Five Actionable Success Tips for Privacy Professionals in 2023

Author: Dr. Lisa McKee Ph.D., CISA, CDPSE, CRISC
Date Published: 7 December 2022

Updated: 12 May 2023

Editor’s note: The ISACA Now blog featured a weeklong series providing tips for success in 2023 for practitioners in various digital trust fields. This post details advice for privacy professionals. For additional insights into the privacy sphere, download ISACA’s latest Privacy in Practice report.

Privacy is like a data breach; it is not a matter of if but when new laws will be passed. Since 2018 there has been an increase in privacy laws proposed each year. According to the IAPP state privacy tracker, all but 10 US states have proposed or passed privacy legislation in the past five years, and new privacy regulations are also taking effect around the globe.

Laws cover all areas of privacy, including but not limited to student privacy, social media, consumers and biometrics. 2023 has brought the reintroduction of privacy bills and the proposal of new ones. In the US, many are hopeful that in 2023 we will finally have a national privacy regulation similar to the American Data Privacy and Protection Act (ADPPA).

The year 2023 marks a pivotal milestone for privacy as five state privacy laws become effective. This forces companies to face the fact that privacy is not going anywhere; it is time to implement privacy programs. Here are five areas that are gaining momentum in 2023 to which privacy professionals will need to become more deeply attuned.

1. Privacy Cyber Warfare – The Weaponization of Personal Data

Attackers are doing all they can to target organizations and individuals. They are weaponizing data and holding it hostage until a ransom is paid. To combat this, privacy professionals and organizations should ensure they are implementing strong data protection controls, including data minimization and anonymization.

Meanwhile, consumers should think about what information they are posting online. Putting private details such as employer, address, email, phone number, etc., in social media profiles visible to anyone enables others to use OSINT techniques to learn all about us. Such data are then used against us through phishing and other targeted attacks. The less data people or an organization publish, the smaller the risk.

2. Regulatory Convergence – Privacy and Risk Management

Companies are overregulated, creating challenges in managing compliance. Many companies have compliance footprints of 100+ laws and regulations they must adhere to and, to make matters worse, those are often in direct conflict. This is nearly impossible to manage, so companies often do nothing – not a solution!

It is no longer necessary to have laws specific to industry – instead, HIPAA, FERPA, PCI, etc., all deal with personal data and should be treated equally, harmonizing the requirements for companies and reducing the risk of non-compliance.

Organizations struggle to understand how much privacy risk they are willing to accept. Privacy risk appetite is seldom discussed among boards and leaders. Privacy leaders should make sure their programs include a focus on privacy risk management programs, privacy risk appetite, privacy risk tolerance, privacy key performance indicators, privacy key risk indicators, privacy metrics and reporting. 2023 has heightened these needs as the compliance landscape continues to evolve.

3. Zero Trust Privacy and Data Governance

Data is the foundation of privacy and the forgotten component of zero trust programs. Starting with the overarching protection surface and building an inventory down to the data element level, data mapping and data-processing activities will support cross-functional organizational objectives. Data governance is critical to the organization, ensuring that data is not transmitted to countries or regions of the world in violation of privacy laws.

Cross-border data transfers have presented challenges for years. Countries are issuing their own guidance and rules for storage and cross-border transfers of data. This drives the need for privacy professionals to prioritize zero trust privacy with data governance.

4. Rise of the Privacy Engineer – Privacy and Transparency in SDLC and APIs

Privacy engineers help align business, legal and technology controls. Privacy engineers support data governance strategies by identifying solutions and working with developers to implement them. Privacy by design is not a step-by-step guide for implementation, which is where the privacy engineer is crucial. Professionals can open up numerous career opportunities by gaining the technical knowledge to be an effective privacy engineer.

Engineers help developers and the business understand the privacy requirements and potential solutions to meet compliance. When organizations procure tools and solutions, most want a way to integrate them with existing internal systems, most commonly through APIs. Yet they fail to evaluate the data transmitted through the API, creating significant risk to the organization.

5. ComPriSec – Privacy is Everyone’s Responsibility

ComPriSec is the convergence of Compliance, Privacy and Security. It takes the collaboration and partnership of all three teams across the organization working together to ensure security controls meet compliance and privacy obligations. Privacy cannot do this alone. Compliance cannot simply dictate laws and regulations and then hope security understands. Implementing strong privacy and security programs that complement each other based on industry standards such as the NIST Privacy Framework and NIST Cybersecurity Framework requires involvement and a focus on cross-functional collaboration from all areas of the organization. Effective privacy functions require a strong security foundation to protect personal data.

Privacy has become more important than ever for many organizations as the regulatory landscape continues to evolve. This increased privacy risk will drive the need for everyone to be involved to solve the problem, including regulators simplifying the burden with overarching privacy laws that are not industry-specific.

This is just the beginning of the privacy journey for many organizations. There are always opportunities to evolve and advance privacy across the organization. Just start somewhere. Privacy is complex and multi-disciplinary. It is not about getting it right, but instead just starting somewhere. No matter what happens, one thing is certain: privacy is here to stay as an important digital trust discipline. Climb aboard for a journey that will be similar to what security has gone through over the past 20 years.