Traditionally, lines between privacy and security have been distinct.
Until recently, in most cases, a privacy officer (PO) handled an organization’s privacy policies, procedures, and compliance as it related to local, state, and federal laws, while an information security officer (ISO) generally guided policies and procedures to ensure data security and integrity.
But an ever-growing number of new and changing laws are now blurring the lines between the two.
It’s becoming increasingly difficult to determine where those old lines used to be and who is now responsible for what.
In a recent webinar on Privacy and Security hosted by Apptega, only 23% of attendees indicated that privacy and security are managed separately by different departments.
So how do your teams adjust to a new way of working together to ensure your organization meets regulatory and compliance standards and can successfully pass an audit for both privacy and security regulations?
It’s Not Just About Consent
Traditionally, privacy played second fiddle to security. That’s because to some, privacy was more of an abstract concept. Organizations understood, for the most part, a customer expectation that data shared with a company would remain “private,” but exactly what “privacy” meant was painted with a broad stroke that often varied from company to company, from state to state, and from country to country. What might have been considered private in a country like Canada, for example, may not have had the same protections within the neighboring United States.
Also, in many cases, other than in industries where personal health information (PHI), personally identifiable information (PII), and similar sensitive data were specifically protected, privacy faced few regulations and penalties for violations.
For organizations with less mature privacy practices, the scope of organizational privacy may have been as simple as ensuring consent to collect specific data, outlining what that data might include, and broadly outlining what might happen to that data once it’s shared with the collecting organization.
In some organizations, privacy officers had little leeway to influence business decisions and outcomes. Often, they were viewed as a simple checkbox mechanism, more like an insurance policy, to indicate, “OK. We’ve done what’s required. What’s next?”
Conversely, cybersecurity and data protection have been regulated for longer, and with fines and penalties for failure to comply. Those existing measures have become more sharply defined in recent years, with more regulations and steeper penalties.
Those changing regulations, coupled with attackers’ focus on intrusions designed to steal data, often meant cybersecurity was prioritized over privacy in many organizations.
But tougher laws—from the state and federal levels in the U.S. to those with a global impact—are more closely aligning the two and interlocking penalties and requirements where privacy and data security converge.
Why is This Happening?
No matter the industry, the adage, “data is king” rings true.
As organizations around the globe attempt to fine-tune their operational processes and build more successful businesses, they rely increasingly on technology, data collection, and data analysis to drive important business decisions.
In many cases, these changes are fueled by increased use of machine learning and artificial intelligence as both a data collection resource and analysis tool.
Most companies have long collected data about their customers, not just those actively buying from them, but those who have interacted with a variety of touchpoints on a buyer’s journey leading up to a sale.
Historically, that included personal information such as names, contact information, and purchase history, but today it can span much further to include IP addresses, email addresses, social media engagement, and a variety of buyer attributes from age and income to favorite websites, net worth, and more.
Modern organizations are working just as hard to collect data about customers while attackers are trying to steal that valuable and sensitive data. The more valuable data a company collects, the more lucrative it could be for threat actors.
Challenges exist when an organization captures, stores, and transmits that data. It’s no longer just about privacy—what data you collect, who can access it, when, and how—but it’s also about how that data is protected.
Is it secure within your organization? Is it secure against outside attacks? Do other organizations, like third-party vendors and suppliers, have access to that info? Are they keeping it safe, too?
The result? The convergence of privacy and security for organizations of all sizes around the globe. This means that legal and privacy departments are moving away from being siloed from the more technical aspects (protecting collected, stored, and transmitted data), and information technology and cybersecurity professionals are becoming more in-tune with legal responsibilities and compliance and regulatory mandates.
How successful they’ll be may depend largely on how well these teams learn to work together.
The convergence of privacy and security isn’t just about attacks and hacks, it’s also about unauthorized access to data—including when and how users consent to it being collected, who can use and access the data, and how it’s used.
Here’s a widely known example: Facebook and Cambridge Analytica.
Cambridge Analytica was a political consulting and data analytics firm that worked on the 2016 U.S. presidential campaign and gained access to the data of as many as 87 million Facebook users.
The driving factor was to identify and potentially influence voter behavior by mapping personality traits based on Facebook likes. That information was then used to target specific Facebook users with advertisements.
At the core of the data collection was a 2014 personality quiz app that gathered private details of Facebook users, including their friends lists and other on-site activity. Of the millions of Facebook users whose data was collected, only a few hundred thousand actually took the quiz and consented to the data collection for “academic use”; the rest were friends of those users, who never consented at all.
That data eventually made its way to Cambridge Analytica.
Facebook has paid billions in fines and other settlements related to data privacy, including $5 billion in 2019 to settle the U.S. Federal Trade Commission’s (FTC) investigation, under an order that also required new oversight of how it handles user data.
Even as late as 2019, Facebook was still struggling to get a handle on similar issues. In November 2019, roughly 100 app developers were identified as having improperly accessed user data, including names and profile images, prompting the company to once again review its privacy terms.
New Regulations, Deeper Connections
Data privacy failures, like the ones at Facebook, can result in fines that easily total millions, and sometimes billions, of dollars.
When the Irish Data Protection Commission (the lead enforcer of the European Union’s (EU) General Data Protection Regulation (GDPR) for Facebook’s EU operations) looked into possible GDPR breaches, it was estimated that, under GDPR’s maximum penalty of 4% of global annual turnover or €20 million, whichever is higher, a fine on a company like Facebook could easily reach $2 billion.
Other companies have faced substantial GDPR penalties from the UK Information Commissioner’s Office, which announced an intended fine of about $230 million (£183 million) for British Airways over a breach affecting nearly a half a million customers and about $123 million (£99 million) for Marriott over the exposure of almost 340 million guest records. (Both fines were reduced substantially when finalized, but the headline figures show the scale of the exposure.)
GDPR went into effect in May 2018. Based out of the EU, the set of data protection and privacy rules applies to all organizations that collect, process, store, and use data within the EU, including organizations outside of the EU that provide services and goods to people within the EU.
It’s considered the most comprehensive (and therefore likely toughest) security and privacy regulation in the world, and it’s quickly becoming a framework that other governments, including state governments in the United States, are drawing upon to build their own regulations to protect citizens.
GDPR protects personal data that can range from names and addresses to ethnicity, gender, religion, political opinions, location information, biometrics, and more. It gives individuals the rights to:
- Be informed
- Access their personal data
- Rectification of inaccurate data
- Erasure (the “right to be forgotten”)
- Restrict processing
- Data portability
- Object to processing of personal data
- Not be subject to solely automated decision making, including profiling
GDPR is the most far-reaching regulation directly influencing the convergence of data security and privacy regulations. Not only does it clearly define privacy requirements, but it also outlines technical and organizational requirements to protect personal data. It requires controllers to adopt internal policies and implement specific data protection measures, such as data protection by design and by default (Article 25) and appropriate technical and organizational security measures (Article 32).
State and Federal Mandates
Closer to home, many states are enacting stricter data privacy laws that include regulations about data security, similar to GDPR.
New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD) law updates the state’s previous data breach notification law by specifically implementing standards that broaden the definition of private information, expand breach and territorial scope, and impose data security requirements.
California also has a similar new law, the California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, with enforcement beginning July 1, 2020.
In simple terms, CCPA expands California residents’ data privacy rights, giving them more control of their personal information. Where New York’s SHIELD law imposes security obligations on businesses, CCPA grants consumers rights to:
- Know what data is being collected
- Know if your data is sold or shared with others, and if yes, to whom
- Decline to have your data sold to others
- Access your collected data
- Request that organizations delete your data
- Not experience discrimination if you exercise any of your privacy rights
Unlike the broader scope of GDPR, CCPA applies only to for-profit businesses doing business in California that have gross annual revenues in excess of $25 million, or that buy, sell, receive, or share the personal information of 50,000 or more consumers, households, or devices, or that earn half or more of their annual revenue from selling consumers’ personal information.
As the list of states converging data security and privacy regulations continues to grow, the International Association of Privacy Professionals (IAPP) maintains an up-to-date tracker of state legislation that can help you determine how your organization might be affected.
It’s also important to note that protections are also being considered on a federal level. For example, the Consumer Data Privacy and Security Act of 2020 (CDPA) has been read twice in the Senate and referred to committee. If approved, its framework would be similar to CCPA and draw on some tenets of GDPR.
No Longer Just a Checkbox Exercise
These increasing and changing legal and compliance requirements for data security and privacy are effectively breaking down information and workflow silos in many organizations. That can bring about a number of positive benefits for program effectiveness, but it can also introduce new challenges. These challenges, however, can be successfully addressed by selecting and implementing the right security frameworks to build, evaluate, and mature your program over time.
Like many compliance standards, your organization has a number of options, but two good resources are the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST).
NIST Privacy Framework
The NIST Privacy Framework is a free resource you can use as a foundation to build your privacy program. It’s not regulatory, but it can help you integrate your privacy practices with your cybersecurity protocols. And it’s adaptable for organizations of all sizes across all industries.
You can adopt components of the NIST Framework that apply directly to your organization’s needs, starting with measures you can quickly implement and measure and then build and mature your program over time.
The NIST Privacy Framework addresses both internal privacy practices as well as ways you can address potential privacy risks that might come from outside sources, like your third-party vendors. The NIST Privacy Framework addresses three primary areas: Core, Profiles, and Implementation tiers.
NIST Core and Profiles
The Core outlines activities you can implement to manage privacy risks and communicate them to your teams and key stakeholders. Risk management here is organized into Functions, Categories, and related Subcategories. Profiles are selections of those same Functions, Categories, and Subcategories (listed below): a Current Profile captures where your program is today, and a Target Profile sets where you want it to be, so the gap between the two becomes your roadmap.
NIST functions begin with Identify. Identify is where you begin to understand your privacy risks related to processing data.
Next is Govern. Govern outlines how you develop and implement your governance structure, including understanding your risk priorities to guide the creation of your policies, processes, and procedures.
The third function is Control. Control helps you determine which activities you need to implement to manage your privacy risks.
The next function is Communicate, which is designed to help you effectively understand and communicate how your organization processes data, what the associated risks are, and how you’re implementing mechanisms to protect privacy.
Finally, NIST’s Protect function helps you develop and implement data processing safeguards to manage data in alignment with your risk strategies.
NIST also outlines Profiles, which include ways you can prioritize goals, understand your regulatory requirements, including best practices, set your risk management priorities, and understand individuals’ privacy needs.
One of the positives about the NIST Privacy Framework is you don’t have to implement everything all at once. NIST outlines Implementation tiers that can help you plan your privacy program based on your existing and future resources.
There are four implementation tiers for the NIST Privacy Framework:
- Tier 1: Partial
- Tier 2: Risk Informed
- Tier 3: Repeatable
- Tier 4: Adaptive
Organizations can build stronger and more resilient programs as they progress from one tier to the next. The tiers are described in detail in the NIST Privacy Framework document itself.
ISO 27701 Privacy Information Management Systems (PIMS)
ISO/IEC 27701 for Privacy Information Management Systems (PIMS) extends ISO/IEC 27001 and ISO/IEC 27002 with requirements and guidance on how you can create, implement, maintain, and continually improve a PIMS. It is implemented as an extension to an existing ISO 27001 information security management system rather than as a stand-alone standard.
Unlike the NIST Privacy Framework, which is a tool you can voluntarily use without certification, ISO 27701 can be certified, and a certificate is useful evidence that your privacy management system aligns with GDPR requirements (it is not itself a GDPR certification under Article 42, so it does not by itself prove legal compliance). You can also map ISO 27701 to the Health Insurance Portability and Accountability Act (HIPAA), CDPA, CCPA, and more.
ISO 27701 builds on the 114 controls in 14 categories of ISO/IEC 27001:2013 Annex A, adding privacy-specific guidance to each and additional controls for PII controllers and PII processors. The 14 categories are:
- Information security policies
- Organization of information security
- Human resource security
- Asset management
- Access control
- Cryptography
- Physical and environmental security
- Operations security
- Communications security
- System acquisition, development and maintenance
- Supplier relationships
- Information security incident management
- Information security aspects of business continuity management
- Compliance
If you’re not ready to move forward with an ISO 27701 certification, you can still use it as a framework to build your program.
To start, it’s a good idea to do a risk assessment for your organization. Once you’ve determined your most critical operational functions and greatest risks, you can begin to implement your first ISO controls and increase them over time as you identify gaps, remediate those gaps, and scale as a company.
Because ISO 27701 (like the ISO 27001 system it extends) covers people, processes, and technology, it is also a great example of a resource you can use to help your teams break down silos between privacy and cybersecurity and build a more resilient—and compliant—program that encompasses both privacy requirements and cybersecurity standards.
Implementing Your Frameworks
While laws like GDPR, HIPAA, and CCPA, dictate how you must comply with certain standards to avoid penalties, you have more flexibility when it comes to selecting which privacy and security frameworks (or components of many) work best for your specific organizational needs.
While compliance standards, budgets, and resource availability can drive your decisions about framework adoption and implementation, here are a few recommendations you should consider before making a selection:
- Is your organization prepared to tackle this independently or could you benefit from working with an outside advisor such as a virtual CISO?
- Which resources are available within your organization?
- What are your organization’s privacy requirements?
- What are your organization’s cybersecurity requirements?
- What are your organization’s compliance requirements?
- What do your organization’s current privacy and security capabilities look like?
- Have you conducted risk assessments and business impact analyses to determine your critical functions and most pressing privacy and security issues?
- Do you have executive and key stakeholder buy-in?
- What about cross-departmental support?
- Can your key privacy and security data be shared and worked with easily across teams?
- Are you currently managing your privacy and security programs through older Governance, Risk and Compliance (GRC) tools, spreadsheets, or word processing documents?
- Are you limited and bogged down by repetitive manual tasks related to your existing privacy and security practices?
Working through this converged privacy and security paradigm will likely continue to create challenges for your teams. You may find it helpful (and ultimately more efficient and effective) to build the framework for your converged program within a single software solution that breaks down data silos and encourages team collaboration.
With Apptega, for example, you can simplify framework management by building, managing, reporting, and automating key components all within a single platform with an easy-to-understand, intuitive dashboard that helps you quickly see how well you’re meeting your program standards and what you need to do to close gaps and build a stronger program.
You can even combine multiple frameworks—including ISO 27701, NIST and many others—to create a unique, consolidated framework tailored to your organization.