Companies and organizations tend to get lost in the various Data Protection laws and regulations. How can this domain be simplified and made into a competitive advantage?
Anyone can get overwhelmed by the myriad of Privacy legislation, ranging from international laws and regulations to local guidance issued by data protection authorities. By simplifying the issues, taking an ethics-based approach and focusing on the protection of personal data as a human right, the pieces fall more easily into place.
What is Privacy? And how does it relate to Data Protection and Information Security?
Privacy is a basic human right, set forth in Article 12 of the Universal Declaration of Human Rights (UDHR), adopted on 10 December 1948. I.e. already 72 years ago the people behind this declaration were highly aware of privacy as fundamental to individual rights and freedoms. Most Privacy legislation builds on the principles of the UDHR. As Samuel Warren and Louis Brandeis put it in their 1890 article “The Right to Privacy”, “the right to life has come to mean the right to enjoy life, — the right to be let alone”.
Data Protection is the legal term for safeguarding individuals’ (Data Subjects’) rights and freedoms by protecting their personal data against misuse and undesired sharing. I.e. it is not the only way of protecting this right, but obviously an imperative one in our digital age. Many countries now have separate Data Protection laws or regulations. The best known, and what has become the global “gold standard”, is the European General Data Protection Regulation (GDPR). It entered into force in all EU member states in May 2016 and became applicable, after a two-year transition period, on 25 May 2018, and in the EFTA (non-EU) EEA states Norway, Iceland and Liechtenstein on 20 July 2018. This way, all European Economic Area (EEA) members have introduced GDPR directly or as part of their national Data Protection laws. For Switzerland, as a non-EU and non-EEA member, the Federal Act on Data Protection (FADP) is in the process of being revised and aligned with GDPR principles and content, and the revised act is due to be published in 2020.
One very important, and often misunderstood, aspect of GDPR is the “balancing principle”. GDPR was not established only to safeguard people’s rights and freedoms, but also to facilitate economic growth through one single law with a common implementation and interpretation: Article 1 names both the protection of natural persons and the free movement of personal data within the Union as its subject matter. Such a law instils confidence in the population, who subsequently tend to share data more willingly, including across borders. In the information economy, this is crucial for growth. The principle is, in other words, the balance between safeguarding people’s rights and freedoms and the desire for economic growth.
Information Security is the discipline of ensuring the Confidentiality, Integrity and Availability of information and information systems; Non-Repudiation is often added to this “CIA triad”. Administrative and technical security measures contribute mainly to the Confidentiality of personal data, although GDPR’s security requirement (Article 32) explicitly names the confidentiality, integrity, availability and resilience of processing systems. Many other functions contribute to a Data Protection program: Board Members, Executives, Legal, Internal Audit, Operations, Finance, Marketing & Sales, Procurement, HR and IT. Hence, Data Protection is an organization-wide effort and not the same as Information Security, even if that function is crucial in ensuring data confidentiality.
What do these laws and regulations cover?
GDPR, FADP and similar laws and regulations cover the protection of personal data: data which directly or indirectly may contribute to identifying an individual. Hence, it is not only Personally Identifiable Information (PII, as the term is used in the Information Security domain), but also data which in combination with other data may lead to identification. E.g. a social security number identifies a person directly, while the IP address assigned to a home internet connection may identify someone indirectly.
Whether data is classified as “personal data” or not can be determined by looking at a simple question: does this data help identify a person within a group? The type of data that could be “personal data” can vary depending on the size of the group. For example: information about nationality, in and of itself, is not sufficient to identify a person in the entire world. However, the same information about nationality in reference to a small group of people of different nationalities, will be sufficient to single out one individual. This is why – in data protection – organizational context is essential to establish the right data protection strategy, and what works for others may not work for your organization.
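To make the group-size test concrete, here is an added Python example; it is not part of the original article, and the people in it are constructed sample records, not real data. For a chosen set of attributes it computes the smallest number of records that share the same values (the number the anonymisation literature calls k). If k is 1, those attributes single out at least one person within that group. Applying the same function to attribute combinations shows how data that is harmless on its own becomes identifying in combination, and how the answer changes with the size and composition of the group.

```python
"""Identifiability check: do these attributes single out a person within a group?

Added example, not from the original article. All records below are constructed
sample data (hypothetical people), not real personal data.
"""
from collections import Counter
from itertools import combinations

# Constructed sample: a small team of five. Only one member is Norwegian, so
# "nationality" alone singles that person out within this group.
SMALL_TEAM = [
    {"nationality": "Swiss",     "city": "Zurich", "dept": "Sales"},
    {"nationality": "Swiss",     "city": "Zurich", "dept": "IT"},
    {"nationality": "Swiss",     "city": "Bern",   "dept": "Sales"},
    {"nationality": "Norwegian", "city": "Bern",   "dept": "IT"},
    {"nationality": "Swiss",     "city": "Zurich", "dept": "IT"},
]


def build_large_group(n=60):
    """Constructed sample of n records whose three attributes cycle with
    periods 4, 5 and 3. Each attribute alone is shared by many people, but the
    combination of all three is unique for every record (lcm(4, 5, 3) == 60)."""
    nationalities = ["Swiss", "German", "French", "Italian"]
    cities = ["Zurich", "Bern", "Geneva", "Basel", "Lausanne"]
    depts = ["Sales", "IT", "HR"]
    return [
        {"nationality": nationalities[i % 4], "city": cities[i % 5], "dept": depts[i % 3]}
        for i in range(n)
    ]


LARGE_GROUP = build_large_group()


def min_group_size(records, attributes):
    """Smallest number of records sharing the same values for `attributes`.

    This is the k of k-anonymity for that attribute set: k == 1 means at least
    one person is singled out, i.e. the attributes act as an identifier within
    this particular group."""
    counts = Counter(tuple(record[a] for a in attributes) for record in records)
    return min(counts.values())


def singles_out(records, attributes):
    """True if `attributes` identify at least one individual within `records`."""
    return min_group_size(records, attributes) == 1


def singling_out_combinations(records, candidate_attributes, max_size=2):
    """All combinations of up to `max_size` candidate attributes that single
    out at least one person. This finds indirect identifiers: attributes that
    are harmless alone but identifying in combination."""
    found = []
    for size in range(1, max_size + 1):
        for combo in combinations(candidate_attributes, size):
            if singles_out(records, combo):
                found.append(combo)
    return found


if __name__ == "__main__":
    attrs = ["nationality", "city", "dept"]
    print("small team, nationality only:", min_group_size(SMALL_TEAM, ["nationality"]))
    print("large group, nationality only:", min_group_size(LARGE_GROUP, ["nationality"]))
    print("large group, all three attributes:", min_group_size(LARGE_GROUP, attrs))
    print("identifying combinations in large group:",
          singling_out_combinations(LARGE_GROUP, attrs, max_size=3))
```

In the small team, nationality alone gives k = 1; in the constructed group of sixty, nationality alone gives k = 15 and only the combination of all three attributes singles anyone out. Run the same functions over an export of the candidate attributes in one of your own datasets, and the result will reflect your group, not someone else’s, which is the organizational-context point made above.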
How does this all impact my organization?
Let’s be honest: it does take an effort to become compliant with the mentioned laws. The good thing is that much of it is common sense, and a direct result of treating personal data from an ethical point of view. E.g. it is data which belongs to someone else, which you and your organization have been allowed to borrow for a specific purpose and for a certain period of time. If you lend your car to someone, you would want to know what it will be used for, where it is going, who will be using it, when you will get it back and in what condition, and not least what the procedure is if there is an undesired incident. The same goes for your personal data, which is well protected by laws and regulations.
To comply with Data Protection laws, the entire organization needs to be involved. Everyone will at some point have access to personal data and needs to know their obligations and what these may entail legally, administratively, operationally and financially. I.e. a certain baseline of knowledge is required, with tailored training depending on the function and level in the organization. Enforcement is also required: the best processes and procedures are useless if it turns out they have not been communicated adequately, or if the people using the data are bypassing them.
Certain processes will need to change to align with the administrative and technical measures protecting the personal data. For ongoing compliance it is imperative to be able to track transfers of such data and to document these data flows (GDPR Article 30 requires most controllers and processors to keep records of their processing activities). There may be a need for a Data Protection Impact Assessment (DPIA) and to appoint a Data Protection Officer (DPO); under GDPR Article 37 a DPO is mandatory for public authorities and for organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data. The DPO may be external expertise, and not necessarily a full-time position. Appointing an external DPO also helps avoid the conflicts of interest that may arise if an internal DPO also covers other functions incompatible with the DPO’s independent role.
Some organizations go for the bare minimum, by just becoming compliant: the compliance-based approach. This is based on the fear of legal consequences of non-compliance and does not really have the interests of the Data Subjects in mind. It essentially means implementing the absolute minimum of measures to be able to “tick those famous boxes”. This type of approach can be cheaper, but it is often standardized and does not take into account the specifics of the industry, especially when it comes to building and maintaining customer relationships.
Others go one step further with a risk-based approach, caring about their organizational reputation, their revenue and potential losses in case of data breaches. This is done by analyzing the data which is collected, held, processed and shared, and the threats associated with the various types of data and their processing. Some also undertake a DPIA, assessing the potential risks to the Data Subjects; under GDPR Article 35 this is mandatory where the processing is likely to result in a high risk to individuals, which depends on the category of data and the amount and frequency of processing.
In order to fully embrace Privacy as a basic human right, organizations ought to take the ethics-based approach, i.e. safeguarding Data Subjects’ rights and freedoms because it is the right thing to do: not because one wants to avoid legal fines, or because revenue may suffer in case of non-compliance and data breaches, but because one cares about customers, employees and partners and their right to Privacy and protection of personal data. Ultimately, a company is formed by the people who run it and the people who buy its products or services, hence it makes sense to put their rights at the forefront of company initiatives.
Once the ethics-based approach is adopted, it becomes much clearer what needs to be done. Everyone in the organization can identify with the purpose of the Data Protection strategy and program, and with how personal data must be perceived: just like the car we lend to someone. This approach additionally has the advantage of turning a Data Protection initiative into a competitive edge, with improved brand equity, increased trust from all stakeholders, stronger loyalty from customers, better data governance and management, better insights from data, higher-quality business decisions and increased growth and profitability. Organizations which have taken this approach will attest to its advantages.
Are there any “quick wins”?
The answer is yes, and identifying “quick wins” is one of the first action points. Certain obvious non-compliance can be rectified swiftly: erase data that is no longer needed (past its original purpose, old or irrelevant; this is GDPR’s storage limitation principle in Article 5(1)(e)), create a proper online Privacy Statement, publish the Data Subject rights and the Data Protection complaint process, introduce identity and access management with role-based privileges so that only those who need personal data for their function can reach it, patch high-risk systems and close obvious vulnerabilities in the systems holding personal data.
Great, and where do I start?
You always need to know what the present state is. A high-level rapid assessment will provide you with insights into immediate priorities, potential “quick wins” and the next steps you need to take. A Data Protection strategy and program that sets you apart from your competitors is a longer-term aspiration, but it should run in parallel with implementing the “quick wins”. These two tracks are interdependent, and both serve an imperative purpose.