[Privacy] Four Steps to Achieve your Effective Data Privacy Program

倾城 好物分享

With a veritable explosion of data breaches highlighted almost daily across the globe, and the introduction of heavy-handed privacy laws and regulatory frameworks, privacy has taken center stage for both IT and the business. 

This leaves leaders questioning what exactly privacy involves and how to make it scalable for their respective organization. As a facet of the business that is traditionally left to the discretion of a legal team or professional(s), this new realm of privacy and data protection is shrouded in incumbent grey area. 

But what if privacy is a little more “black and white” than what previous thought frameworks may have dictated? By taking a quantitative vs. qualitative approach to privacy management, business and IT leaders can remove some of the ambiguity around what privacy controls need to be in place and how to balance privacy integration with current business operations.

As the general public begins to take back control over data privacy so too should organizations, by taking a tactical, measurable approach to privacy and the business. 

Four Steps to Achieve your Effective Data Privacy Program

Privacy vs. Security

A common assumption is that security and privacy are one and the same. Security’s role is to protect and secure assets, of which confidential data – especially personal data – is a large focus. The consequences of a personal data breach can be severe, including the loss of customer trust and potential regulatory consequences. As a result, we often think of how we use security to protect data.
But that is not equivalent to privacy …
Privacy must be thought of as a separate function. While there will always be ties to security in the ways it protects data, privacy starts and ends with the focus on personal data. Beyond protection, privacy extends to understanding why personal data is being collected, what the lawful uses are, how long it can be retained, and who has access to it.

Privacy : Personal Data

When building a privacy program, focus on all personal data, whether it’s publicly available or private. This includes defining how the data is processed, creating notices and capturing consent, and protecting the data itself. On the converse side, an effective privacy program also enables accessibility to information based on regulatory guidance and appropriate measures.
See examples of personal data in the below charts: 

Data Controller vs Data Processor

A data controller determines the purposes and means of the processing of personal data.
A processor engages in personal data processing on behalf of the controller.
Processing involves any operation (or set) performed on personal data (such as, but not limited to, collection, structuring, storage, use or disclosure).

Data Controller: Defines Purpose and Means:
  • The data controller determines the reasons for processing personal data and the methods used to do so. 
  • Responsible for Compliance:
    They are primarily responsible for ensuring compliance with data protection laws, including those related to data subject rights.
  • Examples:
    A company collecting customer data for marketing, a government agency processing citizen information, or a hospital managing patient records. 
Data Processor: Processes Data on Behalf of Controller:
  • The data processor carries out the processing tasks under the instructions of the data controller. 
  • Examples:
    A third-party email service provider used by a company to send marketing emails, a cloud storage service provider storing data for a company, or a software company providing services that involve data processing. 

Feature
Data Controller
Data Processor
Decision-Making
Determines why and how data is processed.
Processes data as instructed by the controller.
Responsibility
Primarily responsible for compliance with data protection laws.
Primarily responsible for following the controller's instructions and ensuring the security and privacy of the data while processing it.
Control
Exercises control over the data and its processing.
Does not have independent control over the data or its processing; they act under the controller's instructions.
Obligations
Generally has more obligations under data protection laws, such as creating privacy policies and responding to data subject requests.
Generally has fewer obligations, but must ensure data is processed securely and in accordance with the controller's instructions and the relevant laws.

A Quiantitative Approach

Use risk and a metrics-based approach against a privacy framework that supports compliance while considering the custom needs of your organization.

1. Collect Privacy Requirements

2. Conduct a Privacy Gap Analysis

Phase Action Items
  • Define and document drivers
  • Establish privacy governance structure
  • Build a privacy RACI chart
  • Define personal data scope
  • Build a risk map
  • Complete the Data Process Mapping Tool
  • Compare compliance and regulatory requirements with gap analysis
  • Assess and categorize privacy gap initiatives

Phase Outcomes

      Documented business and IT drivers for the privacy program

      High-level understanding of how privacy is perceived in the organization

      Completed Data Privacy Program RACI Chart

      Data Process Mapping Tool detailing all business processes that involve personal data

      Privacy maturity ranking (Privacy Framework Tool)

      Identification of compliance or regulatory privacy gaps

3. Build the Privacy Roadmap

4. Implement and Operationalize

Phase Action Items
  • Finalize privacy gap initiatives
  • Prioritize initiatives based on cost, effort, risk, and business value
  • Set firm dates for launch and execution of privacy initiatives
  • Assign ownership for initiatives
  • Establish a set of metrics for the Data Privacy Program
  • Operationalize metrics
  • Set checkpoints to drive continuous improvement

Phase Outcomes

 • Completed Privacy Framework Tool
• Completed privacy roadmap, including timeline for initiative implementation, and cost/benefit vs. value/risk assessment 		• Customized set of privacy metrics
• Tasks to operationalize privacy metrics
• Data Privacy Report document
• Performance monitoring scheduled checkpoints

Privacy Controls with Metrics

As better privacy becomes the expectation from both B2B customers and end-consumers, expect a subsequent shift towards a strong privacy program as a competitive advantage for many organizations.
Privacy metrics take your program from a static framework to an operational model.
Select privacy metrics that are realistic and relevant for your organization, based on each of the 12 areas outlined as part of privacy control best practices.  

Privacy Control Categories: (from Info-Tech)

  1. Governance
  2. Regulatory Compliance
  3. Data Processing and Handling
  4. Data Subject Requests
  5. Privacy by Design
  6. Notices and Consent
  7. Incident Response
  8. Privacy Risk Assessments
  9. Information Security
  10. Third-Party Management
  11. Awareness and Training
  12. Program Measurement

Privacy Law

 

California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is California’s data privacy law that took effect on January 1, 2020.

The CCPA empowers California residents with enforceable rights over the personal information they generate every day online.

GDPR

CCPA vs GDPR vs CPRA

The CPRA is an amendment to the CCPA and is effectively a part of the larger California Consumer Privacy Act. These two regulations are not separate, and should not be handled as such, or ignored in favor of the other. The CPRA grants two more privacy rights to California residents.

Aspect CCPA CPRA
Consumer Rights – Right to access personal data- Right to delete dataRight to opt out of the sale of personal data – Enhanced rights from CCPA-Right to correct inaccurate personal data- Right to limit the use of sensitive personal information (e.g., precise geolocation, race, health data)
Business Obligations – Provide clear notices about data collection and use-Offer opt-out mechanisms- Ensure data security – Builds on CCPA requirements- Conduct regular risk assessments- Limit data retention periods- Implement more stringent data protection measures
Enforcement California Attorney General – California Privacy Protection Agency (CPPA)- The Attorney General retains some enforcement authority
Operational Dates Effective January 1, 2020 – Effective December 16, 2020- Provisions operative January 1, 2023]- Enforcement began July 1, 2023

Likewise, while the CCPA and the EU’s General Data Privacy Regulation (GDPR) share many components and have similar purposes, the requirements under each are not the same. Companies must take care to identify their privacy compliance needs and requirements, and then adopt the policies and practices they need to satisfy regulatory obligations. Complying with both the CCPA and GDPR involves more than complying with one or the other.

PIPEDA

PIPEDA Self-Assessment Tool

https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-compliance-and-training-tools/pipeda_sa_tool_200807/

Tools

Scytale: https://scytale.ai/pricing/
OneTrust : https://www.onetrust.com/solutions/ccpa-compliance/
Scrut: https://www.scrut.io/solutions/ccpa
Usercentrics.com
www.osano.com 
Free Cookie Consent 
  • Free: USD 0/month for 1 user, 1 domain, and up to 5,000 visitors/month
Ketch
  • Ketch Free: USD 0
Orrick’s CCPA Readiness Assessment Tool consists of five sections with questions covering the Scope of the CCPA, Notice to California Residents, CCPA California Residents Rights, Vendor Management and Contracting, and additional considerations.

References

https://blog.51sec.org

版权声明:
作者:倾城
链接:https://www.techfm.club/p/214214.html
来源:TechFM
文章版权归作者所有,未经允许请勿转载。

THE END
分享
二维码
< <上一篇
下一篇>>