With the enactment of the California Consumer Privacy Act (CCPA) and the ever-evolving COVID-19 pandemic, Data Privacy has been at the forefront in 2020 and will remain an important challenge that organizations must take head-on as the way the world works continues to change. Stringent data privacy controls are an essential measure organizations need to take to not only ensure compliance with data privacy regulations but also to maintain customer trust and loyalty in the expanding digital world.
Let’s take a look at 5 best practices to help organizations approach data privacy.
Align Security and Privacy
As we say at Stealthbits, data privacy and data security are two sides of the same coin. Data privacy regulations ultimately require the appropriate security controls to be put in place in order to ensure the appropriate handling of personal data. This is typically achieved through an iterative process that involves data discovery and classification, monitoring, and risk assessment and remediation.
- Create a data map to document where data exists and who has access to the data
- Discover sensitive data to understand where PII or other sensitive information exists
- Identify Data Owners to help streamline data access governance workflows
- Monitor how data is moving and being shared throughout the environment
- Identify and remediate data risks
Read more about how Data Privacy and Data Security align in our blog post.
Least Privilege Access
A sound data security approach will involve the implementation of a Least Privilege Access model to ensure data access to sensitive data is minimized. Least Privilege Access is a fundamental principle that every organization should implement as part of their security practices stemming from the idea that users should only have access to the resources that they need so they can adequately perform the duties that they are required to do.
This principle becomes even more important when Data Privacy is considered. Regulations such as the GDPR require PII to be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing” indicating that access to PII must be minimized to only necessary parties.
Any risk assessment should involve the identification of excessive privileges through an iterative discovery, analysis, and monitoring process in order to deploy and maintain a Least Privilege Access model.
Privacy by Design
Data Privacy should be kept at the forefront of any project whether that be a system development or business process, being considered from the onset and built into the very foundation. The Privacy by Design (PbD) framework asks organizations to not look at privacy measures as an “add-on” and instead adopt a systematic approach to embedding privacy into the design as an essential component of any functionality being delivered.
In order to ensure Privacy by Design, organizations should:
- Perform regular risk assessments to ensure in order to minimize any impact or risk to privacy
- Collect the minimum amount of personal data necessary, ensuring data retention policies and data security measures are in place
- Provide transparency to end-users through adequate notifications and granular opt-in capabilities
To keep it simple, privacy should be considered at every stage of the development lifecycle.
Automate at Scale Using Technologies
Maintaining data privacy is an iterative process that needs to be reviewed and revised on a regular basis. As more projects are launched, or applications and data sets are introduced, organizations need to have an ongoing understanding of where PII is being stored, what security controls are in place to protect that data, and how that data is moving throughout the organization. More importantly, they will need to continuously monitor for any inconsistencies or risks, and remediate as necessary.
Automation and technology should be leveraged as much as possible to provide a consistent and repeatable process for privacy. The following categories of technology are examples of types that can be leveraged to provide automation for many of the key processes involved:
- Data Access Governance
- Active Directory Security
- Privileged Access Management
- Threat Detection & Response
Education and Awareness
Data security and privacy have to be ingrained into a company’s culture. Employees should be provided with adequate and continuous training on data security principles and best practices, cybersecurity threats, data privacy, and evolving compliance standards. Employees should be aware of internal security policies and basic cybersecurity best practices.
Organizations should also explore going beyond traditional training such as performing internal phishing campaigns and similar exercises to help ensure that security training is getting across and identify additional training opportunities.
Conclusion
Data Privacy will continue to be an important consumer right in the modern data-driven world so organizations will need to get a handle on their PII and ensure they are prepared with the appropriate processes and practices in place. A proper set of data privacy-focused policies and procedures will help organizations avoid fines and more importantly, maintain a positive brand image for their focus on their customers.
Learn more about how Stealthbits can help to provide and streamline many of the functions necessary to ensure data privacy through data security.
Farrah Gamboa is a Director of Technical Product Management at Stealthbits – now part of Netwrix. She is responsible for building and delivering on the roadmap of Stealthbits products and solutions.
Since joining Stealthbits in 2012, Farrah has held multiple technical roles, including Scrum Master and Quality Assurance Manager. Farrah holds a Bachelor of Science degree in Industrial Engineering from Rutgers University
Leave a Reply