Good practice will dictate that privacy organizations find and exploit increased synergies within:
Other trends driving the performance and success of privacy offices:
A focus on information protection ("follow the data")
Privacy as a competitive advantage
Privacy legislation closely tied to security protections
Metrics creation, measurement, communication, and improvement
Let’s explore some frameworks and integration points that demonstrate tangible value to an organization.
History & Current State
First Chief Privacy Officer position created in the late 1990s
Many CPO positions
Created after privacy/security incident
To meet requirements (GLB, HIPAA)
Similar to the rise of the Chief Security Officer
Privacy often reports into Legal
Reactive, mainly breach response
Rarely involved in product development
No substantial interactions with other departments (except sometimes compliance)
Limited external presence
But … recent talk of “convergence”…
Electronic data use exploding
Businesses have a motivation to multi-purpose data
Consumers have privacy concerns
Data accessed in different ways (SaaS, private line, Internet, batch, etc.)
Where is the line between business need and privacy concerns?
Corporate Privacy must work closely with:
Customer service/consumer interactions
Corporate Privacy must stop being a silo in order to remain viable.
Alignment and Tasks …
Product Management and Development
Information privacy/business analysis
What data is involved?
What are the privacy implications?
How does it benefit the consumer? The customer?
If the data to be used is sensitive, can it be appropriately protected? Can an alternative be found?
What controls must be placed on data? (truncation, activity monitoring, permissible purpose certifications, etc.)
What are the compliance implications of data usage? (with Legal/Compliance)
Alignment and Tasks …
IT Operations/Information Security
Information security has historically been “technology” security
Privacy department needs technology support
Security (e.g. confidentiality, encryption) is closely linked to privacy
Operations/IT/security can help solve privacy requirements (e.g. encryption to preserve confidentiality; segregation of duties; segregated development and production environments)
Privacy must leverage technology/security to implement robust privacy controls.
Alignment and Tasks …
Incident Response/HR/Customer service
Feed lessons learned from incidents back to product management, information security and development
Work closely with HR on employee monitoring policies
Communication, education, and outreach both internally and externally
Privacy’s strongest interactions have historically been with these departments.
Work with Legal to understand upcoming legislation, privacy implications, and business impact to help shape company response.
[Diagram: Privacy Lifecycle. Labels: Corporate Privacy; Product Management/Development; Legal/Compliance (Policies, Procedures, Guidelines); Information Security; Communication, Education, and Outreach; Compliance/Audit; Incident Response/Operations]
Rely on established internationally recognized frameworks, because of their completeness, consistency and standards-based approach. This may include:
Security standards (such as ISO 27002),
Disaster recovery guidelines (such as those from the FFIEC),
Privacy principles (e.g. fair information practices from AICPA), and
Potentially organization/situation-specific proprietary guidelines (for instance, to appropriately credential/screen customers; customer activity audits; other assessments).
Organizations that use deliberate, structured, but flexible processes to create privacy and security frameworks will benefit.
Assess your own organization for applicability …
Know where privacy-sensitive information (e.g. consumer Personally Identifiable Information (PII)) is stored and processed on the organization's information systems.
A periodically updated inventory of privacy sensitive information.
Documented procedures, tools and associated training to control access to privacy sensitive information, and assist authorized employees in protecting privacy sensitive information during receipt from customers and consumers, transmission (e.g., via e-mail) and storage.
Discuss … Who does this? How? Lessons learned?
WHERE is privacy sensitive information in the enterprise?
Credentialing is an essential component and should focus on: (1) employees, (2) customers and (3) vendors/third parties.
Through credentialing, an organization is able to mitigate the risk of fraud and to ensure a permissible regulatory purpose and a legitimate business purpose for accessing information products, systems and data.
In the privacy and information security context, accountability is critical. Establish a governance model.
Technology solutions to help safeguard information and effectively implement privacy related controls
Masking/Non-display of privacy sensitive information
Firewalls, IDS, IPS, etc.
Data leakage detection and response
WHO is allowed to have access to privacy sensitive information?
Meaningful audit and compliance programs to measure usage of privacy sensitive information.
Fraud and anomalous use detection
Permissible purpose and appropriate use audits
Customer and consumer audits (as appropriate)
Third party provider safeguards (MA regulations …)
Federal and state law compliance (e.g. FCRA, GLB, state privacy laws)
WHAT do authorized users do with privacy sensitive information?
Training, education and internal/external outreach ensure that all constituencies are aware of the framework’s components and the responsibilities that accompany those components.
For employees, regular mandatory training will help keep privacy and information security top of mind. Additionally, regular privacy and information security reminders and alerts keep employees abreast of current and emerging trends and risks.
Outreach to external audiences educates customers, consumers, stakeholders, advocacy communities and others on the good practices of your organization and creates transparency that fosters communication and trust.
Documented, tested plans and procedures around responding to incidents and breaches.
Roles and responsibilities
Post incident response (privacy related)
Dry-run testing of procedures (similar to DR testing)
Privacy training compliance percentage (with HR)
Privacy breaches, costs, responses, and remediation steps taken (with Incident Response/Security)
User privacy awareness in action (e.g. what percentage of email sent with sensitive information is appropriately protected) (with Security)