Building a data protection strategy that considers the nuanced interplay between data security and data privacy can certainly seem daunting, especially when budgeting and resource restraints do not allow for a team of privacy experts, but there are practical steps that InfoSec teams can follow to get started. And with privacy set to remain a hot topic over the next few years, our Head of Risk & Compliance and DPO at Trūata, Christabel Ebrill, has outlined 5 recommendations and best practices that will help you to bake privacy into your information security strategy.
1. Look towards recognized certifications and frameworks
While there are many great privacy frameworks that you can turn to when designing your privacy program, I would highly recommend ISO27701 – which is a privacy extension – for organizations that already have the ISO27001 certification in place. This certification sets the standard for international privacy, and companies that have already attained the ISO 27001 certification for their Information Security Management System (ISMS) would already be familiar with the format; therefore, it would be easy to implement as an organization.
ISO 27701 outlines how you can create a Privacy Information Management Systems (PIMS) and this can be folded into your information security management framework. Not only would it help your organization to understand the GDPR and weave privacy by design into operations, but it would also get you a huge step further in being GDPR compliant. And in today’s privacy-conscious world, the certification also serves as a useful differentiator, particularly for B2B branding and marketing teams. Even when selecting a product or vendor for supply chains, 82% of organizations say they now view privacy certifications as a key buying factor.
2. Strengthen data security controls as far as possible
As the value of data continues to rise, the number of threats and attacks on data assets will follow on the same upward trajectory. In fact, if we are to look at recent stats on data breaches and cybercrime, the question for most companies is not if they experience a data leak or attack, but when. This is why companies are heavily investing in data-centric security strategies and privacy-enhancing technologies.
Dealing with the aftermath of a data breach can be hectic and the repercussions can be severe, with hefty monetary penalties for non-compliance with privacy regulations. However, having strong security measures in place is always beneficial, even if you are unfortunate enough to be handling a breach. Data security measures are a critical foundation in protecting personal data, and regulatory authorities often take this onboard when investigating a breach. For example, Ireland’s Data Protection Commission (DPC) will take your security controls into consideration when deciding on the size of the regulatory fine. It’s important to remember that tackling data privacy and data security is not an either/or decision; the two should work in tandem to fortify a robust data protection strategy, so staying up-to-date as technologies evolve is critical.
3. Don’t just protect your data
While InfoSec teams are focused on how best to protect data, they are now required to pay particular attention to how their organization governs the data. While data security measures are put in place to create a guarded perimeter that prevent attacks from the ‘outside world’, data privacy measures require teams to consider what is happening on the inside. This means looking at data flows and asking questions such as:
- What data do we have?
- What do we do with data as a company?
- Who is sharing the data?
- Where is it moving from and where is it going?
- Who is accessing the data?
To ensure the right governance controls are in place, you first need to know what you’re protecting and how. When you understand the inner workings of where business critical data resides and how it is used, you can plug the data protection gaps that exist by putting additional safeguards in place.
4. Utilize DPIAs by adding a prerequisite security review
With so many companies struggling to allocate resources to dedicated privacy teams or DPOs, many InfoSec leaders are taking on the responsibility for being key contributors to Data Protection Impact Assessments (DPIA), and I foresee this becoming a trend given the difficulties of finding the right people in an organization to take it on.
DPIAs require companies to look at the risks of processing personal data, and they present a real opportunity for InfoSec teams to add another ‘quality gate’ into their procedures and processes. While the DPIA has to be conducted for compliance, adding a prerequisite security review can help to outline the kinds of risks that exist when your company processes personal data, so that you can minimize those risk as early as possible. This security review can be fed into the section of the DPIA that handles ‘organizational security controls’ while simultaneously serving as a reassurance that the necessary due diligence has been carried out.
5. Integrate privacy into your standard security procedures
For InfoSec teams, it is beneficial to build ‘privacy-first thinking’ into everyday security matters; this will ensure you develop a team culture of pro-active problem solving that keeps privacy top of mind for all. For example, when looking at security risks within an organization, start vocalizing the question: is there privacy risk associated with this security risk? This is a good starting pointing that will encourage your team to assess which security risks involve personal data and, therefore, pose a privacy risk to the company. InfoSec teams that are following a security incident procedure can also default to this pre-emptive question to foresee knock-on privacy implications and tackle them ahead of time.
Companies, particularly those operating across jurisdictions, will find that they are much better equipped to navigate the ever-evolving regulatory landscape when they shift from a reactive data privacy strategy to a proactive data privacy strategy that is intertwined and embedded in their approach to security. In order to modernize and implement zero-trust initiatives that will future-proof businesses, InfoSec professionals should be building out programs on the foundations of security and privacy-by-design principles to ensure that it is sustainable for the long run.
To learn more about privacy risk management, check out 7 benefits of plugging a privacy risk assessment tool into your data stack. For lean teams with limited resources, learn how you can get instant visibility of your data privacy risks. Got a question? Get in touch!