Three Ways Your Approach to Privacy Is at Risk

Author: Guy Pearce
Date Published: 13 November 2020

At the federal (or national) level, the risk associated with outdated privacy laws has received good coverage.1, 2, 3, 4, 5 What has received less coverage is how outdated—and, therefore, risky—organizational approaches to privacy can become, even when those approaches are periodically updated to reflect changes in privacy legislation. While there are many areas within an organization where this risk occurs, three areas are of particular importance to consider.

Unmaintained Privacy Impact Assessment Templates

Privacy impact assessments (PIAs) present a structured approach to assessing the potential privacy consequences of a diversity of organizational initiatives. PIAs can provide privacy officers with a well-defined and repeatable means to analyze not only the use of sensitive data in enterprise projects, but also the impact of the initiative on people and organizations, and even on organizational communication. Although they can be an excellent general privacy risk control, PIAs need to be kept current.

It is important to consider when last you evaluated the appropriateness of your organization’s PIAs in the context of rapidly changing societal and legislative privacy requirements and expectations. It is helpful to ask the following questions:

  • Is the original driver or terms of reference of your PIA6 still valid?
  • Is the applicability of the PIA well defined, or is it blurred across multiple activities, the variety of which may better be served by individual PIAs?
  • Is the PIA only performed at project initiation, or is it performed at multiple milestones within the project, given how projects evolve during their life cycle?
  • Where the initiative impacts external organizations or people, to what extent are those external stakeholders consulted as part of the PIA?
  • Is the frame of reference for the PIA only the reigning legislation, or does it consider the reigning political climate as well, the ignorance of which could incur reputation risk?

Further, what criteria have been used to determine the completeness of the PIA template(s)? In other words, what is the risk of omission of a line of inquiry from a PIA template, and to what extent does your privacy officer have the experience to interpret the information provided in the PIA from a privacy risk perspective?

Regulatory Compliance Is the Goal

Privacy compliance is the minimum expectation of organizations. These requirements differ widely between countries and can even differ between provinces or states within a country. Good corporate governance will ensure the periodic assessment of the organization’s entire privacy framework and its associated activities for each country in which the organization operates.

Board directors have a fiduciary duty to the organization’s stakeholders to act in the best interests of their organization and, as such, have a duty to pursue privacy well beyond mere compliance. As seen through an ethics lens, examples of these duties include:

  • Ensuring that the organization’s privacy milieu accommodates its customer’s cultural differences across countries
  • Ensuring that customers do not feel they need to take on new privacy risk in order to receive a benefit from the organization
  • Realizing that an organization’s customer data reflects a snippet of a person’s life, and that, as such, personal data should be treated with respect and not merely as an asset to be exploited
  • Not taking liberties with a customer’s data, even under consent, in the case where limited or no alternatives for the product or service exist. This would then, in effect, be a case of coercion rather than of consent.
  • Ensuring PIAs are up to date and completed at multiple checkpoints in the life cycle of the organizational initiative as part of ensuring a sustainable response to privacy by design

Other examples of privacy beyond compliance, an outline of the need for it, and a description of the role of the board in ensuring it can be found in the ISACA® white paper, Privacy: Beyond Compliance.

Assuming an Organization’s Data Are Safe

The majority of people have personally engaged with Facebook, Amazon, Apple, Google, Microsoft, or Twitter, and possibly with their subsidiaries, WhatsApp and Instagram, as well. But Facebook,7 Amazon,8 Apple,9 Google,10 Microsoft,11 and Twitter12 have all had data breaches. WhatsApp13 and Instagram14 have also had data breaches.

That is not to mention the numerous data breaches of banks, insurers, credit bureaus and retailers around the world. We are all affected. If these giants—each with very large budgets for cybersecurity—have all been breached, what hope is there for smaller organizations with much more limited cybersecurity budgets? Given this, it is highly likely that your data are already “out there.”

This does not mean that privacy is irrelevant, but it does require different ways of thinking about and of effecting privacy, such as a hybrid model of identity solutions and enterprise information accountability.15 Ultimately, it could be argued that it is only a matter of time before every organization suffers a data breach in spite of its best efforts.

Conclusion

It is clear that not only do federal and provincial (or state) privacy laws need constant updates to keep them current with rapidly changing data, personal, organizational and communication milieus, but organizational approaches to privacy themselves need regular updates as well, for the same reasons. This is a critical activity to help ensure that the very mechanisms meant to protect privacy do not themselves become an enterprise privacy risk.

Guy Pearce, CGEIT

Has served on governance boards in banking, financial services and a not-for-profit, and as chief executive officer (CEO) of a financial services organization. He has taken an active role in digital transformation since 1999, experiences which led him to create a digital transformation course for the University of Toronto School of Continuing Studies (Ontario, Canada) in 2019. Consulting in digital transformation and governance, Pearce readily shares more than a decade of experience in data governance and IT governance as an author in numerous publications and as a speaker at conferences. He received the 2019 ISACA® Michael Cangemi Best Author award for contributions to IT governance, and he serves as chief digital transformation officer at Convergence.Tech.

Endnotes

1 Boutilier, A.; “Canada’s Outdated Privacy Laws Are Posing an Economic Risk to Companies, Federal Watchdog Says,” The Star, 10 December 2019
2 Boland, H.; “Europe's Privacy Laws Are Already Outdated, Warns Nokia Boss,” The Telegraph, 9 October 2018
3 Orcutt, M.; “The U.K. Pleads With Congress to Change an Outdated Privacy Law to Help Fight Terrorism,” MIT Technology Review, 26 May 2017
4 Sachs, S.H.; “The Supreme Court’s Privacy Precedent Is Outdated,” The Washington Post, 26 November 2017
5 Impact PR, “Kiwi Consumers at Risk from Outdated Privacy Law—Expert,” SCOOP Independent News, 17 June 2015
6 Wright, D.; “Should Privacy Impact Assessments Be Mandatory?,” Communications of the ACM, vol. 54, iss. 8, p. 121–131, August 2011
7 Isaac, M.; S. Frenkel; “Facebook Security Breach Exposes Accounts of 50 Million Users,” The New York Times, 28 September 2018
8 Brignall, M.; “Amazon Hit With Major Data Breach Days Before Black Friday,” The Guardian, 21 November 2018
9 Matthews, K.; “Incident Of The Week: Apple iPhones Affected By Data Breach Discovered By Google’s Project Zero Security Researchers,” Cyber Security Hub, 6 September 2019
10 Schwartz, M.J.; “5 Million Google Passwords Leaked,” Bank Info Security, 10 September 2014
11 Winder, D.; “Microsoft Security Shocker As 250 Million Customer Records Exposed Online,” Forbes, 22 January 2020
12 BBC News, “Twitter Apologises For Business Data Breach,” 23 June 2020
13 Paul, K.; J. Schectman; C. Bing; “WhatsApp Security Breach May Have Targeted Human Rights Groups,” Reuters, 14 May 2019
14 Whittaker, Z.; “Millions of Instagram Influencers had Their Contact Data Scraped and Exposed,” TechCrunch, 20 May 2019
15 ISACA®, Privacy: Beyond Compliance, USA, 2020