Data privacy and protection is an often underappreciated aspect of information security, but in many ways it provides the foundational groundwork for a well-established security environment that offers both internal and external reassurance. The challenge for information security leaders is ensuring that their team has the right information about data privacy and protection and knows what to do with it.
We spoke to MISTI’s Director of Instructional Technology and Innovations, Shawna Flanders, about new developments in data privacy, protection, and policy, how your team and department may be affected, and the best ways to continue training and educating your team.
How an organization handles, protects, and shares data is becoming increasingly scrutinized as evidenced by the advent of the General Data Protection Regulation (GDPR), the major EU regulation that focuses on how companies handle their data.
To better understand what data privacy and protection is and how you and your team should be considering it, we’ll look at it from the perspective of an organization’s customers, regulatory bodies, and the internal organization itself.
“Everybody has certain inimitable rights to have privacy over their own data,” Flanders told InfoSec Insider.
Recent real-world developments have made the importance of how companies handle data privacy apparent. The scandals of Cambridge Analytica and other political fallout with Facebook highlight that users and customers do care what companies are doing with their data, whether or not that data is at risk.
For example, for users who log into a service, a data policy can show that passwords aren’t stored on a company’s server. For fintech companies that link to a user’s bank, their policy might show that no personal finance information is stored so that in the event of a data breach, users’ financial information is not compromised. These kinds of details are important for savvy consumers and especially important for B2B companies where data interactions are highly scrutinized by regulatory and legal bodies.
To cover it briefly, GDPR is a regulatory framework that requires companies to clearly define how data is used, secured, and shared, with an emphasis on communication to that company’s customers. It also requires companies to offer easily accessible channels that allow customers to ask for any data pertaining to them or to delete data that pertains to those customers.
Flanders also highlighted the regulation’s requirement to take an opt-in approach to customer communication. This means that companies must ask for and obtain permission from a person before they can contact them through marketing channels.
Companies also need to have a dedicated Data Protection Officer (DPO) in place who has their own set of defined responsibilities.
The GDPR affects companies who:
Arguably the most important detail in the GDPR is the hefty fine associated with non-compliance. A failure to comply with the regulation can result in a fine of 2-4 percent of a company’s yearly revenue, or €10 to €20 million, whichever is higher. (For a more detailed look at GDPR and how to set up your organization for compliance, check out our article on facing the GDPR or this one that covers a post-GDPR world.)
Such a strong push for transparency and user protection has led to the introduction of similar regulations in the US, specifically in California and NY. This has significantly expanded the scope of companies that need to comply with these regulations.
As further scrutiny and calls for regulation come into play, organizations should expect to further bolster their data protection and privacy policies.
You and your team should identify what data your organization is generating, collecting, storing, sharing, and using. It starts with establishing a data classification policy, a data dictionary, and a data governance policy. These policies sort your data into categories such as public, proprietary, sensitive, personal data, and more, which then lets you define how your company handles each kind of data and what it may do with it.
As Flanders explains, “[these policies] are written by the Chief Information Security Officer and Chief Privacy Officer, but not in a vacuum.”
An information security leader should reach out to other departments in the organization, such as compliance and legal, to establish the minimum required security needs for each kind of data. A few questions to start with are:
This is foundational work, and in order to have a comprehensive understanding of your company’s data you must have a well-defined asset inventory and asset management process, something we covered in a previous blog post.
It’s important for you and your team to understand that establishing these policies and complying with these regulatory requirements are not unnecessary hindrances; they often provide a customer-centric framework that can benefit your organization’s overall productivity.
“US marketing departments try to market to as many people as possible, either by buying lists or capturing information from people who reach their website,” says Flanders. “They don’t necessarily take the time to ask whether those people want to be contacted.”
With GDPR, any contact must opt-in before an organization continues to market to them. While a marketable audience will be smaller, it will be more engaged and primed for contact. If a marketing team can tailor their communication strategy accordingly, then there’s a higher likelihood of success.
Despite new regulations and new trends in the space, information security professionals can still rely on fundamental certification programs, educational courses, and webinars to maintain their own and their team’s knowledge and expertise when it comes to data privacy and overall information security.
Many available certifications provide a tactical, technical, and foundational framework that can be applied across organizations despite their differences. However, there are also industry-specific certifications that should be considered, especially in highly regulated industries.
These privacy-centered certifications are also important when considering the appointment of a Data Privacy Officer.
Flanders also mentioned that Six Sigma certifications are valuable because they provide a framework for working more effectively within your organization and department to put many of the policies and processes discussed here in place.
When it comes to your team and your department, these certifications are helpful, but ongoing education is necessary to keep your team up to date with best practices and any new regulatory considerations. This is true for data protection and privacy, but also for the broader information security world. Ongoing educational resources such as classes, events, conferences, training (onsite or off), and more should be a regular part of your and your team’s function.
As you and your team continue to develop your education in these areas, you’re not only protecting your organization from potential legal and compliance ramifications, you’re also ensuring the security of your organization and your organization’s customers.