Making Sense of Data Privacy CLAUSES
Privacy considerations are rising in business significance, and not simply as a matter of data breach liability. As you already know, the European Union recently invalidated the transfer of European citizen data to the United States under Safe Harbor principles that had been in place for over 15 years. This geopolitical result occurred without regard to the business implications for multinational corporations, and provides us with two clear takeaways. First, privacy (like cybersecurity itself) is a key business driver in today’s digital world. Second, the evolution of privacy norms and requirements must be reviewed continuously and anticipated, not simply because they change over time but because they can change overnight.
For those readers tracking these considerations within the NIST Framework, you’ll recall that privacy is an integral part of cybersecurity governance (see the October 2015 Cyber Tactics column). Separately, NIST has developed a draft privacy framework for federal information systems, which includes engineering objectives and privacy risk modeling.
Regardless of what laws apply to your particular industry, this month’s column offers a new acronym to help you assess and formulate a solid approach to data privacy: the CLAUSES.
Collection. The most important aspect of all data privacy is determining and potentially restricting the types of data you collect in the first place. If your company likes metadata because it never met a data it didn’t like, think again!
Location. Consider your ability to pinpoint the location of the data you collect. First, data is easily replicated. Companies would do well to map the flow of personal (and confidential) information in its original, derivative, duplicate and shared form. Second, geographic location may matter. Certain data might be restricted from being stored in, or even accessed from, specific geopolitical boundaries.
Access. It’s only obvious that for data to remain private, it requires some form of access control (whether technical, physical and/or administrative) in order to restrict who sees it and to ensure they understand and abide by all accompanying data restrictions.
Use. Just because your company holds private data, does not mean it has the right to use it for any purpose. Many organizations by law or policy provide specific assurances to data subjects regarding limitations on how personal data will be collected, accessed, used, shared and retained.
Security. Organizations should determine whether they hold specific kinds of personal data that are subject to additional security requirements (think banking, healthcare, credit cards and student records as examples), to include any emerging requirements for corporate employment records containing sensitive information.
Eradication. Whether voluntarily or as required, companies often are faced with the need to destroy, de-identify or correct private data either upon request or after a set period of time.
Standards. Organizations would do well to compare their privacy approach against either mandated or recognized standards and guidelines and, in this way, determine their compliance levels and risk posture. By considering the privacy CLAUSES, your company will be off to a great start.