Privacy Programs as Foundational Security


Twenty years ago, the privacy world was much more straightforward. There were privacy concerns regarding technology, but the speed at which information was accessed was much slower and one-dimensional. We had firewalls on floppy disks, the threat and vulnerability landscape was manageable, and there were only a few technologies to evaluate when thinking about securing our data – and very few privacy-related regulations. Step forward to today and the world is vastly different.


Today’s Environment


Data is everywhere; technology permeates our lives, and the threats to and exposures of personal information seem infinite – perhaps overshadowed only by the number of technology vendors and security solutions we can consider. Nor can we ignore the expansion in regulations and standards focused on privacy. This last point is critical to understand. A good friend of mine often says that we have seen the pendulum swing from a focus on personal financial data (i.e., PCI) to a keen focus on personally identifiable information. The reason for this transition might not always seem clear, but if we think of individual personal data attributes as a raw material in designing solutions and services for consumers, the issues become much clearer.


In her book The Age of Surveillance Capitalism, Harvard Professor Shoshana Zuboff describes how “We are now able to impede on individuals’ decision rights through extraction of the human experience for profit and influence.” In 2012, data scientists manipulated the Facebook news feeds of several users in what has become known as the Facebook Contagion experiment. The data scientists were able to show that they could measurably influence a user’s mood and interaction with the Facebook platform based on the display of positive or negative content. More negative news feeds led to more negative status messages, and more positive news feeds led to more positive statuses.


The information that can be collected on individuals, combined with the power of social media, has enabled a brave new world of digital interactions with consumers. Marketers are now able to place specific ads, at precise times based on behavioral analytics, intended to maximize the probability that a subject will interact with the ad and make a purchase. This is both pretty cool and insidious.


It is this abundance of data, which can be collected from unaware consumers and misused, that led to the introduction of the European Union General Data Protection Regulation (GDPR), which has become the template from which many other privacy regulations globally are being drafted. These new privacy regulations are forcing organizations to enact transparency in how they collect and use personally identifiable information (PII) where there was none before. Unfortunately, we find that many organizations do not have a good idea of where their data is, or any visibility into what is being collected, who has access to it, and where and how it has been used.


Building Sustainable Programs


We are at a point where attempting to tactically address individual privacy regulations and requirements one at a time is no longer sustainable. By building the right framework to guide our privacy programs and utilizing thoughtful technology deployments, we can establish a sustainable privacy program that can be applied to new privacy regulations with minimal change.


When thinking about how to build a program, we have to understand that privacy affects multiple parts of an organization, and one team cannot do it all. This is a business challenge that requires teamwork and collaboration across many functions, such as risk management, cybersecurity, IT, legal and other key stakeholders, to enable a program that can address these challenges. A well-structured privacy program will help us:


  1. Maintain an understanding of what data we hold that is relevant to the various privacy regulations, and catalog where that data is stored and who has access to it
  2. Extend the cybersecurity program to ensure the right controls are in place to protect that data



Additionally, risk management and internal audits will support our ability to show due diligence in how we collect and handle the data.


It is the privacy program, and the partnerships it builds across the organization, that enables us to articulate the real risks we need to mitigate and to prioritize the control capabilities that address them.


If these challenges sound familiar, let Optiv help you maximize the value of your privacy program. Download our Privacy and Governance service brief to learn more.