Security

Considering all the trouble privacy professionals go through to ensure individuals’ personal data is treated respectfully, it should come as no surprise that taking adequate and reasonable security measures is an essential element of a privacy program. Most privacy regulations do not specify what exactly constitutes “reasonable security,” so it is important that organizations take steps to review their technical, administrative, and organizational security controls and their effectiveness in protecting the confidentiality, integrity, availability, and resilience of data. While privacy and security have significant overlap, each discipline benefits from specialist expertise; therefore, a best practice is to have distinct personnel focused on privacy and security, respectively, but for both team members to work closely with one another.

Less Mature

In an organization with immature security as it pertains to data privacy, there will be little coordination between privacy professionals and security and/or IT professionals. Stores of personal data will not be identified as being high risk, and personal data may be stored without encryption or access controls. Even if there is a secure location where personal data is stored, it may be copied or stored in other locations without security.

More Mature

For an organization with mature security standards, privacy factors will be taken into consideration in the overall security framework from the very beginning. There will be regular risk assessments, documented policies and procedures, continuous monitoring and improvement, and employee training. Privacy and security professionals will work closely with one another to ensure high-risk data is kept secure, and they’ll collaborate to train their colleagues on best practices. There will also be robust access controls and identity management processes in place to prevent undue access to personal data. Furthermore, the security framework will be regularly reviewed and updated to adapt to the evolving threat landscape.

Recommended Next Steps

To improve the maturity of security practices as they pertain to privacy, privacy professionals should:

• Establish ongoing collaboration with their colleagues in security.
• Consider security factors in privacy awareness and training.
• Determine baseline controls with security teams that correspond to data classifications. For example, is encryption, multifactor authentication, and/or the use of virtual private networks required for all company confidential information and personal data.
• Develop robust identity management, authentication, and access controls.
• Create written policies that specify security procedures.
• Establish a remediation plan for security incidents as part of their privacy breach response protocols.
• Regularly test and review the efficacy of security measures, including the resiliency of data from backup and disaster recovery.