Understanding data privacy: A compliance strategy can mitigate cyber threats
Data privacy compliance in the legal world requires more than just following government regulations.
Organizations must develop solid data security policies and practices to help prevent serious incidents including data security breaches involving customers and employees. Having robust data privacy policies and practices also helps avoid potential lawsuits and regulatory investigations involving data security. It also provides significant reputational benefits if an organization can avoid data security incidents.
In today's increasingly hostile threat environment, your legal team must know your obligations to protect customer and employee personal data. You must understand the risk of breaching those obligations and the security measures needed to remedy any deficiencies.
Challenges of privacy compliance in today's legal arena
In the U.S. alone, there were 1139 total data breaches with 174,402,528 records exposed in 2017 according to the Identity Theft Resource Center. The total costs to a company are staggering when potential regulatory fines are added to the dollar losses caused by a breach.
Companies handling data outside of the US must also protect against international data breaches. A Ponemon Institute report finds that 42% of U.S. corporations have not taken steps to prepare themselves for an international data breach.
Deciphering the gamut of US and international privacy laws can be bewildering, especially because privacy laws often cover different data sets. For example, the Health Insurance Portability and Accountability Act (HIPAA) protects US health data, while the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) (effective May 25, 2018) broadly protects the processing of personal data of EU individuals.
Many U.S. legal and compliance departments are not familiar with the intricacies of data privacy laws or how to comply with them. Moreover, as laws become more numerous and expansive, the risk of penalties for non-compliance increases dramatically.
An international effort
Europe has taken the lead in data protection and privacy. The overarching GDPR imposes stiff fines on companies for non-compliance, such as unlawful processing and disclosure of personal data. Australia's Privacy Act, Argentina's Personal Data Protection Law, and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) are further examples of comprehensive national data protection laws. In the United States, a patchwork of privacy laws exists at the federal and state level, based on industry and types of data.
Legal and compliance departments must determine which laws and regulations apply at the state, national, and international level. Where do you begin?
Set up a systematic compliance effort for your organization or firm
A good framework that guarantees data privacy for your clients and employees will have these components:
Having an Overall Compliance Strategy
Many organizations do not have a comprehensive, integrated, measurable, and centralized strategy for achieving data privacy compliance. This is achieved by having a high-level set of principles and documentation defining measures the organization will take with respect to personal data (as defined by applicable laws). All key stakeholders and areas in the organization must be represented.
Having Compliance Subject Matter Experts (SMEs)
No one can be an expert in the myriad regulations requiring compliance. Assigning and training SMEs to be experts in a specific regulation such as HIPAA or GDPR is one option. This strategy ensures a single source of expertise to develop legally compliant policies and practices. Dedicated SMEs can be the drivers of all compliance documentation in your area.
Inventorying and Assessing Personally Identifiable Information (PII), or Sensitive Personal Information (SPI)
Personal data must be identified and tagged when it is collected, and companies must provide a method to track it. This will help you locate and appropriately protect personal data in accordance with legal and recommended standards.
Establishing Data Protection Policies and Procedures
A privacy compliant organization provides solid administrative, technical, and physical security safeguards to ensure confidentiality, integrity, and availability of data. This includes the effective ability to detect and prevent unauthorized or inappropriate access to data. Information security must constantly be assessed, monitored, and updated to meet new threats. Data sharing must also have a strict set of controls and policies.
Developing a Response Strategy and Plan
No system is perfect despite full adherence to compliance policies. Cyberattacks and data breaches continue to outsmart some of the best systems. The impact of an intrusion can be mitigated through an effective data breach response plan and escalation process. Employees responsible for breach response should be trained on these plans and the use of escalation channels. The corrective actions in the response plan must be implemented and documented as proactive preventive measures against a repeat incident.
Keeping Proper Compliance Documentation
Compliance plans and processes should be properly documented. A variety of content management systems are available such as Microsoft SharePoint, OneDrive for Business, and others to house and track all documents, reports, and records. An employee dedicated to managing document security and compliance is ideal.
Guaranteeing Proof of Compliance
It is not enough just to know you are data privacy compliant. You must be ready to demonstrate your conformance in response to external or internal inquiries. Compliance should be clearly verifiable and readily accessible through reports and documentation. Your organization should have a process for reporting non-compliance as well as a clearly defined escalation path. Continual adherence to confidentiality principles should be verified through appropriate monitoring, auditing, and use of controls.
Fast forward data privacy compliance concerns
Whole new dimensions of the technology and business landscape are emerging that will compound the issues involved in protecting personal data. Big data and its huge datasets will pose problems for controls and management. International data transfers have increased exponentially and will require new security measures in networks and Internet infrastructure. On the legal and regulatory horizon, tighter consent requirements are emerging. Individuals will have increased control over what personal data is used and how. Many U.S. companies still need to understand how the GDPR applies to them and what new technologies they need in order to be compliant.
Protections and challenges revolving around the use of private information will only increase in 2018 and beyond. By thoroughly understanding the legal landscape affecting personal data, and adopting a comprehensive compliance system to conform with it, your legal team can know it is fully meeting its data privacy obligations.