By Deborah Lynne Adleman[1]
As data privacy[2] becomes one of the top risks of many organizations, compliance leaders are increasingly expected to understand what these risks are and how their organization is preventing, detecting, and responding to (mitigating) this specialized risk landscape. This chapter provides a snapshot of the privacy landscape, a road map for building or assessing the privacy compliance program, and lastly, a checklist for privacy compliance program effectiveness.
Personal Data Defined
Data privacy compliance programs are focused on how personal data are collected, used, and shared/processed consistent with the expectations of the individual and applicable laws, regulations, professional practice requirements, and contractual obligations. The first step in the data protection compliance program is understanding the nature of personal data the organization is processing.
From Europe to Canada and the United States or Asia-Pacific, there are differences in personal data definitions as countries attempt to address the expanding ecommerce ecosystem and the new types of data that could be used to identify an individual (and, if misused, create risk to the individual’s information). Below are some examples of the different definitions of personal information.
Law | Personal Information Definition |
---|---|
General Data Protection Regulation (GDPR) | “Information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”[3] pertaining to individuals in Europe.[4] |
Personal Information Protection and Electronic Documents Act (PIPEDA) | “Personal information includes any factual or subjective information, recorded or not, about an identifiable individual. This includes information in any form, such as: |
California Consumer Privacy Act (CCPA) | “Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal information includes, but is not limited to, [information that could be] reasonably capable of being associated with, or could be reasonably linked, directly or indirectly, with a particular consumer or household.”[6] |
Health Insurance Portability and Accountability Act (HIPAA) | Individually identifiable health information is information, including demographic data, that relates: |
Given the variation in these definitions, compliance professionals should begin by understanding which of these personal data types flow through their particular business environment.
General Data Privacy Principles and Risks
Privacy Principles
To demonstrate an effective data protection compliance program, compliance professionals should start by analyzing the types of personal data that the organization is processing and then understand the basic expectations or principles for how such data should be used and protected. Across this varied landscape, a common “minimum floor” of privacy principles and resulting expectations has emerged:
- Maintain the accuracy of the data.
- Process data consistent with only the original purpose of their collection and based on a lawful purpose reflecting the rights of individual data subjects.
- Process only the minimum data that are consistent with that processing.
- Limit access to, and disclosure of, the data to those persons who have a business purpose for that processing.
- Maintain the security of the data for the duration of the processing.
- Include appropriate contractual clauses with entities processing the data.
- Include systems, techniques, or processes (controls) designed to reduce privacy risks; this principle is known as “privacy by design and default,” with such examples as encryption, anonymization, or other measures, all of which are designed to prevent harm.[8]
Privacy Risks
Once the compliance professional understands what personal information they are processing and the core principles for that processing, the next step is understanding the inherent risks to the personal information that can occur as a result of that processing.
Foundational Privacy Risks
Although the likelihood and/or impact of risks will differ based on geography and sector, foundational privacy risks[9] all connect to potential data breaches of some type including inappropriate use, access, loss, disposal, or disclosure of personal data. Some of those risks include:
- Violation of legal, regulatory, professional practice, and/or contractual obligations;
- Failure to adequately perform diligence on third parties and/or acquired entities that become the subject of a data breach;
- Removal of the ability to do business in an industry[10] or with a regulated group;
- Reduction of trust by stakeholders (employees, contractors, customers);
- Significant fines, penalties, or damages; and
- Liabilities arising from the failure to promptly notify potentially large groups of people in the event of a data breach (with its inherent complexities).
Privacy Risk and New and Emerging Technologies
Compliance professionals should increasingly consider how their organization uses new and emerging technology, which can be not only helpful but valuable, in light of the privacy risks inherent in that technology.[11]
An example of these new technologies is cloud computing. As organizations create more data, their storage demands increase proportionately, resulting in the use of external solutions such as third-party cloud computing. Similarly, organizations that need more processing power and/or additional data sources to manage intelligent automation often bring in third-party suppliers. These technical factors can, independently or in combination, elevate the risk of improperly obtaining, storing, processing, and/or securing personal data, whether that data is managed internally or by a third party.
The recently updated American Institute of Certified Public Accountants privacy management framework similarly discusses privacy risks with third-party cloud computing:
“Outsourcing the management and operational support for systems and data processing to others … such as in cloud computing ... increases the complexity of an organization’s ability to address its information privacy requirements. Organizations are increasingly looking to move computing and data storage to other organizations and to outsource business processes and with it the activities related to information privacy. Organizations cannot delegate their responsibilities for protecting the privacy (of) information ... related to its business processes.”[12]
Other Privacy Risk: The COVID-19 Pandemic
The COVID-19 coronavirus pandemic has also provided a lens through which to examine privacy risk and measures designed to demonstrate compliance program effectiveness. During the COVID-19 pandemic, privacy issues are raised almost weekly, data protection authorities are issuing guidance almost as frequently, and organizations are being forced to make risk-based decisions. Some of the privacy-related issues highlighted during this crisis include:
- The work-from-home dynamic has created new privacy risk as employees use new collaboration tools; rely on new resources for connectivity; and, in some cases, use workspaces that lead to inadvertent sharing of information with others.
- As telehealth procedures increase and expand, organizations are challenged to confirm the strength of their HIPAA privacy and security programs.
- Organizations are being challenged to confirm the security, and in particular the resiliency, of their third-party supplier networks.
- Organizations are being challenged to justify their privacy protocols for collection, use, and retention of employee COVID-19-related information, such as test and trace protocols, as well as disclosure of that information to other parties.[13]
The pandemic provides a practical example of the importance not only of resilience in terms of an organization’s workforce and third-party network, but of its privacy compliance program and the ability to conduct risk assessment processes and make prompt operational adjustments.
Modern organizations must therefore be able to calibrate their programmatic requirements to a rapidly changing privacy and technology environment, taking into account their strategy, growth, structure, sector, and geography.