Solving the data privacy puzzle
The absence of uniform global legislation, regulations or standards for data privacy is posing a major data privacy puzzle for organizations faced with protecting the confidentiality, integrity and availability of personal customer and employee information. This is the conclusion of the Information Security Forum (ISF) following a detailed research project that drew on the views and experiences of its members, some 300 of the world’s leading companies and public sector bodies.
“While the changing regulatory climate has placed an increased focus on data privacy, compliance requirements can differ based on geography and industry sector,” says Simone Seth, a senior ISF research consultant. “Some countries enact regulation at a federal or state level, while other regulations such as the UK Data Protection Act are based on legal requirements. In other cases, such as the PCI DSS for payment card protection, compliance is based on industry standards; and the problems are further compounded by the increase in third-party relationships and new Cloud-based computing.”
Despite these anomalies and challenges, almost all data privacy compliance obligations, irrespective of jurisdiction or industry sector, are based on fundamental principles regarding the protection of personal information.
By ensuring that these principles are addressed using a structured and consistent approach, organizations are able to comply with their data privacy obligations and safeguard personal information. The ISF has defined a data privacy framework that focuses on four key areas to manage compliance obligations:
Governance – structuring the data privacy strategy
Policy – developing data privacy policy
Technology – leveraging technology to safeguard personal information
Business processes – assessing and managing data privacy risk
Too often, security controls are seen as the whole solution to privacy compliance obligations, potentially leaving organizations exposed to process-related and business-related risks that technical controls do not address. Furthermore, blurred boundaries between the organizational functions of information security, compliance and privacy – where these exist separately – can make it more difficult to manage risk across the enterprise.