Sagi Leizerov, Executive Director, Global Privacy Leader, EY, on the drivers of privacy management that CIOs can use to help the organization improve the level of privacy accountability
Data privacy and the need to protect it has been a concern for users and organizations since the inception of digitization. Robust data governance programs and systems can help users make privacy protection a reality, but they have a long way to go. In 2016, we are hoping to see substantial development in this area and, in this post, I will talk about a few action points that can help companies improve their accountability and privacy policies.
One of the biggest concerns for organizations and individuals alike is being unclear about where personal information is stored or what the processes are outside their main systems and servers. Furthermore, the lines of separation between financial reporting, cybercrime, national security and the use of personal information — that were once viewed as distinct – are thinning day by day. Organizations need to be mindful of the impact these overlaps have and how to address the associated privacy risks.
Drivers of privacy management
While addressing the privacy risks associated with digitization, there are three drivers that can help CIOs improve the level of privacy accountability as expected by all stakeholders. The first is governance — providing a robust structure of roles and responsibilities, which demonstrates accountability and interacts with other parts of the organization that process personal information.
The second is by meeting the rigors of verification, wherein auditors, especially external auditors, are not only serving as independent verifiers of financial reporting, but are increasingly verifying the design and effectiveness of privacy related controls in cybersecurity reporting (e.g., Reports on Controls at a Service Organization Relevant to Security, Availability, Confidentiality, Processing Integrity and Privacy, commonly referred to as SOC 2 reports).
And finally, organizations can enhance their level of privacy accountability by relying on trusted third-party service providers who have verified advanced cybersecurity programs to prevent sophisticated attacks. In today’s environment, where organizations are increasingly relying on third parties (e.g., cloud service providers) to process and protect their data, verified trust in third-party service providers will be the critical foundation upon which organizations build their businesses for a digital era.
Paving the way ahead
There are eight action plans created from these drivers of privacy management that CIOs and Chief Privacy Officers (CPOs) can use to help companies improve their accountability and become trend leaders:
- Develop KPIs for privacy – adopting KPIs helps to develop a robust privacy program that zeros in on accountability, within and outside the organization
- Build privacy impact assessments (PIAs) into the development system life cycle – to analyze personal information, as well as identifying and mitigating privacy risks within projects and across the enterprise
- Get ready to respond – develop a robust incident response plan that outlines the concrete steps needed to be taken during a cybersecurity and/or privacy related breach
- Monitor for insider threats – use techniques such as partitioning, guest networks or sandboxes to better balance the need to monitor for insider threats and respect privacy and regulatory requirements with the need to monitor for insider threats
- Know the reporting options– consider whether an independent assessment of the organizations privacy and data security practices using reports such as the SOC 2 report that can help with customer transparency
- Implement identity and access management for data – to reduce vulnerability related to insider threats and increase rigor for organizational accountability
- Consider right-on-time notice of privacy policy to consumers – make consent more detailed and relevant, explaining to the consumer the specific use that the organization has for the data and what options consumers have with regard to that use
- Define the organization’s approach to de-identification – use techniques like anonymization, pseudonymization and encryption for de-identification, which involves removing the individual’s identity from the data and making it safe from a privacy perspective, but also useful from a big data or data analytics standpoint
The digital future is very close, and organizations should not wait for governments to come out with laws that address the myriad privacy issues. With the CIO’s help, organisation privacy programs will see rapid growth and maturity in 2016.
If you would like to learn more please read our latest report Privacy Trends 2016 – Can privacy really be protected anymore?
