The complex dynamics of compliance with privacy regulations
Recently, high-profile cases involving breaches of privacy have pointed the spotlight at the ongoing need to ensure that personal information is properly protected. The issue is multidimensional, involving regulations, corporate policies, reputational concerns and developments in technology. "Every time data is handled there is an opportunity for a privacy mishap to occur," says Sam Pfeifle, publications director at the International Association for Privacy Professionals (IAPP). "Moreover, technology is moving quickly in terms of the ability to collect data, and the laws are not keeping up with how data is managed."
Companies often seem to have an uneasy truce with privacy regulations, viewing them as an obstacle to the free use of customer information that might help the organization in some way. But like many compliance and governance issues, managing privacy well can also offer benefits, protecting companies from breaches that violate laws and damage an organization's reputation. A holistic view is beneficial. "Just because an action is legal doesn't mean it's a good idea," Pfeifle says.
Elements of privacy compliance
Rather than being in conflict with the business mission, privacy should be fully integrated with it, according to Mary Ellen Callahan, who established the privacy and information governance practice in the Washington, D.C., office of the national law firm Jenner & Block (jenner.com). "Privacy should be integral to the mission and an essential part of the data management life cycle," she says. "Rules- and roles-based access to enterprise information should be determined with privacy in mind."
According to Callahan, who previously served as chief privacy officer of the Department of Homeland Security, privacy is sometimes seen as an administrative function, but it is in fact a linchpin. "Privacy is one of the building blocks of a knowledge management program," she says, "especially in this world of big data, where information may be kept for a long time."
An effective privacy program has three major components: Clear policies should be established, operations should be in compliance with those policies, and oversight should be provided to ensure accountability. "Compliance involves asking questions like whether data is being shared with third parties, whether a merger or acquisition has implications for privacy and other contextual questions," Callahan explains. "Oversight may involve remediation or asking broader questions such as why the information is being collected and what is being done with it."
The biggest mistake that organizations make in handling privacy, according to Callahan, is to collect data without a clear purpose. Given the ease of collection, the temptation is strong. "This is more of a detriment than a benefit, though," she says. "You should know not just how you are protecting personal information but also why you are collecting it in the first place."
The international angle
Increasingly, organizations must consider the different regulations that apply in countries throughout the world, as well as the fact that the regulations are changing. For example, on March 12, 2014, the Australian Privacy Principles (APPs) will replace the existing National Privacy Principles and Information Privacy Principles. The new principles will apply to all organizations, whether public or private sector, and contain a variety of requirements including open and transparent management of personal information. Of particular relevance to global companies are principles on the use and disclosure of personal information for direct marketing, and cross-border disclosure of personal information.
Expertise about privacy compliance varies widely across industries, correlating to some degree with the size of the organization. Although large companies are far from immune to privacy violations, they are at least aware of and knowledgeable about the issue, including the subtleties of international laws. "Very large multinationals are keenly aware that data privacy law is a hot topic in many parts of the world," says Stewart Room, partner at London-based Field Fisher Waterhouse. "There is also plenty of reason to believe that the topic is escalating up to the board agenda. The difficult question for these organizations is how to achieve compliance on the international stage, and whether to select different procedures for different countries."
Role of technology
The market for privacy-enhancing software products is still relatively small, according to Room, and not as mature as the market for security technology. "However, the market is likely to grow rapidly over the coming years," he says. For one thing, the legal reform agenda relative to privacy has expressed a need for such technology. "In the European Union, the current reform process for data protection has enshrined a need for privacy-enhancing technologies into the draft legislation," he explains. "There is also considerable reform-oriented activity in the United States."
Products from companies such as Compliance 360 (compliance360.com) automate the process of testing the risk for breaches, which is required for the audits mandated by the Economic Stimulus Act of 2009. That act expanded the Health Insurance Portability and Accountability Act (HIPAA) of 1996 requirements through its Health Information Technology for Economic and Clinical Health (HITECH) provisions, which include increased requirements for patient confidentiality and new levels of enforcement and penalties. In the absence of enabling software products, organizations must carry out the required internal audits and other processes manually, which is time-consuming and subject to errors.
Enterprise content management (ECM), business process management (BPM) and business intelligence (BI) technologies have important roles in privacy compliance because content, process and reporting all are critical aspects of managing sensitive information. As generic platforms, they can be customized, which has both advantages and drawbacks. On the plus side, they have a broad reach throughout the enterprise, and can be used for many applications beyond privacy compliance. However, they are generally higher priced and require development to allow them to perform that function.
"Although privacy-enhancing technology is not a core business for the technology industry, that is certain to change," predicts Room. "In the not too distant future, the market is likely to become massive."
Privacy in the cloud
Cloud applications and data storage have raised concerns about security in general, and personally identifiable information (PII) in particular. Although many customers of cloud services have concluded that cloud security is as good as or better than the security they provide in-house, the idea that personally identifiable information could be "out there" is anxiety-producing.
PerspecSys offers a solution for handling sensitive data used in cloud-based applications that allows storage in the cloud while filtering out personal information and replacing it with an indecipherable token or encrypted value. "In a typical medical record, there might be 100 data fields," says Michael Morrissey, CTO of PerspecSys, "but only 20 percent or so are sensitive." PerspecSys' AppProtex Gateway provides processes to identify the sensitive data fields and apply protection policies against those data assets so they never leave the enterprise's environment in their original form.
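The field-level replacement described above, as an added example that is not PerspecSys code or part of the original article: sensitive fields are swapped for random tokens before a record leaves, and the token-to-value map stays in a local vault. The field names, the `tok_` prefix and the in-memory `TokenVault` are assumptions made for illustration; only the token variant is shown, not the encrypted-value one.

```python
import secrets

# Hypothetical policy: which fields of a record count as sensitive.
SENSITIVE_FIELDS = {"patient_name", "ssn", "date_of_birth"}
TOKEN_PREFIX = "tok_"


class TokenVault:
    """In-memory stand-in for a token store kept inside the enterprise."""

    def __init__(self):
        self._by_token = {}   # token -> (field, original value)
        self._by_value = {}   # (field, original value) -> token

    def tokenize(self, field, value):
        key = (field, value)
        # Reuse the token for a repeated value so equality lookups on the
        # cloud side still match, without revealing the value itself.
        if key not in self._by_value:
            token = TOKEN_PREFIX + secrets.token_hex(16)
            self._by_value[key] = token
            self._by_token[token] = key
        return self._by_value[key]

    def detokenize(self, field, token):
        stored_field, value = self._by_token[token]  # KeyError: unknown token
        if stored_field != field:
            raise ValueError("token was not issued for field %r" % field)
        return value


def protect(record, vault, policy=SENSITIVE_FIELDS):
    """Return the copy of `record` that is allowed to leave for the cloud."""
    return {k: vault.tokenize(k, v) if k in policy and v is not None else v
            for k, v in record.items()}


def restore(record, vault, policy=SENSITIVE_FIELDS):
    """Swap tokens back for original values on the way in from the cloud."""
    out = {}
    for k, v in record.items():
        is_token = k in policy and isinstance(v, str) and v.startswith(TOKEN_PREFIX)
        out[k] = vault.detokenize(k, v) if is_token else v
    return out


# Constructed sample record, not real data.
SAMPLE = {"patient_name": "Jane Example", "ssn": "000-00-0000",
          "date_of_birth": "1970-01-01", "visit_reason": "annual checkup",
          "clinic_id": 17}
```

Because a token is bound to the field it was issued for, a token copied from one column into another fails on the way back in instead of silently revealing the wrong value.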