[BreachExchange] 8 Frequently Asked Questions on Organizations' Data Protection Programs

Destry Winant destry at riskbasedsecurity.com
Tue Sep 8 10:27:54 EDT 2020


https://www.darkreading.com/risk/8-frequently-asked-questions-on-organizations-data-protection-programs/a/d-id/1338803

Adherence to data protection regulations requires a multidisciplinary
approach that has the commitment of all employees. Expect to be asked
questions like these.

The global privacy landscape has shifted significantly in recent
years. Kicked off by the European Union's General Data Protection
Regulation (GDPR), jurisdictions around the world are establishing
their own regulations, such as the California Consumer Privacy Act
(CCPA) in the US, the Lei Geral de Proteção de Dados (LGPD) in Brazil,
and the Personal Data Protection Act (PDPA) in Thailand.
Simultaneously, organizations are taking data protection more
seriously, with Gartner research finding privacy budgets averaging
$1.7 million per year.

Adherence to data protection regulations requires a multidisciplinary
approach that has the support and commitment of all stakeholders,
including every employee. Here are some of the most frequently asked
questions about data protection facing security and privacy leaders.
Although some may seem simple at face value, it's important to provide
responses that reinforce privacy regulations across the entire
organization.

1. What is considered "personal data" and what does it mean to "process" it?
"Personal data" includes not only directly identifiable data, such as
names, addresses, and Social Security numbers, but also information
that can be linked together to identify an individual, such as a
salary slip that lists an employee record number as an identifier.

Any action on data may be considered processing. This includes
analyzing, copying, changing, pseudonymizing, transferring, and
storing it. The anonymization or destruction of data at the end of its
life is also a form of processing.

With a valid purpose and proper controls, almost any data can be
processed. However, specific types of personal data are considered
more sensitive, such as information on someone's health, sexual
preference, religious or political beliefs, and/or ethnicity. This
data should be treated very carefully, and processing should be
avoided when possible.

2. What are the "data controller" and the "data processor"?
The data controller is the organization that determines what personal
data is processed, for what purpose(s) and by what means. Part of the
processing activities may be outsourced, for example, via
infrastructure-as-a-service, software-as-a-service, or conventional
outsourcing. Third-party providers that manage data are referred to as
the "data processor." A data controller is accountable for the proper
processing of personal data by data processor(s) they employ.

3. Who in the organization is responsible for privacy?
Every employee who handles personal data is responsible for its
privacy. However, it's critical to place accountability where it
belongs — with business leadership. The organization should appoint
business process owners tasked with making risk-based decisions. Their
responsibilities will include conducting periodic privacy impact and
risk assessments, and determining whether the outcome is within the
organization's risk appetite.

Many leading organizations also have a dedicated privacy lead. The
privacy or data protection officer (DPO) position is established not
only for the protection of data but also to develop and implement the
organization's privacy policies and processes. Representing the
regulatory authority internally, the DPO assists organizations in
complying with their legal obligations and addressing principles such
as openness, fairness, and transparency.

4. What is a data protection impact assessment?
A data protection impact assessment is a tool used to identify and
reduce privacy risks in any given project or program. It is a "living
document" used to record the management of privacy risks at different
points in time in a project's or program's life cycle. It should be
conducted for every initiative that pertains to the processing of
personal data.

5. Are there limits to where we can store data and for how long?
Privacy and data protection laws vary by jurisdiction and may include
limitations as to where data can be transferred or stored. Personal
data can only be kept until the purpose for processing it is achieved
and the retention period set for it expires. Then it must be removed
either by anonymization or deletion. The retention period for personal
data may be prescribed by law or determined and justified by the
organization. Since the longer data is retained, the greater the
exposure when a breach occurs, retention periods should ideally be as
short as possible.
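The retention rule in this answer (keep a record only until its purpose is achieved and the retention period has expired, then anonymize or delete) can be enforced mechanically. The following Python is an added example, not code from the article or from any vendor it mentions; the retention schedule, the split between purposes that are anonymized and purposes that are deleted, the field names, and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Constructed retention schedule (days) per processing purpose. These numbers
# are assumptions for the example, not from the article; in practice the period
# is prescribed by law or determined and justified by the controller.
RETENTION_DAYS = {
    "newsletter": 30,
    "recruitment": 180,
    "payroll": 365 * 7,
}

# Assumed split: payroll records are anonymized (kept for statistics),
# everything else is deleted outright once retention expires.
ANONYMIZE_PURPOSES = frozenset({"payroll"})

# Fields that identify a person directly, or that can be linked to one
# (the article's salary-slip example: an employee record number).
IDENTIFYING_FIELDS = frozenset({"name", "email", "address", "ssn", "employee_no"})


@dataclass
class Record:
    record_id: str
    purpose: str
    collected_at: datetime
    purpose_completed_at: Optional[datetime]  # None while the purpose is still active
    fields: Dict[str, str]


def retention_expiry(rec: Record) -> Optional[datetime]:
    """The retention clock starts only once the purpose has been achieved."""
    if rec.purpose_completed_at is None:
        return None
    return rec.purpose_completed_at + timedelta(days=RETENTION_DAYS[rec.purpose])


def anonymize(rec: Record) -> Record:
    """Drop every identifying field and the record key; keep the rest."""
    kept = {k: v for k, v in rec.fields.items() if k not in IDENTIFYING_FIELDS}
    return Record("anonymized", rec.purpose, rec.collected_at, rec.purpose_completed_at, kept)


def enforce_retention(records: List[Record], now: datetime) -> Tuple[List[Record], List[Tuple[str, str]]]:
    """Apply the schedule: return the surviving records and an audit log of actions."""
    survivors: List[Record] = []
    log: List[Tuple[str, str]] = []
    for rec in records:
        expiry = retention_expiry(rec)
        if expiry is None or now < expiry:
            survivors.append(rec)
            log.append((rec.record_id, "retain"))
        elif rec.purpose in ANONYMIZE_PURPOSES:
            survivors.append(anonymize(rec))
            log.append((rec.record_id, "anonymize"))
        else:
            log.append((rec.record_id, "delete"))
    return survivors, log


def sample_records() -> List[Record]:
    """Constructed sample data for the example (not real records)."""
    utc = timezone.utc
    return [
        Record("r1", "newsletter", datetime(2020, 6, 1, tzinfo=utc), datetime(2020, 7, 1, tzinfo=utc),
               {"email": "a@example.com"}),
        Record("r2", "payroll", datetime(2010, 1, 1, tzinfo=utc), datetime(2010, 12, 31, tzinfo=utc),
               {"name": "A. Person", "employee_no": "E123", "gross_band": "3"}),
        Record("r3", "recruitment", datetime(2020, 7, 15, tzinfo=utc), datetime(2020, 8, 1, tzinfo=utc),
               {"name": "B. Person"}),
        Record("r4", "recruitment", datetime(2020, 9, 1, tzinfo=utc), None,
               {"name": "C. Person"}),
    ]


# Fixed "current time" so the example is reproducible.
EXAMPLE_NOW = datetime(2020, 9, 8, tzinfo=timezone.utc)


def run_example() -> Tuple[List[Record], List[Tuple[str, str]]]:
    """Run the sweep over the sample records at EXAMPLE_NOW."""
    return enforce_retention(sample_records(), EXAMPLE_NOW)


if __name__ == "__main__":
    kept, actions = run_example()
    for record_id, action in actions:
        print(record_id, action)
    print([r.fields for r in kept])
```

Two design points worth noting: the clock starts at purpose completion rather than at collection, so a record whose purpose is still active is never swept; and anonymization here removes the record key as well as the named fields, because the article's own example shows that an internal identifier is enough to re-link a record to a person. Whether any remaining indirect fields still allow linkage is exactly what the privacy assessment in question 4 has to decide.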

6. Should we update our privacy policy to account for regulatory changes?
Yes. However, there is a difference between a privacy policy and
privacy notice — and you should probably update both.

A privacy policy refers to the translation of the strategic
documentation into tactical and operational instructions for employees
on how to properly handle personal data. A privacy notice is the
public-facing documentation. It should be short and comprehensible,
and only revised after completion of a proper privacy assessment.

A good privacy notice should, at minimum, include:

- An introduction of the data controller
- An explanation of the personal data that is processed along with the
  associated purposes
- An explanation of the applicable retention periods and their duration
- A description of the data processors involved on behalf of the
  data controller
- An indication of who to contact with complaints or questions, or when
  a data subject wishes to exercise his or her rights

7. Our organization fell victim to a data breach. Will we be sanctioned?
Not necessarily. Organizations should assume a data breach will
happen, as failproof security does not exist. However, organizations
are responsible for applying sufficient measures to demonstrate proper
control over personal data.

A data breach should usually be communicated to the regulatory
authority and affected subjects. The subsequent investigation, or even
the lack of notification to a regulator, may reveal noncompliance that
could result in regulatory action.

Executive leaders should ensure their direct reports have a frequently
tested response playbook ready for handling data breaches.

8. Are there technology solutions to help us manage our privacy program?
A multitude of vendors have solutions for establishing, maturing, and
operationalizing a privacy management program. However, no one
solution is the golden ticket to solve all privacy problems. Executive
leaders should ask their direct reports to carry out exercises in
collaboration with the security and risk management team to determine
existing privacy capabilities within their organizations and identify
potential gaps. Build a road map based on this assessment to enhance
the organization's privacy posture and prioritize areas that would
benefit most from technology investment.
