Compliance Management, Data Security, Privacy

Avoid these seven sins to stay out of data privacy hell

Today’s columnist, Chad Gross of A-LIGN, reflects on the progess the industy has made with data privacy since GDPR went into effect three years ago.

Data privacy management can feel like an eternal challenge that requires rolling a boulder up a hill only to see it roll back down again. Just when business processes are under control, a new data system, or regulation causes complications.  

Companies that want to stay out of this wash-rinse-repeat cycle, need to automate data privacy management. But how? Start by building a catalog of all data systems whether they are on-premises, multi-cloud, structured or unstructured. Ideally, work with a data asset catalog that’s API driven and automated and updated as new assets are deployed in the organization.

At every step, automation can help move the team along faster and more inexpensively for the business, but first, develop a plan. A PrivacyOps framework can help the organization comply with any regulation, but regardless of which framework the company selects, avoid these seven deadly sins:

  • Limited visibility into sensitive data.

Organizations need complete visibility into all sensitive data and where it gets stored to protect it and avoid privacy breaches, compliance risk, fines, and penalties. Data constantly changes and infrequent manual data mapping approaches with spreadsheets and emails are error-prone and time-consuming. Without a real-time understanding of sensitive data, admins are flying blind in light of security risks.

  • Inability to map data to its owners.

Data privacy laws like Europe’s General Data Protection Regulation (GDPR) give consumers the right to be forgotten and the right to request their information. Security teams will have a hard time responding to data subject access requests (DSARs) and may get fined by regulators if they don’t have a way to pull together personal data from all structured and unstructured data systems in a timely manner and map it back to its owner. For example, GDPR has a 72-hour window to comply with DSARs, and if organizations do not comply they are in violation of user rights. 

  • Processing data without user consent.

Enterprises must get explicit consent from users to process their data to comply with privacy laws. Furthermore, they need to tie consent to a purpose and users should have a choice to take back consent. To ensure the company complies with the regs, ensure that consent records are maintained for privacy audits. Collecting consent doesn’t just keep the regulators away, it also improves the company’s reputation with customers. 

  • Unable to honor consent.

In an omni-channel environment, users may provide and take back consent on a number of channels such as web, mobile, or an application. Regardless of where they give or withdraw consent, organizations should capture and honor that consent. If organizations are unable to honor consent, it frustrates users, erodes trust and leads to privacy violations.

  • Limited data protection.

In the two years since GDPR, the European Union has fined companies some $332.4 million for data privacy violations. Data protection has become a universal requirement in global privacy and security regulations. Along with data protection, encryption coupled with strong key management are powerful mechanisms to render sensitive data useless to attackers even if they could penetrate data systems. It’s important for organizations to ensure their most sensitive data has reliable protection mechanisms enabled at all times. 

  • Poor visibility into third-party or vendor security practices.

The U.K. Information Commissioner’s Office’s (ICO) fined British Airways, Marriott, and Ticketmaster last year under GDPR even though the companies said it was their third-party service providers that were at fault. Between vendors and partner companies, the team may share its customer data with far more third-party organizations than intended, and the company remains liable for how its vendors secure it—or not. In multi-cloud environments, it’s equally important to review and assess the current security posture of all vendors as well as all the data that’s shared with them to ensure they are implementing appropriate security measures to protect it.

  • Failing to implement privacy by design in agile software development.

While many organizations rely on manual Privacy Impact Assessments (PIAs) and Data Privacy Impact Assessments (DPIAs), these techniques do not scale in an agile, cloud-first environment. Insights gathered during PIAs/DPIAs are outdated the minute they are completed because as newer features are developed and deployed, it may require that sensitive and personal data gets analyzed, captured, and processed. Without automation, PIAs and DPIAs will constantly play catch-up in an agile software development model, exposing the organization to security risks.  

We acknowledge that adhering to privacy regs takes a lot of work. By developing an organized approach to data privacy, companies can then leverage automation to break data silos and synchronize structured and unstructured data into a single pane-of-glass, making it easier to discover, classify and protect sensitive data. 

Rehan Jalil, chief executive officer, Securiti

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.