Risk based approach to data privacy can help businesses manage global data privacy risks, apply, calibrate and enforce controls based on the risk exposure, in a manner that is flexible and more agile.
Personal information has huge potential to create economic and social value for both the customers and the organizations who serve them. The ability of the organizations to acquire and use personal information to launch new products, services and enhancing customer experience has increased immensely with innovative use of technology; however, it also increases the risk to the privacy of personal information. Ensuring data privacy through every stage of information life cycle (collection, storage, processing, retention, sharing and disposal) has become very critical for organizations to stay relevant. Evidently there is a need for organizations to take a risk based approach to data privacy and protect personal information to maintain business competitive edge. Risk based approach to privacy is a process that allows organizations to identify potential high risks and focus their efforts towards high risk areas. This white paper explores a risk based approach to privacy with the intention of helping the organizations to manage data privacy effectively.
New horizons – new risks
Technology is growing in a rapid manner to enable business growth and the amount of data is proliferating at an exponential rate. The risks to privacy of personal information has been and will continue to be affected by automation and adoption of new technologies in every industry and every geography and across all functions.
Figure 1 : New Technology Adoption & New Business Models Bring Privacy Risks
The key trends that are altering the threat landscape include adoption of Cloud, expanding usage of mobile applications, social media, location based services, machine to machine communications, Internet of Things, mobile advertising, wearable devices, etc. With the privacy regulations enforcing principles like ‘Right to be forgotten’, ‘Privacy by Design’, ‘Data Portability,’ etc., a checkbox approach to data privacy is not sustainable. A paradigm shift in privacy mindset is necessary to mitigate these risks arising due to usage of these disruptive technologies.
Data privacy challenges
All the data privacy acts provide only guidelines for privacy compliance and do not contain any control framework or standards for ensuring compliance. The privacy laws are based on principles; hence, they are subject to interpretation, leaving it both to organizations to decide on how to implement these principles, and to regulators on how to interpret and impose the law.
Figure 2 : Current State of Data Privacy in a Hyper Connected Ecosystem
Data privacy challenges
Today there is no standard methodology to implement privacy controls and comply with the privacy principles obligations that are imposed by the regulators. To comply with the privacy principles, each organization has to derive their own methodology for achieving compliance. The privacy compliance becomes complicated when an organization services customers across multiple geographies where multiple country regulations come into the picture.
Risk based approach would bridge the gap between the privacy principles on one hand, and privacy controls on the other, using a methodology that would help organizations to apply, calibrate and implement privacy requirements appropriately and effectively. A risk based approach to data privacy can help organizations enforce controls based on the risk exposure, in a manner that is flexible and more agile.
Proactive approach to data privacy
Organizations must take a proactive approach to data privacy by creating a data privacy standard and privacy control framework, which can be applied consistently across all functions and geographies to minimize complexity and maximize data protection. Such a framework must provide guidance on what constitutes personal data, what are the requirements for personal data collection, process of managing consent, rules for accessing and using personal data, how to classify and protect personal data, implement the right set of processes and controls based on the risk. This should be followed by creating a data privacy strategy that would help the organizations to manage the privacy of data life cycle right from data collection, storage to disposal.
The road ahead
Data is becoming a fundamental asset in the digital transformation of economies. The increasing use of disruptive technologies has created an unprecedented flow of personal information. Data subjects are becoming increasingly aware of their privacy rights and are rightfully demanding more control over how their personal information is used, shared, and assurances that the privacy of their personal data will be protected.
Organizations across industries and geographies continue to be challenged by disruptive technologies. The boundaries of the digital world are not fully established. The data breaches continue to make headlines and data privacy has become a focal point of discussions in boardroom. Data breaches can do irreparable harm to the organizations brand equity, credibility, trust and customer relationship. It is apparent that there is no one-size-fits-all solution that is available to comply with the ever evolving data privacy regulations. There is a need for organizations to take a comprehensive risk based approach to privacy where globally defined privacy risks are identified and countermeasures are built. This would be far more effective and more likely to respond to cross-border requirements.
Ramkumar Narayanan is a Senior Practice Manager for Wipro’s Cybersecurity & Risk Services (CRS) business. He heads the data privacy and data security governance practice within CRS, and is currently responsible for making Wipro's customers succeed in their data privacy and security journey.
He can be reached at email@example.com