Security and privacy leaders face some critical decisions in the years ahead to ensure their organization is completely safeguarding data. The risk of not securing data and protecting privacy is too great. But, many leaders are not sure where to start. Data privacy and information security can be daunting, and their teams are already overwhelmed!
Here are 20 important data privacy questions your team can start reviewing now to build a strong data privacy and security practice.
1. Are we prepared for a data breach?
While it's a broad question, it’s probably one of the most important when it comes to protecting your organization’s data and safeguarding your customers’ data. You can probably surmise the answer to this question once you’ve successfully answered most of the questions we cover below.
In today’s threat landscape, you need to be able to handle security incidents and events with a well-documented strategy and process. It also helps to practice handling data breaches with your team during regular tabletop security exercises. These exercises help your team gauge and improve its ability to handle security incidents and data breaches in the future.
2. Do we incorporate ‘privacy by design’ into our IT systems?
If you take a ‘privacy by design’ approach to security, you approach your security projects by incorporating privacy and data protection from the start. Leveraging this approach helps your organization when complying with global data privacy regulations.
Consider incorporating ‘privacy by design’ when:
- Deploying any new IT infrastructure that stores or processes personal data
- Implementing new security policies or strategies
- Sharing any data with third parties or customers
- Using data for any analytical purposes
By incorporating ‘privacy by design,’ you are helping to minimize the risk of data loss. If you design your projects, processes, and systems with privacy in mind, you can identify problems early on and raise the level of awareness for privacy concerns in the organization.
3. Have we conducted a Privacy Impact Assessment (PIA)?
A PIA is a beneficial tool used to identify and reduce the risk of poor privacy practices in your organization. These assessments reduce your risk of mishandling personal data.
Key stakeholders take part in a PIA interview, which identifies potential privacy problems and produces recommendations on how to address them. Ultimately, a PIA will help an organization and its security team develop better policies and systems for handling sensitive personal data.
4. Are we able to measure and demonstrate compliance with global data privacy regulations?
Demonstrating compliance with global data privacy regulations is a long-term outcome of implementing the right privacy and security controls with your people, processes, governance and technology. It requires a steadfast approach to each of these areas.
Unfortunately, managing data privacy can't be treated as a check-box exercise. Global data privacy regulations are often loosely structured and can be interpreted in many ways. There’s no defined standard of security controls on how an organization should handle personal data and privacy. In reality, managing data privacy is about creating a comprehensive governance framework that’s suited to your business alone.
5. Have we identified and inventoried the data assets and processes used to store and process personal data?
If you don’t know what data assets you hold, it’s difficult to assess what impact a data breach might have on you. You must identify and confirm with key stakeholders what data the organization stores or processes. This can be done via interviews that determine where your data repositories reside.
Make sure you investigate the following areas where data typically resides:
- Applications (e.g., email, web, OS)
- Folders (e.g., shared network, local)
- Cloud and Third Parties
- Removable media
- Physical locations (e.g., cabinets, safes)
- Test and Development networks
And, make sure you inventory data across the following areas:
- Information Technology
- Application Logs
- Database Logs
- Endpoint Data
- Customer Cardholder Data
- Operational Data
- Supplier Contracts
- HR & Payroll
- Employee Personal Data
- Employee Payroll Data
- Employee Medical Records
- Acquisition and Divestment Information
- Third-Party Litigation Files
- Legally Privileged Information
- Company Tax Returns
- Investor Information
- Shareholder Reports
- Customer Service & Sales
- Customer Contracts
- Company Pricing
- Customer Data
Scanning your entire network for data in these areas will help you assess and categorize what data could be impacted by a breach. This data mapping exercise can also help you categorize data according to sensitivity.
6. Have we classified our data according to risk (high, medium, low)?
After completing the data mapping exercise noted above, you can begin to rank your data according to risk and sensitivity. You might discover that if certain data is stolen or lost, it could significantly damage your relationship with customers or your own business operations.
Having a sense of what data is at risk during a breach also helps your security team harden defenses and strategize how to protect organizational data. If they know that certain data is at risk, they can prioritize their time on a solution to protect these assets. They can also set up alerts using various security technologies to know if unusual activity occurs with these data types.
7. Who has access to our various data assets?
Another important question to ask is who has access to this information and whether their access is necessary for business operations. You may find that some of your end users have privileged access to sensitive data that they should not hold. You may also discover that these users are transmitting or storing sensitive data in a way that poses a high risk of loss.
With this information, you can begin to revise your security policies to remove privileged access to sensitive data sources. You can also protect your endpoints from data exfiltration with appropriate security technologies. Or, if users need access to sensitive data and you are still concerned about a threat actor stealing these assets, you might deploy a data masking or encryption tool to hide sensitive data.
8. Have we calculated the financial impact of high-risk data if leaked?
It’s important to know the financial impact of a potential data breach. If you want to estimate the probability of a data breach and its financial impact on the business, consider using the Ponemon Institute’s report on average breach costs. See Figure below on average per capita breach costs in each industry.
The average cost per capita for US companies in 2016 was $221. The probability of a breach that would carry a cost equivalent to a 10,000-record loss in the United States is 24% over the next 24 months – 26% globally. You can use these figures to calculate the cost of records stolen or lost. Check out our US Technical Director’s example on how to use Beckstrom’s Law with Ponemon Institute’s report to calculate a data breach cost estimate.
9. Do we have the processes and resources in place to support data access requests from individuals?
Under the General Data Protection Regulation (GDPR) legislation, individuals can now request access to their data, find out if their data is being processed, and request a transfer of their data to another system. You must put in place a mechanism by which to retrieve all their data and securely transfer the data to the individual.
This information must be provided free of charge and without “undue delay.” You should also consider who will be designated to handle these requests. Some firms may need an appointed Data Protection Officer, while others will simply need someone who can handle these requests.
10. How are we capturing data? Do we have the right level of consent?
With new global data privacy laws, organizations need to take an in-depth look at how they acquire personal data of all types. This even includes basic personal data such as first and last name. Any personally identifiable information could be used by threat actors to compromise your network. And, under global data privacy laws, you can be fined heavily for a data breach with significant impact to individual data subjects.
Organizations need to review the methods of acquiring personal data and confirm if all information is necessary. Organizations should not ask for more data than is necessary for successful operation.
11. Have we updated our privacy notices and privacy policies?
When was the last time you updated or even read your privacy notice? Probably a long time ago, right? With new global data privacy laws, it’s a requirement that personal data is processed in a transparent manner.
12. Do we have up-to-date records of all data processing activities?
Like the points above, your organization needs to keep a record of how and when data records are processed. Find out what systems use personal data records for processing and storage. This will help your security team understand how systems need to be protected, so they can create a strategy for layered threat defense and protection.
The data processing register is useful not only for your internal team; EU authorities may also require it during a data breach investigation. You want to have this in place so you can show where and when data is processed. The data processing register is also helpful for documenting any new processing activities and for implementing a process for every department that collects personal data.
13. How long do we keep data? Do we have a data retention schedule in place that is in line with legal and regulatory compliance?
A data retention schedule or records retention schedule is another document or mechanism your organization needs to have in place to safeguard personal data. The retention schedule defines how the organization aligns with legal and compliance recordkeeping requirements. Therefore, it defines how long data records are kept on file and when they are disposed of in a controlled manner. The data retention schedule also helps inform employees on the appropriate methods for destroying or deleting data that is beyond the retention schedule.
By not having a data retention schedule in place, you may be putting your organization at risk of data loss or theft. If your organization has completed the data mapping and classification exercises, you can then associate each risk category from your data mapping exercise with a retention period.
14. Do we have mechanisms in place to destroy or delete data if requested to do so?
Once you’ve defined your data retention schedule and you know when data records can be deleted, you then need to understand how data should be properly deleted or destroyed. Your employees need to know how and when to destroy or delete data. Your security department should also follow an industry standard like NIST’s Guidelines for Media Sanitization (SP 800-88) for sanitizing and clearing storage devices.
15. Do we have a regular or ongoing data audit process set up for the future?
At least once per year, your team should evaluate your data retention schedule and determine if it aligns with legal and regulatory requirements for your industry. You might find that you need to shorten or lengthen the amount of time data is kept within your recordkeeping system.
The data audit is also a time when you can answer questions about your data: what data are we collecting now, where are we storing it, how are we protecting it, what’s the process for a data access or deletion request, and who is responsible for responding to data requests? The answers to all of these questions will likely change over time. You may adopt a different method for collecting information, or the person who handles data access requests may leave. It’s important that you stay ahead of these changes and make sure your business adapts.
16. Do we regularly review and monitor applicable security controls for securing data?
Your security team should be in lockstep with the organization in setting up security controls to protect and secure personal data. Much like the review of your data audits, the security team should be responsible for regularly reviewing the security controls in place to secure data. These controls include anti-malware, SIEM and log management, endpoint protection solutions, encryption, data masking, and any other applicable security tool or technology responsible for securing data and detecting data breaches.
It would also be beneficial for your security team to regularly review how their security practices stack up against an industry best-practice standard, e.g., NIST, SANS, ISO, or COBIT. You can try out a self-assessment tool like this one to get a maturity rating on your current operations.
17. Do we have a way to monitor and detect security incidents continuously?
Organizations can now be fined if they don’t report a security incident to authorities under global data privacy laws. Therefore, it’s important that your security team can quickly monitor and detect security incidents as soon as they happen.
According to FireEye, the average dwell time for a cyber breach is 146 days, nearly five months. Having the ability to monitor and detect threats in real time is a game changer. Failing to detect cyber threats leaves your organization exposed to a major data breach.
18. Have we set up appropriate incident management procedures to handle a security incident?
Once you’ve detected a security incident, it’s even more important that extensive triage, breach reporting, containment, and threat eradication occur. An incident response plan helps clarify the course of action when handling security incidents.
Global data privacy law now mandates that organizations implement a mechanism to ensure ongoing confidentiality, availability, and resilience of data processing. Therefore, incident response is a means of protecting personal data across all these areas. Hackers will try all avenues to reach sensitive personal data. A data breach involving any personal data that results in destruction, alteration or unauthorized disclosure could put your organization at risk. It’s important that your security team also regularly reviews their incident response plan and playbook.
19. Do we know whom to notify of an impactful security breach, and how?
The financial penalties for not reporting a data breach or having inadequate technical or organizational measures in place can be extreme. The team handling incident response needs to understand breach reporting requirements under new global data privacy legislation.
The team must also come forward and report a breach if any significant amount of personal data was lost, altered, or disclosed without authorization. A notification to the supervisory authority should be included in the incident response plan and the data subjects should be notified as well. The major point here is that organizations need to have an incident response plan for proper breach notification. If the organization doesn’t have a formalized incident response plan it's more likely to face severe penalties.
20. Do we need to appoint a Data Protection Officer?
Lastly, your organization needs to determine who will handle data access and deletion requests. Under the GDPR specifically, you may need to appoint a Data Protection Officer (DPO) who handles these requests and communicates with EU supervisory authorities directly. A DPO helps the organization monitor GDPR compliance, advise on data protection obligations, advise on Data Protection Impact Assessments (DPIAs), and acts as a point of contact with the supervisory authorities and data subjects.
Under the GDPR, there are three situations that mandate the appointment of a DPO:
- A public authority is processing personal data
- A controller or processor conducts regular and systematic data processing on a large scale
- A controller or processor conducts large-scale processing of sensitive data
Whether processing counts as large-scale depends on the number of data subjects, the volume of data, the duration of processing, and the geographical extent of processing. It’s also worth noting that a DPO can be appointed internally or outsourced. Lastly, if your organization doesn’t appoint a DPO, make sure you document WHY you decided not to appoint one.
As you can see, there’s an abundance of questions involving data privacy now and in the years ahead. Consider all facets and answers with these questions – leave no stone unturned. The more transparent you are across your data privacy and security practices the better!