The array of proposed and adopted privacy laws across the globe, including the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), reflect growing concerns around privacy. People are concerned about their personal data being collected, processed and shared with both governmental and commercial organizations.
In the United States, there have been more changes to privacy laws/regulations in the past 18 months than there were in the previous 100 years. The current COVID-19 pandemic shines an even greater light on the handling of personal information, specifically health-related data, under the various contact tracing and health checking regimes implemented by both governments and businesses. Data subjects want to know that an organization that has stewardship over their data appropriately uses and protects that information. For many businesses, these various laws and supporting regulations are simply additional compliance requirements that must be met. However, this environment provides a great opportunity for forward-looking businesses to proactively pivot and embrace privacy to differentiate their organizations.
As required by many recent laws and regulations, organizations have had to institute various privacy practices to ensure compliance and not run afoul of regulatory bodies. In some cases, these practices are implemented as more of a stop-gap measure without taking a more holistic view of privacy across the business, which often leads to disjointed approaches to implementation. As a first step to leaning into privacy, a business must clearly define how it views data privacy at the executive level, especially with respect to personal data. Apple’s view on privacy is made clear in these excerpts from its privacy statement: “Privacy is a fundamental human right … We design Apple products to protect your privacy and give you control over your information.” Having a clear organizational understanding of privacy will inform how the operational integration will occur across core business functions. Taking a thoughtful and considered approach to privacy may ultimately result in impacts to product/service design and business operations. However, these impacts may allow for novel opportunities for differentiation by refocusing from simple compliance to leveraging data privacy as a business driver.
Once an organizational view of privacy is established, moving to adopt an industry-recognized framework, such as the NIST Privacy Framework, will allow for the establishment and/or maturity of an organizational privacy program supported by best privacy practices. At the core of these best practices are privacy impact and risk assessments that ensure that organizational privacy goals are aligned with business and security practices. From a more tactical standpoint, the results of these assessments would be integrated into the product/service engineering process, allowing privacy to be considered on the front end of engineering decisions. For example, a data minimization decision might be made to only capture a yes/no response when determining if an individual is of legal age versus the full date of birth if that personal information it is not necessary for the functionality of the product/service. This allows for a consistent approach to privacy engineering across the business based on an established framework that is aligned with established privacy objectives. As future privacy laws and regulations are enacted, a privacy-proactive business will be poised to more quickly tailor, calibrate, and mature their privacy practices to ensure continued compliance.
Finally, with respect to informing customers of privacy practices, many businesses have the mandated privacy statements with endless pages of “legalese” to meet regulatory requirements. Customers are generally concerned about what personal data is collected, who has access, how it is protected, and where the data is stored. However, few privacy statements boil the language down into concise and consumable elements. Businesses that have made concerted efforts to build and enhance their privacy program have an opportunity to display these privacy values openly via their products/services and communications. Businesses that can succinctly highlight these key customer concerns and describe how they have been thoughtfully considered under a defined privacy program have an opportunity to be viewed as a data privacy champion. Ultimately, data privacy is not just good for your customers, it is also good for your business.
Editor’s note: To find out about ISACA’s new technical privacy certification, visit https://www.isaca.org/credentialing/certified-data-privacy-solutions-engineer.