It's challenging enough for compliance to keep up with the multitude of constantly changing global rules and laws on information privacy; ensuring that various business units throughout a far-flung global enterprise not only remain in compliance but also manage data security risks? That's a tall order.
The task grows infinitely complex at companies with decentralized data centers and where business units collect their own consumer data, managed on their own servers, under a separate set of policies and procedures.
Managing the risks that stem from these challenges was the theme of an executive roundtable last month in Atlanta hosted by Compliance Week and TRUSTe, a provider of online privacy solutions. The event was attended by more than a dozen compliance, risk, and information-security executives from a wide range of industries.
While all agreed that information security concerns are growing more complex by the day, Scott Woodison, executive director of compliance and enterprise risk at the Board of Regents, University System of Georgia, said the overarching solution can be summed up in three steps: “Identifying critical data, figuring out where it is, and figuring out who should have access to it.”
Yet meeting these goals requires going down a long path of adopting good information security practices and policies and pushing them throughout the organization. Many participants said that getting the workforce on board is often the hardest part. “My biggest challenge right now is cultural. We do not use information to its fullest extent due to compliance uncertainty and a lack of governance to guarantee that we're treating the data that we collect ethically and intelligently,” said one attendee.
One of the problems is that companies are working to overlay data security practices on already ingrained processes. JoAnne Furtsch, director of product policy at TRUSTe, said that order needs to be reversed. She said more companies are adopting a concept called “privacy-by-design,” where privacy is planned and implemented early in the development phase of product and marketing processes.
“Business moves so fast these days that we have to always ensure we keep privacy in mind at the earliest beginnings of a new project,” said Jodi Daniels, director of privacy at Autotrader.com. “We can respond best early on in the project.”
TRUSTe Chief Executive Officer Chris Babel provided the example of a marketing team that is working to roll out a geolocation app for mobile devices. “That could present a privacy issue,” he said. If the compliance or privacy executive finds out about the product the day before it launches, any questions or concerns that may arise from that point on are “so late in the process that the team is just going to want to avoid you,” he said.
In order to change that frame of mind, compliance must make a case for how it can help the business, said Babel. “You have to approach it almost as a sales pitch,” he said. “Help them understand that you can actually help their business.” Find ways to show them, for example, how bad privacy practices damage the company's brand, and how you can help them build the brand in a positive light, he advised. He said it's up to compliance to change any lingering idea that the compliance department is there only to tell you what you can and can't do.
One solution may be to recruit the help of the legal department, because they may be able to better convince the business that privacy issues are a potential liability, and that's something the business will pay attention to, said Paige Needling, senior global IT governance lead at Recall. For others, getting buy-in from the business to get the necessary security systems implemented sometimes is more about who's footing the bill than anything else. “Generally speaking, sometimes it's more a question of what department is going to provide the budget,” said Needling.
If limited resources are an issue for the business, said Woodison, you need to determine where to put controls in place to protect the most valuable data. Such controls may include encryption, authentication solutions, limited access, or data leak protection, he said.
Failure to Communicate
Roundtable participants repeatedly said that getting everyone in the company to think collaboratively about privacy in order to better manage the risks is a huge hill to climb. No surprise, then, that all attendees spoke of the need for better communication.
“It's important for compliance to have a seat at the table when important decisions are being made,” said Courtney McBurney, compliance officer for GE Energy. “One key to that is having good relationships with business leaders and other functions so that they reach out when the situation warrants it.”
|
|
TRUSTe's Furtsch said building the relationships and procedures up front can go a long way toward facilitating good information privacy practices. “It's really establishing the lines of communications and also creating guidelines to enable the business to do these things without necessarily having to check in, or do a lengthy privacy-impact assessment,” she said.
As technology evolves and data gathering continues to grow exponentially, the tensions between compliance departments and the business could only grow—especially as cloud computing gains more traction, due to the flexibility and speed with which new systems can be implemented.
“We certainly support whatever solution is best for the company, but more risks are introduced as we increase third-party solution providers,” another executive said. “We need to make sure that the organization understands the risks, and partners with the right groups—primarily information assurance and security—when implementing cloud solutions.”
Collaboration and communication can only go so far, however, especially when dealing with third parties. Some participants recommended a more tactical solution: get it in writing. They said that whenever the business presents a contract for any new data storage or exchange, the contract must include certain compliance requirements. For example, vendors must test for security controls and further show evidence that they have programs and processes in place to test for those controls.
|
|
For the most part, when it comes to the IT department, all they want is clarity. “Telling them what they can do and can't do is fine,” said one executive. The real question is, “How do you help them make good decisions and be part of that decision?”
All data should not be treated equally, either, the group agreed. In order to implement good privacy, you need to determine what it is that needs protecting, said Woodison, whether that data is personally identifiable information, intellectual property, or financial information.
Most attendees agreed that good privacy cannot be achieved, however, unless all the various functions—including compliance, privacy, security, IT, audit, and legal—come together and really share concerns as a group to determine where privacy controls need to be implemented the most. But, stressed Needling, that takes “a lot of education, a lot of time, a lot of building relationships.”