The urgency for corporations to establish a mature data privacy and security program is driven by three key factors: avoiding expensive fines for non-compliance, reducing the overall cost of data storage, and maximizing productivity.
The total volume of information around the world is doubling every two years and will reach 180 zettabytes by 2025. Storing all this data is expensive. It can cost organizations up to $2.8 million every three years to store one petabyte of data, and many large organizations are approaching or have already exceeded that petabyte threshold. Further, as data volumes rise and information is distributed throughout an organization, business users struggle to derive the best value from it.
Still, data breaches and leakage are where many organizations will face the greatest financial risk. According to the 2016 Ponemon Institute Cost of Data Breach Study, the average cost for each lost or stolen record containing sensitive and confidential information continues to rise, increasing last year from $154 to $158.
One reason for the continued increase in cost is that evolving regulations around the world include steeper fines for non-compliance. U.S. privacy laws include the U.S. Privacy Act, the Children’s Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), the Health Insurance Portability and Accountability Act (HIPAA), and many others. The Federal Trade Commission (FTC) has collected millions of dollars in civil penalties for COPPA violations, and the rule has been updated to address newer concerns related to social networking, smartphone Internet access, and the ability to use geolocation information. HIPAA penalties can go as high as $1.5 million, depending on several factors, such as willful neglect and speed of correction.
Notably, the EU’s new General Data Protection Regulation (GDPR), going into effect in May 2018, applies to all foreign companies processing data of EU residents, and any company whose products are sold to EU customers can be subject to fines between 2% and 4% of their global annual revenues or EUR 20 million, whichever is greater.
To curb the financial risk associated with data privacy, finance departments must become data privacy stakeholders and be involved in the development and implementation of data privacy programs. They should advocate for a comprehensive, organization-wide data privacy program and put in the effort necessary to create a solid business case.
Here are the 10 minimum foundational business and technical requirements you’ll want to consider in supporting a business case for a data privacy program:
- A Review of Existing Privacy Guidelines and the Identification of Relevant Data
Your privacy officer and other relevant stakeholders should review existing privacy policies, risk assessments, Privacy Impact Assessments (PIAs) and data inventories. They should also identify those responsible for developing and enforcing them. An up-to-date data inventory identifies the location, movement, subject area, and organization of data, as well as the means of accessing and sharing it, inconsistencies among versions, and business value. As such, an up-to-date data inventory can also serve as the basis for a data disposal program that can dramatically reduce storage costs by identifying and eliminating all data that has no legal, regulatory, or business value.
- Private Information Categories
All personally identifiable information (PII) needs to be located and categorized. PII is any data that can directly or indirectly identify a specific individual. The locating of PII, along with the review of existing policies, procedures, and protections applied to it, establishes a baseline for measuring future progress.
- Identification of Relevant Laws and Regulations
Each organization must determine all applicable U.S. and international laws and regulations, and understand the authority of regulating agencies and the penalties for non-compliance. This is an area where the finance team can take a more active role by evaluating financial risk. Monitoring regulatory developments will give you more time to develop the appropriate cost controls for imminent changes.
- Technical and Physical Controls
A more esoteric, but nevertheless vital, concern is the development of a privacy impact assessment for all new systems and embedding it into the organization’s project management. To create a PIA, the IT and information security teams should consult industry standards and best practices, such as the ISO/IEC 27001 global specification for information security and the Payment Card Industry (PCI) Data Security Standard, which sets requirements for protecting cardholder data. Early buy-in to “privacy by design” can spare organizations the cost and inconvenience of removing or redesigning systems that can’t comply with relevant privacy regulations.
- Existing Privacy Organizations
All data privacy stakeholders should take advantage of the resources of organizations already focused on data privacy and personal protections, including the American Civil Liberties Union, Better Business Bureau, Center for Democracy and Technology, Electronic Privacy Information Center and more. In addition, the Compliance, Governance and Oversight Council’s Information Governance Process Maturity Model addresses the key processes required to reduce the costs and risks associated with data privacy regulations.
- Industry Frameworks
Several industry-specific frameworks exist that can help your organization accelerate the process of building a data privacy business case. These frameworks include policies and taxonomies not covered in existing laws and regulations. Examples include:
- American Institute of Certified Public Accountants (AICPA) and the Canadian Institute of Chartered Accountants (CICA) Privacy Framework
- Canadian Standards Association (CSA) Privacy Code
- International Organization for Standardization (ISO) 17799/BS7799
- Organization for Economic Co-operation and Development (OECD) Privacy Guidelines
- Unnecessary or Unwanted Processing of Personal Data
IT should investigate Privacy Enhancing Technologies (PETs) to eliminate or minimize the processing of personal data without compromising the functionality of information systems. Examples of these include the Platform for Privacy Preferences (P3P) and Enterprise Privacy Authorization Language (EPAL).
Industries regularly introduce new policies, practices, and technology standards for dealing with PII. For example, retailers use data masking as a compliant strategy to hide customer PII when sharing data with market researchers. For better insight and higher sales – without introducing risk – it is essential to stay abreast of data privacy developments.
- Education and Awareness
You must prioritize education and awareness-raising as a critical part of the data privacy business case and as a starting point for change management. Success is impossible unless the entire organization accepts the importance, purpose, and basic requirements of the program.
- Program Assurance Processes
Program assurance audits provide accountability and demonstrate compliance with all of the program’s specific requirements. To ensure maximum cost protection, the finance department needs to play a very active role here.
Helping your organization develop a comprehensive business case for data privacy will put you in a far better position to minimize the risks of large fines for regulatory non-compliance while controlling data storage costs.
Heidi Maher is executive director of the Compliance, Governance and Oversight Council (CGOC), a forum of over 3,400 legal, IT, records, and information management professionals from corporations and government agencies.