Organizations need ‘privacy by design’

It’s helpful to think of specific policies and notifications as the tangible result of a strong data privacy culture. Policies are the concrete rules that employees must follow in order to maintain data privacy, while notifications keep employees abreast of changes to those policies. “This is important because regulations are constantly changing,” says Goyal. “People within the organization need to know what is changing and when.”

Set up explicit policies and a cadence for notifications, and circulate those policies to new employees as part of their onboarding. Designate privacy champions among individual teams throughout the organization to explain how high-level privacy goals connect to ground-level policies in terms that each group can understand and support.

Privacy controls dictate how personally identifiable information is secured and how a consumer’s privacy is maintained. Since federal and state authorities are increasingly willing to regulate privacy and security protocols, proactive self-regulation is crucial or the organization risks having to play catch-up ad nauseum. And since the regulatory landscape is changing so quickly, it’s no longer efficient—or even possible—for larger organizations to manually change privacy controls in response.

Organizations must create a simple, intuitive, and automated system for data privacy controls. Non-technical teams in manufacturing, business, and sales must be able to operate this system without consulting IT or privacy teams. The system should be embedded into each team’s work processes, so the company can easily stay compliant without adding friction for employees.

The consensus among privacy and security experts is that organizations must shift privacy and security left, meaning they should incorporate privacy safeguards as early as possible into their product-development lifecycle. It’s a consensus for good reason: It’s far easier to think about how a new system or product will protect customer privacy before it’s designed or shipped. Just as you should think about shifting privacy and security left in product development, it’s crucial to shift left operationally, too.

Think ahead about how and when your employees can—and should—access data. That’s where control points and operational activities come in. A control point is like a gate through which employees must provide credentials to “get in” and access data on the other side. Those credentials could be admin capabilities, passwords, user accounts, or policy configurations. Operational activities, sometimes called operational security, are risk management tools used by managers to evaluate operations from the perspective of a potential threat actor. Thinking about how a threat actor might exploit the system—before they actually do—allows for more secure IT infrastructure.

The General Data Protection Regulation (GDPR) gave EU citizens, and anyone who does business with EU organizations, new rights to data access and privacy. Under GDPR, such individuals can make a “data subject access request” (DSAR) to learn what an organization knows about them and how the company uses that information. The California Consumer Privacy Act (CCPA) establishes a similar right, and other states are in the process of passing acts that enable consumers to make a DSAR as well.

When planning for DSARs, there are two things to keep in mind: regulatory requirements and user experience. On the one hand, GDPR, CCPA, and other regulations govern how and when companies must hand over user data or face fines and other legal actions. On the other hand, a data subject privacy request is an opportunity to establish trust with users. By making the process as fast and smooth as possible, you can show your users that you’re invested in their privacy and security.

Responding to such requests is a complicated, multi-step, cross-functional endeavor. Organizations need to create response systems now. Such systems should automate responses so the process is streamlined and efficient, or companies will be overwhelmed by requests and face irate users.

Security breaches and data privacy incidents will occur. When managing high volumes of data, breaches are inevitable. The first step to managing them is to acknowledge that reality. Rather than aiming to plug every vulnerability in the system, build in processes to prepare for privacy incidents.

In the event of a privacy incident, move quickly and transparently. To that end, it’s a good idea to prepare the response and to practice responding to test incidents and scenarios as often as possible. In addition to responding to the incident itself, do root-cause analysis to figure out how it happened, which regulations apply to the incident, and what customers need to be notified. Prepare for a surge of data privacy requests post-incident; customers will want to know exactly what happened and whether they were impacted.

The rise of supply-chain attacks, such as the high-profile SolarWinds incident, has made third-party risk from suppliers and vendors top of mind for many businesses. Before engaging with a supplier, client, or vendor, it’s crucial for organizations to think about such risks.

Rather than kicking off a deal with a vendor and applying privacy controls post hoc, build risk assessment into the processes used to interface with third parties from the get-go. These assessments should cover the scope of data that third-party providers are allowed to handle, what they should not handle, and what they need to do when a breach occurs. “It’s almost like a vendor assessment,” says Tripp. “It enables you to ask whether your suppliers are meeting certain regulatory requirements.”

Risk assessments shouldn’t end when a contract does. In fact, after ending a contract, companies should perform an audit to ensure the third party deletes any data that no longer belongs to them.

The automation tools like those that Ernst & Young built using the Now Platform enable organizations to customize privacy-related processes that work for their business. They help automate processes, workflows, risk assessments, best practices, and frameworks—the building blocks of risk assessment and data privacy.

Since building privacy into existing processes and products is too complex to handle manually, automation tools play a substantial role in implementing and automating privacy by design.