Engineering Privacy With Lessons Learned From Security

Sameer Ahirrao -

As countries worldwide pass laws regulating data collection, businesses are now being looked at under a microscope regarding how they handle consumer data. These regulations are also requiring companies to implement a robust privacy program within an existing corporate framework. However, privacy teams do not need to develop these programs in the dark. Many challenges of implementing privacy programs are similar to previous challenges faced by cybersecurity teams. At Consero’s Chief Privacy Officer Virtual Forum held on August 4th and 5th of this year, a panel comprised of privacy officers from various industries brainstormed how companies can use the lessons learned from security programs while designing a robust privacy program. The panel was comprised of CPOs of an automobile company, a homecare company, an aerospace defense contractor, and Ardent Privacy CEO and Founder Sameer Ahirrao.

Learning from security, applying to privacy

As privacy requirements are evolving, companies have been implementing security programs for some time now. Organizational challenges such as adopting new business processes and stakeholder buy-in that existed with implementing security also exists with privacy programs. Also, the lack of awareness, resources, funding, or expertise that companies faced in implementing security, persists with privacy development. Companies can learn from past experiences and the difficulties of implementing security in crafting a comprehensive privacy policy.

One panelist stated that “privacy teams should have a symbiotic relationship with security teams.” The panel as a whole went on to explain that organizational data mapping, which is a privacy requirement, highly serves the security need of identifying critical data assets. Knowing what data you have, where your data is stored, and what third parties have access to your data makes it easier to secure and comply with privacy regulations. Data minimization, collecting and storing only what is necessary, is a privacy practice that serves security purposes. “If a business is collecting extraneous information, it needs to take steps to pay, store, and protect that unnecessary data” said Sameer Ahirrao (Ardent Privacy CEO & Founder). He also recommended that businesses adopt a “data-centric security model.” Highlighting that data privacy and security share the same core goal of protecting personal information. When developing a plan, keeping this shared goal in mind will lead to a robust system that will meet privacy and security needs.

Privacy vs. Security

Data privacy and security are often grouped together and handled by the same department. While there are benefits to combining the departments, companies need to be wary of treating privacy and security as the same thing. Another panelist stated that “treating the two as one and the same would be doing a true disservice to the demand and attention each system requires.” While both involve protecting information, there are different requirements and expectations when it comes to privacy. Panelist stated that “a simple way of framing the two systems is that security operates on a risk/reward basis.” A company may be required to establish a base level of information security, but once it is past that threshold, it falls on the company to determine how much more protection is needed. Some companies may need more security than others; for example, a small family-owned deli does not need the same level of cybersecurity as a large financial institution . A business can weigh the risks it faces regarding security, whereas data privacy is a compliance requirement. As long as a privacy law regulates a company, the company must comply with data privacy regulations to avoid fines from regulatory authorities. Responsibility and training also play a more significant role with privacy than security. Companies may have a low risk of an employee or executive hacking into the company’s servers. However, there is always a high risk of poor data management, where a worker could unintentionally share personal information with someone they were not supposed to. When establishing a comprehensive digital strategy, privacy needs to be treated as its own entity and not just assumed with security implementation.

Incorporating privacy function at an organizational level

Due to the similarities between privacy and security, it would be intuitive to combine the departments. The panelists stated that they have seen other companies have different departments work on privacy and security; however, having separate departments can lead to a slower response time to a data breach or incident. One panelist stated that “bringing the two departments together can fix this issue.” Another panelist seconded this opinion recommending “that since privacy principles can be carried out through information security practices, working with the information security team and combining forces will greatly benefit the company and prevent the departments from conflicting with one another when responding to an incident or establishing policies.”

The panelists recommended that if a company takes this approach and combines departments, it still needs to ensure that the company is on the same page regarding privacy, as there is no “one-size fits all” approach. The panelists stated that utilizing a top-down approach can best achieve this. A privacy policy should start with executives, as having leadership on the same page about a company’s privacy policy is crucial. The panel also agreed it is easier to implement a company-wide policy if it comes from the top, opposed to one specific department that the majority of the company doesn’t interact with. The panelists also highlighted the importance of having particular departments receive extra training or employing privacy professionals if that department handles personally identifiable information. For example, HR and finance often process large amounts of personal data, so these departments should receive extra privacy training. Specific departments needing additional training is also a significant difference between incorporating privacy than security. For example, a worker in payroll may not have any responsibilities when it comes to the company’s cybersecurity. Still, they certainly have privacy implications in handling employee’s personal data in tandem with financial information. While some departments and executives have to be more familiar with the privacy policy, the entire organization should be aware of the risks and responsibilities of handling personal data. While data privacy and security are not interchangeable, there is much to learn from security when developing a robust privacy program.

About Ardent Privacy

Ardent Privacy is an "Enterprise Data Privacy Technology" solutions provider based in the Maryland/DC region of the United States and Pune, India. Ardent harnesses the power of AI to enable companies with data discovery and automated compliance with DPB (India), RBI Security Guidelines, GDPR (EU), CCPA/CPRA (California), and other global regulations by taking a data-driven approach. Ardent Privacy's solution utilizes machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises to reduce legal and financial liability.

For more information visit https://ardentprivacy.ai/and for more resources here.

Ardent Privacy articles should not be considered legal advice on data privacy regulations or any other specific facts or circumstances.