As of mid-last year, there were more than a hundred and thirty different privacy regulations globally. That number has increased substantially since. There are comprehensive privacy laws in effect now or emerging on every continent apart from Antarctica. The number of US states that have enacted comprehensive privacy regulation has doubled from two to four over these past several months, and these are in addition to sector specific federal agency privacy regulations like HIPAA, COPPA and others, and existing state breach reporting acts. With other comprehensive state acts waiting for passage, that number may double again this year. Although there are similarities between many, differences between these and the cost of non-compliance in assumed risk and penalties are sufficient to require that any company operating globally stay aware of the laws to which they need to be responsive, and diligent in meeting the requirements of each of them. There is no one size fits all solution. And although several excellent companies provide substantial platforms, frameworks, and tools to help manage the requirements of a privacy program, inventories, discovery, assessments, rights management, communications, policies, notices and more, and these help to leverage commonalities between the laws, at best we can achieve a directionally effective privacy conformance posture, but for many to most, not full and sustainable compliance.
And it is not simply the number of laws to which we may need to comply. Privacy regulations are laws (GDPR, CCPA, LGPD, PIPL, POPIA), but not a legal problem for an operating business. For most companies it is about absorbing a complex set of divergent, complex, continually changing, and newly emerging laws into an operating business amidst all the competing attentions of globalization, digital transformation, competitive differentiation, changing markets, cyber and enterprise threats, a workforce in flux, and newly defined consumer expectations all of which hold leadership’s attentions.
Speaking at a conference last year I introduced what I called the non-compliance Dirty Dozen, a list of common reasons why privacy projects undertaken, even by some of the best of name companies, struggle or fail. Projects are undertaken, but not completed, completed, but not operationalized, there is insufficient leadership attention, inadequate resource or authority, other priorities have taken focus, gains made were lost to business change or growth, no mechanism in place to stay current with ongoing business and activities in the field, and more. And many companies, even well-known name companies, have not undertaken, completed, or maintained an inventory and catalog of the location and classification of the data in their environment, and therefore have not assessed the value and sensitivity or the business confidentiality of the data assets they collect, store or process in house, or are held or are serviced on their behalf by third parties. And if you don’t know what you have and where it is, how can you effectively protect it. And are the right controls in the right places at the right times for the consequence of the data they are to protect for a given risk? If protecting the client data base and the corporate lunch menu in the same way one or the other is improperly managed.
But is it sufficient to understand the law? We have very smart attorneys that can interpret the language and tell us what it means. But is that enough for the law to be operationalized? For instance, ‘the law requires that we have a means for individuals to see what data we are holding that relates to them and assure that it is current and correct and that we provide a means so that they can control what we can keep and how it can be used’. Well for the law to be operationalized that statement is only the beginning. What it doesn’t tell us is how best to accomplish that. Well of course a self-service portal allowing an individual to see their data and make decisions about its use, what goes, what stays and what changes will meet the requirements of the law. It could also be operationally effective in limiting the access requests to which a company needs to respond, and the infrastructure and process needed to enable that. But that requires an investment in infrastructure and that a portal application be developed. It requires that it functions well, the interface is pleasing and intuitive, and it performs sufficiently for a good experience. It correctly links to all the applications, systems and repositories of data that might hold data about the individual. It keeps pace with change. As new data is collected, or new systems engaged in processing individual data or providing them with new services, these too are properly linked and accessible. It scales to meet the demands of use. It needs effective event logging and archive to maintain a history of access, changes, and deletions. Instructions for ongoing use, the individual’s intentions, need to be logged but also put into effect. And if this portal is to satisfy individual access to their data, we also need to assure that it is available. That requires that it be protected, its security and stability monitored, and not just for the portal, but the systems, networks and storage, or micro services and storage-as-a-service provisioned in the one or many clouds in which it resides. We need active-active configurations, hot fail over, swappable drives, in house spares or support contracts to respond to failures. And what about the telecom required to reach it? Is that protected? The staffing, engineering and help desk to support it? The data backups and other offsite data replication? The recovery and continuity plans? The ongoing budget for maintenance? So yes, these are laws, but operationalizing them is not solely a legal problem. The disciplines of system development, operations, technical security, and production controls and the maturity frameworks that have been the basis for enterprise Information Technology for so long play a major role in adopting and operationalizing privacy.
But even if we can successfully operationalize how do we know if our overall privacy programs are effective? It is about the effective implementation of an ecosystem of controls. And regardless of the control, technical, privacy, behavioral, ethical, or other, it is insufficient to know that it is in place. We also need to know that it is effective, functioning or performing its role correctly, that there is a process in place to assure it, test and validate it, and that it is done routinely. It is also important to be able to assess the effectiveness of the control in the context of each area in which it is deployed, over time, at specific times, and with respect to the organization overall. It is for instance insufficient for the head of security to know that there is an incident response plan in place with expectations of the employees and staff, know its characteristics, and how frequently it is assessed and tested if that has not been communicated across the organization and internalized to the business. And how effective is the adoption or uptake of a control or process by any part of the business, has it shown improvement or degradation over time, and how does it compare to its adoption by other areas of the business so that we can know where the roadblocks are and where to apply our attentions and resources? These are principles of effective maturity in the governance of a business and business risk. Many businesses have adopted maturity frameworks and governance standards to advance enterprise and cyber security governance. We in privacy are only beginning and with so many laws on the horizon how effectively we mature will determine our success. We still have a way to go.
Martin Gomberg is a former CIO and CISO, now a privacy consultant and business advisor and author of CISO Redefined: Thoughts on Leadership, Business Protection, and the Chief Information Security Officer.