By: Muhammad Tariq Ahmed Khan
July 29, 2021
Data Privacy Good Privacy Governance and Controls
There is a widespread misconception about privacy. People tend to share seemingly related or unrelated personal information online, such as birthdays, addresses, contact details, marriage, and holiday plans, on social media. People are also inclined to share pictures of favorite foods, people, localities, and workplaces, and to voice opinions on sensitive issues (religious, national, political, etc.) across different social media platforms. At the same time, new and exciting technologies are emerging almost daily, and people share their information while playing games online, visiting virtual worlds, and shopping online.
Similarly, organizations collect and store relevant personal information for business purposes. Consequently, privacy risk grows with every share. The shared data, individually or in combination, can be used for malicious activities.
Before moving ahead, let's have a clear understanding of "Privacy" and related terminology.
What is Privacy?
Privacy is individuals' or groups' ability to seclude themselves or information about themselves and thereby express themselves selectively. (Source: Wikipedia) In other words, privacy is an individual's fundamental right to control the collection, usage, and dissemination of personally identifiable information.
Personally Identifiable Information (PII) is information that directly or indirectly identifies an individual, for instance: name, address, date and place of birth, National Identity Number, and biometrics (e.g., photo, fingerprint, iris, etc.).
What is Data Privacy?
"Data Privacy," also called "Information Privacy," is the aspect of information security that deals with an organization's ability to handle PII appropriately, and with an individual's right to determine what kind of data can be collected or stored in a computer system and shared with third parties.
Difference between Data Privacy and Data Security?
People and organizations are sometimes confused by the differences between Data Privacy and Data Security. Both of them pertain to PII but are distinct concepts. Data Privacy is about the control (related to usage and governance) over PII, such as policies and procedures being established to ensure that PII is collected, stored, used, and shared appropriately. Data Security ensures that technical controls (related to confidentiality, integrity, and availability) are implemented to protect PII from malicious cyber-attacks. In other words: Data Security is a technical aspect of PII, whereas Data Privacy is a legal aspect. In layman's terms, privacy is the fundamental right to be left alone without any intervention.
One of the biggest challenges organizations face is managing privacy risks. Since privacy awareness has increased over time, people are becoming more concerned about how organizations handle their personal information.
Moreover, with the introduction of privacy regulations and associated penalties, it has become mandatory for organizations to take the necessary steps to establish and implement a strong privacy risk management framework. An inadequate or missing risk management framework may expose the organization to numerous risks, such as:
- Possible damage to the organization's public image and reputation
- Potential financial or operational losses
- Regulatory sanctions, penalties, and fines
- Loss of customers' trust and failure to attract customers
- Damaged business relationships
Recommended Good Privacy Governance and Controls
Digital records of PII demand unique forms of protection at each part of their lifecycle. It is paramount for an organization to implement an effective privacy program that includes the following good privacy governance and controls to address the above privacy risks:
1. Have a formal corporate governance structure to determine the level of privacy risk appetite acceptable to senior management.
2. Have a privacy framework containing policies and procedures for personal information privacy that address data classification, record management, retention, and destruction.
3. Develop a Privacy Risk Management Framework to identify, analyze, evaluate, and treat privacy risks.
4. Define the roles, responsibilities, and accountability related to the privacy program throughout its life cycle.
Data Collection
5. Document the business purposes for collecting personal information, to ensure that PII which is not required is not collected or retained.
6. Identify what kind of PII the organization is required to collect, who will collect it, how it will be collected, and who will define what is personal or private.
Permissions
7. Know where all personal information is stored and who has access to it.
8. Implement a technical solution that sets different permission levels for employees based on the PII they need to access, such as Public, Private, and Restricted Access.
Data Confidentiality Assurance
9. Ensure PII is encrypted at rest and in motion throughout its life cycle. PII should be encrypted at various levels: databases, networks, system platforms, application layers, and business process/functional levels.
10. Define the rules for disclosing PII to relevant third parties, and ensure it is not disclosed to unauthorized entities (people and systems).
Data Governance & Education
11. Define an awareness program that provides employees with privacy awareness training and guidance on their specific responsibilities in handling privacy requirements, issues, and concerns. Employees who have access to or handle personal information must have undergone the required training.
12. Ensure that skilled resources are available to develop, implement, and maintain an effective privacy program.
Privacy Compliance Monitoring Framework
13. Establish a compliance monitoring framework to periodically verify the level of compliance, ensuring that privacy policies and procedures are followed and are detailed enough to meet current and new requirements.
14. Assess the privacy laws and regulations that apply to the organization now or may apply in the future.
Privacy Incident Response Plan
15. Develop a privacy incident response plan for breaches or attempted breaches of personal information, and report such breaches to authorized individuals, regulators, and anyone affected by a data breach. This includes breaches that occur on the part of third parties.
Data-Flow Map
16. Establish a data-flow map covering what kind of information is transferred from one location to another, such as between departments, between individuals, to and from third parties, and across geographical borders.
Privacy Technical Solutions
17. Any software, system, or technology to be used for privacy should be fully evaluated and secured before deployment.
18. Consider deploying hyper-automation to automatically redact PII from both static files and audio/video recordings.
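As an added illustration of controls 8 (permission levels such as Public, Private, and Restricted) and 18 (automatic redaction of PII from static text), here is a Python sketch that is not part of the article: each field of a customer record carries a classification, each job role has a clearance, and any string a role is allowed to read is scanned for PII above that role's clearance and redacted before it is returned. The field classifications, role clearances, regular expressions, the 5-7-1 national ID format, and the sample record are all constructed assumptions for the example, not values from the article or any real system.

```python
from __future__ import annotations
import re

# Classification levels, lowest to highest (assumed ordering for the example).
LEVELS = {"Public": 0, "Private": 1, "Restricted": 2}

# Hypothetical classification of each field in a customer record. "notes" is
# free text classified Public, but staff may paste PII into it, so it is scanned.
FIELD_CLASSIFICATION = {
    "customer_id": "Public",
    "name": "Private",
    "email": "Private",
    "phone": "Private",
    "national_id": "Restricted",
    "notes": "Public",
}

# Hypothetical mapping of job roles to the highest level they may read.
ROLE_CLEARANCE = {
    "marketing": "Public",
    "support": "Private",
    "compliance": "Restricted",
}

# Constructed, deliberately simple PII patterns with the classification of each
# kind. The most specific pattern (national ID) runs first so that the looser
# phone pattern cannot claim its digits.
PII_PATTERNS = {
    "national_id": (re.compile(r"\b\d{5}-\d{7}-\d\b"), "Restricted"),  # assumed 5-7-1 format
    "email": (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "Private"),
    "phone": (re.compile(r"\+?\d[\d\s-]{7,}\d"), "Private"),
}


def redact_text(text: str, clearance: int) -> tuple[str, dict[str, int]]:
    """Replace every PII match classified above `clearance` with a tagged
    placeholder. Returns the redacted text and a per-kind count of redactions,
    which is what a monitoring job would log (the counts, never the values)."""
    counts: dict[str, int] = {}
    for kind, (pattern, level) in PII_PATTERNS.items():
        if LEVELS[level] <= clearance:
            continue  # this role is cleared to see this kind of PII
        text, n = pattern.subn(f"[REDACTED-{kind.upper()}]", text)
        if n:
            counts[kind] = n
    return text, counts


def view_record(record: dict[str, str], role: str) -> dict[str, str]:
    """Return the subset of `record` that `role` may read. Fields above the
    role's clearance are dropped; unknown fields default to Restricted; every
    string that is returned is scanned for leaked PII above the clearance."""
    clearance = LEVELS[ROLE_CLEARANCE[role]]
    visible: dict[str, str] = {}
    for field, value in record.items():
        level = LEVELS[FIELD_CLASSIFICATION.get(field, "Restricted")]
        if level > clearance:
            continue
        value, _ = redact_text(value, clearance)
        visible[field] = value
    return visible


# Constructed sample record; none of these values belong to a real person.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "name": "Example Person",
    "email": "person@example.com",
    "phone": "+1 555-0100",
    "national_id": "12345-1234567-1",
    "notes": "Called from +1 555-0100; ID 12345-1234567-1 verified; follow up at person@example.com",
}

if __name__ == "__main__":
    for role in ROLE_CLEARANCE:
        print(role, "->", view_record(SAMPLE_RECORD, role))
```

Two design points are worth noting. Redaction is driven by the same classification table as field access, so adding a new PII kind means one entry rather than a parallel rule set, and the scan runs on every string returned, not only on the "notes" field, which catches PII that has been pasted into a field of a lower classification. Real deployments would replace the toy regular expressions with a maintained PII detection library and would key the role table to the identity provider rather than hard-coding it.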
Key Benefits of Good Privacy Governance and Controls
Some key benefits of good privacy governance and controls are:
- Protecting the organization's image and reputation.
- Protecting valuable data of the organization and its customers, employees, and business partners.
- Achieving a competitive advantage in the marketplace.
- Complying with privacy laws and regulations and avoiding regulatory penalties.
- Enhancing an organization's credibility and promoting confidence.
Protecting privacy cannot be separated from technological development, and these days organizations are inclined to invest in security technology to help reduce the risk of privacy exposure. However, no technology will prevent or eliminate the risk of every data privacy breach. Organizations should therefore fully understand the nature of the risk and take a layered approach to security: take the time to understand what PII they hold, and re-evaluate how that data is managed and protected.
This article does not cover data privacy regarding the collection, usage, storage, and dissemination of PII in physical form.