[BreachExchange] The 10 steps to achieving a data privacy compliance framework

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 24 18:43:08 EDT 2018


https://www.lexology.com/library/detail.aspx?g=4ff0c436-2438-4b0d-b6f2-f617665049e8

The need for protection of data is becoming increasingly apparent after
several high-profile incidents involving leaks of company and consumer
data. The results of such data breaches usually include two types of
damage: first to a company’s reputation, as the public bemoans the
violation of their trust, and then financially from the fallout. The
implications can be that companies are forced to pay for credit-monitoring
services, make pay-outs for lawsuits or settlements, or even pay ransoms
for hijacked data.

Even if companies have an ‘it-can’t-happen-here’ approach to data breaches,
legislation will soon force them to take a closer look at their approach.
The General Data Protection Regulation (GDPR) is coming into force in
Europe in 2018 with potential fines of 4 percent of global revenue.

When dealing with complex topics like data privacy, it is very easy to get
lost in the details of specific requirements or to have management shift
the focus to the hottest topic of the moment. It is better to not react to
the most recent scandal or legislation and instead look at the overarching
process of data-privacy controls at the technological, compliance and
management levels.

To help those tasked with managing compliance obligations and risks,
companies need to be able to plan and prioritise over a wide range of
issues and have those priorities understood and acted upon by the business.

The 10 steps to take to structure and manage your data-privacy programme

1. Choose a framework

It is important to agree to a framework to document obligations and review
their relative importance. There should also be a method of managing the
overarching programme to deal with each of the obligations according to
their priority. The system of controls and processes can become very
complex and intricate, and companies need to build their systems on a firm
footing. There is rarely the need to reinvent the wheel when it comes to
data-privacy controls, as there are internationally recognised standards to
assist in building and organising.

The International Organization for Standardization publishes a standard,
ISO19600, aimed at general support for compliance programmes (rather than
any one specific risk). The idea behind ISO19600 is that it provides broad
guidance, based on internationally agreed best practice, rather than a
requirements standard against which it is possible to be certified. Its use can
differ depending on the size and level of maturity of an organisation and
on the context, nature and complexity of the activities carried out.

2. Understand your obligations

One of the most common mistakes when building a data-privacy programme is
to jump into the technical requirements of a law or code without fully
considering what is most important to the business.

The first step should always be to understand the business necessity to
comply. This involves a careful analysis of what your obligations are, what
the risk of breaching those obligations might be and what risks your
company is willing to take — essentially conducting a gap analysis of your
legal, regulatory and reputational obligations and how your current efforts
stack up.

The obligations of data privacy for companies operating or based in Europe
may come from the European Union’s GDPR, but most countries have some form
of data-privacy legislation that also needs to be considered. Many
industries have their own codes of conduct which provide more specific
guidance about how to treat data and are often more stringent. There may
also be contractual obligations. Finally, there are also expectations of a
company’s employees about how you will treat their private personal data —
whether realistic or not.

3. Understand your risks

Once the obligations have been understood, you need to consider the chances
that a violation will occur. This involves analysis of many factors, such
as the type of data (employee or customer), how sensitive the data is, what
people have access to that data (both within your company and externally),
what your security processes are, and how you have managed breaches in the
past. This understanding will help provide clear guidance on the risks and
potential impact of breaches, and it will allow for a discussion about what
level of risk your business is willing to accept.

Technological and physical security assessments play an important role in
this risk assessment, and should cover both external access and internal
users. A breach does not have to be from hacking — inadvertent access or
alterations are far more common. Understanding social engineering, or using
the powers of persuasion and fraud to gain access to systems, is crucial to
guarding against data breaches. Technological controls can make it very
difficult to access data, but tricking an employee into sharing data can
thwart even the most stalwart encryption and data-security barriers.

4. Document your policies

Once the obligations and risks are understood, it is vital to document
exactly what your policies are to manage the risk. Not all risks are
managed in the same manner or to the same extent. A policy document needs
to provide more than a high-level statement that you take privacy seriously
— it needs to set out the appropriate guidance in key areas, such as
consent, access and breach management. Policies for data protection and
privacy may overlap with other business policies, such as security
standards, records retention policies and the management of confidential or
internal intellectual property.

5. Get buy-in

Senior management needs to agree with and sign off on your analysis as set
out in the policies. This is a key step in gaining resources for
remediation efforts, such as training, technology, or personnel, or to
acknowledge leadership’s comfort level with the risks.

There is also the important topic of setting the tone from the top — the
way leaders speak about privacy, their support of the programme, the
resources that they provide (both financial and human) and the incentives
they offer to encourage proper treatment of private information.

6. Assign responsibility

Data-privacy programmes fail when there is no clear ownership of the risk.
The topic often falls between legal, IT, HR and compliance to manage, as it
requires various skills to succeed. Each business will structure the
ownership differently, but it is vital that it is clearly understood and
that the owner has the necessary resources and influence to achieve the
agreed outcomes. It is also important that across the business, everyone is
aware of their responsibilities relating to privacy.

7. Provide training and communications

Training and communication can take many forms, including classroom
sessions, electronic learning, posters and intranet articles, but all these
should aim to ensure that all employees are competent to fulfil their job
role in a manner that is consistent with the organisation’s compliance
culture and policies.

The training programme should be focused on the risks related to the roles
and responsibilities of the employees and the known gaps in their knowledge
and competence. For most staff members, this will involve an understanding
of the data that they will have access to and how a breach may occur.

Training should be provided on a regular basis, and it ought to be
performed again whenever there are significant changes to positions,
structures, risks or obligations, or when actual issues arise.

8. Deploy the programme

Once deployed, the programme should focus on specific day-to-day tasks that
could pose a risk. These include:

- Impact assessments: Privacy-impact assessments are key tools in
understanding the risks related to any significant change in the business,
whether a restructuring, a new product or the use of new partners. When
performed at an early stage, they are useful in quantifying the risks of
the project, and they also help build in privacy as a key part of the
design.
- Interactions with people: One of the primary purposes of data-privacy
legislation is to provide rights to the individuals whose data you hold.
Under the GDPR, these rights include access to their data and requiring a
statement of consent for the processing of data or the eradication of data.
Some of these rights can place a significant burden on companies if they
have not planned and built processes for them.
- Third-party transfers: Whenever data is moved outside an entity, the risk
of a breach increases. Management of these transfers is vital; it requires
an awareness that a transfer is taking place, a review of the transfer
method, an understanding of the recipient’s privacy practices and those of
the jurisdiction, and potentially the consent of the individuals involved.
- Breach management: In many jurisdictions, legislation places an
obligation on companies to notify regulators or individuals of a breach
within a certain time period. It is therefore important to have processes
in place to manage the investigation, containment and reporting
requirements and the institution of remediation actions after the event.

For all these operational requirements, it is advisable to look at systems
and tools (whether built in-house or brought in) to support the processes
in the most efficient manner and to ensure that key activities are
documented.

9. Monitoring progress

To ensure that the programme is progressing as planned, there should be a
monitoring plan that sets out:

- What needs to be monitored and measured and why
- The methods for monitoring, measuring, analysing and evaluating
- When the monitoring and measuring should be performed
- When the results from monitoring and measurement should be analysed,
evaluated and reported.

The feedback about the performance can come from employees, customers,
suppliers, regulators, external security sources (especially for threat
assessments) or analysis of the performance of the various systems in
place. It can arrive via many routes, such as hotlines, informal
discussions, workshops, sampling and integrity testing, perception surveys,
formal interviews, inspections and audits.

Audits should be conducted at planned intervals to ensure that the
programme is effectively implemented and maintained. Part of the planning
should include decisions about the scope, criteria, frequency, methods,
responsibilities and reporting. The auditors should have appropriate
competence and be selected to ensure objectivity and impartiality. Audits
could be carried out either internally at various business unit locations
or externally at third-party operations.

Once the information has been collected, it needs to be analysed and
assessed to identify root causes for appropriate action to be taken. The
analysis should consider systemic and recurring problems for rectification,
as these are likely to carry more significant risks for the organisation.
To support the analysis, measures should be developed which focus on the
management of the specific risks. Examples for a privacy programme might
include the percentage of employees trained effectively, the number of
breaches and near misses, the number of transfers or impact assessments
completed (versus expectation), the time to investigate and report
breaches, and the time to respond to individual access requests.

Once the analysis is completed, reporting arrangements should ensure that
timelines for regular reporting are established. This reporting plan should
include a system for standard reports, where no issues have been found, as
well as exception reporting for issues. Reports may include matters in
which the organisation is required to notify the regulatory authority,
changes in external threats, incidents that have occurred, and the
subsequent analysis and corrective action undertaken.

10. Review

The overall aim of the compliance framework is to ensure that the
programmes are well managed and have continual improvement built into their
design. It is also important to perform a more formal review on a regular
basis to ensure that the programme is adjusted to meet any changes in
legislation or the business. This review will feed into process changes so
that processes are not changed too often and the impact of changes can be
tracked and assessed.

Conclusion

Managing the risks of data privacy is a significant undertaking for any
organisation, and it is only going to get more complex, given the growing
focus from regulators and the increasing amounts of data concerning
individuals that businesses hold.

It is a risk area that requires such a diverse set of skills to manage —
including technical, security, legal and compliance — that external support
will often be required. Having a framework in place to manage the
continuous nature of the programme is essential.