Whose Breach Is It? Using Accountability to Build a State-of-the-Art Privacy Program
Ever since GDPR went into effect a little over a year ago, more and more countries (and U.S. states) have raced to adopt or change their own privacy laws. It’s a fast-paced world out there and changes to privacy regulations are coming quickly — recently a colleague updated their map of U.S. breach notification laws, only to have it outdated two days later due to a change in the Texas privacy law.
Many of these proposed new laws mimic GDPR’s expansive definition of personal information to include just about any data that can identify an individual. The stringency of breach notification timelines continues to vary greatly across these changing regulations, however. Contrast GDPR’s 72-hour notification deadline with Brazil’s more ambiguous “within a reasonable amount of time.”
One thing is for certain: for companies with breaches that span multiple jurisdictions, compliance has become a lot more complicated.
View a recording of the recent webinar featuring Travis Cannon from RADAR and Paul Breitbarth from Nymity as they share strategies for building and implementing a scalable, comprehensive program that addresses the critical phases of privacy management.
A to Z documentation
No organization likes to deal with a data breach. As we all know, breaches are a “not-if-but-when” phenomenon, so every company that deals with personal data needs a privacy program.
I had the privilege of participating in a webinar with Paul Breitbarth, director of strategic research and regulator outreach at Nymity. He said that despite the almost-certain inevitability of breaches, you can do much to avoid them. It all starts with what he calls “an accountability approach to handling breaches.”
Under many regulations, organizations are required to demonstrate both accountability and compliance. Documentation and recordkeeping are essential as evidence that you are complying with all aspects of data processing. Thorough documentation lets privacy teams quickly retrieve all information on processing operations when there is a security alert or an incident report from within the organization. Documentation is also a critical aspect of proving compliance and of showing that a thorough risk assessment was conducted to determine the likelihood of harm to an individual. The information is also readily available when regulators ask for it.
Organizations must also maintain a register of all incidents, whether or not they’re reportable breaches. Such a repository can be a valuable resource in addressing breach risks. Privacy and security teams can accurately identify problem areas or common scenarios within an organization that lead to a data breach—be those due to a lack of awareness, a lack of security, or just plain carelessness. Using privacy automation to document every step of the incident response process gives consistency and structure, so privacy and security leaders can better see where the true risks lie.
Structured privacy management = faster compliance
Speaking of structure, we also discussed the importance of taking a structured approach to privacy management. Specific privacy management activities must be assigned to individuals within the organization, ensuring the various aspects of a privacy program are implemented, maintained, and always up to date. This will automatically produce the evidence—i.e. documentation—required to demonstrate compliance.
“Evidence is a byproduct of running a privacy program—not the purpose of it.”
– Paul Breitbarth, Nymity and RADAR June 2019 Webinar
All the elements of an organization’s program, such as policies, procedures, and meeting minutes, can be used as evidence of a responsible privacy management program. What’s more, a demonstrably strong program may limit possible sanctions should a breach arise.
Preparing for a breach situation
Even organizations with sound privacy programs will likely experience a breach at some point—caused by, if nothing else, human error. To demonstrate accountability, GDPR requires companies to have proper policies and procedures and state-of-the-art security measures in place. Tabletop exercises can be helpful, as they may reveal any gaps.
While a single breach policy would be ideal in an organization, the varying notification deadlines and requirements can make that difficult. It’s best to establish internal policies and procedures for notifying within a reasonable timeframe for the organization. For example, if notification is provided within 72 hours in one jurisdiction, that could be deemed a reasonable timeline for another jurisdiction with a more ambiguous requirement.
Best practices for incident response management
As we’ve seen, regulations are changing at a dizzying speed. Yet keeping current with these swiftly evolving laws is foundational to compliance. To build a unified framework for global incident response, organizations need a consistent, objective, and defensible process for performing risk assessments and determining if breach notification is required under domestic and global regulations.
Privacy automation can provide that consistency, so that notification decisions are appropriately made and that organizations avoid the risk of over-reporting. In this way, organizations can establish their burden of proof and ensure their incident response process is always in compliance with the latest domestic and international laws.
Learn more best practices for building a robust privacy program by viewing the on-demand webinar: How to Build a State-of-the-Art Privacy Program.