We’ve all been there. Sitting around the conference room with our compliance teams, droning on about scheduling conflicts, procedural details and strategy about strategy. Here are some actual substantive ideas, initiatives and approaches to privacy, data governance and cyber-security that can get the ball rolling next year.
1. Policies aren’t just documents you keep around in case you might have to show them to a judge one day. Start putting them to work and leveraging their authority to cut costs and reduce operational risks!
- Privacy policies, now required to be updated annually by the State of California, can actually help drive data mapping exercises, leading to new insights into structured and unstructured data systems. Use those insights to help patch gaps in your IT infrastructure and even retire costly, redundant systems, classify shadow IT and discard unused shelfware.
- Retention policies can be used as virtual blueprints to justify the destruction of costly, over-retained paper records and electronic data lingering around the office and waiting to be discovered… by your adversaries!
- Cyber-security policies like those required by the New York DFS can be used to help IT decision makers prioritize strategic investments in your cyber-defense software.
2. Chief executives realize audits are necessary to continually optimize business processes, but even the sharpest leaders sometimes forget the most sobering, useful assessments are conducted by outside parties who don’t have an inherently biased interest in determining the findings.
Executives need to make sure they are told what they need to hear, not what they want to hear.
3. One of the reasons assurance departments like compliance, risk and internal audit struggle with their annual reviews is a lack of policy organization within their OWN departments.
A lack of procedural consistency and policy ownership, together with overlap and confusion over a directive's authority, can create even more conflict, risk and uncertainty for an organization. Relying on institutional knowledge and spreadsheets just doesn't cut it anymore. That's why every regulated company needs a strong technology backbone in the form of GRC (governance, risk and compliance) software.
4. These days the risk is not just internal. With so much of our data in the cloud and managed by other parties, some of the greatest risks have moved outside of the firewall.
Organizations need strategies and tools to help them prioritize and manage those vendor risks effectively. Sophisticated and affordable tools that address consumer data privacy requests can also be used to map and streamline an organization's external data, whether it's private in nature or otherwise.
5. Finally, risk is not a one-size-fits-all problem. Investment needs to be proportional to the exposure. That's why it's important to spend enough time planning your long-term strategy rather than diving headfirst into solutions that promise the moon and end up creating more infrastructure dependency than you bargained for.
Rafael Moscatel is Managing Director of Compliance and Privacy Partners, a consulting firm specializing in data governance and privacy solutions. He is an award-winning Information Governance Professional (IGP), Certified Records Manager (CRM), Certified Information Privacy Manager (CIPM). Rafael has spent the last twenty years developing large-scale Information Management Programs for the Fortune 500 including Paramount Pictures and Farmers Insurance. Reach him at 323-413-7432, follow him on Twitter at @rafael_moscatel or visit http://www.capp-llc.com to learn more.
What is the CCPA and why should you care?
In response to recent stateside efforts to enshrine data protection, including the California Consumer Privacy Act (CCPA), organizations are revisiting the efficacy of their Data and Information Governance (IG) programs. Laws and regulations vary by industry and company size. Yet each intends to protect consumers' personal data by prescribing technical and governance standards backed by stiff penalties for non-compliance.
What you need to know and do to ensure compliance with California’s new Consumer Privacy Act
New regulations governing the use of customer and personal data needn't be burdensome. Rather, they help reduce expenses and monetize the information lifecycle, identify opportunities for better governance to avoid fines and litigation exposure, and foster trust to enhance customer experiences. Download this FREE detailed CCPA roadmap to see how you can get your company on the path to compliance.
Our CCPA and GDPR engagements include:
- Data and resource mapping
- Conducting gap and risk assessments
- Controls evaluation to standards
- Establishing governance with clearly defined roles and responsibilities
- Policies and procedures review
- Domestic and International legal review of privacy and security policies to fit the organization’s risk profile and culture
- Consumer data request and delivery mechanism (including website notices)
- Providing education and training
- Design of role-based access control (RBAC) rights
- Privacy impact assessment (PIA/DPIA) during product design
Third Party Due Diligence Support
- Pre-contract due diligence and consulting
- Cloud services guidance
- Managed security services (build or buy guidance)
- Third-party management program/policy
Our consulting and software solutions enable clients to comply with CCPA provisions 1798.110(a)(4), 1798.100, 1798.105, 1798.110, 1798.120, 1798.145, 1798.140 and 1798.150.
Call us today to see how we can help you with:
- California Consumer Privacy Act of 2018, Amendments and Rulemaking
- HIPAA/HITECH Security, Privacy and Breach Notification Rules
- Generally Accepted Privacy Principles (GAPP)
- EU’s General Data Protection Regulation (GDPR)
- ISO/IEC 27001-2:2013
- CIS Top 20 Critical Security Controls (required by the California Attorney General)
- SEC OCIE Cybersecurity Initiative
- NIST Cybersecurity Framework
- U.S. Sentencing/DOJ/OIG Guidelines for Effective Compliance (program foundation)
- Applying Risk Management Program Management and Principles
Rafael Moscatel, managing director at CAPP, joins GRC & Me to discuss how his background in law and consulting ultimately led him to the world of GRC. He shares how one tweet led to a watershed moment in compliance and privacy, and tells of his deeply personal connection to California adoption records. Rafael also explains how the CCPA should be viewed as a blessing that helps you better understand what's "under the hood" of your company.
Top 3 Quotes
- “The more that you can show your customers that you’re being a good steward with their data, the more they’re likely to trust you. And from a reputational standpoint and a branding standpoint, that’s always one of the best benefits and one of the reasons that consumers will choose one product or service over the other.”
- “And I think if you look carefully, the CCPA is quite a blessing. It helps reduce expenses and monetize the information life cycle because you have a better understanding of what’s under the hood in your company.”
- "…you know there's not one silver bullet when it comes to preparing data for an information governance strategy; IG is essentially a multidisciplinary type of approach."
[01:28] Rafael’s background in law and consulting
[02:35] Discussing Rafael's company and beginnings
[04:36] The “Olympics of Privacy”
[05:59] A watershed moment in Compliance and Privacy
[08:05] Rafael’s personal connection to records in California
[09:05] The incredible moment Rafael received his birth records
[12:00] The “blessing” of CCPA
[14:11] Rafael’s personal opinion of CCPA
[16:19] Best practices for privacy and policy management
[19:30] Policy management systems
[21:04] How to read more about Rafael’s thoughts on these issues
[22:58] The Little Girl With The Big Voice
[24:03] Vendor Risk Management
[25:00] Being mindful of what’s outside your company walls as well as what’s within them