Making Sense of Privacy

Author: Lisa R. Young, CISA, CISM, CISSP, Security Metrics Engineer, Netflix
Date Published: 26 October 2020

People everywhere are impacted by privacy, or more accurately, by the lack of a common, global set of standards, guidelines and laws to help people understand what privacy is, what it means to them and how to take steps to ensure the privacy of information related to individuals, communities, societies and the enterprise.

Privacy is defined by ISACA® as the rights of an individual to trust that others will appropriately and respectfully use, store, share and dispose of her or his associated personal and sensitive information within the context, and according to the purposes, for which it was collected or derived.

New research from ISACA indicates that more than 25% of organizations believe it is difficult to understand all their privacy requirements, and 40% say they lack competent resources to implement a successful privacy program, which requires expertise in technical implementation that goes beyond awareness of regulatory requirements.

The following questions should be asked to help improve understanding of privacy:

  • Is there a difference between “data privacy” and “data security”? The answer is, most definitely, yes. Data privacy is the right of individuals to control the collection, use and disclosure of their personal information. The laws defining data privacy vary from country to country; you should verify the definition in your country as well as the countries in which you do business. Data security includes the mechanisms (e.g., controls, policies, procedures, roles, accountability, training) that ensure privacy. Aligning what you say in your data privacy policies with what you do to ensure the protection of the information establishes trust with your customers and employees.
  • Do you collect more information than you need to serve your customers? How do you know? A privacy impact assessment combined with an accurate data flow mapping of where information is collected, stored, transmitted and processed can aid in understanding the gaps between policy and practice. For those of you who certify using ISO/IEC 27001, there is privacy guidance in ISO/IEC 27701:2019 that can help with establishing a privacy information management system (PIMS) in your organization.
  • Are you taking a holistic view of privacy by design rather than a compliance-based approach? Privacy engineering is ultimately about implementing privacy-by-design principles, ensuring that sensitive personal data is secured adequately throughout its lifecycle and that the rights of data subjects and consumers are upheld. Failing to take a comprehensive view of privacy and privacy technology exposes organizations to risk that can be existential when widescale data breaches occur.

Privacy-related programs must extend beyond those aspects of privacy that overlap with data or cybersecurity, to include protective measures that focus on capturing, preserving and enforcing the choices customers have made with respect to how and when their personal information may be collected, processed, used and potentially shared with third parties. In many ways, privacy technology has a whole-of-enterprise impact, with departments such as human resources, sales and marketing, infrastructure and operations, legal, and security all required to understand how privacy regulations and responses to them drive technology decisions. For more information about privacy and ISACA’s privacy certification, visit the Privacy page of the ISACA website or the ISACA Engage privacy community.
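The two engineering practices the article calls for, a data flow map that reveals fields collected beyond any declared purpose (the "collect more than you need" question) and a control that enforces the choices a customer has recorded before personal data is processed or shared, can be made concrete in code. The following is an added example written for this page; it is not ISACA's or the author's code, and the purpose names, field names, consent records and data-subject identifiers are constructed for illustration. The processing gate applies purpose limitation and data minimisation before it even looks at consent, so a request for an undeclared purpose or for fields a purpose does not need fails regardless of what the customer agreed to.

```python
"""Purpose-limited processing gate and data-minimisation check.

Added example, not from the article. All names (ConsentLedger, authorise,
PURPOSE_FIELDS, subject "s-1001", ...) and the sample records are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentRecord:
    """One consent decision as captured from the customer."""
    subject_id: str
    purpose: str
    granted: bool
    recorded_at: datetime
    third_party_sharing: bool = False  # explicit opt-in for sharing with third parties


class ConsentLedger:
    """Append-only store of consent decisions; the latest record per
    (subject, purpose) is the one in force, so withdrawals are preserved
    as history rather than overwriting the original grant."""

    def __init__(self) -> None:
        self._records: Dict[Tuple[str, str], List[ConsentRecord]] = {}

    def record(self, rec: ConsentRecord) -> None:
        self._records.setdefault((rec.subject_id, rec.purpose), []).append(rec)

    def current(self, subject_id: str, purpose: str) -> Optional[ConsentRecord]:
        history = self._records.get((subject_id, purpose))
        return max(history, key=lambda r: r.recorded_at) if history else None


# Declared purposes and the minimum fields each one legitimately needs
# (constructed data flow map; a real one comes from the PIA).
PURPOSE_FIELDS: Dict[str, FrozenSet[str]] = {
    "order_fulfilment": frozenset({"name", "shipping_address", "email"}),
    "marketing": frozenset({"email"}),
}


def minimisation_gaps(collected_fields: Iterable[str],
                      purpose_fields: Dict[str, FrozenSet[str]] = PURPOSE_FIELDS) -> List[str]:
    """Fields the intake form collects that no declared purpose needs.
    Each returned field is a data-minimisation finding for the PIA."""
    needed = set().union(*purpose_fields.values())
    return sorted(set(collected_fields) - needed)


def authorise(ledger: ConsentLedger, subject_id: str, purpose: str,
              fields: Iterable[str], share_with_third_party: bool = False,
              purpose_fields: Dict[str, FrozenSet[str]] = PURPOSE_FIELDS) -> Tuple[bool, str]:
    """Decide whether a processing operation may proceed.
    Order of checks: declared purpose, field minimality, then consent."""
    if purpose not in purpose_fields:
        return False, f"undeclared purpose: {purpose}"
    excess = set(fields) - purpose_fields[purpose]
    if excess:
        return False, f"fields not needed for {purpose}: {sorted(excess)}"
    consent = ledger.current(subject_id, purpose)
    if consent is None or not consent.granted:
        return False, f"no current consent for {purpose}"
    if share_with_third_party and not consent.third_party_sharing:
        return False, "consent does not cover third-party sharing"
    return True, "ok"


def build_sample_ledger() -> ConsentLedger:
    """Constructed history: subject s-1001 grants both purposes, then
    withdraws marketing consent a month later."""
    t1 = datetime(2020, 9, 1, tzinfo=timezone.utc)
    t2 = datetime(2020, 10, 1, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record(ConsentRecord("s-1001", "order_fulfilment", True, t1))
    ledger.record(ConsentRecord("s-1001", "marketing", True, t1))
    ledger.record(ConsentRecord("s-1001", "marketing", False, t2))  # withdrawal
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(minimisation_gaps(["name", "email", "shipping_address", "date_of_birth", "phone"]))
    print(authorise(ledger, "s-1001", "order_fulfilment", ["name", "shipping_address"]))
    print(authorise(ledger, "s-1001", "marketing", ["email"]))
    print(authorise(ledger, "s-1001", "order_fulfilment", ["email"], share_with_third_party=True))
    print(authorise(ledger, "s-1001", "analytics", ["email"]))
```

Keeping the ledger append-only matters for the "preserving" part of the requirement: an auditor or a data subject exercising their rights can see when consent was given and when it was withdrawn, and the gate never relies on a mutable flag that a later process could silently flip.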

Lisa Young, CISA, CISM, is the past president of the ISACA West Florida (Tampa, Florida, USA) Chapter and a frequent speaker at information security conferences worldwide.