Around the world, governments are responding to the massive troves of personal data that companies and healthcare entities are amassing, and to a rash of data-security breaches, with new and strict guidelines, regulations, and laws. In response, privacy and compliance programs increasingly intersect.

Unfortunately, working together is often easier said than done, and the regulatory focus on data raises an abundance of questions. Should compliance oversee privacy, or must they be independent? What defines a healthy working relationship among those involved, including compliance, IT, marketing, and the board? What is the prescription when these separate interests are at loggerheads? A panel of privacy experts addressed these questions, and others, during a session at the Compliance Week Europe Conference in Brussels last week.

Build Bridges

A key to bringing compliance and privacy together lies in diplomacy, said Jennifer Aikins-Appiah, regulatory compliance officer for CPA Management Services. When implementing a privacy program, even one with top-level sign-off or executive sponsorship, departmental silos need to be broken down.

“There is no point implementing something that no one is going to buy into,” she said. “Ultimately these are going to be the people who ensure compliance among their staff. They are going to be your gatekeepers.”


Reaching out to middle management and to the IT and privacy corners of an organization, rather than issuing marching orders, is far more effective in getting buy-in and much-needed help, Aikins-Appiah said. However, compliance officers shouldn’t fear standing their ground when the need arises. “Sometimes you do have to be a little confrontational,” Aikins-Appiah said. “I don’t mean put on your boxing gloves and wage world war within your organization; what I mean is to have open conversations. Some of the concerns may actually be justified and valid because the people you are talking to have more experience with the departments you are trying to reach and the things you are trying to implement. Their advice will help your policy go much further.”

After a privacy program is implemented, a compliance officer should maintain his or her “charm offensive,” Aikins-Appiah said. “Don’t become invisible,” she said. “You have a privacy-by-design program you want everyone to abide by, but then go and sit at your desk all day where no one can see you? Put yourself out there. Try to engage not just with the managers but all levels of staff.” This outreach gives the CCO a better view of what is happening across the organization’s various units. “You want to be on the forefront of any potential risks around data breaches,” she added. “You need to be on the ball.”

Watch the Headlines

Being on the ball also requires knowing what is happening around the world, not just within company walls, Aikins-Appiah said. When Canada passed its new anti-spam law, it had implications for marketing efforts, and those issues had to be dealt with immediately. Enforcement actions must also be watched keenly, as they signal governmental priorities and help set a company’s risk weightings.

Other developing trends include EU-wide privacy rules that, although delayed, could go into effect by 2017; the continuing U.S. crackdown on healthcare data breaches; and the growing concern over Big Data.

Multiple Hats, or One?

Should privacy and compliance be melded together? Uwe Fiedler, global privacy officer for Parexel International, a pharmaceutical research company, sees value in keeping the two functions separate.

[Sidebar, “Privacy vs Security”: an excerpt from Jose Tabuena’s slides at CW Europe illustrating the seven privacy principles; the slide image is not reproduced here. Source: CW Europe.]

“It is helpful to have separation,” he said, explaining that the role of both compliance and privacy officers is to report risks to the board and leave the matter in their hands. To ensure that the board takes matters such as privacy and breach notifications seriously, he suggests a firm recitation of all the executives and board members who have either lost their job or gone to jail for their negligence.

“One of the issues is of size and scale,” countered Jose Tabuena, chief compliance officer for Next Health (and a Compliance Week columnist). “At smaller, mid-size companies it is probably too much to have a chief in every area—chief information security officer, chief information governance officer, chief anti-trust officer. All of these typically fall under the risk domain of compliance, which is the overarching framework. In most of my experience the chief compliance officer is also the chief privacy officer.” At his company, a healthcare start-up, he serves as the compliance officer and has a privacy specialist who reports to him. That specialist has more day-to-day responsibility for privacy issues.

Tabuena did concede, however, that in some industries the “privacy risk might be so large that you start having to put more resources in that area.”

What’s on the Horizon?

The need for compliance, privacy, and IT to work cooperatively will only become more pronounced in the months ahead.

At the conference, Sophie Nerbonne, deputy director for legal affairs and director of compliance at France’s Commission Nationale de l'Informatique et des Libertés (CNIL), discussed the state of privacy protection measures in France and throughout Europe. CNIL is an independent regulatory body that oversees the application of privacy law to the collection, storage, and use of personal data. It comprises 17 members drawn from various government entities in France, including four from its parliament.

In January, CNIL ruled that Google’s privacy policy did not comply with French data protection law and imposed a fine of €150,000. More recently, CNIL was behind a September “cookie sweep,” a series of not-so-surprise company audits to assess compliance with French and European Union rules requiring websites to obtain user consent before placing cookies, the small pieces of data a site stores in the visitor’s browser and reads back on later visits. Users must also be able to find out how cookies are used and to opt out of the data collection.
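As an added illustration (not code from the article, from CNIL, or from any company named here), the JavaScript below shows one way a site can enforce the rule the sweep checks for: non-essential cookies are set only after the visitor consents to their category, an inventory explains what each cookie is for, opting out deletes cookies already placed, and a sweep function reports cookies present without consent, including ones written by scripts that bypassed the gate. The in-memory cookie store (standing in for `document.cookie`), the category names and the cookie names are assumptions for illustration.

```javascript
// Added example: a consent gate for cookies (illustrative, not CNIL's or any vendor's code).
// The in-memory store, the category names and the cookie names are assumptions.

// In-memory stand-in for document.cookie so the example runs outside a browser.
class MemoryCookieStore {
  constructor() { this.cookies = new Map(); }
  set(name, value) { this.cookies.set(name, value); }
  remove(name) { this.cookies.delete(name); }
  get(name) { return this.cookies.has(name) ? this.cookies.get(name) : null; }
  names() { return [...this.cookies.keys()]; }
}

class ConsentGate {
  constructor(store) {
    this.store = store;
    this.registry = new Map();             // cookie name -> { category, purpose }
    this.granted = new Set(["essential"]); // strictly necessary cookies need no consent
  }

  // Declare a cookie before it may be set; unregistered cookies are refused.
  register(name, category, purpose) {
    this.registry.set(name, { category, purpose });
  }

  // Inventory shown to the user: what each cookie is for and whether it may be set now.
  inventory() {
    return [...this.registry].map(([name, { category, purpose }]) => ({
      name, category, purpose, allowed: this.granted.has(category),
    }));
  }

  grant(category) { this.granted.add(category); }

  // Opt-out: withdraw consent and delete cookies already placed in that category.
  revoke(category) {
    if (category === "essential") return; // cannot be withdrawn
    this.granted.delete(category);
    for (const [name, meta] of this.registry) {
      if (meta.category === category) this.store.remove(name);
    }
  }

  // The only path application code should use to set a cookie.
  // Returns true if the cookie was set, false if the gate blocked it.
  setCookie(name, value) {
    const meta = this.registry.get(name);
    if (!meta || !this.granted.has(meta.category)) return false;
    this.store.set(name, value);
    return true;
  }

  // What a sweep checks: cookies present in the browser whose category lacks consent,
  // including cookies written by scripts that never went through setCookie().
  violations() {
    return this.store.names().filter((name) => {
      const meta = this.registry.get(name);
      return !meta || !this.granted.has(meta.category);
    });
  }
}

// Constructed walk-through of the gate's behaviour.
function demo() {
  const store = new MemoryCookieStore();
  const gate = new ConsentGate(store);
  gate.register("session_id", "essential", "keeps you logged in");
  gate.register("_ga", "analytics", "audience measurement");
  gate.register("ad_id", "marketing", "ad targeting across sites");

  const before = {
    essential: gate.setCookie("session_id", "abc123"), // true: no consent needed
    analytics: gate.setCookie("_ga", "GA1.2.1"),        // false: no consent yet
  };
  gate.grant("analytics");
  const afterGrant = gate.setCookie("_ga", "GA1.2.1");  // true
  const allowedNow = gate.inventory().filter((c) => c.allowed).map((c) => c.name); // ["session_id", "_ga"]
  store.set("ad_id", "xyz");                             // a third-party tag bypasses the gate
  const sweep = gate.violations();                       // ["ad_id"]
  gate.revoke("analytics");
  const gaAfterRevoke = store.get("_ga");                // null: opt-out removed it
  return { before, afterGrant, allowedNow, sweep, gaAfterRevoke };
}
```

In a real deployment the store would wrap `document.cookie` and the consent record itself would be kept in an essential cookie so it survives reloads; the sweep in `violations()` is the part an auditor reproduces by loading the page without consenting and listing what the browser received.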

Nerbonne updated the audience on the status of the long-delayed EU-wide personal data protection legislation. Negotiations will soon restart on a new law that would consolidate the data protection regimes of the individual EU member states. An ongoing point of contention for business leaders is that the new law may demand breach notification within 24 hours of an intrusion, with no safe harbor for data that was encrypted.

Other measures likely to be included in the legislation are a right to portability of personal information; the “right to be forgotten”; a requirement for project- and product-based Privacy Impact Assessments; and fines of up to €100 million or 5 percent of global turnover for a company that transmits personal data outside the EU without the customer’s permission. “A lot of work has been done and there are just a few points to clarify,” Nerbonne said. “We are still hoping that by the end of the first part of next year it will be done and then it will take two years to put the new regulation into application.”

 

“The challenge with the U.S. Health Insurance Portability and Accountability Act and other standards is that, on one hand, they are flexible and agnostic in terms of technology,” Tabuena said. “On the downside: They are flexible. They don’t really give you a lot of specifics on what it means to be secure and what is a reasonable control. That is where I am going to need to rely on the IT and information security experts to help me out.”

With their assistance, and that of the legal department, a compliance officer can map out which threats exist and how they should be prioritized. “It’s a lot of work, but you have to start somewhere,” Tabuena said. “You have to put together a country-by-country, state-by-state matrix of all the breach rules, including how they define sensitive information.”