In a world where data are pervasive and increasingly connected, for security professionals, protecting the privacy of individuals and organizations could be compared to trying to put an octopus into a string bag: a constantly changing, wriggly challenge.
A breach of privacy not only puts the individual and organization at risk, but it can also damage an entire country’s global reputation. For this reason, compliance and privacy laws are updated on an ongoing basis, and privacy professionals must keep up with the changes.
In its simplest form, there are 2 key elements to privacy: the data that must be collected and how those data are protected. In other words, privacy and security are codependent and professionals in each domain must work together to achieve optimal outcomes for an organization.
In fact, a security professional must begin implementing a security and privacy governance process by asking the following questions:
- “What data are being collected?”
- “Where are they held?”
- “For what purpose are they used?”
- “Are they being used for the intended purpose?”
- “How are they being protected?”
It is essential that this process is implemented in conjunction with privacy professionals so that the specifics of the data being collected are understood across both areas of specialization.
Privacy Is a Team Sport
In the ISACA® Privacy in Practice 2022 global report, most privacy teams surveyed comprised legal/compliance practitioners, risk professionals, security professionals and technical IT staff. Interestingly, most organizations stated that the chief information security officer (CISO)/chief security officer (CSO) (25%) or the privacy officer (21%) was primarily held accountable for privacy.
Privacy accountability methods identified in the report include development of privacy strategy, training and awareness, privacy governance, reporting, risk assessment, incident response, controls and processes, establishing security safeguards, risk management, monitoring compliance and analyzing privacy laws and regulations.
From the security side, in addition to the privacy controls an organization is legally required to implement, privacy best practice requires encryption (76%), identity and access management (74%) and data security (71%).
Ensuring that privacy regulations and best practices are adhered to requires a team approach and it is essential that security and privacy professionals collaborate. While privacy professionals understand the data that are being collected and the purpose for which the data will be used, security professionals play a critical role in guiding how the data are harvested and, ultimately, ensuring the data are protected.
Where the Workforce Meets Data Privacy Practices
It may be the privacy team’s responsibility to ensure data privacy and achieve compliance with privacy laws and regulations, but it is important to recognize that all staff with access to critical data must be trained in protecting data privacy and held accountable for their use of the tools and processes in place.
Privacy and security teams can provide vital direction to others within the organization by working together to create data capture policies that have intentional and enshrined privacy built in from ideation. For example, an organization’s marketing team, which is often a source of data collection through various loyalty programs and digital campaigns, could be asked, “Are these data necessary? How do you intend to use them?”
It is also important to make privacy solutions accessible to small business owners, who often lack the workforce and budgets necessary to keep specialists on staff, making them more exposed to risk. In addition, there should be resources available for consumers to understand both their privacy rights and responsibilities.
Without a doubt, privacy challenges will grow exponentially as the digital economy grows. Privacy and security professionals are critical in ensuring that enterprises adhere to privacy laws and regulations and protect the personal data of customers, suppliers and staff.
Editor’s Note
Hear more about what the author has to say on this topic by listening to the “Where Privacy Meets Security” episode of the ISACA® Podcast.
Jo Stewart-Rattray, CISA, CRISC, CISM, CGEIT
Has more than 25 years of experience in the security industry. She consults on risk and technology issues with a particular emphasis on governance and IT security in businesses as the director of technology and security assurance with BRM Advisory. Stewart-Rattray regularly provides strategic advice and consulting to the banking and finance, utilities, healthcare, manufacturing, tertiary education, retail, and government sectors.