As countries worldwide pass laws regulating data collection, businesses are now being examined under a microscope regarding how they handle consumer data. These regulations also require companies to implement a robust privacy program within an existing corporate framework. However, privacy teams do not need to develop these programs in the dark. Many of the challenges of implementing a privacy program are similar to challenges that cybersecurity teams have already faced. At Consero’s Chief Privacy Officer Virtual Forum, held on August 4th and 5th of this year, a panel of privacy officers from various industries brainstormed how companies can apply the lessons learned from security programs while designing a robust privacy program. The panel was composed of the CPOs of an automobile company, a homecare company, and an aerospace defense contractor, and Ardent Privacy CEO and Founder Sameer Ahirrao.
Learning from security, applying to privacy
One panelist stated that “privacy teams should have a symbiotic relationship with security teams.” The panel as a whole went on to explain that organizational data mapping, which is a privacy requirement, also serves the security need of identifying critical data assets. Knowing what data you have, where it is stored, and which third parties have access to it makes the data easier to secure and makes it easier to comply with privacy regulations. Data minimization, collecting and storing only what is necessary, is a privacy practice that also serves security purposes. “If a business is collecting extraneous information, it needs to take steps to pay, store, and protect that unnecessary data,” said Sameer Ahirrao (Ardent Privacy CEO & Founder). He also recommended that businesses adopt a “data-centric security model,” highlighting that data privacy and security share the same core goal of protecting personal information. Keeping this shared goal in mind when developing a plan will lead to a robust system that meets both privacy and security needs.
Privacy vs. Security
Data privacy and security are often grouped together and handled by the same department. While there are benefits to combining the departments, companies need to be wary of treating privacy and security as the same thing. Another panelist stated that “treating the two as one and the same would be doing a true disservice to the demand and attention each system requires.” While both involve protecting information, privacy carries different requirements and expectations. One panelist stated that “a simple way of framing the two systems is that security operates on a risk/reward basis.” A company may be required to establish a base level of information security, but once it is past that threshold, it falls on the company to determine how much more protection is needed. Some companies need more security than others; for example, a small family-owned deli does not need the same level of cybersecurity as a large financial institution. A business can weigh the security risks it faces, whereas data privacy is a compliance requirement: as long as a privacy law regulates a company, the company must comply with it to avoid fines from regulatory authorities. Responsibility and training also play a more significant role in privacy than in security. Companies may face a low risk of an employee or executive hacking into the company’s servers, but there is always a high risk of poor data management, where a worker unintentionally shares personal information with someone who should not receive it. When establishing a comprehensive digital strategy, privacy needs to be treated as its own entity and not simply assumed to be covered by the security implementation.
Incorporating privacy function at an organizational level
Given the similarities between privacy and security, combining the two departments is an intuitive choice. The panelists stated that they have seen other companies assign privacy and security to separate departments; however, separate departments can lead to a slower response to a data breach or incident. One panelist stated that “bringing the two departments together can fix this issue.” Another panelist seconded this opinion, recommending “that since privacy principles can be carried out through information security practices, working with the information security team and combining forces will greatly benefit the company and prevent the departments from conflicting with one another when responding to an incident or establishing policies.”
About Ardent Privacy
Ardent Privacy is an “Enterprise Data Minimization and Privacy Technology” solutions provider based in the Maryland/DC region of the United States and in Pune, India. Ardent harnesses the power of AI to provide companies with comprehensive data management and automated compliance with CDPA (Virginia), CCPA/CPRA (California), FERPA (Education), COPPA (Children), GDPR (EU), and other global regulations by taking a data-driven approach. Ardent Privacy’s solution uses machine learning and artificial intelligence to identify, inventory, map, minimize, and securely delete data in enterprises, reducing privacy, functional, and legal liability in their digital transformation and journey to the cloud.
Ardent Privacy articles should not be considered as legal or technical advice on data privacy regulations or any specific facts or circumstances. This article is written to express the opinion of the writer and nothing else.