Best practices and automation for data privacy

Opinion
Sep 18, 20096 mins

Your organization probably pays attention to data security, ensuring that sensitive data doesn’t leak out or get into the wrong hands. But what about data privacy? How can you ensure that your organization is adequately protecting an individual’s right to control the way you use his personal data? Now there’s a tool to help automate privacy compliance as part of your overall corporate GRC program.

Much has been written about data security, and how to protect data in a computer system to ensure its confidentiality, integrity and availability. Have you given much thought to data privacy? It’s not quite the same thing as data security. Privacy ensures the protection of an individual’s right to control the collection, dissemination and use of his personal data.

Health privacy undermined: Worst breaches of 2009

Privacy laws vary greatly around the world. The United States lags behind Canada and Europe in privacy protection, but this is beginning to change. For example, the Health Insurance Portability and Accountability Act (HIPAA) requires that an individual’s health information be kept private unless the person authorizes the release of the information, such as to another health care provider.

When HIPAA was first released, it lacked teeth because there was little enforcement. This is changing, as the Federal Trade Commission is increasing its enforcement of the law. In one recent case, three Arkansas healthcare workers pled guilty to misdemeanor violations of HIPAA when they accessed a patient’s record without any legitimate purpose. After watching a news report about a hospital patient, a doctor used his privileged status to log into the hospital’s private records to see if the report was true. This little slip of integrity could cost the doctor and his curious colleagues a year in prison, a fine of not more than $50,000, or both.

Social media tools such as Facebook and MySpace face the occasional uproar over privacy. Earlier this year, Facebook was forced to reverse changes to its rules on holding personal information after a wave of complaints from users.

These are just two cases that show that people are increasingly concerned over how their personal information is used without their explicit consent, and in some cases, there are laws to protect the individuals’ privacy rights.

What does this have to do with IT? Many IT departments are engaged with data security procedures but not necessarily the privacy of the information. One reason IT typically doesn’t get involved is that it’s hard to wrap automation tools around maintaining data privacy. Many companies simply have data privacy policies that are manually enforced, if at all.

Agiliance, known for its integrated governance, risk and compliance (GRC) platform, recently announced a tool, Privacy Manager, that’s designed to help companies manage privacy compliance, reduce risk and demonstrate due diligence by proactively assessing privacy risks. Privacy Manager provides automation assistance for the key privacy management tasks of data classification, privacy compliance assessments, privacy impact assessments, privacy policy awareness and attestation, and privacy incident management and reporting.

This tool is designed around a set of fundamental privacy principles, including the following:

* A person must be made aware of how his data is being collected and used.

* A person should have a choice and have to provide consent on having his data collected and used.

* A person must be able to access his data and contest its accuracy.

* An organization must demonstrate due diligence in ensuring the integrity of the data and prevent its loss.

* There must be a means of enforcing the above principles and mitigating a situation in the event of misuse.

Privacy Manager is one of seven GRC applications that Agiliance offers for its RiskVision Platform. The modules can be deployed independently or together.

It’s worth a look at the capabilities of the new Agiliance Privacy Manager if your organization is under mandates such as HIPAA in the United States or The European Union Directive on Data Protection of 1995 in the European Union. And certainly any large multinational corporation with operations around the world would want help in automating its privacy measures.

Meanwhile, your organization can benefit from these best practices on privacy protection provided to us by Ed King, vice president of marketing at Agiliance:

Get your IT organization involved. While privacy is not just an IT and security issue, much of the privacy risk involves IT assets and security technologies. Security teams are keenly aware of privacy needs but may see it from a more data protection perspective. Educate and get them involved because many of the privacy risks do come from weaknesses in IT processes and architectures.

Take a risk centric approach. While compliance is important and that is the mounting pressure for many organizations, at the end of the day, the purpose of having a privacy program is to manage your privacy related risks. In this aspect, privacy is not very different from security. Taking an exclusively compliance centric approach to your privacy program can leave your organization even more exposed in terms of risk because compliance can give a false sense of well being.

Focus on things that really matter. Privacy organizations are typically very lean in terms of resources. Much of the cycle today is burned on manual data gathering, reporting, and responding to incidents. To achieve scalability with the limited resources and to be proactive in managing your privacy risks, an organization must off load the mundane manual tasks so they have time to do value-add work of risk management.

Be prepared to demonstrate due diligence. Privacy protection does involve your employees and business partners understanding the policies and procedures and doing the right things. Enforcement technologies don’t yet exist to take that burden away from human beings. People will make mistakes so be ready to deal with incidents. When privacy incidents happen — and they will happen — it’s important that an organization can demonstrate due diligence and effort around privacy protection. It can be the difference maker in term of a slap on the hand or a multi-million dollar fine or lawsuit. Have you done your privacy impact assessment? Have you done the appropriate training and awareness campaigns? Do you have the tools and process to respond to privacy events to minimize impact?

Stay ahead of the regulatory hammer. Privacy protection is not something technology can solve single handedly. It involves organization maturity and awareness. It needs to be part of an organization’s operational DNA, which takes time. Privacy protection cannot be achieved by just a few individuals in the compliance office. Thus it is important to start now and not wait until the government to turn up the heat, and then scramble. There are many signs the heat is being turned on already.