Privacy readiness is an ongoing problem that keeps growing even though there has been a global avalanche of data privacy legislation. Last year’s implementation of the EU’s General Data Protection Regulation (GDPR) sounded alarm bells across the EU and around the world. Other nations, such as Australia, Canada and the Republic of the Philippines, have passed their own privacy regulations, while states such as California are jumping on the bandwagon with the California Consumer Privacy Act (CCPA).
This torrent of regulations has become mind-boggling. In this paper I will give you a toolbox of 20 questions that will help you on your ongoing journey to data privacy preparedness. Notice that I said readiness, not compliance. That is because chasing compliance is somewhat like playing whack-a-mole: it is a constantly moving target.
Twenty Questions Regarding Privacy Readiness
Many of us played the game “Twenty Questions” as kids. One player is designated to answer while the rest of the group poses 20 questions to guess the phrase, object or topic chosen by the answerer. The purpose of these 20 questions is to help you assess where you and your organization stand with regard to data privacy readiness.
1. What data do you have?
You can’t manage privacy and build privacy readiness until you know what data you have. You also need to know where it is. Merely storing data in a country can trigger that country’s data protection regulations.
2. Who did you get it from and are they citizens of the EU?
While the EU’s GDPR claims to protect EU citizens wherever they may be, thus far there has been no enforcement along these lines.
3. Do you have a legal reason for collecting and for using the data?
Do you have consent? Consent for what purpose, and for what time period? If you don’t have consent, do you have another appropriate legal justification?
4. Can you find the data if the person whose data it is (the Data Subject) asks for it?
The rights of the Data Subject (the person whom the data is about) are at the core of data privacy regulations and privacy readiness. As a result, you will need to be able to respond to their inquiries. Will you be able to tell that person how their data is being used? Is it being used in line with their consent or another legal reason? Have you considered your employees’ privacy rights as well?
5. Can you delete the personal information if requested?
The right to erasure is an important one.
6. Can you prove that you deleted it?
You might not have to provide proof of particular data elements, but you will likely need to show that your business operations include deletion of data.
7. Is the data adequately and robustly secured?
Do you have special data such as health information that requires special care and security? Do employees who are exposed to or handle the data know their responsibilities to safeguard it?
8. Do you perform a data privacy impact assessment for new applications, processes and procedures – especially those related to marketing to consumers?
Have you assessed the Personal Information collected and maintained by your cyber security technology? This is an often neglected but crucial step.
9. Are you holding the third parties that work for you to the same standards of privacy and security that you adhere to yourself?
Is this reflected in your contract terms?
10. Are you safeguarding the privacy of your employees’ personal data?
Employees are people too and the laws are clearly moving to ensure their personal data is protected, as well as that of consumers and others.
11. Do you have trusted external resources (such as attorneys, experienced Data Protection Officers, Data Protection Authority (DPA) contacts and references) for privacy readiness?
Privacy regulations can be complex and several may conflict with each other; no internal organization can have all of the knowledge that may be needed to address a particular or unique situation.
12. Do you have a basic familiarity with the appropriate regulations to include their recitals and legislative history showing the intent and spirit of the law?
Understanding the intent helps you craft an organization-wide privacy philosophy that can run across all departments and functions. You can find the intent of the GDPR in the Recitals that precede the actual regulation.
13. Do you have adequate and timely breach detection capabilities?
Are the right people notified quickly enough to be able to act?
14. Do you have a breach notification plan?
In addition to notifying those who might have been impacted by the breach, do you know whether you are responsible for notifying the national Data Protection Authority (DPA)?
15. Do you test breach incident response and notification plans?
Do you document the tests, any lessons learned and measures taken in response to the lessons learned?
16. Do you have appropriate law enforcement liaisons established?
At a minimum you should designate liaison personnel for local law enforcement and allow them to build relationships in a proactive environment.
17. Are you, or is a trusted resource on your behalf, monitoring ongoing legislative activity?
This is another step in maintaining a proactive posture.
18. Have you formed an informal group of people who have the same or similar roles to yours at other comparable organizations to share best practices?
19. Do you have a trained and properly empowered single responsible individual for privacy matters?
Do they have an executive sponsor?
20. Do you routinely, as a matter of documented policy and procedure, destroy data that is no longer needed or is no longer covered by a legal reason such as the consent of the data subject?
These are just some of the questions that organizations need to consider as they continue to work on their data privacy protection posture. Given the complexity of the issues, organizations would do well to focus on principles rather than a myriad of policies and procedures.
COL (R) Lawrence D. Dietz, Esq.
TAL Global Corporation
General Counsel and Managing Director, Information Security
About the author: Colonel (R) Lawrence D. Dietz is a nationally recognized expert in the areas of cyber security, cyber warfare, information security and intellectual property. Mr. Dietz is a licensed attorney and also provides litigation and legal support to our clients in these matters.
As a retired Army Reserve Colonel specializing in intelligence and PSYOPS, Mr. Dietz has over 30 years of diversified military and commercial information and cyber security experience. This unique knowledge combined with the thought leadership of academia enables Mr. Dietz to bring varied approaches and solutions to clients’ challenges.