Building a Holistic Privacy Management Program

November 13, 2019

Governments around the world have been taking consumer data privacy very seriously recently, with the European privacy law (General Data Protection Regulation, or GDPR) being perhaps the most significant enacted to date. There’s also Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA – originally passed nearly 20 years ago, but getting more attention lately) and Brazil’s General Data Protection Law (LGPD), effective as of 2020.

To this we can add a host of newly enacted or proposed US data privacy laws. The California Consumer Privacy Act of 2018 (CCPA) is the most prominent, but more than a dozen other states (including Texas, Illinois, New York and Washington) have either enacted or proposed similar legislation.

This collective emphasis on safeguarding the interests of private citizens has established a new set of assumptions for organizations doing business in these countries (or with their citizens). For businesses, then, the current environment is one rife with uncertainty and concern. At an operational level, how can an organization (especially one that does business globally) make sure it’s in compliance with all these new laws?

The good news is these various regulations are more alike than they are different. Definitions of Personally Identifiable Information (PII) are pretty similar, as are the elements that fall within the regulatory scope. CCPA is more of an opt-out framework while GDPR defaults to the opt-in side, and the bar may be higher or lower from one jurisdiction to another. But the primary distinctions have to do with how and when to report incidents to the responsible governing bodies.

As such, there’s no need for organizations to focus too deeply on the minute differences from one regulation to the next. Rather than building consumer privacy programs for individual jurisdictions, it’s possible (and preferable) to develop holistic programs that address the overarching commonalities.

At its core, an effective privacy management program looks and acts like an integrated cybersecurity and risk management program.

Begin with these questions:

  • Do you know what data is relevant to privacy regulations?
  • Do you know where the data is?
  • Do you know who has access to this data?
  • Do you have the right controls in place to protect that data?
  • Can you show your work to provide due diligence?
  • How can you prioritize various privacy regulations against your other threats?

An organization that’s already doing enterprise cybersecurity risk management properly – including things like basic data management and identity and access management (in alignment with a cybersecurity and privacy management framework like NIST CSF, NIST PMF, ISO 27701 or Nymity) – is 90% of the way there. In practice, this encompasses:

Data Risk Governance: Understanding what kind of data you collect, how you use it, who you share it with, your privacy obligations and the privacy risks to individuals.

Data Classification: Establishing expectations and capabilities for users to identify data within your environment that’s relevant to privacy regulations.

Data Discovery: Using manual and technical means to discover where sensitive data lives within your environment and setting up structures for ongoing management.

Data Access: Determining who has access to the data (both structured and unstructured) and setting up the rules for ongoing monitoring and management of access.

Data Handling: Defining standards and establishing rules for the storage, processing and transmission of privacy-related data and enabling users to operate within those standards.

Data Protection: Planning, building and running an appropriate risk management and security program for the protection of sensitive information and preparing for the chance of an incident.

Since the regulations are pretty similar, organizations can generally prepare for them all at once, and a host of online checklist resources helps. For instance, Optiv’s comprehensive GDPR checklist distills best practice advice from multiple sources. A Google search for [ccpa checklist] returns thousands of results, including on-point guides from dozens of top analysts. The same goes for Brazil’s data privacy codes. A review of these resources reveals a number of commonalities, including maintenance of data privacy notices; procedures for responding to requests for information, requests to be forgotten and requests for erasure of data; and policies/procedures for the collection and use of children’s and minors’ personal data, security training, etc.

So when taking on this plethora of new privacy laws, relax: they all share similarities and there are checklist resources to help you get organized. Still have questions about developing and implementing a privacy management program in your organization? Contact us.

By: John Clark

Executive Director, Office of the CISO
