Sophie Chase-Borthwick, Director of Data Ethics and Privacy, Calligo
Privacy is essentially just a data security problem, right? Surely, the requirement to act more responsibly with personal and sensitive data equates to protecting it better, encrypting it and preventing hacks and leaks?
Many financial businesses assume exactly this, and that data privacy, whether GDPR or California’s new CCPA, is merely an IT security problem. However, it goes far wider than that.
For the chief information security officers (CISOs) that have been assigned responsibility for privacy within their organisation, it can often be seen as an unenviable task. Few boards and and executive teams understand the detail of what is required for GDPR adherence or Privacy by Design to assign enough or the right resource to the task.
In fact, we regularly hear stories from financial services organisations of all sizes about shoddy approaches to data privacy, especially GDPR, with some assuming that just because they have a data security function, adherence is a given.
However, as an experienced CISO, you will understand that privacy is not as simple as ring-fencing your data. You will appreciate that because GDPR in particular requires the responsible management and use of data, just as much as its responsible protection, that a privacy strategy needs involvement from every part of a financial organisation, including marketing, HR, sales etc.
But many businesses did not think like this. Or more accurately, many CISOs were fully aware of the extent of the task, but were not given the time or resource to address it appropriately. Many were forced to focus on the parts they could fix the fastest and the easiest, predominantly technology and data protection, leaving major gaps in processes and people – the two other equally-important pills of adherence.
Others were bending over backwards to cover the basics of the new requirements, but saw their wider security strategies either derailed or delayed in the process, leaving many financial businesses more susceptible to security breaches than they were before. These are real scenarios that we have seen time and again amongst our clients.
So, how is it possible to balance data privacy with wider security strategy? Many argued when GDPR came into force that it represented a huge opportunity for those in CISO roles to change the perception of their input and value to a business; from simple data protection to instead safeguarding data across its entire lifecycle.
But how can you put this into practice? How can a CISO build the strategy that achieves the immediate data privacy goal, while enhancing – not weakening – wider data security initiatives, and their own standing?
Assess your business holistically
There are eight domains that require addressing for a successful privacy strategy: governance and accountability; risk management; security management; third party management; incident management; personal information management; rights of data subjects; and finally, understanding the scope of your organisation as it pertains to the relevant legislation.
The most obvious observation for many CISOs will be that many of these areas are outside their traditional scope. However, they all need equal attention and they are all unavoidably part of the project they are leading. The trick is to not let yourself focus on only the more easily-addressed “home turf” security areas, nor be drawn by the business too far into the non-security areas.
Ask for help
For some, this will be one of the hardest steps – either personally or politically – but it is essential. As mentioned above, there are eight areas that need addressing equally. This means that assistance from experts across the wider business is vital. No one expects a CISO to be well-versed in the legal rights of data subjects, or in how to build a perfect Privacy Policy, but you will need to recruit support from the internal subject matter experts who are, then act as the intermediary between them all, and lead from the front.
Perform a GAP analysis
Before you can even think about aligning your organisation to a privacy strategy, you must identify your baseline and areas of improvement. What are the minimum requirements within each of the eight areas for your business to be in line with the legislation facing you? And, what constitutes particularly robust observance? Finally, where on this spectrum are you aiming for and how does that compare to your current state?
Present your action plan
The GAP analysis will have provided you with a starting point and a series of non-conformances to address. The next step is to prioritise the remedial tasks required and plan how they will be executed. It is however imperative to demonstrate that the plan is tied to, but not wholly based on, the security strategy. Sales, marketing, HR, IT etc. must all understand that they have equal parts to play, and be equal in their accountability.
Secure wider resource
The final part of the process is to identify the most suitable individuals to assist. This controlled delegation maintains the CISO’s position as the lead on the project, ensures good project management and execution, while also safeguarding the security team’s resources.
It’s clear that a privacy strategy is an organisation-wide initiative and encompasses all areas of technology, people and processes. It requires far more than building higher walls around your data, or simply gaining renewed consent from customers. However, it’s important to remember that this will not be widely understood, and given it is commonplace post-GDPR for CISOs to be handed responsibility for privacy, you will need to take the initiative on a whole host of procedures and processes that span your entire enterprise – and may not be within your comfort zone.
However, get it right and you will engender more trust from within your customer base – an important commercial outcome that you can take no small amount of credit for.
