Only a few days ago a major corporation admitted to two massive breaches in a row: the first in 2013, the second in 2014, both finally detected in 2016. The consequences were substantial: over a billion accounts breached. Company share prices did not respond significantly. However, the most interesting thing here is that Yahoo - the corporation in question - is currently in acquisition talks. How might such incidents affect the final price, or the entire deal? Beyond the immediate material loss, such events bring very negative publicity and may lead to a significant loss of trust.
This vivid example highlighted - for the first time - how a security and privacy breach can have a real business impact. In corporate terms, security, privacy and data protection are becoming important factors influencing, for example, acquisition talks and other business development processes. The risks related to security, privacy and data protection are becoming very broad, and it is crucial for C-level leaders to understand their importance well, especially in light of the upcoming legislative changes.
Starting in 2017, privacy and data protection will bring additional uncertainty thanks to upcoming regulations in Europe, which will have worldwide consequences - in the US and beyond. Why has this happened? Regulatory bodies have finally realized the importance of privacy and data protection and how these relate to business and consumer confidence and trust. Society is increasingly recognizing the risks and dangers that threaten us because of the recklessly designed Internet of Things (IoT) and its many flaws. Consumers do not expect their IoT-enabled toasters to become part of massive internet botnets.
A lack of industry standards or government regulations around security and privacy design flaws has led to tangible, measurable damage to businesses (in both financial and reputational loss). Fortunately, there are promising changes on the horizon.
Privacy and Data Protection - the New Standard
In May 2018, a landmark regulatory framework will come into force in the European Union. It will mark a milestone for privacy and data protection. The framework -- the General Data Protection Regulation (GDPR) -- will be complemented by an additional ePrivacy regulation. This legislation will meaningfully raise the standards of privacy and data protection. Any company operating in Europe or having users based in Europe will be bound to comply. And by all accounts, the GDPR effectively has a worldwide impact. The regulations are strict and will be enforced. Companies that do not care enough risk fines of up to 20 million Euro (or 4% of the organization’s worldwide annual turnover for the preceding year - whichever is higher).
Although the GDPR comes into force in 2018, it would be wise to begin preparations as soon as possible. Adhering to this legislation is a complicated process demanding resources -- not only people (privacy engineers and analysts), but also time and a proper understanding of the risks related to data protection and privacy.
What You Need To Consider
The key points any organization or company needs to understand in order to follow the GDPR are:
Consent management becomes critically important. Any organization managing personal data must be able to demonstrate that it handles that data with the users’ awareness and actively given consent. A key question: are your users aware that you store or process their data?
A Privacy by Design approach will be one of the most striking and decisive points of the new framework. In simple terms, this means that privacy and data protection will need to be considered in the early stages of each project or product; privacy controls and risk processes will need to be "first-class citizens" in product and system life-cycles. A key question: has your business implemented such a process?
Privacy Impact Assessment (PIA) will become a standard process for maintaining and ensuring the relevant privacy and data protection levels. Regulatory frameworks will require organizations to perform this process in projects dealing with personal data in order to evaluate the risks. A key question: can your business show that a PIA process has been conducted?
Privacy and data protection levels will be measured and managed. This is the role of the Privacy Impact Assessment: measuring privacy and data protection, and designing, developing, updating and maintaining applications, systems and products with privacy in mind. Privacy will be included in the software development lifecycle.
Privacy Impact Assessment
A Privacy Impact Assessment (PIA) is an involved process that reviews the assumptions, requirements and designs of a product in order to measure its level of privacy and data protection. It is an assessment that identifies and evaluates privacy and data protection risks and provides guidelines for mitigations. This risk-based approach helps organizations produce better products, and requires organizations to guarantee that privacy and data protection have been considered from the start of a project.
Persons and teams conducting Privacy Impact Assessments need to be proficient in security and privacy and often need to be able to think outside the box, especially when assessing projects in the early stages of planning.
Privacy Impact Assessment is becoming increasingly relevant worldwide; in the U.S., for example, it is now recommended by NIST (the US standardisation body for federal systems) for systems dealing with personal data. Another strong indication that PIA is gaining broad attention and traction is the fact that a standard PIA process is currently being formally developed by the international standards body ISO. Historically, such ISO standards are widely recognized and used in many industries by corporations and other organizations; compliance with ISO standards is widely regarded as a crucial aspect of business operation and business continuity, often as a way to identify and reduce risk. The ISO Privacy Impact Assessment standard is expected to be finalized in May 2017. What that means is that the PIA process will soon have very real business relevance to U.S. and global businesses.
Privacy Impact Assessment is a versatile and powerful tool, and it leaves considerable flexibility as to how it can be tailored to many different projects, depending on the organization’s business needs. Within the European Union, the new regulatory framework GDPR will require conducting a variant of the Privacy Impact Assessment, called a Data Protection Impact Assessment (DPIA), for most new and existing projects that carry substantial risk (i.e. either the use of new technology, or the use of private user data). A Data Protection Impact Assessment is not as broad as a PIA; it focuses on which privacy and data protection risks are identified in a project. It is also much more specific and technical.
One important aspect of a PIA is that it affords a hedge against a high-risk negative-privacy finding. In that case, the project’s plan may be reassessed. However, organizations are free to accept the risks and move forward with launching a system or product despite a negative-privacy finding. Should an unexpected event arise - for example, a massive data breach - an organization will be expected to show that a PIA has been conducted, in order to prove that all necessary, feasible and reasonable risk-avoiding measures were in place. Organizations unable to demonstrate that a formal PIA process has been conducted will risk fines.
In this way, a PIA process can be understood as a risk-reducing measure. This also suggests another possible development arising from the new regulatory frameworks: the PIA process will become of great importance during acquisition negotiations. The potential buyer, aware of the possible fines due to regulation, might want to know how the new acquisition handles risk. How? They will want to see a Privacy Impact Assessment. And this PIA will be assessed by people competent in privacy and data protection processes; most likely, those teams will want to conduct their own assessments as well - or at least assess the validity of the PIA as it affects material risk.
In the near term, expect to see a growing number of Business Privacy Advisor consultants offering their services - sooner rather than later.
I often say that privacy is a process, not a product -- and we will soon start to treat it in this way. I am already helping big organisations with Privacy Impact Assessments. Leaders would be wise to start understanding privacy, taking data protection very seriously, and viewing them as the business factors they are. And we will all benefit from that.