Taking a Regulation-Agnostic Approach to Privacy
Don’t look now, but the next generation of privacy rules is arriving in the United States. As if privacy and security professionals didn’t still have enough trouble with the first generation.
California went first, with the California Consumer Privacy Act (CCPA) which went into effect at the start of 2020. Since then, Colorado and Virginia have enacted their own updated privacy statutes; Florida considered new legislation but didn’t adopt it; Ohio introduced privacy reforms; and California adopted yet another new law, the California Privacy Rights and Enforcement Act, that will go into effect in 2023.
Meanwhile, businesses still have federal privacy standards dictated by HIPAA (for healthcare data), PCI DSS (for credit card data), FedRAMP (for SaaS providers bidding on government contracts), and other regulations. There’s also the European Union’s General Data Protection Regulation (GDPR), other overseas privacy statutes…and, well, you get the idea. It’s anyone’s guess what will come next.
Compliance officers need a more sustainable, strategic approach to managing so many rules and requirements. That approach needs to be something that can accommodate future rules easily.
Moreover, you’ll need to keep proof of your organization’s compliance with these privacy rules to reassure skittish customers looking for assurance that, yes, your business takes data privacy seriously. To be able to provide that assurance, you will also need to take data privacy seriously by embracing privacy by design or some similar philosophy as much as possible.
What you need, then, is a “regulatory-agnostic” approach.
Where Privacy Principles Come From
Talking about the importance of privacy principles is easy— but where, exactly, do they come from? Several resources exist.
One good example is the Federal Trade Commission, which identified five main privacy principles in 1998 that still endures to this day:
- Notice and awareness
- Choice and consent
- Access and participation
- Integrity and security
- Enforcement and redress
But that’s not the only set of privacy principles available. For example, the American Institute of Certified Public Accountants and the Canadian Institute of Chartered Accountants developed their own Generally Accepted Privacy Principles (GAPP) in 2009. GAPP has 10 principles, more than the FTC’s five, but the same basic concepts of choice, consent, disclosure and enforcement permeate both.
Meanwhile, Privacy by Design (first developed by a privacy commissioner in Ontario in the 1990s) has seven principles. Those principles focus more on how privacy should work within business systems: privacy as the default; embedded into the design; security lifecycle management of information end-to-end, and so forth.
Other standards, frameworks, and sets of principles exist as well. Search as much as necessary to find whatever principles are the best match for your organization, and don’t be afraid to mix and match if that’s what works.
What a Regulation-Agnostic Approach to Privacy Is
This approach to privacy doesn’t begin by asking, “What are all the privacy compliance obligations facing our business?” because those obligations will change over time. Instead, ask a simpler, more strategic question: What are the organization’s core priorities for privacy and security?
For example, the business might want to collect less information to keep its compliance obligations low. It might want to collect lots of information (which is great for marketing, after all) while making the investment to secure that data more thoroughly. It might want to use internally built technology to reduce vendor risks or embrace SaaS providers for greater efficiency and lower costs while accepting the need for more assurance over those vendors.
Once those privacy priorities are clear, you can adopt one set of controls that implements your most important privacy principles. The NIST privacy framework, for example, is one good place to start. So are the seven principles of Privacy by Design (authored by former Information and Privacy Commissioner of Ontario Ann Cavoukian) or the ISO 27701 standard for privacy management.
The point here is that the business must define how it wants to embrace privacy as part of its daily operations. That requires senior executives to think about business objectives and strategy and how concerns about privacy fit into those larger questions. Once that understanding is clear, you can use a framework to implement a set of controls that puts those privacy priorities into practice.
Then you can get more precise, mapping those controls to specific requirements of different laws so you can ensure compliance with whatever privacy rules might crop up. But remember the bigger picture here: the organization defines and implements its own priorities for privacy first and then fine-tunes its controls to specific privacy compliance obligations.
That’s far wiser than the alternative of forcing additional controls onto the business every time a new privacy rule crops up. And you can be sure that more privacy rules will crop up.
Looking to build an effective, enterprise-wide data privacy program that allows you to comply with multiple, disparate data privacy laws around the globe?
You Have an Incentive to Do This
Another argument in favor of this approach to data privacy: businesses have a strong economic incentive to embrace effective privacy and information security frameworks.
For example, Utah and Ohio both offer liability protection for companies that suffer a data breach if the company creates and maintains a cybersecurity program modeled after certain frameworks (The frameworks include PCI DSS, NIST 800-171, FedRAMP, and a few others). To qualify for that protection, the company needs a written cybersecurity program that includes both technical and administrative controls, but the concept is clear: if you base your privacy and security program on a proven framework, the government will give you more favorable treatment in the event of a breach.
The same is also now true with HIPAA compliance, thanks to the HIPAA Safe Harbor Law passed earlier this year. If a company uses industry-standard best practices to protect personal health information, that accelerates the audits federal regulators might require and reduces the potential fines regulators might impose for a breach.
Other benefits include potentially lower insurance costs and a talking point your sales teams can use while talking to customers: that your business takes privacy seriously, and can be a trustworthy third party for customers.
Creating a Regulatory-Agnostic Privacy Program: What You’ll Need to Get Right
First, as we mentioned already, your organization will need to decide what its privacy principles are; from there you can (using frameworks) derive specific privacy policies and controls. And since those principles will intersect with business objectives, senior management really will need to sit down and think about this question.
For example, you don’t want to alienate operating units by placing too much burden on them; that could pigeonhole your compliance program as something to be sidelined and avoided. You also want to consider the privacy issues that might arise from new business ventures (including expansion into new geographic markets) or marketing campaigns. Who gets to review and approve those plans? Who gets to veto them? What process will be in place to ensure privacy concerns are part of those reviews and approvals?
Second, you’ll need to be clear about roles and responsibilities to implement whatever privacy regime you decide to implement. For example, what role will the CISO play? Who implements measures such as training, third-party contracting, or other measures that historically aren’t the CISO’s job, but are important to success? What about a regulatory compliance officer who already handles privacy issues for, say, pharmaceutical or banking industry regulators — what role does that person play?
Third, you’ll need strong documentation capabilities. That means you’ll need a single source of truth for data or evidence about your privacy program’s effectiveness, so you can promptly conjure up necessary evidence for any auditor, regulator, or sales prospect who comes asking.
Related article: Evidence Collection for Security Assurance: The Challenges and Solutions
One sensible idea I’ve heard is this: to establish privacy controls according to some proven framework you’ve decided to use. (For instance, the NIST privacy framework is one good place to start, especially if your organization is already familiar with the NIST Cybersecurity Framework). Tie specific privacy policies to those controls and tag those controls with comments or additional fields about the specific legal requirements they’re meant to address. Then, when someone asks, for example, “How are you complying with the GDPR in Europe?” you can pull up all relevant documentation with a few easy commands.
That’s a regulation-agnostic approach to privacy. That’s how you can satisfy the many privacy gods demanding attention from your business.
Get the Latest on Compliance Operations.
Matt Kelly is editor and CEO of RadicalCompliance.com, a blog and newsletter that follows corporate governance, risk, and compliance issues at large organizations; it includes the Compliance Jobs Report, a weekly update on compliance professionals moving around the industry. He also speaks on compliance, governance, and risk topics frequently.
Kelly was named as ‘Rising Star of Corporate Governance’ by Millstein Center for Corporate Governance in inaugural class of 2008; and named to Ethisphere’s ‘Most Influential in Business Ethics’ list in 2011 (no. 91) and 2013 (no. 77). In 2018 he won a Reader’s Choice award from JD Supra as one of the Top 10 authors on corporate compliance.
Kelly previously was editor of Compliance Week, a newsletter on corporate compliance, from 2006 through 2015. He lives in Boston, Massachusetts, and can be reached at mkelly@RadicalCompliance.com or on Twitter at @compliancememe.