Privacy Compliance and Technology Disruption (Part 2)

Part two of a three-part series by James Howard, former Chief Privacy Officer and Chief Data Officer at KPMG. Read Part 1 of the series.

The State of Risk and Privacy Activities Today
Today, risk management and privacy are heavily manual. Risk management and privacy groups are relatively compartmentalized and often viewed as necessary but imposing layers of bureaucracy. Risk and privacy requirements are often viewed as disruptive and costly, and as a result, are addressed late in the process after all other business requirements are met.

Whereas “Privacy by Design” seems like an obvious enabler -- a holy grail of sorts, passionately embraced by privacy practitioners -- it’s often downplayed (or ignored) by business and development teams. Privacy by Design allows developers to weave security and privacy into their applications, and it works well if data remains confined to the application. But we now live in a world of cloud applications where data no longer stays limited to a single application. It traverses applications, networks, and organizations, adding to the data sprawl that has gone unhindered for years. This sprawl has introduced the “Shadow IT” phenomenon, in which business units bypass internal IT by subscribing to best-of-breed cloud applications. These application subscriptions not only add to the data sprawl but also create a data quality problem for companies, since there is usually no synchronization between the various applications. Internal IT struggles to keep pace with, let alone control, an ever-widening net of cloud applications adopted by the business.

The other major challenge with privacy by design, and the reason it is a holy grail, is that to be truly effective it must be inherent and pervasive throughout the enterprise. This means that everyone in the business must accept and adhere to privacy by design principles, incorporating them into their processes and operations. However, their priorities and focus are often on driving business results, launching new services and applications very quickly, and pursuing high-impact (and highly visible) strategic initiatives.

What is needed is to go beyond privacy by design to Privacy by Default. Tag data in a way that enables the management of data flows. Operationalize privacy across the organization in a way that facilitates and supports business initiatives and allows the organization to function effectively. By default, then, the actions of the organization support privacy objectives.

Information security would also benefit greatly, since a key source of risk is employee access to data. Often the response by information security is to restrict users’ access and use so they can’t cause problems. Effective personal data management capabilities instead restrict the flow of secure, consented, and quality data to only those processes and applications that are appropriate and that align with the preferences attached to that data.

The process is largely manual
From establishing privacy policies to ensuring trigger points within processes (including changes in preferences and consent) to testing controls, processes around privacy and risk are manually intensive and are, at best, supplemented or partially enabled by tools such as GRC applications.

And while the enabling tools and applications help, these processes are only linearly scalable: increases in the number of in-scope processes and applications require a proportional increase in resources (people) to accomplish the risk and compliance activity. Moreover, while the most effective privacy programs distribute the activity across the business constituents and can gain some leverage and economies of scale, the costs still increase fairly linearly.

The technology, data, business and regulatory environment is evolving rapidly, getting more complex, and becoming more critical to the continuing success of the organization. Traditional privacy risk and compliance practices are heavily manual, reactive, burdensome and difficult to scale. Taken together, it’s clear that costly and damaging issues will continue to arise, and that the tension between executing business strategy, managing risk and maintaining compliance will become even more pronounced.

What is changing…
In order to become better embedded and get ahead of business developments that leverage data, the privacy function needs to understand how the business plans to gather, manipulate and store personal data, and to overlay the risk and compliance requirements for its treatment and handling, which should result in certain adjustments to the business strategy.

The privacy team has to understand all aspects of information risk management (leveraging an auditor’s playbook) to judge sufficiency of control and be able to interface with the business, IT, IT security, legal, audit and compliance stakeholders, as well as with regulators.

An important dimension of this is to have a framework for accepting residual risk. This framework must resist the “group-think” temptation to be either blinded by competitive pressure or the promise of fantastic profits or lured into the “risk elimination” mode. Instead, it should allow for the analysis of risk, the mitigating effect of controls, and a transparent mechanism to accept residual risk that escalates upwards through leadership, depending on the overall risk/benefit balance.

But as discussed above, data “events” are bound to happen, whether breaches, losses or abuses, and privacy professionals too often are reactive.

Stay tuned for article 3 of this series, which will discuss fundamental and disruptive change.