Working as a data privacy consultant: Cleaning up other people’s mess
My biggest task as a consultant is picking up the mess left from other projects. I don’t mean that horribly, its more that during the rush to become “GDPR compliant,” many organizations missed the point and essentially paid organizations to do a “gap analysis” and remediation projects that resulted in a “tick list” approach to complying with a single privacy law as an external threat to the business.
This approach results in the worst kind of management approach to data protection, one that is a point in time reassurance of “getting to green,” focusing on a legal compliance approach without any thought of longer-term management of data, protection of individuals, and the realization of the benefits good data governance can bring.
Get your free course catalog
Data privacy should enhance business, not hinder it
No wonder data protection is often looked at as a “cost” for a business that “gets in the way” of operational delivery. It creates a false dichotomy: Your data protection is a barrier to an effective business (privacy vs. functionality) rather than a complimentary gateway to it (good data governance). It’s also pretty narrow, as most “GDPR projects” focussed simply on that regulation and not broader privacy laws that may be relevant for your sector, nation or the wider world.
It also created an unrealistic evaluator of success. Looking at the GDPR as a business threat meant evaluating success through “lack of regulatory penalty” or “having a defensive evidence base” by May 25th, 2018, the date when all organizations were expected to be compliant. Indeed better indicators of success are “continual improvement,” a better risk management stance, improved data governance, improved awareness of the issues you face and, ultimately, better protections for individuals (the entire point and the point most often missed!)
It also meant that organizations “finished their GDPR project” in May 2018. They stopped, let go of their private resources, went back to business as usual, and were happy they had “finished the job.” It’s the equivalent of letting go of your information security department because you’re “secure” today. That’s plain ridiculous, as to “comply,” you have to meet Article 24, which at least requires an organization that “measures shall be reviewed and updated where necessary.” Projects are bounded by a beginning and end date.
Data privacy is about risk management, not compliance
You could even argue that no one “complies” with the GDPR. It just isn’t that sort of law. There are too many principle-based areas and are open to risk management decisions. Where a business has decided, for example, on something being a “high risk” or what “appropriate” security is, it may be that the regulator or the data subject feels differently. Their opinion and risk management decision may be different, leaving an opening to challenge.
In every privacy training course I run, I always ask organizational representatives to answer a straightforward question: “Can you honestly tell me that you have not one bit of personal data in your organization that is held beyond its established retention period.” So far, not one organization has answered that they comply with that single data retention principle, and I suspect their answers are similar to others. Data protection is shades of grey risk management for an organization and an ongoing management issue, rather than a simple binary yes/no compliance issue.
Data privacy is continuous, not a one-time checklist
Too often go into organizations that “had a go” at GDPR compliance in 2018 and haven’t delivered anything since. They have fallen behind, as their GDPR project focused on the wrong outcomes, a tick list against the articles of the GDPR, rather than delivering a “privacy management system” that delivers a continual improvement of data governance for the organization over time.
One that doesn’t just look at the GDPR, but also relevant local, sectoral and international laws impinge on data governance. One that ensures data protection is viewed as a benefit rather than a cost, an investment in organizational data, rather than the threat of regulatory action. One that ensures management visibility ongoing, rather than sweeping it away if there is no regulatory attention. One that puts the individuals and their rights at the center, investing in ongoing privacy by design and protections for the human.
Want to learn more about privacy? Check out my privacy courses on Infosec Skills.
- Expert instruction
- Hands-on labs
- Unlimited access
In this Series
- Working as a data privacy consultant: Cleaning up other people’s mess
- Is AI cybersecurity in your policies?
- The top security architect interview questions you need to know
- Federal privacy and cybersecurity enforcement — an overview
- U.S. privacy and cybersecurity laws — an overview
- Common misperceptions about PCI DSS: Let’s dispel a few myths
- How PCI DSS acts as an (informal) insurance policy
- Keeping your team fresh: How to prevent employee burnout
- How foundations of U.S. law apply to information security
- Data protection Pandora's Box: Get privacy right the first time, or else
- Privacy dos and don'ts: Privacy policies and the right to transparency
- Starr McFarland talks privacy: 5 things to know about the new, online IAPP CIPT learning path
- Data protection vs. data privacy: What’s the difference?
- NIST 800-171: 6 things you need to know about this new learning path
- 6 ways that U.S. and EU data privacy laws differ
- Navigating local data privacy standards in a global world
- Building your FedRAMP certification and compliance team
- SOC 3 compliance: Everything your organization needs to know
- SOC 2 compliance: Everything your organization needs to know
- SOC 1 compliance: Everything your organization needs to know
- Overview: Understanding SOC compliance: SOC 1 vs. SOC 2 vs. SOC 3
- How to comply with FCPA regulation – 5 Tips
- ISO 27001 framework: What it is and how to comply
- Why data classification is important for security
- Threat Modeling 101: Getting started with application security threat modeling [2021 update]
- VLAN network segmentation and security- chapter five [updated 2021]
- CCPA vs CalOPPA: Which one applies to you and how to ensure data security compliance
- IT auditing and controls – planning the IT audit [updated 2021]
- Finding security defects early in the SDLC with STRIDE threat modeling [updated 2021]
- Cyber threat analysis [updated 2021]
- Rapid threat model prototyping: Introduction and overview
- Commercial off-the-shelf IoT system solutions: A risk assessment
- A school district's guide for Education Law §2-d compliance
- IT auditing and controls: A look at application controls [updated 2021]
- 6 key elements of a threat model
- Top threat modeling frameworks: STRIDE, OWASP Top 10, MITRE ATT&CK framework and more
- Average IT manager salary in 2021
- Security vs. usability: Pros and cons of risk-based authentication
- Threat modeling: Technical walkthrough and tutorial
- Comparing endpoint security: EPP vs. EDR vs. XDR
- Role and purpose of threat modeling in software development
- 5 changes the CPRA makes to the CCPA that you need to know
- 6 benefits of cyber threat modeling
- What is threat modeling?
- First Safe Harbor, then Privacy Shield: What EU-US data-sharing agreement is next?
- How to make cybersecurity budget cuts without sacrificing security
- How to mitigate security risk in international business environments
- Security theatrics or strategy? Optimizing security budget efficiency and effectiveness
- NY SHIELD Act: Security awareness and training requirements for New York businesses
- Time to update your cybersecurity policy?
- Ultimate guide to international data protection and privacy laws
Management, compliance & auditing
Management, compliance & auditing
The top security architect interview questions you need to know
Management, compliance & auditing
Management, compliance & auditing