Organizations want to move from one-time privacy efforts to on-going privacy programs. Data Protection Officers (DPOs) and Chief Privacy Officers (CPOs) can’t roll-out an on-going privacy program unless they have the underlying technical and organizational infrastructure.
They rely on Chief Data Officers (CDOs) to enable the data pipeline, governance, and organizational structure needed to operationalize privacy.
In short, a successful data privacy program depends on CDOs as much as it does on DPOs. CDOs like you have a herculean task of protecting this growing complex data ecosystem inside an organization. But how do you know your organization is ready to operationalize privacy?
Here are the questions and reasons why these questions are important to help DPOs to deliver data protection.:
Have we inventoried data sources and personal data?
Unless you know what data your organization holds, you can’t track and protect it. Hence, the first step is to create complete inventory data sources, data assets and personal data stored across the company.
Do we know whose personal data we collect, hold, and process?
What privacy laws apply to you greatly vary, based on the location, age, and categories (employees, partners, customers) of your data subjects. Because of this, it is imperative to thoroughly understand the privacy laws in your country of operation.”
What external SaaS services hold our data?
Companies use many third-party SaaS services, which may potentially contain personal data. These SaaS will be considered as data processors or sub-processors. You must know what data are in those services so that you can decide what type of agreements should be in place.
Are all personal data secured and encrypted?
Any data should be encrypted at rest and transit, especially personal data. However, in a large organization, details might fall through the cracks. In many instances, personal data gets collected and inadvertently stored in unstructured sources such as production logs. Ensure all data, most importantly, personal data, is encrypted at all times.”
Do we maintain metadata about personal data?
When it comes to personal data, metadata attributes can make or break your compliance. For instance, the reason why you collect, store, and process data is important metadata. Most GDPR fines are for using data without approved legal purposes. Here are some attributes that you must track: purpose, consent, lifespan, de-identified, geography, type of data subject (employee, customers, partners, visitors, etc.), size of the data.
Do we have good data ownership/stewardship structure?
The responsibility of protecting data can’t be centralized. You must distribute the responsibility across your organization. Responsibility can be distributed by identifying and growing data custodians (people that take care of the data; otherwise stewards) across your company.
Have we mapped data flow?
Mapping how data is transferred from one system to another helps you understand how personal data moves inside your organization and identify critical privacy compliance issues such as cross-border transfers.
As data gets transformed, the context around the data gets lost. Without fully understanding the sensitivity of the data, a downstream team could be using a data asset that was derived from sensitive data. Tracking lineage helps companies track context around data assets such as sources, transformations, etc.
How often do we update our data map?
Having a stale data map might give you a false sense of data protection. Hence, you must periodically update your data map.
Have we documented who uses what data and why?
Most of the data risks are in data use. Organizations should strive to have a good map of who uses what data and for what purpose. A data asset can be used by two different teams with different privacy implications. For instance, the fraud team can use someone’s location data to prevent fraud, but a marketing team can’t use the location data to market unless they have consent to do marketing.
How often do we audit access privileges to data sets across the organization?
Privileged access accounts contribute to most data leaks. Many organizations have bloated access privileges that contain access to people who have moved out of their roles, and in some cases, moved out of the companies. Periodically auditing access privileges reduces security vulnerabilities.
These factors help you gauge your governance program’s maturity in supporting data privacy. Identifying the gaps helps you understand the effort required to operationalize privacy.