Need Help with Data Protection or GDPR?
While the potential consequences of non-compliance are substantial – financial loss, operational disruption, and reputational damage – the actions required to drive compliance, also provide significant opportunity to drive competitive advantage by improving trust and reputation through improved control and protection of personal information. The last few years set the records for both the most breaches and the most data compromised.
In addition to the number of breaches and amount of data lost the last few years have brought large web breaches - which are largely composed of accidentally exposing sensitive data to the Internet. Billions of records have compromised. For the first time in a long time, inadvertent data exposure and other data mishandling errors caused more data loss than malicious intrusion into networks.
The new EU General Data Protection Regulation (GDPR) introduces significant changes to the EU data protection designed to strengthen and unify data protection for individuals across Europe. GDPR went into force on 25th May 2018.
If you are a company that does not have EU customers and think you no longer have to be concerned, take a look at the Aetna members data breach impacting 11,887 people. An unnamed mail processing vendor working for Aetna sent letters to HIV patients, informing them of changes to the prescription fulfillment process along with highly sensitive HIV information. The incident triggered both civil lawsuits and ended with Aetna agreeing to pay $18.3 million to settle the various proceedings.
Privacy – Where to start?
Ensuring long term sustainability and maintainable steady state
DevBlue has experience in designing and delivering data privacy as well as data governance and security programs over recent years. Through that we have defined a methodology to not only focus on privacy remediation, but also to drive for personal data management within an organization for the long term.
Step 1 - Establish Baseline
The first phase is to undertake a privacy assessment study that will:
- Establish the landscape of personal information captured, stored and processed;
- Evaluate the current maturity of information governance, security controls and associated privacy processes (e.g. Privacy Impact Assessment, Subject Access Request) across the organization; and,
- Evaluate the technical and operational maturity of the organization to meet the longer term requirements of GDPR and other privacy regulations and ensure a sustainable future state.
The starting point will vary according to the current level of compliance with existing regulation and the level of data privacy awareness for the organization. Using a proven impact assessment methodology and toolset already used across Europe and the United States, an initial baseline of data privacy maturity will be determined. Further detailed Privacy Impact Assessments will be undertaken driven by the gap assessment and associated risk.
Step 2 - Compliance Roadmap
As a high-level view of the personal data landscape is established and the current level of compliance maturity determined, further detailed assessment and planning work is undertaken to create an overall compliance roadmap that:
- Considers current controls and risk landscape (from a personal data perspective);
- Identifies a set of sub projects that your organization needs to meet;
- Provides a view of the transition states for your organization’s data landscape;
- Evaluates the current level of data governance implementation;
- Evaluates the technical framework supporting privacy requirements.
This roadmap will also outline governance and delivery processes required to support execution of the roadmap (communications, scope, key stakeholders), the definition of the transition support function for the rollout of the privacy projects, and indicative costs for the end-to-end delivery of the privacy roadmap.
Step 3 - Remediation Solutions
Driven from the findings of the assessment and the compliance roadmap, implementation and enterprise rollout of the required remediation solutions typically cover the following domains:
- Updates to organizational policies and governance– e.g. data privacy policies, data protection officer role, accountabilities;
- Definition/updates to key processes to support requests under individual rights (subject access request, erasure requests etc), embedding of privacy by design into existing processes as well as data protection impact assessments into system/process development methodologies;
- IT remediation solutions - DevBlue has a number of solutions and accelerators from a range of vendors that include:
- Information security – data encryption, data erasure, database protection, breach protection
- Information lifecycle management – records management, data governance/data quality, data anonymization, information discovery, information archiving, analytics & reporting, data migration
- Supporting solution accelerators - case management frameworks (e.g. subject access request, breach notification/incident handling process), testing services, process redesign and governance framework
- Implementation change management – training and transition to business as usual privacy operating model.
Step 4 - Steady State
Critical to the long term success of any remediation implementation is to ensure that the changes are sustainable and maintainable for the future. Experience has demonstrated that the operational effectiveness can only be sustained with:
- Monitoring of key privacy-related metrics – staff training, PIAs, individual rights requests, incidents/near misses, key controls;
- Maintaining a view of personal data being processed as the business and systems change, through a well governed and managed processing register;
- Embedding key principles (e.g. privacy by design) into any new system/process workflows;
- Continuous improvement on policy, risk assessment, controls and the approach to measuring and managing their design and operational effectiveness.
- Full lifecycle of services through to steady state operations
DevBlue represents an organization that can deliver a full lifecycle of services from initial assessment through to the delivery of remediation solutions and establishment of a robust steady state capability that will drive compliance for future years.
- Top references in data protection and privacy programs
We have a deep understanding of the practical implications of the privacy legislation due to the several privacy programs we have performed for a range of clients.
- Comprehensive tooling and range of vendor independent remediation solutions
Our experience with PIA and other regulations including HIPAA bring an efficient privacy assessments on systems or processes has been developed through years of privacy-related engagements. We have a pedigree in delivery of security as well as information and data management solutions.
- Thought Leadership and deep understanding of data protection and privacy
From our engagements with clients and our own research we have developed several points of view on the topic of privacy and data protection with resources trained and knowledgeable in privacy.