
Privacy trends 2013
Regulations struggle to keep up
Regulators continue to face an uphill climb when it comes to protecting privacy.
An ongoing focus on specific privacy requirements rather than sweeping regulations has some organizations responding tactically rather than strategically, while others look for the loopholes. There is no doubt that regulators have increasingly complex questions to answer.
Rapid advances in technology have directly impacted our social norms. Privacy programs need to be able to bridge these gaps — faithfully adhering to regulatory requirements while practically addressing the challenges of their organizations and stakeholders.
To achieve this balance, privacy programs need to form an integral part of an organization’s decision-making process rather than a simple check-the-box compliance exercise that only seeks to meet minimum regulatory requirements.
Privacy matures from compliance to accountability
Our 2012 privacy trends report focused on the notion of accountability. Companies taking a more strategic view of privacy and regulators requiring proof of an organization’s privacy program are two signs that privacy is beginning to mature from a strictly compliance-driven exercise into a declaration of accountability.
As regulators around the world seek to bolster requirements for privacy program accountability, the differences among regulations continue to diminish. This is good news for organizations seeking to develop encompassing privacy programs that achieve accountability, governance and monitoring objectives.
This comprehensive approach addresses a wide range of compliance requirements, rather than focusing privacy efforts on specific, jurisdictional regulations.
Breach notification becomes a strategic imperative
In many jurisdictions around the world, breach notification regulations take a tactical approach instead of a strategic one, focusing primarily on complying with the notification requirements rather than the risks that brought about the breach.
As the pace of technological evolution accelerates, such a tactical approach increasingly leaves individuals vulnerable to aggressive organizations seeking to create competitive advantage, or criminal enterprises looking to profit from unauthorized access to personally identifiable information.
Many privacy regulators increasingly find that collaboration and discussion with organizations under their jurisdiction is proving effective. In the spirit of cooperation, leading organizations are already seeking to proactively prepare for issues before they arise.
For example, some organizations are developing incident management plans that anticipate what may go wrong, so if something does go wrong, they can react immediately. This includes having standing contracts with vendors that can provide call center, triage processing, communications and credit monitoring as soon as they are given a “go” signal.
In fact, many vendors providing breach response services allow companies to establish master service agreements (MSAs) on a fee-for-service basis so that companies only incur costs when the MSA is invoked. Organizations that do not have MSAs in place lose valuable time when an incident does occur.
Because MSAs are often sensitive in nature and have multiple requirements, there can be a lengthy legal review and negotiation process to ensure both parties are satisfied. Once the MSAs are in place, organizations need to review their effectiveness regularly, and particularly after a breach, to confirm that the scope is appropriate, that roles and responsibilities are clearly articulated and, most importantly, that red flags are being escalated from the front lines to the right people within the organization.
Privacy by Design (PbD) needs regulation to gain traction
It has been more than two years since privacy commissioners gathered at the 32nd International Conference of Data Protection and Privacy Commissioners in Jerusalem, Israel, to discuss and endorse the concept of PbD. In that time, regulators around the world have lauded PbD as a standard that all organizations should adopt.
Yet few regulators or government lawmakers have mandated its use through regulation or legislation, and few organizations have sought to adopt it of their own accord. For PbD to gain traction with organizations, it needs a regulatory mandate.
Until PbD becomes a regulated standard, organizations will continue to operate on the principles established during the early days of the internet. That is, to take advantage of the free online services an organization provides, consumers must be willing to give up some of their personally identifiable information and privacy.
However, as technology evolves, consumers are giving up more and more of their personally identifiable information, often without even knowing it. As such, it is increasingly incumbent on organizations to take greater care and responsibility for the data they are collecting.
Every organization that touches consumer data should be accountable for managing the privacy of that data. PbD would enforce that accountability.
