the most common mistakes when building a data-privacy programme is to jump into the technical requirements of a law or code without fully considering what is most important to the business.

The first step should always be to understand the business necessity to comply. This involves a careful analysis of what your obligations are, what the risk of breaching those obligations might be and what risks your company is willing to take — essentially conducting a gap analysis of your legal, regulatory and reputational obligations and how your current efforts stack up.

The obligations of data privacy for companies operating or based in Europe may come from the European Union’s GDPR, but most countries have some form of data-privacy legislation that also needs to be considered. Many industries have their own codes of conduct which provide more specific guidance about how to treat data and are often more stringent. There may also be contractual obligations. Finally, there are also expectations of a company’s employees about how you will treat their private personal data — whether realistic or not.

3. Understand your risks

Once the obligations have been understood, you need to consider the chances that a violation will occur. This involves analysis of many factors, such as the type of data (employee or customer), how sensitive the data is, what people have access to that data (both within your company and externally), what your security processes are, and how you have managed breaches in the past. This understanding will help provide clear guidance on the risks and potential impact of breaches, and it will allow for a discussion about what level of risk your business is willing to accept.

Technological and physical security assessments play an important role in this risk assessment, and should cover both external access and internal users. A breach does not have to be from hacking — inadvertent access or alterations are far more common. Understanding social engineering, or using the powers of persuasion and fraud to gain access to systems, is crucial to guarding against data breaches. Technological controls can make it very difficult to access data, but tricking an employee into sharing data can thwart even the most stalwart encryption and data-security barriers.

4. Document your policies

Once the obligations and risks are understood, it is vital to document exactly what your policies are to manage the risk. Not all risks are managed in the same manner or to the same extent. A policy document needs to provide more than a high-level statement that you take privacy seriously — it needs to set out the appropriate guidance in key areas, such as consent, access and breach management. Policies for data protection and privacy may overlap with other business policies, such as security standards, records retention policies and the management of confidential or internal intellectual property.

5. Get buy-in

Senior management needs to agree with and sign off on your analysis as set out in the policies. This is a key step in gaining resources for remediation efforts, such as training, technology, or personnel, or to acknowledge leadership’s comfort level with the risks.

There is also the important topic of setting the tone from the top — the way leaders speak about privacy, their support of the programme, the resources that they provide (both financial and human) and the incentives they offer to encourage proper treatment of private information.

6. Assign responsibility

Data-privacy programmes fail when there is no clear ownership of the risk. The topic often falls between legal, IT, HR and compliance to manage, as it requires various skills to succeed. Each business will structure the ownership differently, but it is vital that it is clearly understood and that the owner has the necessary resources and influence to achieve the agreed outcomes. It is also important that across the business, everyone is aware of their responsibilities relating to privacy.

7. Provide training and communications

Training and communication can take many forms, including classroom sessions, electronic learning, posters and intranet articles, but all these should aim to ensure that all employees are competent to fulfil their job role in a manner that is consistent with the organisation’s compliance culture and policies.

The training programme should be focused on the risks related to the roles and responsibilities of the employees and the known gaps in their knowledge and competence. For most staff members, this will involve an understanding of the data that they will have access to and how a breach may occur.

Training should be provided on a regular basis, and it ought to be performed again whenever there are significant changes to positions, structures, risks or obligations, or when actual issues arise.

8. Deploy the programme

Once deployed, the programme should focus on specific day-to-day tasks that could pose a risk. These include:

  • Impact assessments: Privacy-impact assessments are key tools in understanding the risks related to any significant change in the business, whether a restructuring, a new product or the use of new partners. When performed at an early stage, they are useful in quantifying the risks of the project and they also help to build in privacy as a key part of the design.
  • Interactions with people: One of the primary purposes of data-privacy legislation is to provide rights to the individuals whose data you hold. Under the GDPR, these rights include access to their data and requiring a statement of consent for the processing of data or the eradication of data. Some of these rights can place a significant burden on companies if they have not planned and built processes for them.
  • Third-party transfers: Whenever data is moved outside an entity, the risk of a breach increases. Management of these transfers is vital; it requires an awareness that a transfer is taking place, a review of the transfer method, an understanding of the recipient’s privacy practices and those of the jurisdiction, and potentially the consent of the individuals involved.
  • Breach management: In many jurisdictions, legislation places an obligation on companies to notify regulators or individuals of a breach within a certain time period. It is therefore important to have processes in place to manage the investigation, containment and reporting requirements and the institution of remediation actions after the event.

For all these operational requirements, it is advisable to look at systems and tools (whether built in-house or brought in) to support the processes in the most efficient manner and to ensure that key activities are documented.

9. Monitoring progress

To ensure that the programme is progressing as planned, there should be a monitoring plan that sets out:

  • What needs to be monitored and measured and why
  • The methods for monitoring, measuring, analysing and evaluating
  • When the monitoring and measuring should be performed
  • When the results from monitoring and measurement should be analysed, evaluated and reported.

The feedback about the performance can come from employees, customers, suppliers, regulators, external security sources (especially for threat assessments) or analysis of the performance of the various systems in place. It can arrive via many routes, such as hotlines, informal discussions, workshops, sampling and integrity testing, perception surveys, formal interviews, inspections and audits.

Audits should be conducted at planned intervals to ensure that the programme is effectively implemented and maintained. Part of the planning should include decisions about the scope, criteria, frequency, methods, responsibilities and reporting. The auditors should have appropriate competence and be selected to ensure objectivity and impartiality. Audits could be carried out either internally at various business unit locations or externally at third-party operations.

Once the information has been collected, it needs to be analysed and assessed to identify root causes for appropriate action to be taken. The analysis should consider systemic and recurring problems for rectification, as these are likely to carry more significant risks for the organisation. To support the analysis, measures should be developed which focus on the management of the specific risks. Examples for a privacy programme might include the percentage of employees trained effectively, the number of breaches and near misses, the number of transfers or impact assessments completed (versus expectation), the time to investigate and report breaches, and the time to respond to individual access requests.

Once the analysis is completed, reporting arrangements should ensure that timelines for regular reporting are established. This reporting plan should include a system for standard reports, where no issues have been found, as well as exception reporting for issues. Reports may include matters in which the organisation is required to notify the regulatory authority, changes in external threats, incidents that have occurred, and the subsequent analysis and corrective action undertaken.

10. Review

The overall aim of the compliance framework is to ensure that the programmes are well managed and have continual improvement built into their design. It is also important to perform a more formal review on a regular basis to ensure that the programme is adjusted to meet any changes in legislation or the business. This review will feed into process changes so that processes are not changed too often and the impact of changes can be tracked and assessed.


Managing the risks of data privacy is a significant undertaking for any organisation, and it is only going to get more complex, given the growing focus from regulators and the increasing amounts of data concerning individuals that businesses hold.

It is a risk area that requires such a diverse set of skills to manage — including technical, security, legal and compliance — that external support will often be required. Having a framework in place to manage the continuous nature of the programme is essential.
