Here’s Why, Here’s How
Any business that has customers. Any healthcare provider who has patients. Any professional who has clients. Any government agency that serves citizens. All collect personal information about individuals to one degree or another. (Hint: The degree doesn’t matter.)
Organizations collect Personally Identifiable Information (PII) in virtually every transaction that occurs for a commercial, governmental, or social purpose today. And after they collect it, they may also process, transfer, share, and store that information themselves — or with a third party acting on their behalf. (Hint: It doesn’t matter which.)
Every organization that possesses PII needs to conduct a privacy risk assessment periodically, beginning with a first-time or baseline assessment. For those governed by privacy regulations, it’s a must. For the rest, it’s just good business management.
Let’s look briefly at some of today’s most notable privacy regulations.
The European Union enacted a milestone law in 2016 with the General Data Protection Regulation (GDPR). This regulation governs the protection and privacy of individuals’ personal data in the European Union and European Economic Area (EEA), as well as the transfer of personal data outside these areas. One of its primary purposes is to simplify the regulatory environment for international business within the EU.
The United States has taken a slightly different approach to privacy protections, enacting industry-specific privacy laws, such as those for healthcare, financial services, and credit cards. In addition, several states have enacted their own privacy laws, led by the California Consumer Privacy Act of 2018.
The first federal legislation in the U.S., the Privacy Act of 1974, established a code of fair information practices to guide federal agencies in maintaining personal data. The Act governs the collection, maintenance, use, and dissemination of personally identifiable information maintained in agency records systems, which may be databases or data processing ecosystems. The law derived from concerns that PII could be misused or mismanaged to the detriment of the individual.
Passed in 1996, the Health Insurance Portability and Accountability Act (HIPAA) is sweeping, complicated legislation designed to regulate health insurance. In addition to provisions related to health insurance, the Act also addresses data privacy in its Privacy Rule. HIPAA applies to all healthcare providers who deal with Medicare, which includes virtually every hospital, medical center, and healthcare practice in the U.S.
Enacted in 1999, the Gramm-Leach-Bliley Act (GLBA) modernized the financial services industry and addressed concerns relating to the privacy of consumer financial information. The Act gave the Federal Trade Commission responsibility for enforcing the Privacy of Consumer Financial Information Rule, commonly known as the Privacy Rule.
In 2004, the Payment Card Industry Data Security Standard (PCI DSS) was established within the payment card industry in order to reduce credit card fraud by creating procedures, processes, and other controls to protect the privacy and security of cardholder data. The 12 requirements of the PCI DSS govern the entire payment card ecosystem, including merchants, banks, and card brands, and enforcement is performed by members of the payment card industry.
California Consumer Privacy Act
In 2018, the State of California enacted a landmark piece of legislation called the California Consumer Privacy Act (CCPA). Its goal is to extend consumer privacy protections to include the Internet, and it is arguably the most comprehensive Internet-focused data privacy legislation in the U.S. today.
Implementation and Enforcement
These and other laws and regulations were created to help protect the privacy of personally identifiable information that is collected in virtually every transaction that occurs for business, governmental, or social purposes — and which then may be processed, transferred, shared, and stored by the original collector or a third party acting on its behalf.
However, legislation is worthless without thorough implementation and consistent enforcement, and without penalties applied for serious violations. Demonstration of implementation begins with an assessment of an organization’s current state of compliance.
Privacy Impact Assessment - Government Agencies
In 2002, the E-Government Act recognized that the explosive growth of computers, electronic systems, Internet use, online databases, and software programs was making enormous volumes of individual information available in online government records.
Section 208 of the Act requires that federal agencies assess all systems that touch personally identifiable information to ensure that sufficient data privacy protections have been implemented. The prescribed method is the privacy impact assessment (PIA).
The PIA applies to the entire data processing ecosystem. It applies to data systems that are developed in-house, and those that are purchased or leased. And it applies whether they collect, store, maintain, use, share, transmit, or otherwise manage or process the personally identifiable information.
A sample template of one agency’s privacy impact assessment specifies that an assessment should be conducted in the following scenarios:
- When a new data system is introduced (regardless of whether paper or electronic)
- When a planned system update might substantially impact the data
- When changes are planned to an existing system to accommodate new data
- When collecting data from a new source or for a new purpose is planned
- When a data system or system component is going to be outsourced
- When a change of service providers will require the transfer of data
- When a new data-sharing agreement, or change to an existing one, is planned
The federal privacy impact assessment is comprehensive and well-considered, which is why its elements have been adopted by many private sector organizations.
NIST Privacy Framework - All Organizations
In an effort to further formalize privacy management activities for organizations, including government and business, the National Institute of Standards and Technology (NIST) developed the NIST Privacy Framework.
The prevailing version 1.0 of this voluntary tool was introduced in January of 2020, and in less than a year the privacy framework had been adopted by more than a quarter of survey respondents, according to a report by the International Association of Privacy Professionals (IAPP) and FairWarning, a nonprofit investigative news organization.
The framework helps organizations in identifying privacy risks and establishing privacy risk management programs, including data privacy protections, throughout an entire data processing ecosystem. The NIST Privacy Framework is designed to:
- Be compatible with existing domestic and international legal and regulatory regimes,
- Be widely usable by organizations of all sizes and types, regardless of their roles in the data processing ecosystem,
- Be agnostic to any particular technology, sector, law, or jurisdiction, and
- Encourage cross-organization collaboration among different teams, including executives, legal, IT, and cybersecurity.
Below is an outline of the first two levels of the NIST Privacy Framework structure, which is available in its entirety in PDF form on the NIST website. This outline helps to describe the scope of the framework.
Identify-P: Develop the organizational understanding to manage privacy risk for individuals arising from data processing.
- Inventory and Mapping: Data processing by systems, products, or services is understood and informs (i.e., drives or guides) the management of privacy risk.
- Business Environment: The organization’s mission, objectives, stakeholders, and activities are understood and prioritized; this information is used to inform (i.e., drive or guide) privacy roles, responsibilities, and risk management decisions.
- Risk Assessment: The organization understands the privacy risks to individuals and how such privacy risks may create follow-on impacts on organizational operations, including mission, functions, other risk management priorities (e.g., compliance, financial), reputation, workforce, and culture.
- Data Processing Ecosystem Risk Management: The organization’s priorities, constraints, risk tolerance, and assumptions are established and used to support risk decisions associated with managing privacy risk and third parties within the data processing ecosystem. The organization has established and implemented the processes to identify, assess, and manage privacy risks within the data processing ecosystem.
Govern-P: Develop and implement the organizational governance structure to enable an ongoing understanding of the organization’s risk management priorities that are informed by privacy risk.
- Governance Policies, Processes, and Procedures: The policies, processes, and procedures to manage and monitor the organization’s regulatory, legal, risk, environmental, and operational requirements are understood and inform the management of privacy risk.
- Risk Management Strategy: The organization’s priorities, constraints, risk tolerances, and assumptions are established and used to support operational risk decisions.
- Awareness and Training: The organization’s workforce and third parties engaged in data processing are provided privacy awareness education and are trained to perform their privacy-related duties and responsibilities consistent with related policies, processes, procedures, and agreements, and organizational privacy values.
- Monitoring and Review: The policies, processes, and procedures for ongoing review of the organization’s privacy posture are understood and inform the management of privacy risk.
Control-P: Develop and implement appropriate activities to enable organizations or individuals to manage data with sufficient granularity to manage privacy risks.
- Data Processing Policies, Processes, and Procedures: Policies, processes, and procedures are maintained and used to manage data processing (e.g., purpose, scope, roles and responsibilities in the data processing ecosystem, and management commitment) consistent with the organization’s risk strategy to protect individuals’ privacy.
- Data Processing Management: Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy, increase manageability, and enable the implementation of privacy principles (e.g., individual participation, data quality, data minimization).
- Disassociated Processing: Data processing solutions increase dissociability consistent with the organization’s risk strategy to protect individuals’ privacy and enable the implementation of privacy principles (e.g., data minimization).
Communicate-P: Develop and implement appropriate activities to enable organizations and individuals to have a reliable understanding and engage in a dialogue about how data are processed and associated privacy risks.
- Communication Policies, Processes, and Procedures: Policies, processes, and procedures are maintained and used to increase the transparency of the organization’s data processing practices (e.g., purpose, scope, roles, and responsibilities in the data processing ecosystem, and management commitment) and associated privacy risks.
- Data Processing Awareness: Individuals and organizations have reliable knowledge about data processing practices and associated privacy risks, and effective mechanisms are used and maintained to increase predictability consistent with the organization’s risk strategy to protect individuals’ privacy.
Protect-P: Develop and implement appropriate data processing safeguards.
- Data Protection Policies, Processes, and Procedures: Security and privacy policies (e.g., purpose, scope, roles, and responsibilities in the data processing ecosystem, and management commitment), processes, and procedures are maintained and used to manage the protection of data.
- Identity Management, Authentication, and Access Control: Access to data and devices is limited to authorized individuals, processes, and devices, and is managed consistent with the assessed risk of unauthorized access.
- Data Security: Data are managed consistent with the organization’s risk strategy to protect individuals’ privacy and maintain data confidentiality, integrity, and availability.
- Maintenance: System maintenance and repairs are performed consistent with policies, processes, and procedures.
- Protective Technology: Technical security solutions are managed to ensure the security and resilience of systems/products/services and associated data, consistent with related policies, processes, procedures, and agreements.
The NIST Privacy Framework and the privacy impact assessment together form a solid foundation upon which to build a robust privacy risk management program, including a privacy risk assessment.
Privacy Risk Assessment - All Organizations
A good privacy risk assessment combines privacy impact assessment principles with the NIST Privacy Framework and other best practices to create a thorough view of the vulnerabilities that could compromise personally identifiable information within an organization.
A privacy risk assessment will identify and analyze privacy risks at the organization, application, and process levels to ensure a complete evaluation. It will assess existing as well as planned processes that touch personal data, whether collecting, transmitting, sharing, storing, or otherwise processing it.
Privacy risk assessments for healthcare providers, for example, will also evaluate privacy protections and privacy vulnerabilities through the lens of the HIPAA Privacy Rule. Similarly, privacy risk assessments for financial institutions will also evaluate protections and vulnerabilities through the lens of the GLBA Privacy Rule.
The same applies to privacy risk assessments for organizations in the payment card industry and others governed by specific privacy regulations.
A privacy risk assessment will also assist an organization in developing and implementing policies, procedures, and privacy controls to manage identified risks and meet compliance requirements.
Every organization that in any way touches personally identifiable information or other sensitive individual data, whether subject to formal privacy regulations or simply governed by good business sense, should schedule a privacy risk assessment to be completed before year-end.
Organizations collect personally identifiable information (PII) in virtually every transaction that occurs today, enabled in large part by the efficiency of the Internet and myriad software applications.
Many organizations are governed by data privacy regulations and laws, including federal agencies, financial services providers, healthcare organizations, and payment card processors. For regulated industries, as well as for others who desire to protect the privacy of individuals’ data, the NIST Privacy Framework and privacy impact assessment establish a solid foundation for a robust privacy risk management program and risk assessment.
Every organization that touches PII needs to conduct a privacy risk assessment periodically, beginning with a baseline assessment. For those governed by privacy regulations, it’s a must. For the rest, it’s just smart management.