In the good old days, CISOs were all about security. They served as guardians at the gate and protectors of the perimeter. As technology evolved, so did the CISO’s role. One of the most significant impacts on today’s CISOs, however, has nothing to do with mobile devices, malware, or the Internet of Things (IoT).

Instead, expansive new privacy laws such as the European Union’s GDPR, California’s CCPA, and Canada’s PIPEDA often shape how a CISO sets priorities.

Failure to comply with these laws poses a significant risk to organizations, both in terms of major fines for noncompliance and the loss of prospects and customers. For example, the French data protection authority fined Google €50 Million under GDPR for failing to properly disclose to users how their data is collected to present personalized ads. And according to the 2019 IBM Cost of a Data Breach Report, the largest cost category for data breaches is lost business—representing 36% of the total average cost of $3.92 million.

Managing privacy compliance has become mission-critical to the business.

Slow incident response times adds risk for noncompliance

Under GDPR, organizations only have 72 hours to notify the authorities of a breach. That’s scant time to conduct an accurate risk assessment, which is also essential to staying compliant while avoiding the risk of over-reporting. The BakerHostetler 2019 Data Security Incident Response Report shows an average incident response timeframe to be —56 days from discovery to notification. The 2019 Verizon Data Breach Investigations Report indicated that 56% of the breaches included in the report took months or longer to discover.

IR Lifecycle Icons_Color Background_LIGHT-05Benchmarking Data From Radar: On average, U.S. incidents within Radar are risk assessed, scored, and decisioned in less than 32 days after they occur, a significant reduction over general industry practice.

Read More >

“Most companies don’t have the skills, technology, or procedures in place to detect breaches when they happen, nor report them in sufficient detail to the Information Commissioner’s Office (ICO),” says Mark Nicholls, director of cybersecurity at Redscan. “This was a problem before the GDPR and is an even bigger problem now that reporting requirements are stricter.”

We should also note that privacy compliance is about more than breaches. For example, a GDPR case law establishes what is acceptable when handling and conveying privacy information with regard to data subject rights. Ninety-one fines have already been levied against various companies.

Bottom line: For CISOs whose organizations handle personal data, privacy compliance is vital to mitigating enterprise risk.

Managing noncompliance and breach risk with privacy by design (PbD)

Although privacy by design is not new, GDPR has made it a legal requirement. And even if a company is not subject to GDPR, applying PbD’s seven foundational principles is a best practice.

According to Deloitte, “Privacy by Design is a framework based on proactively embedding privacy into the design and operation of IT systems, networked infrastructure, and business practices.” The seven principles include:

  1. Proactive, not reactive/preventative, not remedial. PbD comes before-the-fact, not after. To reduce risk, CISOs should perform a privacy impact assessment (PIA) for an overall privacy risk assessment of how protected data is handled. Not all personal data are electronic—paper, verbal/visual, and biometric information all count.
  2. Privacy as default. PbD seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. When collecting personal data, companies must obtain explicit consent, clearly stating what’s being collected, how it’s being used, and with whom it may be shared.
  3. Privacy by design is embedded into the design and architecture of IT systems as well as business practices. CISOs should perform a data protection impact assessment (DPIA) on new processing. This principle may be challenging with regard to product development and the user experience, since privacy should be integral to the system without lessening functionality.
  4. Full functionality—positive-sum, not zero-sum. PbD seeks to accommodate all legitimate interests and objectives in a win-win manner. It’s not privacy versus security— it’s both. CISOs should ask questions such as, “What data is put in log files? Who has access? How is that data separated out or what de-identification process is used?”
  5. End-to-end security—full-lifecycle protection. Privacy by design ensures that all data are securely retained and then securely destroyed at the end of the process, in a timely fashion. This means having an explicit retention policy—keeping data forever is never an option.
  6. Visibility and transparency—keep it open. Data subjects must be given sufficient information given to data subjects about the collection and use of their personal data, possible risks, and the actions they can take to control the processing.
  7. Respect for user privacy—keep it user-centric. Above all, privacy by design requires architects and operators to keep the interests of the individual at the forefront with such measures as strong privacy defaults, appropriate notice, and user-friendly options.

Privacy by design takes teamwork

We say it over and over again here at RadarFirst: Any and every aspect of privacy compliance is a team sport. Historically, security used to pass privacy responsibilities to a small privacy team that was embedded within the larger legal department. Product development was not even in the picture.

To embrace privacy by design and thus mitigate risk, security, privacy, legal, and product teams must collaborate. They can support each other’s roles and ensure that all privacy by design principles are applied throughout the organization. Together, they can make the business more trusted, efficient, secure, and competitive—and protect the customers and employees they serve. Using automation to manage privacy incident response strengthens this collaboration and gives CISOs a structured, objective framework for managing enterprise risk.

Read other articles our CISO blog series:

  1. To Be Great Enterprise Risk Managers, CISOs Have to Be Great Collaborators
  2. To Manage Enterprise Risk, CISOs Have to Measure It
  3. Why Security Needs Privacy to Succeed on the Job (and Vice Versa)