Building a Holistic Privacy Management Program
Governments around the world have recently been taking consumer data privacy very seriously, with the European Union's General Data Protection Regulation (GDPR) perhaps the most significant law enacted to date. There is also Canada's Personal Information Protection and Electronic Documents Act (PIPEDA, originally passed in 2000 but receiving renewed attention lately) and Brazil's General Data Protection Law (LGPD), effective as of 2020.
To this we can add a host of newly enacted or proposed US data privacy laws. The California Consumer Privacy Act of 2018 (CCPA) is the most prominent, but more than a dozen other states (including Texas, Illinois, New York and Washington) have either enacted or proposed similar legislation.
This collective emphasis on safeguarding the interests of private citizens has established a new set of assumptions for organizations doing business in these countries (or with their citizens). For businesses, then, the current environment is one rife with uncertainty and concern. At an operational level, how can an organization (especially one that does business globally) make sure it’s in compliance with all these new laws?
The good news is that these regulations are more alike than they are different. Definitions of Personally Identifiable Information (PII), or "personal data" in GDPR's terms, are broadly similar, as are the elements that fall within regulatory scope. CCPA is largely an opt-out framework while GDPR defaults to opt-in, and the bar may be higher or lower from one jurisdiction to another. But the primary distinctions have to do with how and when incidents must be reported to the responsible governing bodies.
As such, there’s no need for organizations to focus too deeply on the minute differences from one regulation to the next. Rather than building consumer privacy programs for individual jurisdictions, it’s possible (and preferable) to develop holistic programs that address the overarching commonalities.
Begin with these questions:
An organization that is already doing enterprise cybersecurity risk management properly, including basic data management and identity and access management in alignment with a cybersecurity and privacy management framework like NIST CSF, NIST PMF, ISO 27001 or Nymity, is 90% of the way there. In practice, this encompasses:
Data Risk Governance: Understanding what kind of data you collect, how you use it, who you share it with, your privacy obligations and the privacy risks to individuals.
Data Classification: Establishing expectations and capabilities for users to identify data within your environment that’s relevant to privacy regulations.
Data Discovery: Using manual and technical means to discover where sensitive data lives within your environment and setting up structures for ongoing management.
Data Access: Determining who has access to the data (both structured and unstructured) and setting up the rules for ongoing monitoring and management of access.
Data Handling: Defining standards and rules for the storage, processing and transmission of privacy-related data, and enabling users to operate within those standards.
Data Protection: Planning, building and running an appropriate risk management and security program to protect sensitive information, and preparing for the possibility of an incident.
Since the regulations are broadly similar, organizations can generally prepare for them all at once, and a host of online checklist resources can help. For instance, Optiv's comprehensive GDPR checklist distills best-practice advice from multiple sources. A Google search for [ccpa checklist] returns thousands of results, including on-point guides from dozens of top analysts, and the same goes for Brazil's data privacy rules. A review of these resources reveals a number of commonalities, including maintaining data privacy notices; procedures for responding to data subject requests (requests for access to information and requests for erasure, the "right to be forgotten"); and policies and procedures for collecting and using children's and minors' personal data, security training and so on.
So when taking on this plethora of new privacy laws, relax: they all share similarities and there are checklist resources to help you get organized. Still have questions about developing and implementing a privacy management program in your organization? Contact us.