Sanity: Implement a Privacy Framework
For privacy professionals attempting to implement privacy and data security programs, it’s a tumultuous journey. Existing regulatory requirements are changing – consider the amendments made to the CCPA by the CPRA and those recently passed for the VCDPA. New US state or country laws continue to dominate the headlines to the extent that even privacy tracker apps have a hard time keeping up. Privacy experts can’t escape the constant change and the adjustments needed to keep privacy and data security programs compliant. Is there a “work smarter, not harder” way to bring some sanity to the struggle?
This may be the year many privacy professionals implement a privacy framework as their “work smarter, not harder” solution. Privacy frameworks provide a structure upon which to base program fundamentals. They don’t diminish the need to understand the laws and regulations applicable to the business. However, with a framework in place, companies can document their policies and procedures for protecting customers’ and employees’ personal information. Frameworks can address today’s requirements and allow companies to pivot quickly to meet tomorrow’s ever-changing business, technology, and regulatory environments.
The following are several benefits ISACA identifies in applying a privacy framework to the processing of your organization’s personal data:
- Streamlined compliance
- Measurable results
- Reduced costs
- Improved risk mitigation
- Effective program evaluation
- Alignment with enterprise strategy
- Unification of privacy, security, and compliance efforts
- A sustainable privacy program
Even with a privacy framework in place, the organization still needs to complete a data map of the personal and sensitive data it processes in order to fully support the privacy program.
To leverage a privacy framework, an organization needs a clear understanding of its specific information requirements, which depend on the industry in which it operates. Fortunately, there are several privacy frameworks from which to choose:
- Fair Information Practice Principles
- Generally Accepted Privacy Principles Maturity Model
- National Institute of Standards and Technology Privacy Framework
- Organization for Economic Cooperation and Development Privacy Framework
Utah has become the fourth US state to pass comprehensive data privacy legislation, known as the Utah Consumer Privacy Act (UCPA). The Act is similar to those of California, Virginia, and Colorado but most closely mirrors Virginia’s. The Act does not create a private right of action for consumers, and complaints must first go through the Division of Consumer Protection within the Utah Department of Commerce before being referred to the State Attorney General’s office.
Currently, legislation is the most searched privacy topic, so here are some highlights from recent US State activity:
- Wyoming’s Governor signed the Genetic Data Privacy Act into law on March 8, 2022; it takes effect on July 1 of the same year. The bill requires businesses that collect genetic data to provide clear and complete information about the company’s policies and procedures for the collection, use, or disclosure of genetic data. It also requires businesses to obtain express consent from an individual before collecting genetic data, and separate express consent before transferring or disclosing the consumer’s genetic data to any person other than the company’s vendors and service providers.
- Virginia’s privacy regulation has yet to take effect; however, lawmakers there have passed 4 VCDPA amendment bills.
- Two states have privacy legislation in cross committee: Florida and Oklahoma.
- 18 states have bills in committee
- The Colorado Attorney General’s office announced it is soliciting informal comments on rulemaking under the Colorado Privacy Act. Comments will be part of an information-gathering process but won’t be included in the rulemaking record.
- The California Attorney General’s office issued a first-of-its-kind interpretive opinion on the CCPA’s application. Assembly Member Kiley presented the following question: “Under the California Consumer Privacy Act, does a consumer’s right to know the specific pieces of personal information that a business has collected about that consumer apply to internally generated inferences the business holds about the consumer from either internal or external information sources?” The opinion states that, unless an exception applies, a consumer has the right to know internally generated inferences about that consumer.
Cybersecurity threats are top-of-mind concerns for organizations of all sizes and in every industry. Today’s decentralized workforce has heightened these concerns and forced organizations to implement solutions that ensure short-term viability during the pandemic but also shape the future of the organization’s data protection strategy. Here are a number of tools cybersecurity professionals are leveraging to protect the organization’s data and infrastructure.
Private web browsers
When browsing with a traditional web browser, the browser stores information about the user, such as each URL the user visits and the cookies encountered while visiting those sites. In turn, these cookies are shared with third parties to further track users. By contrast, when a user opens a private browsing window or uses a standalone private web browser, the browser session is isolated from the main browser, and information is not shared with it. A private browser does not save the user’s browsing history, and any cookies generated during the session are cleared when the user closes it. One of the primary uses for private web browsers is to prevent others from seeing the user’s web activity.
HTTPS is a more secure version of HTTP, the protocol used to transfer data between a web browser and a website. Data transfers over HTTPS are encrypted, providing a higher level of security in situations where privacy is required. Most modern browsers will flag websites that do not use HTTPS as not secure and restrict user access. The primary benefit of HTTPS is that a bad actor monitoring a user’s web session will only be able to see which website was visited, not the activity that occurred on that site.
VPNs also encrypt data, but they do so differently from HTTPS. A VPN connection hides a user’s IP address by routing the user’s traffic through a server operated by a remote host. The VPN server becomes the apparent source of the traffic rather than the user’s machine. The advantage of VPNs is that they hide the user’s data from both the user’s Internet Service Provider and any other third parties who might want to monitor it, and they hide the user’s location. The primary benefit of using a VPN is that it creates an encrypted tunnel between a server and a remote device, shielding all data flowing through the tunnel from third parties. Thus, a VPN allows an employee to work remotely and still securely connect to and communicate within a corporate network.
None of these tools are risk-free. Cybersecurity professionals continue to work hard to implement and configure solutions that adequately balance security and risks while allowing remote employees to access organizational resources to do their jobs.
IAPP Global Privacy Summit 2022
The world’s premier privacy and data protection conference focusing on international topics, policy, and strategy.
April 12 – 13, 2022
The AIIM Conference
Re-designed for optimum engagement, AIIM22 is an event where work gets done – together – to solve information-centric issues.
April 27 – 29, 2022
MER Conference 2022
MER equips information governance practitioners to better impact their organization’s business objectives.
May 10 – 12, 2022
Privacy-Enhancing Technology Summit North America
Unleashing the Power of Sensitive Data & Mitigating Risks
May 18 – 19, 2022