In today’s digital world, companies of all types and sizes need to protect their critical data assets against cyberattacks and data breaches. Privacy obligations such as GDPR, CCPA and PIPEDA have required organizations to step up their privacy game to demonstrate compliance with mandatory privacy breach notification, reporting and record-keeping.
Although more and more organizations have implemented basic compliance exercises, many are still at a loss when it comes to managing, monitoring and reporting on their privacy obligations.
Unfortunately, Data Protection Officers (DPOs) and Chief Privacy Officers (CPOs) are often left with these critical questions:
What happens once your basic privacy obligations have been implemented?
How can you establish an effective privacy reporting framework?
How can you effectively report on your privacy risk and progress to your Board of Directors?
On February 5th, 2019, we co-hosted a webinar with our partner Nymity, a leading research-based privacy compliance software company, about how to report data privacy obligations to the Board of Directors.
During the webinar, we addressed key questions about how organizations can leverage strategic reporting frameworks to understand their inherent risks, determine their target maturity and report effectively on their various data privacy obligations.
This blog article summarizes the most frequently-asked questions of the webinar.
Disclaimer: This blog article was written by our compliance experts for general information and does not claim to provide legal advice. To understand the full context of your organization, please consult with a privacy compliance and/or legal professional.
Why is Data Privacy Reporting to the Board of Directors a Concern?
There are several liabilities for corporations and directors that require the Board of Directors and other executives to be aware of an organization’s compliance posture to privacy and security of personal data.
Data breach class action lawsuits are increasingly frequent.
In the past, these were less threatening, as courts systematically refused any damages to individuals who failed to prove material damages and causality. For individuals who were victims of a data breach, the damages are not always obvious or quantifiable. Even where identity theft occurs with specific damages, the frequency of data breaches makes it difficult to prove causality.
However, courts have started to move to models where the damages are presumed. In Ontario, the Court of Appeal created a tort called intrusion upon seclusion which includes presumed damages.
Under GDPR, Art. 82 creates a right to compensation for material and immaterial damages suffered as a result of processing that infringes on the regulation. Recital 146 states that the controller or processor should compensate any damages which a person may suffer, and that data subjects should receive full and effective compensation. It specifies that the notion of damages should be broadly interpreted in light of the GDPR’s objectives.
Securities fraud class actions can be directed at directors and/or corporations that misrepresent their compliance posture in their public statements, such as 10-K reports. The idea is that shareholders rely on these public statements.
These are just a few examples of lawsuits. To these, you need to add the likelihood of a breach of contractual obligations allowing clients to end their contracts with cause, and often to claim damages.
And finally, don’t forget the regulators. They have statutory powers to impose fines that can be quite hefty, as we have seen under GDPR.
What are the Challenges of Reporting to the Board of Directors?
We used to rely on Audit to report to the Board on such matters, but now a DPO has a lot of credibility and has become very important to the Board. What the Board and the Executive Team want to know is their organization’s exposure:
Where does the organization stand with respect to privacy compliance?
What is the status of the privacy program?
How is the organization prepared to manage data breaches?
The term “system-of-interest” comes from the Glossary of NIST SP 800-160 and is used to describe the system that is the focus of systems engineering effort.
Typically, the boundaries of a system are determined in relation to the authorization boundary, or other boundaries that can be programmatic, operational or jurisdictional. Although it is critical to determine the boundaries of a system, privacy risks can arise at any stage of PII processing from collection through disposal. In some circumstances, system owners may consider these stages to take place outside the typical authorization boundaries.
Most organizations have at least 3 systems of interest:
Sales and Marketing
Organizations that create products, software or applications have additional systems-of-interest around each of these. The key point is that an organization can be a controller under one system-of-interest, and a processor under another.
Reporting based on systems-of-interest allows entities to:
Identify their role for each system-of-interest and the corresponding obligations.
Consider the particularities of each system-of-interest. For instance, at Hitachi Systems Security, we have a system-of-interest around the delivery of managed security services through our proprietary platform ArkAngel. For this system-of-interest, the notion of privacy by design entails reviewing the software development life cycle policy to ensure that it includes privacy engineering concepts, and some competencies for translating privacy into coding terms. Different systems-of-interest therefore face different operationalization concerns, which also depend on the business environment of the client.
Exclude from your reporting some systems-of-interest that are not within the reach of GDPR.
Compare the compliance postures of different departments.
Certify a specific system-of-interest, such as your product, application or software, more easily.
Report on each system-of-interest, or report by average for the company.
Compare the progress of each department and empower privacy coordinators in each department to support the DPO or CPO.
How Do I Report on Data Privacy Obligations?
In order to report effectively on your data privacy obligations, you need to implement a privacy management framework that can report on your various privacy obligations such as GDPR, PIPEDA or CCPA.
For example, you could use a reporting tool such as Nymity’s Attestor™ to report. Whatever framework you decide to use, you must make sure that this framework reflects your business context and takes your available resources for deployment into consideration.
In general, there are 3 steps to leverage your reporting framework:
1. Identifying Your Target Posture
If you’ve read a law or two, you know that legal lingo tends to be somewhat ambiguous, often including terms such as “reasonable” or “adequate”. This is because these terms are more likely to evolve with new technologies and realities than a checklist of privacy or security controls.
The downside of this approach is that it leaves it up to corporations to determine what these controls are.
And that’s not all: you must be accountable for them, and able to justify that your choice of control is in fact adequate and reasonable based on the circumstances, or as the GDPR would say, based on the nature, scope, and purposes of the data processing.
Determining the applicable controls often requires an interdisciplinary approach.
When we perform privacy posture assessments, we work hand in hand with our security experts. They use different levels of precision to determine what is required from a security perspective.
In some cases, we use the terms of the legislation, such as the requirements of the GDPR, and in other cases, we can even break the control of “secure processing” down into a list of sub-controls and questions, such as the 114 controls of ISO 27K.
Depending on the context or reporting model of the client, we also work with other standards such as the Open Web Application Security Project (OWASP), the National Institute of Standards and Technology (NIST), or the 20 Critical Security Controls of the Center for Internet Security.
For each of these controls, you need to reflect on your target maturity as an organization, which is again determined based on the circumstances. Training and awareness are critical to this point. Where available, you should also consider the effectiveness of controls, such as through technical testing and tabletop exercises.
The target posture is important, as this is how legislation is applied to your business context.
2. Assessing Your Current Posture
Once you have identified your target position, you want to make sure that you assess your current position to determine the gap.
Again, a control is implemented when it is mature and effective. Controls must be audited and tested. The key point is accountability – you should not be filling the gaps yourself.
In particular, you should not be doing the job of other departments as a privacy expert. You are there to advise and suggest proper controls, but you cannot single-handedly create, implement and test all of these controls – you would need 20 of you.
At this stage, just assess your posture as it is, pretending you are external to the organization.
Would you, as a regulator, find evidence that a control is implemented?
Are you being fed information by managers that employees are not aware of?
If you were to ask any employee at random, would they be aware of the procedures that you are being told to rely on?
Privacy compliance is not shell compliance. Regulators are picky, so follow their example! It will lead you to better and more actionable recommendations.
3. Building a Remediation Map with a Risk Assessment
You know your target and current positions, so the logical outcome is that the gap is what you need to operationalize with recommendations for remediation. You need to build an implementation plan for these recommendations. Usually, this is done over a year based on the budget allowance.
One of the concerns that we see a lot is that our clients do not know where to start. They spend a lot on data discovery when they have no data breach notification procedures, for instance. Each risk must be quantified and prioritized accordingly; then your plan can be reviewed for logical outcomes. Depending on the client, we have implemented various risk quantification methodologies, so as to align with the overall Enterprise Risk Management (ERM) model of the entity.
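The three steps above, worked through as an added example (not code from the webinar, from Nymity Attestor™ or from Hitachi Systems Security): each control is scored per system-of-interest against a target maturity, current maturity only counts where a regulator would find evidence, open gaps are ranked by an assumed gap × likelihood × impact score, and coverage is reported per system-of-interest and as a company average. The system names, controls and scores are constructed for illustration.

```python
from dataclasses import dataclass
from statistics import mean

@dataclass
class ControlAssessment:
    """One control assessed for one system-of-interest (constructed model)."""
    system: str      # system-of-interest the control belongs to
    control: str
    target: int      # target maturity (0-5) chosen for the business context
    current: int     # current maturity (0-5) as reported by management
    evidence: bool   # would a regulator find evidence it is implemented?
    likelihood: int  # 1-5, inputs to the assumed risk score below
    impact: int      # 1-5

    def effective_current(self) -> int:
        # Assess as an external would: no evidence means not implemented.
        return self.current if self.evidence else 0

    def gap(self) -> int:
        return max(self.target - self.effective_current(), 0)
    def risk(self) -> int:
        # Assumed scoring (gap x likelihood x impact); align with the client's ERM model.
        return self.gap() * self.likelihood * self.impact

def coverage_by_system(assessments):
    """Percent of target maturity achieved, reported per system-of-interest."""
    by_system = {}
    for a in assessments:
        by_system.setdefault(a.system, []).append(a)
    return {s: round(100 * sum(min(a.effective_current(), a.target) for a in lst)
                     / sum(a.target for a in lst))
            for s, lst in by_system.items()}

def company_average(assessments) -> int:
    """One figure for the Board: average coverage across systems-of-interest."""
    return round(mean(coverage_by_system(assessments).values()))

def remediation_map(assessments):
    """Open gaps ordered by risk, so the plan starts where exposure is highest."""
    return sorted((a for a in assessments if a.gap() > 0),
                  key=lambda a: (-a.risk(), a.system, a.control))

# Constructed sample: the two systems-of-interest named on the page, four controls.
SAMPLE = [
    ControlAssessment("Sales and Marketing", "Breach notification procedure", 4, 3, False, 4, 5),
    ControlAssessment("Sales and Marketing", "Data inventory", 3, 3, True, 2, 3),
    ControlAssessment("ArkAngel managed services", "Privacy in SDLC policy", 4, 2, True, 3, 4),
    ControlAssessment("ArkAngel managed services", "Secure processing", 5, 4, True, 3, 5),
]
```

With the sample, the breach notification procedure ranks first because management's reported maturity is discounted to zero without evidence, which is exactly the "data discovery before breach procedures" mistake the text describes.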
How Can I Get Funding for a Budget Dedicated to Privacy?
Often, the Board of Directors allocates budgets for compliance, legal and security matters, and privacy seems to fall between the cracks. While privacy budgets are common in the EU, other jurisdictions are not as used to dedicating funding exclusively to privacy projects.
Here are a couple of suggestions for how to get funding for a dedicated privacy budget:
Explain to your Board their liabilities for privacy-specific obligations.
Create a privacy steering committee where the compliance, legal and security departments are represented, and manage it as an interdisciplinary approach, through a combined budget. A privacy steering committee can ensure that your privacy reporting aligns with your ERM model.
Demonstrate how a privacy management tool such as the Nymity Attestor™ can be used to manage all risks, including legal, compliance and security, effectively replacing a Governance, Risk and Compliance (GRC) model. You may combine forces to get budget!
If you’re a DPO under GDPR, you may need to remind your organization that they have obligations in terms of the resources that they make available to you, and failure to do so is a breach of the legislation with consequences.
How Do Hitachi Systems Security and Nymity Help?
Most of our clients do not have the proper tools to allow them to manage their compliance and privacy obligations. They face many issues in terms of reporting.
Together, Hitachi Systems Security and Nymity help our clients get an external perspective on their compliance posture, report on their data privacy obligations and communicate with their stakeholders.
Whereas Nymity supports organizations through research and by helping them map all of their obligations, Hitachi Systems Security brings added value by allowing clients to understand their obligations in their specific legal context, and where necessary, to operationalize Nymity solutions into a specific data protection management framework that reflects the challenges of the organization.
In other words, Nymity provides the tools needed for privacy compliance; Hitachi Systems Security helps clients to make the best out of it!
Our privacy consulting services help clients understand whether some obligations apply to them, and what constitutes a reasonable privacy posture or adequate technical or organizational measures, based on true circumstances.
We also bring a unique approach to privacy consulting because security and privacy experts are working in synergy. This allows our clients to have an external and objective perspective on their current security and privacy postures.
Reporting is very powerful. Whether you are a small organization without many resources or a large organization, you still need to show your work to the Board, and to show it in such a way that it is meaningful to the Board members.
Without tools, you cannot explain in two minutes the importance of your work and progress with spreadsheets. You don’t have time to spend on creating sophisticated reporting in Excel (not to mention “Excel” and “sophisticated” don’t work in the same sentence!). Tools will help you keep your compliance ongoing and help you report on demand!
Organizations must ask for the resources they need to report properly. After all, you don’t know when you may need to report to a regulator instead of to your Board! Make sure you understand your business and legal context, anticipate the privacy-related questions that you may receive, and develop the accountability that you need to be effective.
Hitachi Systems Security is a global IT security service provider that builds and delivers customized services for monitoring and protecting the most critical and sensitive IT assets in your infrastructure 24/7.