Considering all the trouble privacy professionals go through to ensure individuals’ personal data is treated respectfully, it should come as no surprise that taking adequate and reasonable security measures is an essential element of a privacy program. Most privacy regulations do not specify what exactly constitutes “reasonable security,” so it is important that organizations take steps to review their technical, administrative, and organizational security controls and their effectiveness in protecting the confidentiality, integrity, availability, and resilience of data. While privacy and security have significant overlap, each discipline benefits from specialist expertise; therefore, a best practice is to have distinct personnel focused on privacy and security, respectively, but for both team members to work closely with one another.
In an organization whose security practices are immature with respect to data privacy, there is little coordination between privacy professionals and security and/or IT professionals. Stores of personal data are not identified as high risk, and personal data may be stored without encryption or access controls. Even where personal data is kept in a secured location, copies may be made or stored in other locations that lack those protections.
For an organization with mature security standards, privacy factors are taken into consideration in the overall security framework from the very beginning. There are regular risk assessments, documented policies and procedures, continuous monitoring and improvement, and employee training. Privacy and security professionals work closely with one another to ensure high-risk data is kept secure, and they collaborate to train their colleagues on best practices. Robust access controls and identity management processes are in place to prevent unauthorized access to personal data. Furthermore, the security framework is regularly reviewed and updated to adapt to the evolving threat landscape.
To improve the maturity of security practices as they pertain to privacy, privacy professionals should: