Taking advantage of technology and digitization involves more than business strategy. It requires strong data governance principles which, among other things, must align the functional demands of an organization’s cybersecurity, privacy and information management teams.
For cybersecurity folks, it’s all about data confidentiality and the integrity and availability of both data and systems. In terms of confidentiality, cybersecurity professionals are concerned about all sensitive electronic data, which extends beyond data about individuals to include corporate secrets as well. How about destructive ransomware? Well, that’s not a matter of data privacy; it’s a matter of data, period. Cybersecurity objectives also concern far more than information, and require that systems and devices remain resilient and reliable. Take, for example, the life-and-death concerns about protecting critical infrastructure control systems, or keeping hackers out of embedded medical devices.
Just as cybersecurity professionals have a broad mandate, so do privacy professionals. In fact, the word “privacy” hardly captures the role. The field of data privacy has grown from concerns primarily over secrecy and seclusion into a larger set of issues better described as personal data rights. While there remains a strong focus on protecting the confidentiality of information that identifies people (which aligns with cybersecurity, but extends beyond electronic records), data privacy experts also consider the lawful basis for a company’s collecting and using personal information in the first place. Privacy compliance also may require a jurisdiction-by-jurisdiction review of data localization and data transfer limitations (a big headache for multinational organizations); responding to government requests for personal data; limitations on automated decision-making and profiling; data portability capabilities, allowing individuals to obtain and reuse personal data across different services; correction of inaccurate information; retention, archiving and destruction schedules; privacy-by-design product features; and data breach notifications.
Chief Information Officers, and those with “data” in their titles, are sure to focus on features, functionality and enhanced user experience. Yet, they operate with significant external constraints as they embrace the latest technologies and harness big data. Not only are they subject to a host of security and privacy requirements, they often have intellectual property rights responsibilities. They routinely struggle with faulty products, misconfigurations and user error, as well as data that must be cleaned, validated, de-duplicated and structured. They may be required to explain how automated analysis works, and protect against unlawful algorithmic bias. They must be mindful of the power of machines to easily re-identify individuals by combining data sets that, for legal reasons, were previously de-identified. Their programs may be subject to antitrust scrutiny regarding the implications of data aggregation. Finally, they can’t break the laws of math or physics.
Next time your organization considers its data and technology strategy, it’s best to ensure that data, privacy and cybersecurity professionals all have a seat at the table. Sure, they often can represent one another’s interests. But, equally often, they can’t.