CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy
View full biography
Understanding the Costs and Complexity of Data-Privacy Compliance
Safeguarding the privacy of sensitive customer data has become a business-critical requirement for just about any company around the globe. But a lack of privacy strategies, evolving customer expectations, and intensified regulatory scrutiny make data privacy an arduous challenge for many businesses.
Companies that don’t address the privacy challenge face stiff regulatory fines, reputational damage, and loss of shareholder value. Just ask Facebook. The social media behemoth recently lost approximately $120 billion in market capitalization after noting that the EU’s General Data Protection Requirement (GDPR), a sweeping new law meant to safeguard personal data of EU citizens, is contributing to an erosion of its European user base. In fact, Facebook executives estimated that the GDPR has led to a decline of 4 million users during the first half of the year.
The EU regulation isn’t the only concern. Earlier this year, a political data firm acknowledged that it had improperly acquired—not through hacking—private information of more than 50 million Facebook users. The social network responded to the media and political fallout by taking down fake accounts used to disseminate divisive content, and announced plans to hire an additional 8,000 security and privacy workers by year’s end.
In the United States, California recently passed a state data-privacy law that gives consumers more control of their personal information, which, like the GDPR, could lessen a business’s incentive to advertise. While not as comprehensive as the EU law, the California regulation is significant because it limits how companies can collect, store, use, and share personal data—a first for the U.S.
Most U.S. companies will be hard-pressed to comply with these new data-privacy requirements. Truth is, many don’t adequately understand data ownership, storage, access rights, and transmission practices. Complicating matters, customer data often flows through cloud servers spread across global geographies, which often have disparate requirements for data privacy.
Taken together, these issues will require companies to implement intricate data-privacy technical controls and processes, including:
- Data-flow mapping of where data is stored and transmitted, and who can access this information.
- A review of privacy obligations required by global laws and regulations.
- A thorough understanding of data-use contracts, and monitoring to help ensure contracts are followed to the letter.
- Updated data-privacy breach-response plans.
- Policies to ensure that data is ethically used only for the purposes it has been collected.
- Strategies to monetize data while adhering to privacy regulations.
- Data-privacy training for employees and third-party partners.
- An understanding of public opinion and customer expectations about data protection across geographies.
Orchestrating these privacy controls and processes across the enterprise will require a privacy framework focused on data and people. These types of carefully crafted guidelines help organizations manage data collection, location, and use by organizing data by type, category, and level of sensitivity.
A data-privacy framework should address in detail customer consent. Businesses will need to gather and manage information such as how customer consent was acquired, and the purpose and duration of the consent.
An effective data-privacy framework assumes that a data breach is all but inevitable, and spells out how organizations respond to compromise or theft of sensitive information. The plan defines specific tasks and roles to be taken in the remediation process, and a method to measure the impact of the incident on data owners.
Tracking employee behavior and parameters for handling data that flows through business systems also is an important component of a privacy framework. User-Centric Security Architecture ─ a dynamically calculated security score for each user, which also monitors the activity of high-risk individuals ─ is a model that can help address insider risks by enabling IT staff to apply more sophisticated security and privacy mechanisms, such as data anonymization, automatic encryption of email or advanced authentication, to employees who rank high in certain data-privacy risks.
As a user-focused architecture, the data-privacy framework can be tightly integrated with an organization’s identity and access management (IAM) systems. IAM solutions can generate the data needed to monitor and identify patterns of suspicious activity, and provide up-to-date access rights information.
Organizations need to consider having robust contracts with their vendors and third parties. Contracts should cover terms and conditions around data security, privacy and data usage, including how, when, and for what purposes data may be used. It is equally important for organizations to follow up with the third party and business partners with periodic audits so that they can ensure that the data is not misused and the terms and conditions of the contract are not breached.
To understand just how critical it is to ensure that organizations follow through and conduct audits or reviews, look no further than Facebook. As alleged by the U.S. government, the social network had knowledge about Cambridge Analytica misusing the social network’s user data and required that Cambridge Analytica certify that the data has been destroyed or deleted. However, Facebook never followed up to verify if the data was indeed deleted or destroyed. The lack of follow up and other privacy violations led to critical public hearings before Congress, several additional rounds of reputational damage, and a significant loss of customers.
The cost? $120 billion and counting.
This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.