Watch: Data Privacy: Are You Paying Attention?

Date February 22, 2023
Highlights of the February 22, 2023, HBK Risk Advisory Services webinar hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Director.

The National Institute of Standards and Technology (NIST) defines IT Security as, “The technological discipline concerned with ensuring that IT systems perform as expected and do nothing more; that information is provided adequate protection for confidentiality; that system, data and software integrity is maintained; and that information and system resources are protected against unplanned disruptions of processing that could seriously impact mission accomplishments.”

The International Association of Privacy Professionals (IAPP) defines data privacy as, “Privacy is the right to be left alone, or freedom from interference or intrusion. Information Privacy is the right to have some control over how your personal information is collected and used.”

Privacy focuses on the governance and use of data. Security tries to keep us from becoming victims of a malicious cyberattack. The two are often intertwined or confused with each other.

Why be concerned about privacy? Our information is being captured and mined all the time. One expression of that is the suggestions or recommendations from location services on your phone.

Prominent trends in privacy

  • Data localization: Where is your data? You need to know where it is, especially given the multitude of cloud offerings.

  • Enhancing computations regarding data, or artificial intelligence (AI): how are algorithms written, and what is being done with them?

  • Remote monitoring: trying to balance security and privacy:
      • Forty-nine percent of remote workers use their own computer hardware, creating privacy and security issues.
      • How do you delete data from those devices when the workers are no longer working for you?

  • More ways to manage privacy for customers:
      • Websites request that you accept their cookies, which they use to gather information on you.
      • Data is no longer considered the new oil. It was thought data would create millionaires like oil did, but now data gathering is seen as a large risk: the more data, the larger the risk.
      • Many states are enacting their own privacy laws. We should have some type of federal legislation on privacy, but nothing is expected any time soon.

    Globally, enforcement of the European Union’s General Data Protection Regulation (GDPR) continues to increase, and its influence has spread to America.
      • Amazon was fined $746 million for violating GDPR.
      • Twitter was fined $499 million, among others.
      • Another wave of legislation is expected in Europe, including legislation relating to AI. These reforms will in some way make their way to the U.S.

  • Monitoring and tracking privacy regulations

    The IAPP is an excellent resource for privacy information. Resources include reports and documents, privacy regulation tracking, and information on specific regulations.

    Privacy legislation is in different phases of development, and it varies state by state.
      • Only four states have signed legislation: California, Utah, Colorado, and Virginia.
      • States are expected to ramp up, as we don’t expect federal legislation.
      • The California Consumer Privacy Act is modeled much like GDPR and has already been amended, including by the California Privacy Rights Act, which went into effect January 1, 2023. Businesses must comply if they meet one of three requirements:
          • Gross revenues of $25 million
          • Receiving or disclosing the personal information of 50,000 or more California residents annually
          • Deriving 50 percent or more of annual revenue from selling California residents’ personal information

  • Creating privacy controls

    Consider privacy frameworks, such as ISACA’s and ISO/IEC 29100:2011.

    Frameworks have privacy principles, like GDPR’s:
      • Lawfulness, fairness, and transparency
      • Limitations on purposes of collection
      • Data minimization
      • Accuracy of data
      • Storage limitation
      • Integrity and confidentiality
      • Accountability

    ISACA has 14 privacy principles.

    Principles can be converted into controls, and controls can be evaluated as to how they equate to a privacy program.

    Key requirements of a privacy program:
      • Awareness and communication: make people aware that you have a program
      • Metrics: track to see whether you are following your principles
      • Maturity

    Privacy controls are the administrative, technical, and physical safeguards employed within an agency to ensure compliance with applicable privacy requirements and to manage privacy risks.

    Sample: Choice and Consent

    Principle: To ensure appropriate and necessary consents have been obtained

    Control: What you must have in place where the collection of personal data takes place

    Maturity: Gauging the maturity of your program in terms of rating metrics from one to five: incomplete, initial, managed, defined, quantitatively managed, optimized

      • You can do this on your own or engage a third party.
      • This is a way to help you develop and administer a program.
      • Ways to start: inventory your data, know where your customers are, then follow the regulations that apply. If you have privacy concerns, you can look at privacy frameworks for principles to turn into controls, create a privacy program, and measure your program’s maturity.
