Many of our clients are being impacted by new regulations and standards around consumer or citizen privacy. Privacy groups in these organizations have a list of necessary objectives they must meet, and they would be well served to follow the well-trodden path of peers from other departments who have conducted or are conducting similar efforts related to personal data. It also helps not to silo efforts: we know that privacy initiatives are significantly more likely to succeed if privacy leaders partner strategically with information security professionals.
Privacy Benefits From Information Security Experience
The privacy role traditionally authors internal policy, builds frameworks, and advises the organization on best practices. In some organizations, privacy takes a more active and authoritative role, but often the execution of privacy mandates is handled in the business. Requirements like the often-cited “right to be forgotten” require that privacy have a better understanding of the systems and processes in the organization. In most organizations, privacy departments are building capabilities (either internally or with outside expertise) to identify, track, monitor, and take action on consumer data.
Even if these tasks are just being performed at the strategic level to direct policy development, it is important for these teams to communicate with their peers in information security, information technology, legal, and records management. While the specific requirements vary, these functions have been involved in the necessary data mapping, system inventory, data and content clean-up, and analytics work required to execute against other policy requirements. In many cases, the internal controls that have been created by information security, for example, will already cover a majority of the requirements brought on by the new privacy standards. At the very least, there are likely previous projects conducted in these groups that can provide a solid foundation of documentation on which privacy initiatives can begin building. This is especially true when privacy begins to think about the technology capabilities that are required to assess the data and content that exists in the organization today.
Finding Synergies in Information Security and Privacy Tools
Regardless of the reason for identifying data and content, many of the existing tools are capable of doing a sufficient job in multiple use cases. For example, if information security is using a content analytics tool to identify sensitive information in the environment, it is very likely that the same tool can be used to meet the needs of privacy.
Privacy practitioners should also speak with their peers who have done data analysis to better understand how the existing tool sets can help execute against policy and where they will struggle. For example, searching for patterns like Social Security numbers can be done easily with a regular expression, by telling the tools to look for a number in the format of “xxx-xx-xxxx.” But if the document or data was not appropriately tagged to begin with, the tools cannot answer more complex queries, such as “find all data that…”, for data covered by a particular corporate policy or even a specific security designation.
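The contrast described above, as an added example that is not part of the original post: a content scan for SSN-format values next to a metadata query by policy tag, and the set of documents the tag query misses. The document records, their ids, and the `PII-Handling` policy name are constructed for illustration.

```python
import re

# "xxx-xx-xxxx" layout; \b keeps the match from starting inside a longer token.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")

def plausible_ssn(area, group, serial):
    """Drop values the SSA never issues, to cut false positives from look-alikes."""
    return not (area in ("000", "666") or area.startswith("9")
                or group == "00" or serial == "0000")

# Constructed sample inventory: some documents carry a policy tag, some do not.
DOCS = [
    {"id": "hr-001", "tags": {"policy": "PII-Handling"},
     "text": "Employee SSN: 123-45-6789"},
    {"id": "fin-014", "tags": {},
     "text": "Payee tax id 517-22-0198 on file."},
    {"id": "ops-203", "tags": {},
     "text": "Part number 000-12-3456, rev B."},
    {"id": "mkt-090", "tags": {"policy": "PII-Handling"},
     "text": "Customer opted in to email; no identifiers stored."},
]

def pattern_hits(docs):
    """Content scan: ids of documents holding a plausible SSN-format value."""
    return [d["id"] for d in docs
            if any(plausible_ssn(*m.groups())
                   for m in SSN_RE.finditer(d["text"]))]

def policy_hits(docs, policy):
    """Metadata query: only sees documents where someone applied the tag."""
    return [d["id"] for d in docs if d["tags"].get("policy") == policy]

def coverage_gap(docs, policy):
    """Documents with SSN-like content that the policy query cannot find."""
    tagged = set(policy_hits(docs, policy))
    return [doc_id for doc_id in pattern_hits(docs) if doc_id not in tagged]

if __name__ == "__main__":
    print("pattern scan:", pattern_hits(DOCS))
    print("policy query:", policy_hits(DOCS, "PII-Handling"))
    print("untagged gap:", coverage_gap(DOCS, "PII-Handling"))
```

The gap list is the practical output: it is the untagged content that a policy-driven request would skip and that needs tagging before tag-based queries can be trusted.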
Structuring Cross-Department Collaborations for Success
Leading organizations have realized that there are common challenges facing multiple internal functions like privacy, information security, compliance, records management, etc., so they formed cross-functional groups to share learnings and best practices. These can be useful if there is executive sponsorship and collaboration is incentivized. But such a group can easily turn into just another meeting on the calendar that is ignored in favor of more urgent matters. To avoid this, clearly define roles and responsibilities on the team and focus the sessions on mutually beneficial tasks, such as creating and maintaining a policy cross-walk to identify overlap in particular policy requirements.
Doculabs has worked with organizations at each step along this journey and would value the opportunity to discuss the specific challenges of your organization and how our team can help.