As of mid-last year, there were more than a hundred and thirty different privacy regulations globally. That number has increased substantially since. There are comprehensive privacy laws in effect or emerging on every continent apart from Antarctica. The number of US states that have enacted comprehensive privacy regulation has doubled from two to four over these past several months, and these are in addition to privacy focused sector specific federal agency regulations like HIPAA, COPPA and others, and existing state breach reporting acts. With other comprehensive state acts waiting for passage, including Connecticut due to be signed into law within days, that number may double again this year.
Although there are similarities between many, differences between these and the cost of non-compliance in assumed risk, reputation, and penalties are sufficient to require that any company operating globally stay aware of the laws to which they need to be responsive, and diligent in meeting the requirements of each of them. There is no one size fits all solution. Leading providers of privacy solution services offer frameworks for guidance, and Privacy Enabling Technology (PET1) platforms to help companies with their privacy requirements, whether data and process inventories, discovery, assessments, rights management, notices or other, and these do help leverage commonalities between the laws. More ‘data aware’ Privacy Enabled Technologies (PET2) with the intelligence (AI) to perform protective actions autonomously and appropriate to the characteristics of the data or risk environment are starting to emerge. Still, without better operational and cultural absorption, and a program of maturity, at best we can achieve a directionally effective privacy conformance posture, but for many to most, not full and sustainable compliance.(Note: PETS are Privacy Enhanced Technologies. The PET1/PET2distinction between PET categories is the authors)
And it is not simply the number of laws to which we may need to comply. Privacy regulations are laws (GDPR, CCPA, LGPD, PIPL, POPIA), but not solely a legal problem for an operating business. For most companies it is the absorbing of a complex set of divergent, complex, continually changing, and newly emerging regulations into an operating business amidst all the competing attentions of globalization, digital transformation, competitive differentiation, changing markets, cyber and enterprise threats, a workforce in flux, and newly defined consumer expectations all of which hold leadership’s attentions.
Speaking at a conference last year I introduced what I called the non-compliance Dirty Dozen, a list of common reasons why many privacy projects undertaken, even by some of the best of name companies, struggle or fail. Projects are undertaken, but not completed, completed, but not operationalized, there is insufficient leadership attention, inadequate resource or authority, other priorities have taken focus, gains made were lost to business change or growth, there is no mechanism in place to stay current with ongoing business and activities in the field, and more.
Emerging laws are increasingly following the European model as defined by the GDPR. These laws are ‘contextually cognizant’, fully aware that a person is biology, activity, history and experience, and that personal information is more than just directly identifying information like name, address and similar, but any data that relates to the full context of an individual’s persona, characteristics, behaviors, affinities, affiliations, associations, social identity, and more. Context in the defining of information as personal is fundamental to privacy and the privacy rights of individuals. Defining more data as personal affords individuals increased say over more of the data held by businesses that may be directly or potentially associated to them and a say in if and how it can be used. From the perspective of businesses, it expands the systems, applications, and processes likely to fall in scope to any number of laws and increases the difficulty in determining where the collection and use of data in conducting business may put them at risk.
And many companies, even well-known name companies, have not undertaken, completed, or maintained an inventory and catalog of the location and classification of the data in their environment, business or personal. They have not fully assessed the value, sensitivity, individuating character, or the confidentiality of the data assets they collect, store or process in house, or are held or are serviced on their behalf by third parties. And if you don’t know what you have and where it is, how can you effectively protect it? And are the right controls in the right places at the right times for the consequence of the data they are to protect for a given risk? If protecting the client data base and the corporate lunch menu in the same way, without a doubt, one or the other is improperly managed.
Our attorneys can interpret the language of the law and tell us what it means and what is expected for us to comply. But is that enough for the law to be operationalized? For instance, ‘a law requires that we have a means for individuals to know what data we are holding that relates to them and assure that it is current and correct and for them to dictate what we can keep and how it can be used’. Well for the law to be operationalized that statement is only the beginning. What it doesn’t tell us is how best to accomplish that. Well of course a self-service portal allowing an individual to see their data and make decisions about its use, what goes, what stays and what changes could be an effective way to meet the requirements of the law. It could also be operationally effective in limiting the access requests to which a company needs to respond, and the process needed to enable that.
But a portal requires an investment in infrastructure and that an application be developed. It requires that once built and offered it functions well, the interface is pleasing and intuitive, and it performs sufficiently to provide a good experience. It correctly links to all the applications, systems and repositories of data that might hold data about the individual. It keeps pace with change. As new data is collected, or new systems are engaged in processing individual data or providing them with new services, these too are properly linked and accessible. It scales to meet the demands of use. It needs effective event logging and archive to maintain a history of access, changes, and deletions and be sufficiently granular to clearly express the individual’s intentions.
And if this portal is to satisfy individual access to their data, we also need to assure that it is available. That requires that it be protected, its security and stability monitored, and not just for the portal, but the systems, networks and storage, or platform and storage-as-a-service provisioned in the one or many clouds in which it might reside. We need active-active configurations, hot fail over systems, swappable drives, in house spares or support contracts to respond to failures. And what about the telecom required to reach it? Is that protected? The staffing, engineering and help desk to support it? The data backups and other offsite data replication? The N-Tiers of processors involved in the delivery of the services. The recovery and continuity plans? The ongoing budget for maintenance? So yes, these are laws, but operationalizing them is not solely a legal problem. The disciplines of system development, operations, technical security, and production controls and the maturity frameworks that have been the basis for governing enterprise Information Technology for so long play a major role in operationalizing privacy.
But even if we can successfully operationalize, how do we know if our ‘operationalized’ privacy programs are effective? It is about implementing an ecosystem of maturity controls. And regardless of the control, technical, privacy, behavioral, ethical, or other, it is not enough to know that it is in place. We also need to know that it is functioning or performing its role correctly, is used with sufficient frequency, and that it adequately scales. And that a process is in place to assure it, test and validate it, and that it is done routinely. It is also important to be able to assess the effectiveness of the control in the context of the area in which it is deployed, each area (departments, entities, affiliates, third-party participants), relative to size, proportionate to risk, progressively and comparatively over time, and at specific times in the business cycle, addressing periodic, episodic, sporadic, or variably expressed risk, and with respect to other controls in place, compensating or synergistic, and the impacts to the overall organization.
It is for instance insufficient for the head of security to know that there is an incident response plan in place with expectations of the employees and staff, know its characteristics, how to use it, and how frequently it is assessed, tested, and vetted if that has not been communicated to leadership, socialized across the organization, and internalized to the business. And if successfully adopted in some areas but not in others what are the factors for success or the impediments to dissemination or uptake? Have these shown improvement or degradation over time, and specifically since the last time evaluated so that directional success or any incremental progress can be determined? What differs in its adoption by one area from other areas of the business so that we can know where the roadblocks are and where to apply our attentions and resources? These are factors of effective maturity in the governance of business risk.
And can we identify those risks that are caducous? Caducous risk is a term I coined from a biological trait as risks most easily addressed if identified early and before they develop. A business unit that says “we have our own plan” is a caducous risk best addressed early. So too are projects proposed or initiated without a prior and adequate review of risk. So too are impactful changes in the collection, processing and disposition of data or alterations in its use or care. Absent a process of early review, adequate scrutiny, management, and authorization, any of these can introduce new risk, compromise one or more lines of business, disrupt business goals and strategies, and undermine the compliance of the enterprise.
I followed a LinkedIn discussion initiated by Dr. Gabriela Zanfir-Fortuna, Vice President for Global Privacy at the Future of Privacy Forum, about a GDPR case involving a finding of insufficiency in employee training at a company in the EU that resulted in the mishandling of personal data. The courts weighed in with an adverse finding against the company. At its core having provided training to employees alone was deemed insufficient if undocumented, or records of the training were inadequate to show that it took place, who was trained, and with what frequency, and that the training given was effective, or that the training resulted in a general understanding of the GDPR principles sufficient to protect the rights of individuals as they were obligated. This is not unexpected. I anticipate that the simple presence of controls will increasingly prove insufficient. Expectations of maturity and its validation will dictate legal consequence.
Many businesses have adopted maturity frameworks and standards to advance enterprise and cyber security risk governance. We in privacy are only beginning. With so many laws on the horizon how effectively we mature will determine our success. We still have a way to go.
Martin Gomberg is a former CIO and CISO, now a privacy consultant and business advisor and is the author of CISO Redefined: Thoughts on Leadership, Business Protection, and the Chief Information Security Officer.