In May of 2020 I was honored to speak at the MERv conference with John Frost of Box on the topic of Using Information Governance with a Privacy Compliance Plan as the Fulcrum for Data Privacy and Continuous Compliance. Below are some excerpts from my transcribed remarks.
ON KEY PRIVACY ISSUES TODAY…
What’s important to remember here, overall, is that making your privacy plan a key component in your compliance program isn’t just helpful. These days it’s really a strategic imperative. That’s not only because it’s a hot topic or because it’s a growing regulatory requirement, but because it naturally enhances the way our organizations, and specifically our compliance and infosec groups, treat and value ALL of the data they’re responsible for testing and for securing, and in validating and protecting PII, we’re actually adding a layer of assurance that improves both internal operations and the customer experience.
Privacy makes data governance ethical and tangible, and compliance leaders understand that. Today, what we’re going to walk you through is what that awareness and proactive approach look like through the eyes of project leaders during three stages of compliance, prevention, maintenance, and retrospective.
What’s important to remember here, overall, is that making your privacy plan a key component in your compliance program isn’t just helpful. These days it’s really a strategic imperative.
I just want to point out that privacy, conceptually, is, of course, ancient really. People tend to forget that. I mean it has been written into legal codes even before the constitution as a Records and Information Governance community we’ve been dealing with it, from HIPPA to SOX, in one form or another. What’s different today at least in the business world is that the thresholds that trigger compliance these days aren’t industry-specific. Instead, they’re related to annual revenue and the number of data subjects you interact with, so that’s why we see a broader cut of industry’s being looped into these new demands of GDPR and the CCPA.
ON UNDERSTANDING TODAY’S REGULATORY COMPLEXITIES…
Privacy leaders have been asked about the volatile regulatory environment and a clear majority of privacy leaders rank keeping pace with the new regulatory landscape as a pretty important factor in their strategy…. Research also that a minority also are not confident that they have a framework for helping them adjust to that change. So, that’s what we’re aiming to address here today in terms of strengthening that IG program so that it helps buttress or even drive your privacy goals.
[Another] insight we’re sharing with you involves metrics. And we all know metrics is the heart and soul of compliance to a large degree. And we see that finding those metrics to measure their programs is somewhat lacking for the majority of those surveyed. And that results in the majority of leaders being unable to effectively report on their program outcomes.
So why is that? I think partly because we’re only a few years out from GDPR, so we’re still building out these metrics, right. And the GDPR is quite robust, but perhaps that’s where organizations are having trouble, in flushing out, or determining the metrics that are right for them. I think that in the case of stateside laws, where the prescription and regulations are perhaps more manageable, those metrics can be better defined. But again, this is not a one size fits all need. And that’s why I think John is going to discuss some of the baselines and benchmarking approaches necessary for organizations like yours to establish in your IG programs, in order to efficiently tackle these regulations. In my opinion, that’s why the planning stages are so important, especially when we’re seeing so much crossover in these various laws.
ON 7 CORE COMPONENTS OF EFFECTIVE COMPLIANCE PLANS…
…7 components are utilized across a range of industries and I’d expect some of you are already using most of these as pillars to support your existing compliance frameworks.
Some other components here… internal monitoring and auditing. That’s critical of course because organizations need to be familiar with their lines of defense, especially when it comes to the stage where you’re defending your practices to a regulator. If you can’t convince your own audit group, you’re going to have trouble with the external regulatory bodies, right?
ON THE 3 STAGES OF COMPLIANCE…
Now whether it’s HIPPA compliance or SOX, any burdensome regulation really, you’re trying to scale the program, and prepare yourselves to move from one that’s reactive to proactive. This has never been more important than with privacy and the threat of data breaches. And when we think about a data breach…. private data, that of your company, your customers, your employees, that’s the first, well the ultimate victim in an incident like that. It can put a company out of business. So, patching a hole reactively isn’t going to cut it in this brave new world. Just think about ransomware. By the time that happens you’re literally negotiating with terrorists. John brought to my attention just the other day an IP ransomware threat affecting Boeing, and Spacex that was just devastating, with consequences that you can’t just put back in a box.
So the key really is being proactive from a sobering privacy perspective and we’re going to tell you what that means when it comes to your compliance strategy.
ON ACHIEVING COMPLIANCE…
Step one in compliance program development is putting together your overarching strategy based on your risk tolerance… which should be very low when it comes to PII. A data breach of PII can literally put you out of business as I noted. Yes, major institutions can weather the storm, but even they will suffer major long-term damage to their reputation and the remediation sometimes takes years.
So, in Achieving compliance, the prevention stage, we want you to consider 3 things.
1 – Capture and store relevant information. Take time to talk to your business about your needs versus their wants and be clear that your policies match up with what you’re actually collecting from customers.
Number 2 – Implement the types of controls that you can feasibly implement and maintain. That’s not just the IG framework, and reporting or governance aspects, but having the toolset and infrastructure to match it. John will get more into this as he discusses the role of technology a bit later.
And finally, 3 – document your procedures so that you can rely on them as you defend your process, as you revisit policies and strategy related to your data. Spending a little time upfront designing those processes, that’s going to reduce your risk exposure in the long run. It will become a lifesaver when demonstrating how your people and data governance investments have lived up to the language in your legal contracts and notices.
ON PROVING COMPLIANCE…
…This takes us to the third stage and again this is where leveraging privacy in your program, early on, proactively, is going to lead to a better outcome… and perhaps a better finding from the regulator, or maybe a lower fine, because you’re able to pull the right transactions, and trace the artifacts that you’ve planned for and consistently maintained throughout the year, and over the years.
So, like any regulatory activity, with privacy regs, you need to be able to trace transaction histories and decision-making processes… because those are the types of things regulators are going to be looking for. Again, and I can’t stress this enough. In the case of the CCPA, which we might begin seeing actions taken as early as next month, there are a number of areas in the law regulators are going to be checking. It could be documentation concerning your data subject requests, it could be updating your policy, it could be proving that you’ve educated your employees on the areas specified by the law. Without seeing some of these actions, it’s difficult to predict where the regulators are going to come down hardest. But as they do, and as you stay abreast of those fines and actions, you’ll be able to revisit your program, and update your privacy program within the framework to support those areas.
That last bullet here, the need to retrieve and present evidence… This is really essential because we’re talking about laws that, in some cases, force you to dispose of consumer data. What does that look like? Obviously, you can’t show them evidence of consumer data if you’ve had to destroy it, so you need to be able to run the types of reports that show, for example, that a consumer request to delete data has been completed. That documented set of procedures, and control over the systems that process that data, is going to go many miles in helping you walk the regulator through your process and ultimately prove your compliance.
SESSION QUESTION – How does privacy change for consumers and employers post COVID?
I’ll try to speak to [that question] on two fronts, one as it regards the EU which has actually put out some guidance and two regarding efforts in the United States. And I think most of you might be familiar with the issue of contact tracing which arises as a major privacy challenge in the aftermath of COVID and where we have major tech companies like Microsoft and Google very much involved in these solutions.
And the recent Statement adopted by the European Data Protection Board addresses this in a greater context and specifically discusses contact tracing. They have issued guidance on the lawfulness of processing data post-COVID, the use of Mobile Data and issues regarding employment. And the guidance is kind of wishy-washy so to speak. On the one hand, the EU is expecting employers and governments to abide by GDPR recitals but on the other is making sure to note that specific statutes that member states pass to address the challenge really take precedent. So this is pretty interesting because I see it as the EU yielding to the states, which might be the right thing to do, but nevertheless weakens the law overall as its faced with a crisis. Do we just abandon the gains made by the GDPR in a crisis… well according to the document they released it’s pretty much up in the air. They’ve basically asked member states to try their best to anonymize data, whether its telecom or location data or employment data.
In the case of employment data, they’re also kicking it back to state laws but asking governments and employers to respect the employee and to notify them before they share information about them with others…
In the US we have a patchwork quilt of laws and I expect this issue to probably drive a lot of the discussion over the next couple years. It might even serve as a catalyst for a national law, something which has been stalling. We do have a Senator, Senator Wicker introducing COVID privacy legislation…
They’re trying to ensure that personal health information, geolocation, and proximity data is not misused while allowing entities to track the spread, signs, or symptoms of COVID-19; to measure compliance with social distancing guidelines or other COVID-19-related requirements imposed by federal, state or local governments; and to conduct contact tracing of cases of COVID-19.
In general, information that is aggregated, unidentified, or publicly available would not be considered “covered data” under the law. Information from education records that is already subject to the Family Educational Rights and Privacy Act, as well as health information already subject to the Health Insurance Portability and Accountability Act, would both be exempt from the regulation.