8 actions to help improve accountability
Can privacy really be protected anymore?
The pace at which new and emerging technologies are penetrating and disrupting every aspect of our lives is far outstripping the pace at which lawmakers can keep up.
As a result, regulators — and consumers — are looking to companies to assume accountability for privacy.
Today, there are eight actions companies can take to improve their accountability and become trend leaders:
- Develop KPIs for privacy
For privacy accountability to be successful, leadership and management need to be aligned in terms of both priorities and culture when it comes to managing privacy.
Organizational leaders need to understand that it’s no longer enough to know what they are tracking. They have to know why they are tracking it and which KPIs will enable them to develop a robust privacy program that zeros in on accountability, within and outside the organization.
Companies will want to consider adopting KPIs for privacy in the same way they do for any other performance-based program. These KPIs can be tied to the company’s existing GRC program.
Automating KPIs enables companies to gather and analyze accurate privacy data that they can then use to develop, implement, monitor and maintain robust privacy programs that comply with regulations and meet increasing consumer demands.
- Build privacy impact assessments into the system development life cycle
Privacy impact assessments (PIAs) analyze how personally identifiable information is collected, used, shared and maintained. They aid organizations in identifying and mitigating privacy risks within projects and across the entire enterprise.
PIAs are not new. But where they were once optional, today they are leading practice.
We see 2016 as the year that organizations build PIAs into their system development life cycle so that they are conducted consistently for every project, every time.
- Prepare a robust incident response plan — and prepare to respond
In EY’s GISS 2015, only 7% of 1,755 respondents claim to have incident response programs for cyber attacks that include third parties and law enforcement and are integrated with their broader threat and vulnerability management function, a percentage that remains unchanged from last year.
The next question becomes: of the 7% that have incident response programs in place for cyber attacks, how many have incorporated responses to privacy breaches as part of their program? EY recommends that risk assessments focus in particular on identifying and flagging any personally identifiable information.
Given that more than a third of EY’s GISS cybersecurity respondents say that it is unlikely they would be able to detect a sophisticated attack, there’s a good chance that one or more people reading this are currently experiencing a cyber breach and don’t even know it yet.
- Monitor for insider threats
Although a healthy minority will monitor their employees’ use of data, few organizations assess their employees’ adherence to data protection requirements through their performance evaluation process.
Instead, organizations rely on more traditional, administrative mechanisms, such as computer-based education, emails, posters and agreements. Many of these mechanisms focus on communicating expectations rather than emphasizing deterrence.
Understandably, organizations want to use monitoring tools to keep an eye on their data.
However, these tools can also end up monitoring an employee’s personal information. This is particularly evident in the case of bring your own device (BYOD), which is now ubiquitous across organizations.
Moving forward, rather than monitoring employees, which is a less than ideal option for all parties, organizations may want to consider some or all of the following options to better balance privacy and regulation with the need to monitor for insider threats:
- Guest network
As the workforce becomes increasingly mobile and technologies continue to evolve, finding the right balance between personal privacy and corporate security is more important than ever.
- Know the assurance options
Service providers are often asked to obtain an independent assessment of their privacy and data security practices.
In 2011, AICPA issued a new framework — Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy (SOC 2). SOC 2 reports enable service providers to be transparent and accountable to their clients.
Additionally, organizations that outsource can use the SOC 2 reports to be accountable to their shareholders and other stakeholders.
SOC 2 reports play a different role in giving consumers, commercial customers, shareholders and the market at large the confidence that an organization is meeting a comprehensive standard when protecting their data.
- Implement identity and access management for privacy
Identity and access management for security focuses on determining what level of detail a user needs, which is determined, in part, by role. Identity and access management for privacy needs to be tailored not by role but by the individual data elements, with privacy in mind.
Organizations can be smarter about how they handle privacy by providing users with the least-specific data based on a user’s need.
The benefits of this approach are twofold: fewer vulnerabilities related to insider threats; and greater rigor for organizational accountability.
Traditional privacy notifications and choice options have largely lost their meaning. Consumers blindly click the “Accept” button without reading or understanding their privacy rights, often because the notice is several pages long and written in legalese.
A better option for organizations and consumers alike is right-on-time notification. This would require consumers to consent to each interaction.
Additionally, for each of these interactions, organizations would have to explain what they plan on doing with a customer’s information and what options consumers have with regard to that use.
Organizations should work toward making consent far more detailed and relevant to the interaction, and explain the specific intended use of the data.
- Get consensus on an approach to de-identification
Loosely defined, de-identification involves the scrubbing of data until any hint of an individual’s identity is gone. The purpose is to make the data safe from a privacy perspective, but useful from a big data/data analytics standpoint.
As big data plays an increasingly important role in almost every decision a company makes, the debate over what data a company collects, stores, manages and protects will continue to escalate. It is in this context that the concept and the definition of de-identification grows increasingly critical.
Yet, the definition, particularly when it’s considered in a legal context, remains vague — which may explain why only a little more than a quarter (27%) of GISS privacy questionnaire respondents have a plan for de-identification.
In 2016, we expect to see progress by the global community in finding consensus in terms of what constitutes de-identification, and a framework to help organizations develop a plan to achieve it.
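The two technical ideas above, releasing the least-specific data a user's purpose needs (identity and access management for privacy) and scrubbing a data set before it is used for analytics (de-identification), can be shown in one small program. The example below is added here and is not EY's code or part of the GISS; the sample records, the purposes, the generalisation rules and the k-anonymity threshold are all constructed assumptions chosen for illustration.

```python
# Added example (not EY's code): purpose-based data minimisation plus a
# k-anonymity check over the de-identified view. Records, purposes and the
# generalisation rules are constructed assumptions for illustration.
from collections import Counter
from datetime import date

# Constructed sample records; the people and values are fictitious.
RECORDS = [
    {"name": "Ada Example", "dob": "1984-03-12", "postcode": "SW1A 1AA",
     "email": "ada@example.com", "diagnosis": "asthma"},
    {"name": "Ben Example", "dob": "1981-11-02", "postcode": "SW1A 2BB",
     "email": "ben@example.com", "diagnosis": "migraine"},
    {"name": "Cy Example", "dob": "1992-06-30", "postcode": "EC1A 1BB",
     "email": "cy@example.com", "diagnosis": "asthma"},
    {"name": "Di Example", "dob": "1995-01-15", "postcode": "EC1A 9XY",
     "email": "di@example.com", "diagnosis": "eczema"},
]

REFERENCE_DATE = date(2016, 1, 1)  # fixed so age bands are reproducible


def identity(value):
    """Release the field unchanged."""
    return value


def age_band(dob_iso, today=REFERENCE_DATE):
    """Generalise an ISO date of birth to a ten-year age band, e.g. '30-39'."""
    dob = date.fromisoformat(dob_iso)
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    low = age // 10 * 10
    return f"{low}-{low + 9}"


def postcode_area(postcode):
    """Keep only the outward part of a UK-style postcode, e.g. 'SW1A'."""
    return postcode.split()[0]


# Each purpose lists only the fields it needs and the least-specific form of
# each field that still serves that purpose. Unlisted fields are never released.
PURPOSES = {
    "billing": {"name": identity, "email": identity, "postcode": identity},
    "support": {"name": identity, "email": identity},
    "analytics": {"dob": age_band, "postcode": postcode_area, "diagnosis": identity},
}


def minimise(record, purpose):
    """Return the least-specific view of `record` that the stated purpose needs."""
    rules = PURPOSES.get(purpose)
    if rules is None:
        # Unknown purpose: deny rather than fall back to the raw record.
        raise PermissionError(f"no data release rule defined for purpose {purpose!r}")
    return {field: fn(record[field]) for field, fn in rules.items() if field in record}


def k_anonymity(rows, quasi_identifiers):
    """Smallest number of rows sharing one combination of quasi-identifier values."""
    groups = Counter(tuple(row.get(q) for q in quasi_identifiers) for row in rows)
    return min(groups.values()) if groups else 0


def release(records, purpose, quasi_identifiers=("dob", "postcode"), k=2):
    """Minimise every record, then refuse the release if the view is not k-anonymous."""
    view = [minimise(r, purpose) for r in records]
    achieved = k_anonymity(view, quasi_identifiers)
    if achieved < k:
        raise ValueError(f"release for {purpose!r} is only {achieved}-anonymous, need k={k}")
    return view


if __name__ == "__main__":
    for row in release(RECORDS, "analytics"):
        print(row)
```

`minimise` is the access-management half: a requester gets a view shaped by purpose rather than by role, and a purpose with no defined rule is denied instead of receiving the raw record. `release` is the de-identification half: it generalises dates of birth and postcodes and then measures the result, so an analytics extract whose quasi-identifiers would single out an individual is rejected before it leaves the system. The k-anonymity threshold is a policy choice; a real program would pick it during the PIA for the project.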