Implementing an Effective Data Privacy Practice

Dhruv Gupta
Director, Cyber Security, CISM, CEH, ISO LA, DSCI DCPLA, GDPR DPO, Cyber Law, IPR

Data privacy is a matter of high importance for consumers as well as companies. Compliance with global privacy regulations like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and Privacy and Data Protection (PDP), together with the incorporation of data privacy principles like data subject rights, consent management, and privacy by design, is critical not just for compliance and audit purposes but also for safeguarding individual interests.

An effective data protection practice helps clients better defend their operations against insider threats, data exfiltration, and ransomware, and helps them meet compliance mandates, mitigate risk, and safely roll out innovative cloud initiatives. While most organizations have invested significantly in Data Leakage Prevention (DLP) and encryption, an end-to-end approach to managing the security of data from source to destination is largely missing.

3 pillars of data security strategy

A sound data security strategy comprises 3 pillars: plan, build and run.

Plan

Define what critical data is and why it is important to your organization

Identify process and data dependencies and understand the data flows

Discover and classify where sensitive data is located

Identify program gaps and prioritize the remediation options

 

Build

Implement and baseline data protection controls

Build-out and help mature the data protection program

Normalize tools and operational procedures

 

Run

Data policy and threat alert monitoring

Threat, policy and change management

Tools and device management

Incident response

 

The need of the hour is a holistic approach that begins with:

identifying data lying in legacy data stores

classifying the information discovered in various categories

defining policies on confidentiality using tools like DLP

applying filters on the information based on access rights to be given using technologies like DRM and encryption

providing 360-degree privacy compliance management through activities like data subject rights management, compliance, and consent management.

Typical IT services involved in implementing a data privacy practice include consulting, systems integration, and managed security services to deliver data-driven risk management programs that optimize resources to protect data. Adding analytics and cloud coverage can seamlessly extend on-prem policies; this can be achieved using technologies like UEBA and CASB.

We can also include basic security principles, such as assigning access rights based on least privilege and accounting for adequate separation of duties, and advanced defense-in-depth techniques that cover technical, operational, and administrative controls, along with appropriate technical architectures that can enforce data protection measures regardless of where the data is stored, used, or processed.

Challenges in implementing a Data Privacy practice

Data provides a critical foundation for every operation in your organization. Protecting and using it securely is central to a zero-trust strategy. Unfortunately, cybercriminals also see the value of data and seek to exploit security vulnerabilities to put your information at risk. Secure data solutions, whether on-premises or in hybrid multi-cloud environments, help you gain greater visibility and insights to investigate and remediate threats, and enforce real-time controls and compliance.

A key challenge lies in protecting the various types of data, which range from structured to unstructured.

Described Data: Content matching specific keywords, regular expressions or patterns, and file properties.

Structured Data: Account numbers, credit cards, government IDs, etc.

Unstructured Data: Financial reports, marketing plans, Microsoft Office documents, PDFs, etc.

Intellectual Property: Source code, product designs, etc.

Media Files: Scanned or electronically filled forms, images

 

The Regulatory aspect

With compliance with GDPR, CCPA and other global privacy regulations gradually becoming mandatory, organizations need both a process-driven and a tech-centric approach that addresses the following aspects of managing privacy:

The role of the Data Controller/Data Processor

Data Subject Rights Management

Consent Management

Data Discovery

Data Mapping

Assessment Manager

Incident Response

Personal Data Processing

Rights of Erasure

Communication of Data Breaches

Transfer and Disclosure

In conclusion, data privacy is critical to the survival of modern businesses. Leaders should embed data privacy into all processes that have a customer touch point within their company. No matter what size the business is or how mature the compliance program is, most businesses have room for improvement when it comes to data privacy. An ideal approach is to evaluate your company’s data privacy policies and practices at frequent intervals, to make sure you are utilizing all the resources at your disposal to protect your clients’ data, your business’s bottom line, and your customers’ trust in your company.
