Yes, there’s a lot of data moving through organizations and hopefully the appropriate protections are in place to secure that data, but there’s also a human element to how organizations handle information, and the people on those teams must be equipped to do that appropriately. Modern cybersecurity and data privacy should combine people and technology best practices to give organizations the highest possible level of protection.
It’s imperative to have those two things come together to enable a next-generation approach to privacy and compliance while making it easy for people to ensure that regulations are respected.
When I look at privacy, it reminds me of how compliance and risk management departments of old operated, focusing narrowly on processes, teams, and tools specific to each type of data and regulation. This is difficult to scale while anticipating how rapidly evolving enterprises use data and account for immediate compliance requirements. A more modern privacy approach is to leverage technology, automation, and data management to create an integrated hybrid strategy for compliance.
For example, using automation to examine and identify where personally identifiable information (PII) is, which departments have access and why, the purpose of keeping that PII, when to shed the data, and having cross-functional teams that know where data is stored – and can act when housing that information becomes risky – are first steps.
There are several risk factors to consider if you think about how much outdated PII organizations and their workforce have access to. Automated processes to monitor data access and the lifecycle of that PII within a system minimize cybersecurity risk and the legal landmines accompanying compliance slips.
If a business gathers a type of PII on customers and an automated system shows that no application programming interface or business user has accessed that data in six months or more, that visibility can help you decide whether that PII should be shed, as it’s potentially doing more harm than good.
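The stale-PII check described above, written out as an added example (not code from the original article). It assumes a hypothetical PII inventory plus two constructed access sources, an API gateway log and a business-user audit log, and flags any inventoried dataset with no access from either source in 180 days or more, including datasets that were never accessed at all:

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the original article): a PII inventory
# and access events from two sources, an API gateway and a user audit log.
PII_INVENTORY = {
    "crm.customer_contacts": {"owner": "Marketing", "purpose": "campaign outreach"},
    "hr.applicant_resumes": {"owner": "HR", "purpose": "recruiting"},
    "legacy.loyalty_members": {"owner": "Retail Ops", "purpose": "loyalty program (retired)"},
    "finance.archived_invoices": {"owner": "Finance", "purpose": "tax records"},
}
API_ACCESS_LOG = [
    {"ts": "2024-05-02T09:14:00", "dataset": "crm.customer_contacts", "client": "svc-email"},
    {"ts": "2023-09-10T16:40:00", "dataset": "legacy.loyalty_members", "client": "svc-reporting"},
]
USER_ACCESS_LOG = [
    {"ts": "2024-04-28T11:05:00", "dataset": "hr.applicant_resumes", "user": "recruiter01"},
    {"ts": "2024-05-01T08:30:00", "dataset": "crm.customer_contacts", "user": "analyst07"},
]
STALE_AFTER = timedelta(days=180)  # the article's "six months or more"

def last_access(inventory, *logs):
    """Return {dataset: latest access datetime or None} across all log sources."""
    seen = {name: None for name in inventory}
    for log in logs:
        for event in log:
            name = event["dataset"]
            if name not in seen:
                continue  # access to something not inventoried as PII; out of scope here
            ts = datetime.fromisoformat(event["ts"])
            if seen[name] is None or ts > seen[name]:
                seen[name] = ts
    return seen

def stale_pii_review(inventory, as_of_iso, *logs):
    """Flag PII datasets with no API or user access within STALE_AFTER of as_of_iso."""
    as_of = datetime.fromisoformat(as_of_iso)
    findings = []
    for name, last in last_access(inventory, *logs).items():
        idle = None if last is None else as_of - last  # None: never accessed at all
        if idle is None or idle >= STALE_AFTER:
            findings.append({
                "dataset": name,
                "owner": inventory[name]["owner"],
                "purpose": inventory[name]["purpose"],
                "last_access": None if last is None else last.isoformat(),
                "idle_days": None if idle is None else idle.days,
                "action": "review with data owner for deletion or archival",
            })
    return sorted(findings, key=lambda f: f["dataset"])
```

The report is input for the cross-functional review, not an automatic delete: a dataset can be idle for a good reason (a legal hold, for example), so the owner and purpose travel with each finding.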
From a consumer privacy protection and compliance perspective, such revelations are a huge leap forward. Putting tools and technologies in place and empowering the individuals responsible for that data takes cross-functional team collaboration.
When it comes to cybersecurity, organizations can’t take anything for granted. We see this increasingly in the news, with nation-state and ransomware attacks spotlighting insider risk. If data is mishandled, there’s an acquisition, or an organization moves too fast and carries too much volatile data without planning, this increases vulnerability. With all the moving pieces within an organization, companies should be focused on what they can simplify. They can’t function in silos when it comes to data security, privacy, and handling PII.
What I often see in post-mortem calls examining what, when, how, and why a security incident occurred is that people wish they had a more cross-functional team with eyes on distinct parts of the business, but with data security and compliance top of mind.
An effective cross-functional team should include the Chief Privacy Officer, Chief Compliance Officer, Chief Risk Officer, Chief Information Officer, Chief Information Security Officer, General Counsel, Chief Human Resource Officer, someone from logistics, and a convener to bring these groups together. Of course, who’s at the table will depend on the size of an organization, but these people and their teams make decisions, hire third parties, onboard employees, manage contracts, and testify in front of state or federal governments; they’re all stakeholders in data compliance. Everyone at that table has a team of people responsible for handling data, and enabling them to do that correctly is hugely important.
What happens when there’s a data breach is that organizations gather key stakeholders after an incident has occurred. Now, they’re catching each other up on who within the company handles PII and other sensitive information. At that point, from a crisis management standpoint, it can be challenging to respond appropriately and effectively when scoping a crisis takes days or weeks.
That’s why there must be a sound and tested cross-functional approach to deal with data privacy. The question is: how do you enable the technology you have and empower your team? Start with giving them visibility into privacy risks within the organization. You can use internal dashboards to give stakeholders a shared view of how issues are developing. That enables them to see the same data points around existing and potential risk areas and understand how each part of the business impacts the others from a data compliance and risk perspective. This cross-functional team should also have oversight into how they enable their employee base to handle and access PII.
If there’s visibility across risk areas when stakeholders meet to respond to a significant issue, there’s a built-in understanding and alignment of where the risk is, how it was exposed, and what to do next.