Management, compliance & auditing

How to implement a data privacy strategy - 10 steps

Claudio Dodt
August 1, 2018 by
Claudio Dodt

Ensuring data privacy is one of the biggest challenges organizations face. A quick look at the statistics related to personal data leaks in 2017 is more than enough to prove that a single incident can have a massive impact to a company’s reputation and finances.

The most notorious recent example is, of course, the Equifax leak, affecting over 146.6 million people, which had their Social Security numbers, names, birthdates and addresses stolen. But that is just one drop amidst a sea of poorly secured private information cases. From a public database exposing 198 million American voter records, to Fedex leaking 119,000 scanned passports, driver’s licenses and other personal documentation on a publicly accessible server, this list seems to be endless.

And yet, this is just one side of the story; after all, even if the mentioned companies are guilty of following poor security practices, they had no intention of misusing private information. This is quite different from the way Facebook treated customers’ data in the Cambridge Analytica case.

The hard truth is that, considering the evolution of cybercrime and the emerging data protection laws all around the world, it is quite clear that every company should create (and follow) clear rules for the protection of private data. However, for most organizations, this will require a significant change in corporate culture, which is not feasible without a strategy appropriate to the corporate context.

Here are a few steps that every company can take in order to adopt a Data Privacy Strategy.

1) Ensure that you have support from the upper management: As Mr. Drucker used to say, culture eats strategy for breakfast. This quote may be somewhat dated, but it remains perfectly true. To put it simply, without senior executive support, your efforts will most likely fail. So, a great first step is making sure the upper management understands the need for an updated Data Privacy Strategy. If your organization is required to comply with a regulation such as GDPR, this step can be much smoother, but if resistance is expected, a good approach is creating a custom business case – as mentioned before, there is no shortage of real-world examples.

2) Appoint a Data Protection Officer (DPO): Depending on your organization’s size, or on the sort of data it collects/stores, some regulations such as the GDPR will require a formal DPO, but even if this is not mandatory, doing so will make creating a solid Data Privacy Strategy much easier.

There are a number of reasons to appoint a DPO – for instance, it will demonstrate how serious the company is taking this matter. But on more practical terms, having a person in charge of your Data Privacy Efforts will make sure the next steps (creating a data inventory, mapping requirements, analyzing risks, creating both policies and procedures, monitoring compliance) are adequately executed.

3) Know your data: It is not possible to protect that which you do not know. Once you have the approval for your new Data Privacy Strategy, someone (or even a whole team) should be assigned the task of creating a data inventory. This should include every piece of information stored or processed by your company, both electronically and/or hard copies. The idea is understanding what sort of data is collected, where and how it is stored, what is it used for, if it is shared with another organization or group, and how long is it kept before being disposed.

4) – Understand your requirements: Now that you know your data, it is time to understand its privacy requirements. Requirements will be dependent on what sort of data your company is storing/processing and your line of business. For example, since May 2018, the General Data Protection Regulation (GDPR) is mandatory for any organization (including the ones located outside of the EU) that offer goods or services to, or monitor the behavior of, EU data subjects.

Of course, the GDPR is not the sole privacy regulation – several other countries are in the process of passing data protection laws and accountability mechanisms, so for your strategy to be effective, your best bet is getting help from your legal department (or from a consultancy agency) and identify legal requirements within all jurisdictions your organization operates. Also keep in mind that in some cases, customers will enforce privacy requirements in contracts, and these should also be included in your list.

5) Analyze your data privacy risks: A risk-based approach is your safest bet for making sure every data privacy vulnerability, threat source, and their joint impact is properly understood so it can be adequately treated.

By combining the data inventory, privacy requirements and using a proven risk management framework such as ISO 31000 and ISO 27005, you should form the basis for a corporate data privacy policy and any necessary procedures and security controls.

Here is where the corporate cultural changes really start, what takes us to the next step…

6) Create a Data Privacy policy: A corporate policy is usually defined as a documented set of broad guidelines, formulated after an analysis of all internal and external factors that can affect a company’s objectives, operations, and plans. Putting it in simpler words, a policy will function as the voice of your board of directors/senior management stating in a clear way how the company and its employees are expected to behave regarding a specific subject.

A good Data Privacy policy should include a statement of the organizational context, the basic Data Privacy rules, and a clear definition for roles and responsibilities regarding data protection within the organization.

7) Create a Data Privacy procedures: While your Data Privacy policy should focus on strategic aspects, procedures will help with any day-to-day tasks. These will vary according to each company’s Data Privacy requirements, but should at least include some common procedures such as the necessary steps for customer consent, retention of records, secure data disposal, international data transfer, and complaints, amongst others.

8) Implement the necessary Data Privacy controls: As an output of your earlier analysis, you should have a list of risks, organized by impact. Depending on the company’s Data Privacy requirements and risk appetite, a set of controls is necessary in order to either mitigate, avoid, transfer, or accept the risks. This will most likely include both technical and non-technical controls. For example, moving private/sensible customer information to a more secure server, doing an access review to limit how can access private data, acquiring cyber insurance.

The best approach is compiling every necessary control in a Risk Treatment Plan, and making sure they are implemented as necessary.

9) Initiate Data Privacy training and awareness: It is not possible do have significant corporate cultural change without educating every involved party. For instance, while normal employees should at least understand the basic requirements for working with private data, some specialized functions, including IT staff, Security team, Legal, Auditors, and even the DPO, may require advanced training, especially if they are expected to follow specific procedures.

10) Monitoring and compliance: The last step for implementing a Data Privacy Strategy is simply realizing there is no actual last step. Making sure that data is protected should not be thought of as a project; it is instead a process which should include continuous monitoring for compliance, new risks and chances of improvement.

A good idea is including Data Privacy in the company’s annual risk assessment plan, but is also important to perform regular checks in order to make sure the corporate policy and procedures are being followed as expected. Likewise, the DPO should keep an eye for regulations updates or new privacy requirements from customers.

Conclusion

While there are few organizations that do not handle private information, it seems that there are an abundant number of business that forgets privacy is a fundamental human right, recognized in the UN Declaration of Human Rights.

New Data Privacy regulations, such as the GDPR, should function as a beacon pointing companies in the right direction, but they must not be the only driving force. For any business to succeed in the coming years of our information age, it is necessary to understand the facts: People are becoming completely aware of their rights pertaining their information, cybercriminals know the market value of personal data and craft attacks specially designed to steal it, and legislators are listening to the cries for help, passing new laws all around the world.

Right now, defining and implementing a solid Data Privacy Strategy may represent the entire difference between being resilient to internal and external threats and becoming the next company to have its brand (and stock prices) thrown in the mud.

Claudio Dodt
Claudio Dodt

Cláudio Dodt is an Information Security Evangelist, consultant, trainer, speaker and blogger. He has more than ten years worth of experience working with Information Security, IT Service Management, IT Corporate Governance and Risk Management.