Ralph Villanueva (rvsvillanueva@yahoo.com) is IT Security and Compliance Analyst for Diamond Resorts International in Las Vegas, Nevada, USA.
GDPR. CCPA. LGPD. PIPEDA. Do these acronyms perplex you? If so, you must be wondering how they affect you, and the answer is: in more ways than you know.
GDPR is an acronym for General Data Protection Regulation,[1] the European Union law that protects the data privacy rights of its 447 million residents. CCPA stands for California Consumer Privacy Act,[2] which is seen as a possible model for a nationwide data privacy law.[3] LGPD, or Lei Geral de Proteção de Dados, which is the General Data Protection Law in Portuguese,[4] is the equivalent of GDPR in Brazil, the largest country in South America, with a GDP of almost $2 trillion in 2019. PIPEDA, or the Personal Information Protection and Electronic Documents Act,[5] protects the data privacy rights of 38 million Canadians. And despite the pandemic, or in spite of it, the surging wave of data privacy laws shows no sign of cresting. For instance, Panama’s data privacy law[6] took effect March 29, 2021. Though it is a small country, the fact that annual international trade worth $270 billion passes through the Panama Canal makes this law important to international trade compliance professionals.[7]
By now, you must be asking, “What does this mean for me?” As compliance professionals in your organization, you must be familiar with the Health Insurance Portability and Accountability Act, Occupational Safety and Health Administration standards, state regulations, and industry requirements. However, the onslaught of new data privacy laws elevates compliance to a new level of complexity. If unmanaged, these new standards can result in legal, financial, and reputational damage to your organization. Fortunately, these escalating levels of complexity can be managed by a combination of the right technology and qualified information technology (IT) and compliance professionals. As laws and business requirements evolve, so does the IT component of every business.
The role of IT has expanded beyond providing email and application access to company employees and third-party users. And just like the Panama Canal, the IT privacy compliance officer sits at the crossroads of data privacy laws and your company’s compliance functions, and can greatly help the compliance function meet the demands of these data privacy laws.
The IT privacy compliance officer’s role
“IT privacy compliance officer” is not a formal title; it is more a function performed by anyone in the company with the right combination of technical and regulatory knowledge. They serve as a nexus between technology, business, and compliance. They may be full-time employees, outside consultants, IT auditors or compliance officers, IT engineers, accountants, or even legal compliance officers who possess a fair knowledge of IT. The bottom line is that these key allies can provide the organization’s senior management and board with a 360-degree view of the technical aspects of compliance across various departments, segments, and locations of the organization.
Let’s look at a few examples to gain a better understanding of how these “officers” can contribute to your compliance work. Before we proceed further, please be advised that this article is not an expert explanation of privacy law, nor is it an exhaustive demonstration of the IT aspect of every provision of the law. This article is merely a demonstration of the technological aspects of some of the provisions of current privacy laws. Please consult qualified privacy law experts should you have in-depth questions.
Data security
All organizations covered by privacy laws must implement adequate technical and organizational measures to ensure adequate data protection. Article 32 of the GDPR requires implementation of appropriate technical and organizational measures commensurate to the security risk level. Nevada Revised Statutes 603A.210[8] requires implementation and maintenance of reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.
While organizational privacy measures such as legal privacy policies and procedures can readily be understood and implemented, the same is not true of technical privacy measures. The IT privacy compliance officer can serve as the intermediary between the company’s privacy compliance function and the IT department. For example, if the privacy compliance function needs to see evidence that customer data has been pseudonymized, the IT privacy compliance officer can obtain the appropriate evidence and explain it. Need to understand whether the company customer database passed the identity and access management audit? The IT privacy compliance officer can explain the authentication, authorization, and accounting controls, provide the appropriate evidence, and explain how these controls prevent unauthorized computer users from getting into sensitive customer databases.
The appropriate audit evidence should not be as difficult to understand as rocket science. There are different ways of gathering evidence of compliance. Inquiries are one. Even a member of the compliance team with minimal IT knowledge can do this. Observation is another method; for example, a member of the compliance team or department can ask the IT privacy compliance officer or even the IT security engineer to display the system configuration of these authentication and authorization controls in the domain controller. They can then ask to be shown a sample of the activity logs that constitute accounting controls. The walk-through observation can be archived through time-stamped screenshots that can be presented to internal or external stakeholders as proof of compliance with this requirement.
Data subject consent
Data subjects are customers and clients who provide personal information in the normal course of business. Article 7 of the GDPR states that organizations in the EU, or those that process the personally identifiable information (PII) of EU resident and citizen data subjects, should be able to demonstrate that customers have given consent to the processing of their data. Article 8 of Brazil’s LGPD law states that the organization’s data controller should provide proof that consent was collected according to law. While the legal text is clear, demonstrating technological proof is another matter entirely and is best left to the IT privacy compliance officer. They can explain the software that logs the customer’s consent and work with IT to extract a record of electronic consent.
As is the case with the previous example, coming up with strong evidence of compliance need not be difficult. A member of the compliance team can look into the system configuration and ask for a screenshot of consent data captured. They can also ask for a log showing the same data.
Data controllers and processors
GDPR Article 4 defines data controllers as those who determine the purposes and means of processing personal data. On the other hand, processors process data on behalf of the controller. Members of the compliance team can help speed up this aspect of the compliance process by conducting inquiries with the application owner within the IT department. The IT privacy compliance officer can then demonstrate technological proof that the data controller has the appropriate rights and permissions to customer databases. For instance, a screenshot from the server hosting the domain controller can show the extent of the controller’s access to the database. Likewise, the same evidence can be used to show that the processor’s access groups and rights are limited to only processing data.
Right to be forgotten
Article 17 of the GDPR covers the customer’s right to have their data erased. A similar article in CCPA, embodied in provision 1798.105, states that consumers have the right to request deletion of their personal information. There are likewise technological aspects in fulfilling this requirement. For instance, the IT privacy compliance officer can show proof to the compliance team that this requirement was met through a before-and-after printout of a personal information database. The IT application owner can extract logs from database and application servers to show that the customer’s personal information was completely deleted. Again, inquiry and observation are tools that can be useful both to the IT privacy compliance officer and the rest of the compliance team.
The IT department is also your ally
Although the IT privacy compliance officer can easily act as a conduit between the IT department and the compliance function, the IT department can nevertheless make life easier for both teams. For instance, involving the IT privacy compliance officer in the IT department’s regular change advisory meetings can give both sides actionable information and insight into planned changes in both the test and production environments of the various applications that process PII. Giving the compliance team a seat at the table when planning a new application also gives compliance an opportunity to voice its privacy requirements to the IT application development, quality assurance, and support teams. But the best way to accomplish all of this is for senior management to foster close collaboration and communication at the senior management level, for instance, between the chief information officer and the chief privacy officer.
Face technology changes together
New technologies arise every day to fulfill current and emerging ways of doing business. Right now, for instance, digital currency is increasingly becoming popular in paying for both virtual and physical products, some of which may have been sourced through social media links. What are the privacy implications of buying through Facebook and paying with Bitcoin? What are the technologies for proving consent, safeguarding personal information, or facilitating deletion of personal information? Where does a company’s liability end and a social media platform’s begin in the event of a personal information data breach? While there are no clear-cut answers to these questions, you can count on the IT privacy compliance officer to help you navigate the ever-changing technological landscape. Ultimately, though, close collaboration at the senior management levels of IT and compliance will ensure that all IT aspects of privacy are addressed in a complete and timely manner.
About the author
Ralph Villanueva has spoken on IT-related topics in national and international professional conferences since 2010 and recently published an article in the February 2021 edition of CEP Magazine.[9]
Takeaways
- All current and emerging privacy laws have information technology (IT) components since business today is predominantly dependent on IT.
- Keeping up with these IT components is a difficult task for privacy compliance professionals who have little or no background in this area.
- The IT privacy compliance officer can help the compliance function understand the IT components of data privacy and prove compliance from a technological perspective.
- The IT privacy compliance officer is not a formal title, so this role can take many forms, including IT auditor and IT compliance analyst.
- The IT privacy compliance officer can help you understand and prove the IT aspects of data privacy compliance, such as data security and data consent.