Taming Privacy Debt

“Damn! We can’t find it , we don’t know where it is, and what are the risks?”

Privacy Debt is the not too subtle realization that the laxative management of customers’ private information and sensitive intellectual property is not sufficient. This effluvia can too easily slide your business down a large financial hole. It can become very apparent during a data breach. A malevolent event such as a data breach is expensive. Corporate response costs increase substantially as too many operational resources are exhausted in chasing data location and identity owners rather than defending the company.

Say whoa! to privacy debt…

• If you collect too much data - you have privacy debt
• If you don’t know how your machine learning is eating your Big Data - you have privacy debt
• If you store your data forever - you have privacy debt
• If you don’t know where your data goes and where it flows downhill - you have privacy debt
• If you can’t royally be bothered to answer consumer (paying customers) data requests - you have privacy debt
• If you have shared your data with a 3rd party, and are not sure how they handle it - you have privacy debt
• If you are in no hurry to report a data breach, or just wear blinders - you have privacy debt

Taming the tiger

First set up a project team composed of members from the IT department, business products lines, service lines and sales. Elect a liaison to ensure senior management support and budget approval. This is necessary to ensure the executive tone-at-the-top fully supports the project.

Next the project team will investigate and discover what data their business units have collected. This data includes structured databases and loosely managed data in spreadsheets, PowerPoint presentations, reports (Tableau, SalesForce, ServiceNow, etc.), data buckets and cloud services. All of it must then be centrally managed.

Then your project team must locate the owners of the corporate data. This is a key question: what responsibility does each department’s manager, staff employees and their IT technical support team have? After discovery, analyze the results and decide the best actions to take. Then the project team must document these decisions, and perform an annual review of these findings to keep it relevant to the business.

Your project team empowers the building of new workflows and processes that strengthens data privacy protections. They assign roles, authorizations, and access rights to corporate data and systems. These deliverables should work together cohesively to strengthen the businesses key risk management while not hindering the business’s profit making workflows.

The project team enables better corporate data security and privacy protections, permitting senior management and legal to handle data retention policies. Using minimally required data increases compliance for core financials, Human Resources, and protection of intellectual property. Non-essential data should not be kept for long term storage; it should be deleted regularly and securely to reduce the risks of managing toxic data and storage costs.

Finally after the internal governance and compliance structures are in place the project team can extend their scope of work. External business partners and cloud services should be audited. The project team will need to review the audit of cloud and 3rd party corporate user accounts, databases, data storage and data access rights. These external service providers must be vetted for legitimate usage and proper data security and privacy protections by the project team. Security and compliance certifications should be required for acceptance by the project team.

Commonly the ISO 27001, 27017, 2018, 27701, and FedRamp are often used as proof of compliance to laws and security requirements being met by the Cloud service providers. Every company needs to implement the right processes to protect the business from bad data security protection habits that break security and threaten customer privacy.

Are we done yet? We started with the definition that privacy debt is the product of neglecting the maintenance , privacy and protections of customers, and corporate data. Growing successful businesses knows this is a never ending process.

The goal of the project team is to reduce privacy debt. It is a means to improve corporate risk management, and reduce costs. This increases the corporation’s ability to respond quicker to any possible security incidents. It benefits both customers and the business.

It is a win-win prize.

Best of success to you all.