Privacy Management: How to proactively manage risk and sustain compliance

“How can I manage privacy and risk of exposure of personal data from malicious attackers, or my own employees, while keeping pace with global evolving regulations?” For many organizations, this is a constant struggle made more daunting by the fact that data is siloed and processes are manual.

Both remote workers and evolving infrastructure can represent opportunities for attackers. Because personal data is so precious, it’s most likely to be stolen or exposed during an attack. The Cost of a Data Breach Report 2021¹ found:

• Remote work, with its unmanaged personal devices, unsecured home networks, and unencrypted data, has raised data breach costs by more than $1 million compared to other causes.

• High system complexity and compliance failures resulting from evolving infrastructure, value chains, and operations increased costs by $2.3 million.

• Personal data is the most sought-after data in an attack: 44% of breaches compromised customer data, another 28% involved anonymized customer data, and 26% involved employee information.

Remediating a breach that includes personal data is costly, but reputation damage or the loss of customers can be more devastating. As the amount of personal data grows, so does the risk.

Securing personal data

For better or worse, external attackers are not the biggest source of privacy risk—employees are. In fact, 59% of privacy incidents originate with an organization’s own employees. Unfortunately, while more than half are simply mistakes, 45% of these employee-driven privacy failures come from intentionally malicious behavior.²

The constantly evolving global regulatory environment offers additional challenges. The introduction of the General Data Protection Regulation (GDPR) in 2018, for example, expressly provided individuals with new and enhanced rights over their personal data, including greater transparency and control over the processing of their personal data by organizations.

Since then, 128 of 194 countries have enacted similar legislation—and 19 other countries have draft legislation in place. That’s 76% of all countries in the world.³ More regulations are springing up all the time.

Privacy management simplified

The new ServiceNow® Privacy Management application in the Now Platform® Rome release helps organizations proactively manage privacy risk and assist customers in complying with their data privacy requirements. Privacy Management is a natural extension to our risk and compliance management portfolio using the unified platform to share data and holistically prioritize and manage risk.

Privacy Management takes advantage of ServiceNow’s powerful new user experience, with a workspace that consolidates tasks, issues, and status tailored to the privacy manager’s unique role. Having all the necessary information in one place with simplified navigation improves decision-making and encourages action through real-time insights.

Privacy managers can now easily send privacy impact assessments for a single entity or group with three clicks or obtain a detailed view of processing activities, including the personal data impacted, from a single homepage.

“As our clients looked to operationalize our data privacy process recommendations for a privacy operations framework, they needed a way to provide better tracking and workflow automation for privacy impact assessments and data subject rights requests that complied with the EU GDPR and California’s CCPA regulations,” says Angela Saverice-Rohan, EY Americas’ cybersecurity data privacy and protection leader.  

“We chose ServiceNow as the foundation of our privacy offering because of its workflow automation, flexibility, and ability to support the differing needs of our clients in the retail, insurance, utility, telecommunication, and manufacturing industries.”

• Stay on top of privacy risks and evolving regulations.
  Privacy Management lets you proactively monitor your risk and compliance posture instead of reacting based on attacks and new regulations. Beyond implementing a robust privacy solution, training is also essential to help prepare employees to handle personal data. Annual employee training that includes a completion record is the best practice.

• Support privacy by design in daily workflows.
  Instead of everyone working in silos, you can provide unified and scalable enterprise-wide data privacy governance on a single platform. For example, organizations can now create a consistent process to screen new applications, projects, and vendors in the evaluation phase—not after they’ve been implemented or onboarded.

• Build trust and loyalty with customer data privacy rights.
  Manual processes and skills shortages can lead to errors and omissions when dealing with customer requests. Instead, a role-based user experience and user-friendly portals help stakeholders at all levels, including vendors, communicate and collaborate for greater visibility and effectively address issues and tasks—helping to keep personal data safe wherever it resides.

Privacy Management also works with other ServiceNow applications and integrated risk technology partners in the ServiceNow Store. It embeds privacy management into everyday activities and helps organizations protect the personal data of customers, employees, and suppliers.

Foundational process enabled by ServiceNow Privacy Management and complementary products

5 benefits of proactive privacy management

Our approach offers five important ways to help manage privacy better:

1. Identify where personal data is stored and align practices with regulatory requirements through integrations with ServiceNow Discovery or BigID. Other applications in the ServiceNow Store import privacy content such as Edgile Privacy ArC.
   
   Customers use ServiceNow Discovery to find databases deployed on premises and in the cloud and populate the CMDB. BigID reads the CMDB to understand the assets and associated data sources. 
   
   Automated scanning and discovery by BigID creates an inventory of sensitive and regulated data across the landscape. This enriches the ServiceNow CMDB with privacy and risk metadata for added visibility, insight, and action as part of the Privacy Management Workflows.
   

2. Easily send and track screening and privacy impact assessments. For business process owners, responding is simple, with drop-down menus and convenient check boxes on assessments accessed through their familiar employee service portal.
   

3. Save time with automation. Many steps have been automated through the Now Platform. For example, when a business process owner confirms that a new or updated process will impact customer data, the system automatically creates a processing activity. Similarly, when the type of personal data to be used or collected is indicated, the system maps the corresponding controls.
   
   It can also automatically send a privacy impact assessment when the screening assessment has been responded to. When an attestation is returned, the system will automatically calculate a compliance score and identify which requirements are not being met.
   

4. Intelligently manage issues. Noncompliant controls and smart issue management automatically generate issues. They can be assigned to the proper owner using AI and machine learning. Remediation can even be suggested.
   

5. Keep pace with changing regulations using ServiceNow Regulatory Change Management (part of the ServiceNow Integrated Risk Management portfolio). ServiceNow Application Portfolio Management can streamline the process when introducing new applications.

ServiceNow Privacy Management can help you identify personal data, as well as which business processes or applications collect, use, or store it. Through continuous monitoring, it can also help you manage risk and sustain compliance with applicable data protection requirements.

Learn more about Privacy Management and the other innovations in the Rome release at Now at Work.

¹ Cost of a Data Breach Report 2021, www.ibm.com/security/data-breach

² Gartner Security & Risk Management Summit May 18-20, 2020 Germany

³ UNCTAD Data Protection and Privacy Legislation Worldwide

© 2021 ServiceNow, Inc. All rights reserved. ServiceNow, the ServiceNow logo, Now, and other ServiceNow marks are trademarks and/or registered trademarks of ServiceNow, Inc. in the United States and/or other countries. Other company names, product names, and logos may be trademarks of the respective companies with which they are associated.