Today’s reality for organizations includes more data privacy protection laws and regulations coming into our lives, changing customer demands for greater privacy and control, and unfortunately, ever-so-scary data threats and breaches. Given this, business leaders have increased pressure to know and mitigate their data privacy risk.
A data protection program is one critical way leaders address and respond to their data risk – for privacy as well as for the business overall.
Given the context, how can you work better, more simply, to protect the personal data you process?
Defining Data Protection
It may seem intuitive and obvious, but what do we mean when we say data protection?
Let’s start with the European Union’s General Data Protection Regulation (GDPR). It defines data protection as the process of ensuring the security, confidentiality, and integrity of personal data.
In the United States, we generally talk about data privacy, not protection. We don’t have a single umbrella law covering data privacy; we have a patchwork of federal sectoral laws and regulations plus a number of US State laws.
Let’s create a working definition from the combination of the GDPR and US usage. In a nutshell, data protection means the ways in which we protect information from loss, theft, corruption and unauthorized access and use. In technical terms, data protection covers processes such as backing up and restoring information, archival and storage. In security terms, data protection means data security in various contexts.
For example, data could be on a website, in a cloud application, in a local network database, on a laptop or mobile device. It covers processes such as encryption, access control, threat detection and data breach recovery.
In terms of data privacy, data protection is often viewed exclusively as a legal construct: covering data rights and protections for citizens about information that identifies and/or is personal to them.
For example, it means that organizations have specific requirements in how to classify and handle personal information of individuals (real people) they collect and process in the course of their business.
You undoubtedly know that you must meet certain regulatory and legal requirements in handling personal information. To do this, you must have policies, procedures and contracts in place that address data privacy. And, you must demonstrate working practices.
Increasingly in the US, you must have a justifiable reason to collect and use personal information. These include, for example, getting permission (consent), executing a contract or fulfilling a legal obligation. Before you can address data privacy adequately, you must first have effective ways to handle data (the operational and technical processes) and protect data (the security processes).
These practices work in the context of enduring trust and integrity with the people you serve – your customers, employees, suppliers, investors, etc.
Our definition of data protection at reThink Trust encompasses all three areas: technical, security and privacy. Privacy in particular refers to information that can identify a person, or that can be combined with other information to identify a person. Our understanding of privacy varies by culture; in the US, it is often stated as a ‘right to be left alone’. Note that this is only one perspective on privacy, and that data protection and data privacy – often used interchangeably – reflect a variety of values and principles depending on the context (cultural, legal, etc.).
The goal of data protection is not only compliance with a particular law or regulation.
The goal is to have comprehensive data management that is flexible enough to meet various external privacy requirements – including current and evolving data protection laws and regulations – while advancing your business goals, and to do this with a handful of straightforward practices. We do this by adopting three key principles:
1. Does it work for your grandmother?
2. Avoiding the “Hollywood House Effect”
3. Stop the “Whack-a-Mole”
Does it work for your grandmother?
Imagine if each of us asked this question before designing a business process, especially one that involves connecting with a potential or current customer, employee or another stakeholder. This principle breaks down into two questions:
· Is what we are trying to do easy to understand and do?
· Can we live with ourselves – in integrity – if we do this?
Applying these two discerning questions consistently in your data privacy practices can do wonders for your relationships and make your processes manageable.
Avoiding the “Hollywood House Effect”
Have you ever seen a movie set of a city block that looks gorgeous…from the front…only to discover that if you peek around the corner, that block is just a façade, propped up by a bunch of steel bars? Businesses often inadvertently do the same thing.
Many companies start with creating (or collecting) a set of data-related security and privacy policies. This is commendable.
What could lead to trouble, though – placing your organization at risk – is not having ways to show that you are actually managing your data processes and controlling who does what with that data.
Some call this ‘security theater’ or ‘privacy theater’.
Ditto with copying a privacy policy or notice for your website. You need more than a handful of paper policies.
Working privacy management means that you keep the promises you make regarding data privacy and can trace your team’s actions to data management practices and their associated processes and policies.
For example, you have a data handling policy that states you encrypt your confidential data, a corresponding set of procedures for when and how you encrypt that data, and check to make sure that your team and your cloud vendors actually encrypt the data as instructed. And, you have a data processing agreement with each cloud vendor which clearly states who does what with the personal information.
It also means that what you state on your public-facing and employee privacy notices is true and current. If something is amiss, you could not only incur a legal liability, but face ‘trust erosion’.
By doing the work, over time, you demonstrate to your customers, employees, investors, regulators and the public that you have made real, good-faith efforts to protect personal data and respect the privacy of individuals you serve. These individuals are called ‘data subjects’ in many data privacy and protection regulations and laws.
Stop the “Whack-a-Mole”
As we grow our businesses, we naturally tend to add all sorts of initiatives, processes and projects to our operations. We are focused on growing our business and meeting the demands of customers.
Compliance is often the last thing most businesses want to focus on; yet focus they must.
Important data privacy regulations and laws that apply to many businesses include GDPR (EU), CCPA (California), CPA (Colorado) and US Federal regulations such as HIPAA and GLBA.
New legislation is proliferating at an accelerated rate around the world, and more recently in the US via 17 recent state statutes, e.g., CPRA (California), CPA (Colorado) and VCDPA (Virginia).
We often see that organizations recognize they must address the compliance requirements of these data privacy laws. They typically respond to each new requirement by starting a new “project” and bolting the requirement onto their business like barnacles on a sea rock…without stepping back to see how best to embed the processes in a cost-effective, time-efficient and elegant way.
If we simply react to every emerging requirement – whether from a regulator, customer demand or other market change – we end up with a “barnacled sea rock” instead of a streamlined set of data protection practices.
If you adopt these three principles, along with sound data privacy practices, you eliminate the ‘whack-a-mole’ practice and build a sustainable privacy program that can meet requirements without creating a bunch of loose ends in your operations.