How to Stay on Top of Data Privacy Changes and Ensure Ongoing Compliance

Author: Jeff Sanchez, Protiviti Managing Director, and Stephen Nation, Protiviti Associate Director
Date Published: 5 May 2021

Two years ago, organizations were rushing to comply with the European Union’s (EU) General Data Protection Regulation (GDPR). After a flurry of activity and changes to privacy settings and disclosures, many felt they could move on once they had checked that compliance box. But things have not remained static from a regulatory standpoint. In May, the European Data Protection Board published yet another update to GDPR implementations related to cookie preference management (Article 29). This is just the latest in a series of GDPR updates that have been issued over the last two years. Other circumstances have evolved as well, including the ongoing pandemic and the work-from-home changes organizations have adopted.

It seems timely for organizations to survey data privacy regulation in general, evaluate challenges arising from COVID-19, and explore best practices for data privacy programs under any jurisdiction. Since the GDPR, other data privacy measures have been under discussion or put into effect; many businesses will be subject to more than just one regulatory body. Violations of any data privacy regulation, unwitting or otherwise, could mean fines, reputational damage and expensive remediation activities.

COVID-19
In a short time, COVID-19 changed many business practices and raised more questions with regard to data privacy than answers. For example, would records related to employees’ daily wellness checks and staff notifications of coworkers testing positive for the disease be subject to privacy regulations? Remote working arrangements have added data privacy risk, too. An employer’s monitoring of employees working from home could be subject to data privacy regulation. When a transition to remote work is abrupt and unplanned, employees might work from unsecured environments; they may maliciously or unwittingly misuse customers’ personal data. Home environments facilitate such behaviors in a way that the office setting does not.

As of 1 June 2020, the U.S. Senate was preparing bipartisan legislation to require applications for contact-tracing and exposure notification to be deployed only in collaboration with public health authorities. As health officials try to help Americans establish whether they’ve come into contact with an infected person, the Exposure Notification Privacy Act would bar private businesses from releasing any application not approved by public health authorities, and establish other prohibitions and rights as well.

Your Data Privacy Program
A data privacy program is best built centrally within an enterprise to establish a pervasive culture of privacy that is consistent with the organization’s risk appetite. More businesses are designating a data privacy officer (DPO) role to drive data privacy from the top down. Smaller organizations without a dedicated DPO may have trouble meeting the dynamic demands of privacy compliance without some form of outside assistance.

Compliance with privacy regulations centers on understanding how data is collected, processed, stored and transferred across the organization – and the globe. (The GDPR’s term for this data activity is a Record of Processing Activities [ROPA]; for other data privacy regulations, the concept is the same.) To have an effective ROPA, businesses need to understand how the data flows within and outside of the organization. Data mapping is not mandatory for building the ROPA, but it’s a powerful technique to understand key data processes within an organization.

To operate an effective data privacy program, organizations must:

  • Develop a complete, detailed understanding of what the personal data is and how it is collected, processed, stored and transferred
  • Inventory the data processing operations and the supporting systems that collect, process and store the data
  • Explore how personal data flows throughout the organization
  • Identify current practices for protecting the data and ensuring that it complies with current data privacy policies
  • Demonstrate in a public way that privacy is a top priority
  • Build internal agreements and a customer-friendly communication plan to respond to consumer inquiries about privacy. (If the business expects a high volume of requests, automate these processes.)

Learn more about data privacy and associated recent changes in the full article from KnowledgeLeader.

This article was excerpted with permission from Protiviti’s KnowledgeLeader, a subscription-based website that provides audit programs, checklists, tools, resources and best practices to help internal auditors and risk management professionals save time, manage risk and add value. ISACA® members receive a discount on an annual subscription to the service.