Governments & Privacy


When the words “government” and “privacy” are put side by side, the knee-jerk reaction is usually a negative one. Since the days of Orwell, governments have been poking their noses into citizens’ business, and history suggests the association is not without merit.

Protectors of Privacy Rights

In the last decade, whistleblowers like Edward Snowden have shown that the communication boom of the internet era was accompanied by an increase in government monitoring and privacy abuses by the likes of the NSA, the Department of Homeland Security, and other bureaus. A charitable explanation of these practices is that, like many during the era, these actors didn’t fully grasp the cost and legal implications of the shiny new toys they could access. The less charitable explanation is that they did grasp them, but didn’t care enough to stop.

Nevertheless, the truth remains that government institutions are the most important protectors of the digital privacy rights of individual citizens. Businesses must play by the rules that governments make. Digital privacy has also become a critical governmental concern in recent years, directly reflecting the concerns of the general populace.

A high-profile case in point was Mark Zuckerberg’s congressional testimony in April 2018. Zuckerberg was called in front of Congress to speak on his company’s questionable data practices, particularly relating to the 2016 presidential election. The hearings made two things clear: first, there was a newfound abundance of concern and regulatory intention from the elected officials questioning Mr. Zuckerberg. Second, there was a striking lack of understanding or technical know-how from the same officials. The majority of these legislators are not digital natives, and even if they were, understanding the fine grain of digital privacy in this day and age requires time and attention to detail that no legislator could realistically afford to spend.

Future-proof Data

At Ethyca, we accept that, warts and all, governments are the chief protectors of digital privacy. However, in the fast-moving technology sector, they will always be playing catch-up. For SMEs, particularly those that aren’t digital-first, this creates a nightmare scenario of repeated, costly infrastructure overhauls. A one-time, future-proof data infrastructure upgrade is an investment that, over more extended periods, can prove very shrewd indeed.

Published from our Privacy Magazine – To read more, visit privacy.dev

A Framework for Privacy Risk Self-assessment


With the recent raft of worldwide privacy legislation, and much more to come, organizations of all shapes and sizes are being forced to evolve the way they do business. Those SMEs that can’t bring their operations into compliance with the GDPR, CCPA and other data privacy laws worldwide will be at a significant competitive disadvantage, and may even find that continued non-compliant operation is simply unsustainable.

In this “adapt or die” scenario, the essential first step to getting compliant is for SMEs to perform a rigorous self-assessment of their present-state data operation.

There are three basic formats to self-assessment:

  1. Business units can analyze their practices.
  2. Different groups within the organization can review and analyze each other.
  3. A single appointed party can assess each unit in the business.

At Ethyca, we believe in empowering a Data Protection Officer (DPO) to be a real focal point for all data-related business operations. So if scale permits, we recommend delegating full responsibility for the exercise to a DPO. Of course, each organization’s privacy self-assessment will be inherently different. However, the following aims to provide a framework that will serve as an excellent starting point for any business looking to evaluate its path to data privacy compliance:

First: Plan the Objective of the Assessment

Is your organization trying to determine whether existing policies ensure regulatory compliance? Deciding the specifics of what to assess is a critical first step.

Second: Conduct a Personal Information Inventory Check Across All Business Units

This involves answering the following questions:

  • What personal information does the business unit collect?
  • How do you collect personal information and in which situations?
  • Why do you collect personal information?
  • Who in the company uses personal information?
  • Who has access to it?
  • Where and how do you store personal information?
  • What methods are used to ensure it is secure?
  • Is it disclosed outside the company? If so, to whom and why is it disclosed?
  • How long is the personal information kept, and when and how is it disposed of?

Only by answering these questions can businesses understand the work needed to bring themselves into a state of regulatory compliance. It’s vital that the DPO cross-check these answers against provisions in the GDPR, CCPA, and other relevant pieces of regulation. Additionally, you should actively cooperate with internal or retained legal counsel proficient in privacy law. The exercise should result in a set of tasks or processes to accomplish to reach the desired level of privacy compliance.

Last: Review Past Privacy Complaints

Finally, we recommend reviewing privacy complaints as part of a privacy self-assessment, especially those that have arisen in the recent past; three years is a sufficient window. This will give you insight into where potential privacy pain points exist between your business and the consumer, so you can pay extra attention to these areas as you’re revamping them to be regulation-compliant. And if your organization doesn’t keep logs of such complaints, we’d like to say congratulations! You’ve uncovered another process that needs revamping to survive in the new competitive landscape!


How To Assess Vendors For Data Privacy Compliance


When small-to-medium enterprise (SME) team members begin to consider how the business landscape is changing in response to increased data privacy regulation, the procurement process is not usually high up on their list of answers. However, SMEs focusing too purely on in-house practices miss a key point. Both the GDPR and CCPA place new responsibilities on data controllers, that is, the company or other body that determines the purpose and means of personal data processing. Controllers need to ensure that all third-party vendors who touch their data are behaving in a compliant manner.

In short, the controller continues to hold responsibility for compliance, even when outsourcing processing duties. In-house compliance alone will not suffice. It’s now incumbent on SMEs to ensure that the vendors they work with also adhere to worldwide privacy standards.

Furthermore, the auditing process should optimally take place upfront, in the procurement stage. Contracts signed without the requisite due diligence can be difficult to back out of later, especially if it is revealed that a third-party vendor is operating in a non-compliant fashion. Businesses with deep existing ties to third-party vendors may not be able to start this audit process from the procurement stage. However, experts highly recommend that existing relationships be revisited and assessed from a compliance perspective.

With all that said, here are some of the questions that all SMEs should be asking their partners, whether it be during procurement due diligence or in the revisiting of an existing relationship:

First: Does the vendor have a Data Protection Officer?

Under GDPR, DPOs are now legally required for companies processing large amounts of data. It’s almost a certainty that vendors who specialize in data processing infrastructure are operating at a scale that necessitates a DPO. Failing to cover this necessary compliance measure should be a disqualifying red flag in any SME’s procurement process.

Second: How often are the vendor’s policies for storing and processing data on behalf of partners reviewed and updated?

Data compliance is rapidly changing and continually evolving. A telltale sign that a vendor lacks data privacy rigor is the absence of a process for regular policy updates. This field is the opposite of “set it and forget it.” SMEs should be on the lookout for this when auditing vendors for suitability.

Third: Does the vendor use sub-processors for the work they do on your behalf?

If so, what measures have they taken to ensure those entities operate in a compliant fashion? The data privacy chain extends to every processor that operates underneath the data controller’s umbrella, including “partners of partners.” If a vendor relies on others to help them do their work, they should be able to demonstrate those partners’ compliance.

Fourth: Does the vendor have tools in place to rapidly identify and communicate a data breach?

Under the auspices of GDPR and CCPA, data controllers now have a strict obligation to respond to data breaches concerning their data subjects. If third-party vendors are slow to recognize and report a breach, controllers may have no chance of handling it in a compliant fashion. Thus, reaction and response time is a crucial concern when evaluating a partner for suitability.

Last: What happens to data subjects’ information at the end of the partnership?

Without a clear-cut process for erasing subject data in a compliant fashion, a data controller could get stung by vendor negligence even after the business relationship has ceased to exist. For this reason, it’s essential to have data sunsetting processes built into third-party agreements upfront. Otherwise, controllers have no legal recourse if vendors mistreat their data after completion of the contract.
