Positive Sum Planning for Your Privacy Program
In part one of this two-part post, we’ll look at the benefits of positive-sum planning for your privacy program and how to apply primary components of the concept to build a collaborative program that hits business objectives while reducing risk associated with personal information. Part two will focus on applying positive-sum planning to your GDPR readiness initiatives.
Privacy and data risk professionals will spend a great deal of time and effort in 2017 preparing to comply with new international regulations such as the European Union's (EU) General Data Protection Regulation (GDPR), Network and Information Systems Directive (NIS) and the ePrivacy Regulation. With well over a year until the effective date of GDPR and NIS, and the anticipated effective date of the ePrivacy Regulation, there has been an ongoing buzz of activity, with organizations pressing to build and adjust their data protection programs in advance of the new rules. It’s not unfamiliar territory to many: we’ve seen similar frenzies in the past, ahead of new rules such as SOX, PCI DSS and the HIPAA Security/Privacy rules.
In this environment, a strict compliance focus has proven sub-optimal in terms of gaining true risk management and applying innovative solutions to support business initiatives. Yet, the tremendous volume of GDPR forums, webinars and blogs, indicate time and time again that the security/privacy industry remains stuck with the same compliance focus. This approach undoubtedly worked well when organizations owned or directly controlled their data processing environments. However, as technologies such as cloud, mobile and Internet of Things (IoT) gain continually increasing rates of adoption and pervasiveness, traditional privacy/security approaches are in serious need of reevaluation.
Positive-Sum Mindset for an Effective and Sustainable Program
At the outset of a year in which there is so much to accomplish, privacy, security and data risk professionals should work assertively toward strategic decisions for key focus areas across enterprise privacy programs. Effective and sustainable management of privacy and data risk should be a top-line objective.
One of the most – perhaps the single most important factor – for building an effective and sustainable privacy program is designing a program that collaborates proactively with cross-functional stakeholders through innovative approaches to privacy risk management that support business initiatives, without compromising compliance obligations.
Taking this into consideration, the concept of a “positive sum” approach (see Privacy by Design, The 7 Foundational Principles; Ann Cavoukian, Ph.D.) in which stakeholders share a single set of objectives driving the design, development and implementation of business initiatives or technologies, provides a strategic boost toward attaining effectiveness and sustainability. And while optics are important, the real-world payoffs in terms of knowledge-sharing, teaming across functions and building strong foundations for further collaboration, are hard to deny.
Implementing a positive-sum approach and achieving downstream results is not without challenges, as it requires that privacy and data protection are viewed as business and technical requirements in the very early stages of planning and designing new initiatives and systems that support business objectives. There are four key components that will drive your efforts toward achieving a positive-sum privacy program (details pertaining to integrating positive-sum strategies into your GDPR strategy and program will be covered in the next post). These are:
Adoption of Innovation
Collaboration with Information Security, and
In order to gain that essential seat at the table in the early planning stages of new processes or technology solutions, privacy programs must demonstrate a commitment to proactive engagement with business and technology leaders. Proactive engagement results in the privacy team:
Gaining an understanding of business and technology initiatives at a stage where privacy and data protection will be viewed as functional requirements for the successful build and execution of the initiative.
Establishing status as an equal participant in and contributor to the initiative.
Establishing business and technology stakeholder confidence in privacy as a partner and enabler as opposed to a hurdle posed by bolted on legal or compliance demands.
Embedding Privacy into the design of new business processes and technology solutions (Principle 3 of the Privacy by Design 7 Foundational Principles).
A truly effective and engaged privacy program will feature a team member or members that not only embrace innovation, but possess the requisite level of inquisitiveness, experience, and thought leadership to apply innovative thinking about privacy to enhance new processes and technology. These individuals will benefit new initiatives by:
Applying new strategic approaches to meeting business or technology objectives without compromising privacy risk management or compliance objectives.
Providing the requisite leadership to drive the development of tactical implementation of those new strategic approaches.
Driving adoption of innovation throughout the privacy team in order to eliminate complacency with traditional compliance approaches and encouraging contributions throughout the team.
Collaboration with Information Security
An organization’s ability to implement effective and sustainable security safeguards for personal information has always been a key objective of privacy programs. Current trends in use of cloud, mobile computing, big data and Internet of Things make that objective not only more significant, but also much more challenging to achieve. In order to contribute to and effectively collaborate with Information Security, the privacy team should consider a number of proactive steps, including:
Incorporating information security knowledge within the privacy team. A team member with information security background is a tremendous asset to the privacy function. This team member enables deeper discussion of technical information security issues and solutions, and helps position privacy as a valued contributor to security solutions, rather than solely as a driver of greater security demands.
Sponsoring and leading a data mapping exercise focused on the flow of personal information throughout the lifecycle of existing or planned processes and systems. These data mapping exercises will produce visual depictions of data flows, identifying flows within the organization and out to its third party and cloud-based ecosystem, so that appropriate controls can be designed and built into the process or system.
Of course, when it comes to privacy and information security there remains the oft-cited conundrum that certain security objectives (e.g. in Identity and Access Management and Security Operations) can run counter to good privacy practices. The validity (or invalidity) of this point of view, and potential solutions, will be addressed in part 2 of this post.
Achieving the “positive sum” objective requires privacy personnel with deep industry knowledge and who possess requisite insight into the organization's business.
Pharmaceutical and biotechnology provides a great example of industries in which privacy professionals must pay particular attention to rules and regulations that are outside of the traditional privacy focus when planning certain processes and technology solutions. For example, the EU Clinical Trials Regulation puts affirmative obligations on sponsors of clinical research that may not always easily align with more obvious privacy obligations. Sunshine Acts (financial transparency rules and regs) provide similar hurdles. Industry expertise and an understanding of how to navigate these complexities is essential to achieving positive-sum outcomes.
The healthcare industry provides similar complexities calling out for deep industry knowledge. For example, experience with clinical workflows in a healthcare provider setting is very important in order for a privacy program to develop and operationalize good privacy controls. Privacy professionals at healthcare providers can also be more effective if they have experience supporting Electronic Health Records (EHR) environments, digital health initiatives, patient engagement efforts and so on.
Clearly, a privacy program that produces positive-sum results is a desirable outcome for nearly any privacy professional, and particularly those tasked with leading a privacy program and working across multi-disciplinary functions to achieve results. While the positive-sum outcome is reasonably easy to envision, it is far from easy to achieve. It requires planning in terms of organization and staff, and socialization across diverse business and IT functions. With proper planning and execution, a positive-sum strategic approach to privacy and data protection will produce tremendous benefits, not only to the organization, but also to those individuals who entrust their personal information to the organization.