Data Privacy Program from Zero to Hero
By Cecil Pineda | Senior Director of GRC vCISO at CRITICALSTART
As I promised last week, here’s a short article on Developing and Implementing a Data Privacy Program. I hope you will like it and share it with your teams and colleagues.
It’s Data Privacy Day again! I’m not sure we can say “Happy Data Privacy Day,” because almost every day more of our personal information is compromised. It is hard to find a company that has not been breached, and, like almost every American’s, our information is already out there, being sold to the highest bidder. Some of it is sold illegitimately; some is legitimately marketed by data brokers, because we let them (or, more likely, because we never read the terms and conditions).
Let’s start from the beginning.
The First Privacy Program Was an Accident
In 2008, my leadership at a small Boeing outfit in Dallas Fort Worth asked me to develop our privacy initiative to meet the United States Department of Commerce’s US-EU Safe Harbor Privacy Principles. Safe Harbor let US organizations self-certify that personal data transferred from the EU would be protected to a standard the EU considered adequate. In October 2015, the Court of Justice of the European Union invalidated Safe Harbor (the Schrems ruling), and the GDPR, adopted in 2016 and enforced since May 2018, has since replaced it as the baseline, which we won’t discuss in this article.
As we began developing this set of privacy initiatives (striving to meet the seven Safe Harbor principles: notice, choice, onward transfer, security, data integrity, access, and enforcement), we were inspired by the early works and articles of Rebecca Herold and Bruce Schneier, pioneers in data privacy and information security.
In 2008, there were very few privacy resources and no “privacy blueprint” we could use as a reference. We surveyed 20 companies (large and mid-size) and found only a scattering of privacy policies, notices, and ad-hoc processes. We had to start from scratch.
The Generally Accepted Privacy Principles (GAPP) and the EU Safe Harbor Principles helped us develop our first corporate privacy framework. Since I was given plenty of time to work on this with blessings and support from my leadership, I embarked on a journey that gave birth to my first data privacy program.
Why is Developing a Data Privacy Program Challenging?
Most organizations today adhere to some form of data privacy program. Developing and operating a complete program is hard because it is a particularly complex problem that often invites equally complex solutions. But it can be simplified.
This 10-Point Privacy Plan is an evolving framework that began 12 years ago and has been shaped by work ranging from large enterprise-wide programs to small-scale data flow mapping projects. With the advent of GDPR and CCPA (and soon CPRA), the plan has been revised several times over the years to reflect those changes and new requirements.
Here are some of the most common data privacy challenges that most organizations have to address:
- Lack of Data Governance – Almost every modern company is a data hoarder. We collect data, store it in a variety of places, process it, and share it with third parties, who reshare it with other parties, and the chain never ends. Deleting data is not easy either, because it may be needed later for compliance, investigations, or other record-keeping purposes.
- Data is Everywhere – It’s on our phones, our computers, network shares, work email, personal email, cloud storage, third parties, data brokers, social media, and just about anywhere else data can be stored. Controlling the flow of data is hard, but it can be managed.
- Access to Data – This is an old problem that has become harder in the modern digital world. Restricting access limits how quickly a company can process data, so organizations tend to over-share and grant excessive access to keep operations running.
- Threats are Increasing – After 20 years of tracking data breaches and major security incidents, it feels like nothing can stop the bad guys. Did you see the events of the last few weeks: SonicWall, BuyUCoin, and MeetMindful? And we only see what gets published; these threats are in our front and back yards right now. Some of them are probably in our kitchen eating our dinner without our knowledge.
- Data Breaches are Getting More Expensive – According to a recent IBM Security report, the average cost to a compromised organization is now around $3.86M per breach. In many cases involving large companies, the cost hovers around $20M or more, and that does not include the long-term damage to the brand or the remediation that follows.
- Privacy Legislation is Getting Tougher – Twelve years ago, I predicted that tougher data privacy regulations would be enacted and would force organizations to comply. I was right about the outcome but wrong on the timing, by quite a few years. GDPR, CCPA, and the upcoming CPRA require many organizations to meet stringent data protection requirements, yet many organizations are still on a wait-and-see data privacy strategy. Start today, not when a breach happens or regulators are knocking on the door.
- Privacy Resources and Tools are Scarce (and Expensive) – Enterprises struggle to hire and keep data privacy staff. There are not enough data privacy experts, and the ones you do find are already employed elsewhere and being paid well to stay. Tools are not cheap either, and they need people to configure, manage, and maintain them.
So, when is the right time to start addressing data privacy? Today. Don’t wait another second. But do it well.
Developing and implementing a data privacy program depends on several factors: the size of your organization, the type and volume of personal information, the location of your business, the residency of the personal information you collect, store, process, and share, and many others.
I hope you have found this content beneficial. Please contact me for guidance. I’m here to be a resource. You can find me at https://www.criticalstart.com/contact/ (mention CeciltheCISO) or on Linkedin @CecilPineda.
Learn more about CRITICALSTART’s professional services.
Senior Director of GRC vCISO
Cecil is the Senior Director and Program Leader for vCISO and Cybersecurity Consulting at CRITICALSTART. He is an active member of the Dallas Fort Worth CISO community and a variety of professional cybersecurity organizations, including ISC2, ISACA, and IAPP. Cecil is an experienced keynote speaker in the industry and is currently serving as a member of the advisory board for local institutions, including Tarrant County College and Collin College. He previously served as the CISO for DFW International Airport and held leadership positions at GameStop, TXU Energy, CVS Health, and Boeing.