A 10-Step Checklist for Security Teams
Strong privacy programs are built with security at the foundation. This checklist walks you through key elements to consider when partnering with privacy practitioners to build customer trust and outsmart business risk.
Step one: Know Your Processing Environment
Successful privacy programs start with a solid grasp of their processing environment. Why? Personal data isn’t just a confidential business asset; it’s a specially regulated class of data.
Your whole company is responsible for handling personal data lawfully, transparently, proportionally, and securely throughout its entire lifecycle, while also protecting it from unauthorized access, alteration, or destruction. In some cases, this means not having the data in the first place.
To apply the right safeguards to the right data, you need to know where the data lives and understand what it’s used for. According to Okta’s “Businesses at Work 2023” report, large companies (2,000 or more employees) use an average of 211 different software applications across operations. Can you confidently say you know every application any employee in your organization has ever used?
An effective privacy and data protection program can help cover your blind spots with system and data discovery that relates the information through data mapping. This is a foundational activity that benefits privacy and security practitioners.
Step two: Identify Your Privacy Collaborators & Cooperative Model
Accountability requires a suitably empowered individual or group to be responsible for an organization’s security and privacy efforts. Start by identifying a privacy lead and a model for ongoing information sharing and cooperation.
Possible data governance models can range from a top-down pyramid led by C-level leaders to a flat team of privacy and security champions embedded throughout the business.
A smaller or mid-level organization could benefit from a joint Security & Privacy Risk Steering Committee, a roundtable of representatives from different departments working together to identify and manage privacy- and security-related business risks. This committee would be responsible for cross-functionally developing and maintaining the privacy and data protection program, and reporting their findings and activities to the CEO and/or the Board. This model allows for a more holistic approach but may lead to increased decision-making complexity.
Step three: Understand How Privacy Laws Impact Security Management
Aligning your program with the National Institute of Standards and Technology’s Cybersecurity Framework and Privacy Framework is useful and laudable. Many security and privacy teams do. However, nuances in privacy and data protection laws like Europe’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) can introduce particular concerns for security teams.
- CCPA — California Consumer Privacy Act
- CPA — Colorado Privacy Act
- CPRA — California Privacy Rights Act
- GDPR — General Data Protection Regulation
- LGPD — Lei Geral de Proteção de Dados Pessoais
- PIPEDA — Personal Information Protection and Electronic Documents Act
- PIPL — Personal Information Protection Law
- VCDPA — Virginia Consumer Data Protection Act
- UCPA — Utah Consumer Privacy Act
- CTDPA — Connecticut Data Privacy Act
The original CCPA allowed Californians to sue an organization for data breaches resulting from preventable security failures via the private right of action. Proposition 24, the California Privacy Rights Act (CPRA), expanded and amended the CCPA, and also expanded what qualifies as a breach within the state. CCPA 2.0 now includes email addresses paired with a password or security question and answer as information that if “subject to an unauthorized access and exfiltration, theft, or disclosure” would subject a company to broader litigation risk.
The CISO’s Guide to CPRA
Since the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, millions of Californians have exercised their privacy rights under this law.
With potential statutory damages in California ranging from $100 to $750 per consumer per incident, and breaches often involving hundreds of thousands — or even millions — of users, these types of claims could be staggering.
Step four: Align Data Retention & Privacy Policies
Today’s data-driven economy incentivizes businesses to collect and hold more data for some future possible value. Yet, these inclinations conflict with the principle of proportionality enshrined in the GDPR, CCPA, and other modern privacy and data protection frameworks.
Practicing data minimization and storage limitation is an essential part of privacy by design. These principles prompt an organization to step back and consider what personal data is essential to collect, store, and disclose, to what degree, and under which circumstances.
Regularly reviewing company data processes against business needs and retention commitments also supports security by default practices. Less data means less data exposure, reduced data storage costs, and quicker disaster recovery timelines.
Step five: Advise Reasonable Data Subject Identity Verification
Modern privacy laws like the GDPR, CCPA, and VCDPA codify a rights-based approach to data protection. Today, more individuals than ever can exercise control over their personal data through consumer privacy requests (known as Data Subject Requests or “DSRs” in Europe).
Requesters can ask to access, correct, port, and in some cases, erase their data. They can also knowingly permit, object to, and, in some cases, restrict how a business uses their data — all while being protected by law from unfair treatment and retaliation. Above all else, the interaction should be easy and effective for requesters.
The DSR process must be safe for businesses and individuals. The security adage of “trust but verify” applies.
By law and sound practice, you must validate that the requester is who they say they are and has rights to the data in question. To thwart those who would submit fraudulent requests in order to obtain valid credentials illegally, it’s best practice to verify the identity of a requester within seven (7) days of the DSR submission date.
However, collection limitation and data minimization principles also apply. Do you really need a copy of someone’s passport? DataGrail’s knowledge-based Smart Verification tool is a viable, proportional alternative.
Step six: Contribute to Privacy/Data Protection Impact Assessments
PIAs and DPIAs are indispensable parts of any privacy and data protection program. They’re flexible tools to systematically analyze, identify, and minimize privacy risks and tradeoffs from products, projects, and other activities involving personal data.
A PIA/DPIA helps organizations be more aware of and intentional about the personal data they collect, store, share, sell, or otherwise transfer. Privacy assessments also help determine the contractual, organizational, or technical safeguards to implement for risk mitigation.
No assessment is complete without input from security specialists. Safeguarding personal data using appropriate technical and organizational security measures is crucial. Should access be need-to-know? Will data in transit be sufficiently encrypted? Will existing incident response protocols suffice?
Step seven: Validate Security Promises in Privacy Statements
A privacy policy is the central tent pole of any privacy program. It plays an important role in your organization’s public and regulatory relations by making certain privacy and security promises.
Privacy policies commonly have a section explaining the measures taken to protect personal information from unauthorized access, alteration, or destruction. Using language like “commercially reasonable” or even “industry-leading” is permissible.
Organizations have no obligation to disclose trade secrets or other information that may compromise organizational security, but their statements must be truthful. Regulators like the Federal Trade Commission, the California Privacy Protection Agency, and the UK Information Commissioner are empowered to fact-check privacy policy statements.
From the FTC’s Privacy and Security Enforcement webpage
Step eight: Holistically Manage Third-Party Risk
Modern organizations rely on third-party vendors and outsourced services for their infrastructure and software supply chain. While these partnerships achieve operational efficiencies (e.g. better tools, reduced hardware costs), they can also introduce potential data protection risk questions:
- Privacy angle
  - What kinds of personal data will the system or service utilize? How? Why?
  - Are there any possible out-of-context uses?
- Security angle
  - Does the third party provide a secure and trustworthy environment for personal and other company-confidential information?
- Legal angle
  - Are data protection and service delivery in line with applicable legal/regulatory requirements and associated contractual commitments?
A sound Third Party Risk Management (TPRM) program blends the three angles to provide a comprehensive view of a vendor. TPRM programs ensure:
- Thorough pre-partnership vendor risk assessments and regular re-evaluations
- Considerations for privacy and security risks, and any needed regulatory reporting
- Appropriate contractual controls and restrictions
- Accurate third-party performance monitoring
Step nine: Train The Company
Convincing everyone in the business to care deeply about data privacy and security can be challenging, and let’s face it, you and your security team are extremely busy.
Again, make it a team effort:
- Train during onboarding and recertify at least annually
- Bring in marketing and enablement pros to help gamify training and increase employee engagement
- Set the tone at the top — seek buy-in and socialization help from senior leadership
- Reinforce how employees can be part of the solution, rather than inadvertently introducing risks due to a lack of awareness
Step ten: Improve, Iterate, Evolve
It’s important to remember the current regulatory environment isn’t static and neither are threats to the personal data under your care. It’s critically important to ensure your privacy and data protection program is flexible and future-proof.
That flexibility will enable you to painlessly bring your company into compliance with new regulations and always keep sensitive data secure.
You should review and adjust your privacy and data protection program when internal or external events like the following occur:
- New or updated privacy regulations applicable to your company
- Entering a new market
- Merging with or acquiring another company
- Materially changing your data practices
Conclusion
DataGrail is the data privacy company for this era. We help brands minimize risk, stay a step ahead of consumer and employee expectations, and safeguard their reputation. Our complete, enterprise-grade data privacy platform is powered by patented Risk Intelligence technology that detects shadow IT and makes vulnerable data visible so brands can proactively manage risk. Leveraging responsible automation at scale and the largest integration network in data privacy, DataGrail automates privacy workflows across systems to perform risk assessments, accelerate data subject request (DSR) fulfillment, and optimize resources.
DataGrail is headquartered in San Francisco, and the world’s most trusted brands partner with it on their data privacy journey, including Salesforce, Dexcom, Databricks, and Instacart, amongst others. It has 4.8/5 stars on G2 and is backed by leading VCs and strategic investors, including Third Point Ventures, Felicis Ventures, Next47, Cloud Apps Capital Partners, Operator Collective, HubSpot, Okta Ventures, and American Express Ventures.
To learn more about DataGrail, please visit www.datagrail.io or follow DataGrail on Twitter and LinkedIn.