Each year, Data Privacy Day is an opportunity for organizations of all sizes to think about their privacy posture.
Over the years, consumer and corporate awareness of data privacy has grown and with each high-profile hack, data breach, or new regulation, the importance becomes clearer. The recent high-profile SolarWinds hack catapulted data security back into national mainstream headlines, and many organizations are paying even closer attention to key privacy regulations, such as the California Consumer Privacy Act (CCPA), the European Union (EU)’s General Data Protection Regulation (GDPR), and others.
Of course, one of the challenges with privacy in the U.S. is that there is no uniform privacy regulation across federal and state lines with which companies can comply. Instead, there are disparate federal and state regulations that must be identified and addressed individually. Forward-thinking states like California have passed the CCPA (and now the California Privacy Rights Act (CPRA), which is being phased in over the next couple of years), and frameworks such as SOC 2 and ISO 27701 offer provisions around data privacy, but the federal government has not issued any sweeping rules of the kind the EU did with its GDPR.
However, we at A-LIGN believe further U.S. regulation around data privacy is a matter of when—not if. In addition, there are new privacy measures on the horizon overseas, such as the pending ePrivacy regulation in the EU. Organizations in the U.S. and overseas need to be planning ahead around data privacy.
We encourage leaders to make privacy part of their organization’s compliance programs by leveraging the frameworks built into SOC 2, ISO 27701, and HITRUST. Privacy is more than just a policy statement—it’s a comprehensive program that ensures an organization’s employee, client, and other stakeholder data is protected. In this post, we discuss four core areas of data privacy management that companies of all sizes can tackle.
Map Your Data
Organizations can only manage what they are aware of. They receive data, process it, and ultimately use it in many different ways depending on their industry, business model, size, and many other factors. However, all organizations can benefit from completing a data mapping exercise.
A data mapping document can assist with the GDPR's requirement (Article 30) to maintain a record of processing activities, as well as with the requirements of other privacy frameworks and regulations. It can also help organizations respond to data subject access requests (DSARs) if and when they are received, because it tells you where a given subject's data actually lives.
Importantly, a data-mapping exercise helps companies understand what kinds of data they work with, who else touches their data, the different possible exposures they face, and other risk management factors. While there is no one-size-fits-all approach, the goal of this exercise is to understand key elements, such as:
- How data flows into the company’s environments
- Where the data is stored
- How the data is used or processed
- What kind of information is flowing in (e.g., financial information, protected health information [PHI], personally identifiable information [PII])
A data-mapping exercise involves not just your organization, but anyone you work with who also touches the data. That includes vendors and partners, some of which may be well-known tech companies and tools such as Google, AWS, etc., while others may be smaller scale vendors. (We’ll cover this in more depth below.)
PRIVACY ACTION PLAN: Perform a data mapping assessment
Evaluate Your Cookie Usage
Cookies and consent have been a topic of discussion ever since the GDPR passed. If someone located in the EU visits your website and information is collected, then your organization may be required to comply with the GDPR, and under the EU's existing ePrivacy rules non-essential cookies (analytics, advertising, tracking) may only be set after the visitor opts in; strictly necessary cookies, such as a session identifier, are exempt. Many companies have added granular descriptions to their websites, asking consumers to opt in to the various types of tracking tools before perusing the site. Further legislation is likely to come down the pike, such as the aforementioned ePrivacy Regulation in the EU.
PRIVACY ACTION PLAN: Document how you use cookie data, even if you aren’t in the EU
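Documenting cookie usage starts with an inventory of what your site actually sets. The script below is an added example, not code from A-LIGN or from the original post: it classifies Set-Cookie header values captured from site responses (first- vs third-party, session vs persistent, consent required or not) and, going a step beyond the consent question, flags weak Secure/SameSite attributes. The host names, the cookie names in the strictly-necessary allowlist, and the sample responses are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Cookies the site cannot function without; everything else is "non-essential"
# and needs prior opt-in consent under the EU ePrivacy rules. Assumed list.
STRICTLY_NECESSARY = {"session_id", "csrf_token"}


@dataclass
class CookieRecord:
    name: str
    domain: str
    persistent: bool     # has Max-Age or Expires, so it survives browser close
    third_party: bool    # cookie domain is unrelated to the audited site
    needs_consent: bool  # not strictly necessary -> consent before setting
    issues: List[str] = field(default_factory=list)


def _is_third_party(cookie_domain: str, site_host: str) -> bool:
    # First-party if the cookie domain is the audited host or a parent/child
    # of it; anything else is treated as a third-party cookie.
    return not (cookie_domain == site_host
                or site_host.endswith("." + cookie_domain)
                or cookie_domain.endswith("." + site_host))


def parse_set_cookie(header: str, response_host: str, site_host: str) -> CookieRecord:
    """Classify one Set-Cookie header value sent by response_host."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()

    # Without a Domain attribute the cookie is scoped to the responding host.
    domain = attrs.get("domain", response_host).lstrip(".").lower()
    persistent = "max-age" in attrs or "expires" in attrs
    third_party = _is_third_party(domain, site_host.lower())
    same_site = attrs.get("samesite", "").lower()

    issues = []
    if "secure" not in attrs:
        issues.append("missing Secure")
    if not same_site:
        issues.append("no SameSite attribute")
    elif same_site == "none" and "secure" not in attrs:
        issues.append("SameSite=None without Secure (browsers reject it)")

    return CookieRecord(name=name, domain=domain, persistent=persistent,
                        third_party=third_party,
                        needs_consent=name not in STRICTLY_NECESSARY,
                        issues=issues)


def build_inventory(responses: List[Tuple[str, str]], site_host: str) -> List[CookieRecord]:
    """responses: (host that sent the response, Set-Cookie header value)."""
    return [parse_set_cookie(header, host, site_host) for host, header in responses]


def summarize(records: List[CookieRecord]) -> dict:
    return {
        "total": len(records),
        "needs_consent": sum(r.needs_consent for r in records),
        "third_party": sum(r.third_party for r in records),
        "persistent": sum(r.persistent for r in records),
        "with_issues": sum(bool(r.issues) for r in records),
    }


# Constructed sample capture for a fictional site "shop.example".
SAMPLE_RESPONSES = [
    ("shop.example", "session_id=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("shop.example", "csrf_token=xyz; Path=/; Secure; SameSite=Strict"),
    ("shop.example", "pref_lang=en; Path=/; Max-Age=31536000; Secure; SameSite=Lax"),
    ("shop.example", "_ga_abc=GA1.1.1; Domain=.shop.example; "
                     "Expires=Wed, 21 Oct 2026 07:28:00 GMT"),
    ("ads.tracker.test", "uid=42; Domain=.tracker.test; Max-Age=63072000; Secure; SameSite=None"),
]

if __name__ == "__main__":
    inventory = build_inventory(SAMPLE_RESPONSES, "shop.example")
    for rec in inventory:
        print(rec)
    print(summarize(inventory))
```

In practice the `(host, header)` pairs come from a crawl of your own pages with a browser or proxy; the classification logic stays the same. Cookies set by JavaScript (`document.cookie`) never appear in response headers, so a header-only inventory must be supplemented with a browser-side capture to be complete.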
Create a Vendor Accountability Program
Data privacy goes beyond your organization’s four walls – or the digital equivalent of that metaphor.
When companies that gather data (the controllers) share data with other companies or vendors who process or otherwise work with the data (the processors and/or sub-processors), the web of who has access expands significantly.
It is the responsibility of the company that originally collected the data to ensure a secure chain of custody over that data and accountability for privacy obligations throughout the supply chain. To ensure privacy protections are in place at all steps, organizations should create requirements for anyone that interacts with their data and put in place a data processing agreement (DPA). This applies to all processors and sub-processors, not just well-known partners such as Microsoft Azure or Amazon Web Services (AWS). Generally, vendor accountability programs cover two tiers of vendors:
- Tier A: Reputable organizations that are well-known for having a strong security posture and can demonstrate compliance with SOC 2, ISO 27001/27701, or similar frameworks through independent attestations.
- Tier B: Smaller organizations that lack such attestations; their security posture is harder to verify, so they warrant closer scrutiny before data is shared with them.
The GDPR requires vendor accountability for data privacy. Now, in the event of a data breach or a breach of policy, regulators will likely ask to see your vendor program documentation. However, this kind of documentation is helpful beyond the implementation of a privacy program and may extend to other compliance or breach situations, where auditors, lawyers, regulators, or other authorities may investigate.
PRIVACY ACTION PLAN: Catalog your vendors and determine what accountability agreements exist with each
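The data-mapping exercise above and the vendor catalog here are two views of the same model: systems, the vendors that operate them, and the flows of data categories between them. The code below is an added example, not A-LIGN's tooling or anything from the original post; it encodes a small data map and answers the questions both sections raise (which systems hold a given category, so a DSAR can be answered; which processors receive data without a DPA; and which declared flows carry data the source system never received, a sign the map is incomplete). The system names, vendors, categories, and flows are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class System:
    name: str
    owner: str        # "internal" or the vendor operating the system
    has_dpa: bool     # data processing agreement in place with the owner
    tier: str         # "internal", "A" (independently attested) or "B"


@dataclass(frozen=True)
class Flow:
    src: str                     # a System name or an external source
    dst: str
    categories: FrozenSet[str]   # data categories this flow carries
    purpose: str


class DataMap:
    def __init__(self, systems: List[System], flows: List[Flow]):
        self.systems = {s.name: s for s in systems}
        self.flows = flows

    def holdings(self) -> Dict[str, Set[str]]:
        """Categories each system ends up holding: the union of what flows in."""
        held: Dict[str, Set[str]] = {name: set() for name in self.systems}
        for f in self.flows:
            if f.dst in held:
                held[f.dst] |= f.categories
        return held

    def systems_holding(self, category: str) -> List[str]:
        """Where to look when a data subject asks what you hold about them."""
        return sorted(s for s, cats in self.holdings().items() if category in cats)

    def processors_without_dpa(self) -> List[Tuple[str, List[str]]]:
        """Vendor-run systems that receive data but have no DPA in place."""
        held = self.holdings()
        return sorted((name, sorted(held[name]))
                      for name, s in self.systems.items()
                      if s.owner != "internal" and not s.has_dpa and held[name])

    def unexplained_flows(self) -> List[Tuple[str, str, List[str]]]:
        """Flows that send categories the source system never received.
        Either the map is incomplete or data is being derived silently."""
        held = self.holdings()
        gaps = []
        for f in self.flows:
            if f.src in held:
                extra = f.categories - held[f.src]
                if extra:
                    gaps.append((f.src, f.dst, sorted(extra)))
        return gaps

    def record_of_processing(self) -> List[dict]:
        """Per-flow register: who gets what, from whom, operated by whom, and why."""
        return [{"from": f.src, "to": f.dst,
                 "operator": self.systems[f.dst].owner if f.dst in self.systems else f.dst,
                 "categories": sorted(f.categories), "purpose": f.purpose}
                for f in self.flows]


# Constructed sample: a fictional web shop and its vendors.
SAMPLE_SYSTEMS = [
    System("web_app", "internal", True, "internal"),
    System("crm", "CRM Vendor", True, "A"),
    System("backup", "Cloud Storage Vendor", True, "A"),
    System("analytics", "Analytics Vendor", False, "B"),
    System("mailer", "Email Vendor", False, "B"),
]
SAMPLE_FLOWS = [
    Flow("customer", "web_app", frozenset({"contact", "financial", "PHI"}), "sign-up and orders"),
    Flow("web_app", "crm", frozenset({"contact"}), "customer support"),
    Flow("web_app", "backup", frozenset({"contact", "financial", "PHI"}), "nightly backups"),
    Flow("web_app", "analytics", frozenset({"contact"}), "usage analytics"),
    Flow("crm", "mailer", frozenset({"contact"}), "transactional email"),
    Flow("crm", "analytics", frozenset({"financial"}), "revenue reporting"),  # crm never receives financial
]

if __name__ == "__main__":
    dm = DataMap(SAMPLE_SYSTEMS, SAMPLE_FLOWS)
    print("holds PHI:", dm.systems_holding("PHI"))
    print("processors without DPA:", dm.processors_without_dpa())
    print("unexplained flows:", dm.unexplained_flows())
    for row in dm.record_of_processing():
        print(row)
```

The `unexplained_flows` check is the one that tends to pay for itself: when a flow claims to send a category its source never received, either an ingestion flow is missing from the map or a system is deriving or enriching data you have not accounted for. Either way it is a question to ask before an auditor or regulator does.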
Prove Your Ability to Demonstrate Compliance
ISO 27701 (a privacy extension to an ISO 27001 management system) is certifiable, but beyond it there is no true “privacy certification” out there today, even for regulations such as the GDPR. In other words, organizations cannot become GDPR or CCPA certified. The most organizations can do today is ensure that they can demonstrate compliance with the requirements of the GDPR or the CCPA—in other words, prove that they’ve implemented controls and policies to safeguard data and satisfy regulatory requirements—and be aware of the risks of a privacy breach, which now include significant fines.
This can mean:
- Putting policies, procedures, and controls in place
- Conducting and documenting audits either internally or with a third-party assessor
- Creating a risk management assessment to understand your areas of exposure, and then correcting those issues.
Ultimately, it comes down to asking, “Have we done our due diligence?”
PRIVACY ACTION PLAN: Conduct a risk management assessment with a third-party auditor or assessor
Privacy Regulations on the Horizon
If we were to pick a watchword for data privacy in 2021, it would be enforcement. The train is coming, so now’s the time to step up your privacy controls and make privacy a part of your overall compliance program, whether that’s through GDPR, CCPA, or other frameworks including SOC 2, ISO 27001/27701, HITRUST, or otherwise. Ultimately, there cannot be privacy without strong cybersecurity.
Organizations that do not proactively manage their data privacy risk face greater exposure to fines and penalties, liability, and reputational damage. We encourage all organizations to think about privacy as more than a policy, and to take a more proactive stance on privacy in 2021.
This post was authored by A-LIGN privacy experts Chad Gross and Mike Kurek, who guide hundreds of our clients through the challenges of today’s global privacy landscape.
Make Privacy a Core Part of Your Compliance Program. Contact us today to complete a risk assessment.