When asked to describe my responsibilities as a chief privacy officer, I often say my primary function is to be an advocate for the individuals whose personal data my organization collects, maintains and processes. This response may be initially mystifying, since we often think of legal and compliance professionals as those who guard the parapets, protecting the organization’s interests at all costs. However, with a slight adjustment in perspective, it becomes clear that protecting the interests of those who have entrusted your organization with their data ultimately achieves that organizational protection goal.
How then do privacy professionals perform this advocacy role? The identification of stakeholders is vital to ensuring our organization stays on the right side of the line when it comes to privacy compliance. IT professionals across the spectrum, from information security officers to application developers to IT auditors, are among the most important contingents for privacy professionals to partner with in order to achieve our shared goals. Let’s explore a few core privacy concepts where IT skills are beneficial.
Personal Data
At privacy’s core is the concept of “personal data” or “personally identifiable information (PII).” While legal definitions of what constitutes personal data vary slightly from jurisdiction to jurisdiction, personal data is generally information that identifies a natural person. Sometimes a single data element suffices, such as a national identification number; other times two or more data elements must be used together. It’s important to understand that this data requires a high level of protection, so knowing what personal data you have, where it is stored, and how it is accessed is critical. IT professionals are in an optimal position to know which strong information security controls may be implemented. Even better, if it is possible to de-identify the data at some point in its lifecycle, either through masking, encryption, or anonymization techniques, the data is no longer considered personal data.
Data Minimization
If the privacy profession had a mantra, it would be “less is more.” With the threat of ever-larger fines for privacy compliance violations, eliminating personal data minimizes privacy risk. The principle of data minimization is, therefore, exactly what it sounds like – minimize the amount of personal data that an organization collects in order to decrease the privacy risk. Clearly defining data requirements to limit the collection of personal data to the minimum necessary is the goal. Likewise, it’s equally important to know when that personal data no longer serves any purpose. Data minimization is also achieved by purging or archiving personal data at the end of its usefulness.
As data minimization may be accomplished at multiple places throughout the data lifecycle, IT professionals can be instrumental in identifying the options for business users. For example, when designing a new product or service, think carefully about which data must be collected from a client in order to provide it. Personal data that is not needed to provide the product or service should be optional or simply not collected at all. Likewise, consider performing annual reviews of certain data types that exist in your data storage locations. If scanning data storage reveals a high prevalence of social security numbers from US clients, determine whether there is a corresponding purpose for maintaining this data. If that purpose cannot be identified, it may be best to purge that data.
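One way to turn the review described above into a repeatable check, as an added Python example that is not the author’s or ISACA’s code: it scans constructed customer records for US social security number patterns, reports how prevalent they are per field, masks SSNs in fields that have no documented purpose for holding one, and purges records that have been idle past a retention window. The field-purpose policy (`SSN_PURPOSE_FIELDS`), the retention period and the sample records are assumptions.

```python
"""Data-minimization review over a constructed customer dataset (added example)."""
import re
from datetime import date, timedelta

# US SSN in the usual 3-2-4 layout; rejects area/group/serial values the SSA
# never issues (areas 000, 666, 9xx; group 00; serial 0000) to cut false hits.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Assumed policy: only these fields have a documented purpose for holding an SSN.
SSN_PURPOSE_FIELDS = {"tax_id"}
REVIEW_DATE = date(2024, 6, 1)   # assumed date of the annual review
RETENTION_DAYS = 730             # assumed retention window for idle records

# Constructed sample records; every SSN value below is made up.
RECORDS = [
    {"id": 1, "tax_id": "123-45-6789", "notes": "ssn 123-45-6789 on file", "last_used": date(2024, 1, 10)},
    {"id": 2, "tax_id": "", "notes": "called about invoice", "last_used": date(2020, 6, 1)},
    {"id": 3, "tax_id": "456-78-9012", "notes": "", "last_used": date(2023, 9, 9)},
]


def scan_ssn_prevalence(records):
    """Return {field: share of records whose value contains an SSN}."""
    hits = {}
    for rec in records:
        for field, value in rec.items():
            if isinstance(value, str) and SSN_RE.search(value):
                hits[field] = hits.get(field, 0) + 1
    return {field: n / len(records) for field, n in hits.items()}


def mask_ssn(text):
    """Replace each SSN in text with ***-**-NNNN, keeping only the last four digits.
    Masked values that can still be linked back to a person are pseudonymous,
    not anonymous, and stay in scope of privacy law (e.g. GDPR)."""
    return SSN_RE.sub(lambda m: "***-**-" + m.group(0)[-4:], text)


def minimize(records, today=REVIEW_DATE, retention_days=RETENTION_DAYS):
    """Purge records idle past retention; mask SSNs in fields without a documented purpose."""
    cutoff = today - timedelta(days=retention_days)
    kept = []
    for rec in records:
        if rec["last_used"] < cutoff:
            continue  # no remaining purpose for the record: purge it whole
        clean = dict(rec)
        for field, value in rec.items():
            if field not in SSN_PURPOSE_FIELDS and isinstance(value, str):
                clean[field] = mask_ssn(value)
        kept.append(clean)
    return kept


if __name__ == "__main__":
    print("SSN prevalence by field:", scan_ssn_prevalence(RECORDS))
    print("After minimization:", minimize(RECORDS))
```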
Personal Data Breaches
The privacy topic that receives the most attention is personal data breaches, often due to the volumes of data compromised or spectacular fines (or both). Certainly, no organization wants to make the headlines as a result of a personal data breach, and considerable effort and expense are put into preventing them. While sound cybersecurity programs can prevent data breaches by external actors, another area of focus should be eliminating data exfiltration and internal threats. This is one area where IT auditors can be especially helpful, as they are often experts in finding process flaws and thinking like the “bad guy.”
Privacy is no longer a manual, legalistic, “check-the-box” attestation exercise, if it ever really was. IT professionals already possess the skills necessary not only to assist privacy officers in their objectives, but more importantly to become key drivers in building privacy protections into operations. An understanding of the core privacy concepts above helps to foster collaboration between privacy and IT professionals.
Editor’s note: For additional ISACA privacy resources, find out about ISACA’s new Certified Data Privacy Solutions Engineer (CDPSE) certification and join the privacy conversation on Engage.