Organizations need ‘privacy by design’

In today’s world, privacy safeguards must be baked into every process and product

Learn the 9 steps to implement data privacy by design into your organization.

This story originally appeared in Workflow Quarterly: The Resilience Issue

Widespread digitization has given organizations access to more data—and more types of data—than ever before. Businesses now routinely store massive amounts of information about their employees, customers, partners, vendors, and suppliers: onboarding and interview data, data from in-home smart devices, data about transactions, supply chains, and more. While data is the lifeblood of most organizations, it also poses a substantial liability.

As countries, states, and cities continually pass new governance and compliance measures, the regulatory landscape is becoming increasingly difficult to navigate. Businesses are now beholden to a complex web of governance, risk, and compliance laws. And as hybrid and remote work become the norm, the threat landscape is growing and changing quickly. Companies are processing and storing data from new digital services that saw rapid uptake during the pandemic. At the same time, threat actors are changing their tactics in response to shifts in work habits.

For those responsible for safeguarding the ever-increasing volume of data and making sure their organizations are resilient in the face of such threats, how can they maintain an effective data privacy program?

To answer this question, Workflow sat down with two senior managers at Ernst & Young—Ishant Goyal, senior manager and ServiceNow architect, and Tori Tripp, senior manager of data protection and privacy. Using the Now Platform, Ernst & Young built automation tools that enable organizations to customize privacy-related workflows. When onboarding a new vendor, for example, instead of manually checking whether the vendor is using inventory software that is compliant with local and federal regulations, the system can help check automatically.

Goyal and Tripp believe the key to a good program is “privacy by design.” Rather than attempting to secure products and services after they’re launched, privacy by design bakes privacy protection into the development process.

What came out of this conversation were nine steps that executives can take to implement privacy by design in their organizations.

1. Create a culture of privacy with stakeholders

While the privacy team might understand the importance of security, other teams might not have the same level of understanding. Nevertheless, getting buy-in from the company as a whole is crucial. After all, it isn’t just the privacy team that keeps the organization secure—it’s everyone. Since anyone could potentially fall prey to a phishing attack, store their data improperly, reuse passwords across devices and applications, or commit an error that leads to a data leak, everyone must be on board with privacy initiatives.

Educate leadership on the importance of strong privacy protection so that they can set the tone for the organization. No team, from marketing to sales to product, should have a conversation without talking about how privacy fits into what they’re doing. “Creating a culture of privacy starts with the leadership team,” says Tripp. “Getting leadership buy-in and having that tone come from the top down is crucial.”

2. Invest in data classification strategies

Organizations that process a high volume of data often lose visibility into the types of data they’re storing. If no one knows what data is being stored and where it’s coming from, then it can’t be secured.

Data classification assesses the data that an organization has stored and figures out whether it’s properly secured. New tools and technologies make this a simple and effective process. For example, BigID, a data management company, makes online tools for managing private data. Tools like BigID connect to the company’s network and parse its data into types, so execs can decide which controls must be put in place to secure company assets.

3. Manage policies and notifications

It’s helpful to think of specific policies and notifications as the tangible result of a strong data privacy culture. Policies are the concrete rules that employees must follow in order to maintain data privacy, while notifications keep employees abreast of changes to those policies. “This is important because regulations are constantly changing,” says Goyal. “People within the organization need to know what is changing and when.”

Set up explicit policies and a cadence for notifications, and circulate those policies to new employees as part of their onboarding. Designate privacy champions among individual teams throughout the organization to explain how high-level privacy goals connect to ground-level policies in terms that each group can understand and support.

4. Create consistent privacy controls

Privacy controls dictate how personally identifiable information is secured and how a consumer’s privacy is maintained. Since federal and state authorities are increasingly willing to regulate privacy and security protocols, proactive self-regulation is crucial; otherwise the organization risks having to play catch-up ad nauseam. And since the regulatory landscape is changing so quickly, it’s no longer efficient—or even possible—for larger organizations to manually change privacy controls in response.

Organizations must create a simple, intuitive, and automated system for data privacy controls. Non-technical teams in manufacturing, business, and sales must be able to operate this system without consulting IT or privacy teams. The system should be embedded into each team’s work processes, so the company can easily stay compliant without adding friction for employees.

5. Enable control points and operational activities

The consensus among privacy and security experts is that organizations must shift privacy and security left, meaning they should incorporate privacy safeguards as early as possible into their product-development lifecycle. It’s a consensus for good reason: It’s far easier to think about how a new system or product will protect customer privacy before it’s designed or shipped. Just as you should think about shifting privacy and security left in product development, it’s crucial to shift left operationally, too.

Think ahead about how and when your employees can—and should—access data. That’s where control points and operational activities come in. A control point is like a gate through which employees must provide credentials to “get in” and access data on the other side. Those credentials could be admin capabilities, passwords, user accounts, or policy configurations. Operational activities, sometimes called operational security, are risk management tools used by managers to evaluate operations from the perspective of a potential threat actor. Thinking about how a threat actor might exploit the system—before they actually do—allows for more secure IT infrastructure.

6. Plan for customer data requests

The General Data Protection Regulation (GDPR) gave EU citizens, and anyone who does business with EU organizations, new rights to data access and privacy. Under GDPR, such individuals can make a “data subject access request” (DSAR) to learn what an organization knows about them and how the company uses that information. The California Consumer Privacy Act (CCPA) establishes a similar right, and other states are in the process of passing acts that enable consumers to make a DSAR as well.

When planning for DSARs, there are two things to keep in mind: regulatory requirements and user experience. On the one hand, GDPR, CCPA, and other regulations govern how and when companies must hand over user data or face fines and other legal actions. On the other hand, a data subject privacy request is an opportunity to establish trust with users. By making the process as fast and smooth as possible, you can show your users that you’re invested in their privacy and security.

Responding to such requests is a complicated, multi-step, cross-functional endeavor. Organizations need to create response systems now. Such systems should automate responses so the process is streamlined and efficient, or companies will be overwhelmed by requests and face irate users.

7. Prepare for privacy incidents now

Security breaches and data privacy incidents will occur. When managing high volumes of data, breaches are inevitable. The first step to managing them is to acknowledge that reality. Rather than aiming to plug every vulnerability in the system, build in processes to prepare for privacy incidents.

In the event of a privacy incident, move quickly and transparently. To that end, it’s a good idea to prepare the response and to practice responding to test incidents and scenarios as often as possible. In addition to responding to the incident itself, do root-cause analysis to figure out how it happened, which regulations apply to the incident, and which customers need to be notified. Prepare for a surge of data privacy requests post-incident; customers will want to know exactly what happened and whether they were impacted.

8. Manage third-party risk

The rise of supply-chain attacks, such as the high-profile SolarWinds incident, has made third-party risk from suppliers and vendors top of mind for many businesses. Before engaging with a supplier, client, or vendor, it’s crucial for organizations to think about such risks.

Rather than kicking off a deal with a vendor and applying privacy controls post hoc, build risk assessment into the processes used to interface with third parties from the get-go. These assessments should cover the scope of data that third-party providers are allowed to handle, what they should not handle, and what they need to do when a breach occurs. “It’s almost like a vendor assessment,” says Tripp. “It enables you to ask whether your suppliers are meeting certain regulatory requirements.”

Risk assessments shouldn’t end when a contract does. In fact, after ending a contract, companies should perform an audit to ensure the third party deletes any data that no longer belongs to them.

9. Leverage automation

Automation tools like those that Ernst & Young built using the Now Platform enable organizations to customize privacy-related processes that work for their business. They help automate processes, workflows, risk assessments, best practices, and frameworks—the building blocks of risk assessment and data privacy.

Since building privacy into existing processes and products is too complex to handle manually, automation tools play a substantial role in implementing and automating privacy by design.