Aligning Privacy Strategy with Cybersecurity Strategy
Even the most secure networks can potentially be compromised in this highly connected world.
Legislators worldwide have introduced stricter privacy laws, knowing it’s more about ‘when’ than ‘if’ data security breaches will happen.
Cybersecurity analysts predict that by 2024, at least 75% of the world’s population will be covered under modern privacy regulations, putting more pressure on organizations to prove they have an effective cybersecurity strategy.
As the world’s most wide-reaching privacy legislation – and one of the toughest – the European Union’s General Data Protection Regulation (GDPR) has heightened consumer expectations on how data is handled.
With fines of up to €20 million, there’s additional pressure on your organization to stay one step ahead.
Your preventative measures need to become more sophisticated, with a multi-layered approach to cybersecurity and ongoing risk management.
Roles of the Chief Information Security Officer and Chief Privacy Officer
Many organizations that do not have a dedicated privacy team led by a chief privacy officer (CPO) put the responsibility for managing privacy and GDPR compliance under the watch of the chief information security officer (CISO).
In some organizations, the CPO and CISO roles are filled by the same person. However, while some of the responsibilities are connected, there are some important distinctions:
Chief information security officer – core focus on protecting the organization from information security threats to company-managed networks.
The CISO is responsible for managing the organization’s data governance and the security of its data-related infrastructure.
Chief privacy officer – core focus on protecting the privacy rights of individuals and external entities when their data is collected and stored on company-managed networks, as well as any transmission of that data.
The CPO manages the organization’s legal compliance with data privacy protection regulations such as the GDPR.
This responsibility includes managing data breach response plans to minimize data loss. Under the GDPR, organizations must report major breaches within 72 hours.
Are Cybersecurity and Privacy Controls the Same?
Before the GDPR and other privacy legislation came into effect, organizations’ data protection measures might have focused more on security than privacy – and it’s certainly possible to have strong data security without privacy.
But it’s not possible to have strong data privacy protections without strong cybersecurity.
Cybersecurity controls across the ISO-OSI model
Cybersecurity controls are applied in every layer of data communication managed by an organization, typically defined in the seven layers of the ISO-OSI model (the International Organization of Standardization model for Open System Interconnection):
- Physical
- Data link
- Network
- Transport
- Session
- Presentation
- Application.
Cybersecurity controls are designed to address threats to the security of data as it moves across a network (and any interfaces with devices) by performing the following functions:
- Monitoring
- Testing
- Detecting
- Analyzing
- Correlating
- Responding
- Reviewing
- Reinforcing
- Defending.
Privacy controls and GDPR compliance
While cybersecurity controls are designed to identify and respond to potential threats to the security of data, privacy controls are firmly focused on protecting personally identifiable information (any data that can be traced back to an individual).
Under the GDPR, privacy controls must also address an individual’s right to informed choice, and consent to the collection of their personal data. It includes controls to support their choices about what personal data they permit organizations to collect and how that data is managed and shared.
The GDPR also includes rules about giving individuals the choice to consent to or block various kinds of data collected in cookies.
Privacy controls include cybersecurity tools to protect personally identifiable information, plus measures to manage the right to informed choice, including:
- Minimization (collection, retention, distribution, manipulation, transfer)
- Obfuscation (encryption, hashing, pseudonymization, anonymization)
- Informed choice (basis for consent, cookies and tracking, cookie wall, legitimate interests)
- Individual data rights (view, access, correct, limit, stop, erase, withdraw consent)
- Privacy by design.
Protecting Data Privacy Under the GDPR
The GDPR gives individuals the right to know if an organization holds any data on them.
If an organization has collected their personal data, the GDPR gives people rights to view, access, correct, limit or stop processing that data, and ask that it be erased or returned.
The GDPR legal text includes nearly 100 references to expectations for organizations to protect the privacy of personal data with “appropriate technical and organizational measures”.
However, these measures are not precisely defined. When planning your organization’s cybersecurity and privacy controls, consider the following:
- Although GDPR data privacy measures are undefined, are our organization’s privacy protections risk-aligned?
- Are our privacy controls proportional to the privacy protection need and the investment?
- Where data privacy controls are lacking, are the compensating controls applied sufficiently to the risk?
- Personal data privacy protection measures can include technical devices, technical processes, staffing, structure, and procedures.
These measures need to address data privacy monitoring, testing, detecting, analyzing, correlating, responding, reviewing, reinforcing and defending; authorized use and behavior; and privacy controls.
Examples of “reasonable measures” to protect the privacy of personal data
Technical measures for privacy control
Reasonableness should apply to:
- Defenses
- Investment in infrastructure
- Monitoring, testing and detecting private data
- Developing protections and responses, including processes and procedures.
Organizational measures for privacy control
Reasonableness should also apply to:
- Adequate staffing to manage privacy control
- Authorization of access and use (dictating who has access to specific data, what they are authorized to do, whether it can be transported, and the protection required).
GDPR Compliance Plan: Seven Recommended Steps
Step 1: Perform an inventory.
To understand what private data your organization holds, you will need to map the networks, systems and tools used to manage data, and identify which records contain private data covered by the GDPR.
Then, you’ll need to create an inventory catalog that includes details about what data is contained in each location, its purpose, who in the organization ‘owns’ the data, who else has access, and what controls are in place to protect access and use (such as license agreements and contracts).
Step 2: Assess gaps in compliance with the GDPR and other data privacy laws.
Perform a gap analysis to find out how the organization’s business processes related to data address compliance with the GDPR and other laws. The information you collect during this analysis will help shape your data privacy risk mitigation plan.
Step 3: Map business processes and movement of data.
Under the GDPR, you need to maintain accurate and up-to-date records of how data is handled across the organization. This map will provide an audit trail identifying which data is personally identifiable information.
A data map also comes with records of when data was collected, where it was collected, how it was/is processed and analyzed, and the purpose for which the data is used.
Step 4: Risk-assess data and system assets.
Not all data is high risk. Your risk assessment needs to consider the risk level for each type of personal data record.
For example, high-risk categories include data on vulnerable populations, data containing financial information, and other sensitive information such as health records.
Other risks to assess include the adequacy of corresponding levels of protection available for low, medium and high-risk data.
Step 5: Evaluate contracts and disclosures.
Review all legally required agreements you have in place for how data is collected, managed and used, including disclosures such as privacy statements and terms of service.
Under the GDPR, individuals have the right to make informed choices about what private data is collected and how it is used.
Step 6: Review data owner choice, privacy rights and controls.
Evaluate the effectiveness of your communications and controls in place to ensure individuals can make informed choices about exercising their data privacy rights.
Under the GDPR, you must inform consumers about your intention to collect personal data and give them options for consenting to and controlling the collection of some (or all) data.
Consumers need to know what your organization plans to do with their data and how their data privacy rights will be protected.
Along with simple tools to exercise their rights such as reversing consent, taking back their data and/or limiting how your organization uses it.
Step 7: Correct deficiencies in data privacy protection and GDPR compliance.
A thorough GDPR compliance assessment by an independent third party can help you identify and correct any gaps in your data protection processes, procedures and policies.
TrustArc GDPR Assessment
Get a GDPR Assessment that’s conduct by expert privacy consultants, with deep expertise in identifying gaps, assessing risks, and designing prioritized step-by-step implantation plans for GDPR compliance.
Our GDPR compliance experts are supported in their work by the powerful TrustArc Privacy Management Platform, which helps ensure the assessment is comprehensive, complete and accurate.