By Muhammad Tariq Ahmed Khan, Head of Cybersecurity Audit, Internal Audit Division, Arab National Bank
There has been a misconception about privacy that confuses many people. People tend to share seemingly related or unrelated personal information online, such as birthdays, addresses, contact details, marriage, and holiday plans on social media. People are also inclined to share pictures of favorite foods, people, localities, and workplaces, in addition to providing opinions on sensitive issues (religious, national, political, etc.) throughout different social media platforms. On the other hand, new and exciting technologies are emerging almost on a daily basis, and people share their information in the guise of playing games online, attending virtual worlds, and shopping online. Similarly, organizations also collect and store relevant personal information for business purposes. Consequently, the privacy risk increases ubiquitously with every share. The shared data, individually or collectively, can be used for malicious activities.
Before moving ahead, let’s have a clear understanding of “Privacy” and related terminologies:
What is Privacy?
Privacy is the ability of individuals or groups to seclude themselves, or information about themselves, and thereby express themselves selectively. (Source: Wikipedia)
In other words, Privacy is an individual’s fundamental right to have control over the collection, usage, and dissemination of personally identifiable information.
Personally Identifiable Information (PII) – Information that directly or indirectly identifies an individual. For instance: name, address, date and place of birth, National Identity Number, biometrics (e.g., photo, fingerprint, iris, etc.).
What is Data Privacy?
“Data Privacy”, also called “Information Privacy,” is the technical aspect of information security that deals with the ability of an organization to handle PII, or an individual’s right to determine what kind of data can be collected and stored in a computer system and shared with third parties.
Difference between Data Privacy and Data Security?
People and organizations are sometimes confused by the differences between Data Privacy and Data Security. Both of them pertain to PII but are distinct concepts. Data Privacy is about the control (related to usage and governance) over PII, such as policies and procedures being established to ensure that PII is collected, stored, used, and shared appropriately. Data Security, by contrast, is about ensuring that technical controls (related to confidentiality, integrity, and availability) are implemented to protect PII from malicious cyber-attacks. In other words: Data Security is a technical aspect of PII, whereas Data Privacy is a legal aspect. In layman’s terms, privacy is the fundamental right to be left alone without any intervention.
One of the biggest challenges faced by any organization is managing privacy risks. Since privacy awareness has increased over time, people are becoming more concerned with how organizations are handling their personal information.
Moreover, with the inception of privacy regulatory laws and associated penalties, it has become mandatory for organizations to take necessary steps in establishing and implementing a strong privacy risk management framework. An inadequate or missing risk management framework may present numerous organizational risks, such as:
1. Possible damage to the organization’s public image and reputation
2. Potential financial or operational losses
3. Regulatory sanctions and penalties/fines
4. Loss of customers’ trust and failure to attract customers
5. Damaged business relationships
Recommended Good Privacy Governance and Controls:
Digital records of PII demand unique forms of protection at each part of their lifecycle. It is paramount for an organization to implement an effective privacy program that includes the following good privacy governance and controls in order to address the above privacy risks:
1. Have a formal corporate governing structure to determine the level of privacy risk appetite acceptable to senior management.
2. Have a privacy framework containing policies and procedures relating to the privacy of personal information that address data classification, record management, retention, and destruction.
3. A Privacy Risk Management Framework should be developed to identify, analyze & evaluate, and treat privacy risks.
4. Define the roles, responsibilities, and accountability related to the privacy program during its life cycle.
5. Document the business purposes for collecting personal information to ensure that PII which is not required is not collected or retained.
6. Identify what kind of PII the organization is required to collect, who will collect it, how it will be collected, and who will define what is personal or private.
7. Know where all personal information is stored and who has access to it.
8. Implement a technical solution to set different permission levels for employees based on what PII they need to access, such as Public, Private, and Restricted Access.
Data Confidentiality Assurance:
9. Ensure PII is encrypted at rest and in motion throughout the life cycle. PII should be encrypted at various levels — databases, networks, system platforms, application layers, and business process/functional levels.
10. Identify the rules for disclosing PII to relevant third parties, and ensure that PII is not disclosed to unauthorized entities (people and systems).
Data Governance & Education:
11. Define an awareness program to provide employees with privacy awareness training and guidance on their specific responsibilities in handling privacy requirements, issues, and concerns. Employees who handle or have access to personal information must have undergone the required training.
12. Ensure that skilled resources are available to develop, implement, and maintain an effective privacy program.
Privacy Compliance Monitoring Framework:
13. Establish a compliance monitoring framework to periodically verify the compliance level, ensuring that privacy policies and procedures are being followed and are detailed enough to meet new or current requirements.
14. Perform an assessment of the privacy laws and regulations that currently apply to the organization or will apply in the future.
Privacy Incident Response Plan:
15. Develop a privacy incident response plan for use in the event of a breach or attempted breaches of personal information, and to report such breaches to authorized individuals or regulators or anyone who has been affected by a data breach. This includes breaches that occur on the part of third parties.
16. Establish a data-flow map that covers what kind of information is subject to transfer from one location to another, such as between departments, between individuals, to and from third parties, and through geographical borders.
Privacy Technical Solutions:
17. Any software or system or technology to be used for privacy should be fully evaluated and secured before deployment.
18. Consider deploying hyper automation to automatically redact PII from both static files and audio/video recordings.
Key Benefits of Good Privacy Governance and Controls:
Some key benefits of good privacy governance and controls are:
- Protecting the organization’s image and reputation.
- Protecting valuable data of the organization and its customers, employees, and business partners.
- Achieving a competitive advantage in the marketplace.
- Complying with applicable privacy laws and regulations and avoiding regulatory penalties.
- Enhancing an organization’s credibility and promoting confidence.
Protecting privacy cannot be separated from technological development, and these days, organizations are inclined to invest in security technology to reduce the risk of privacy exposure. However, there is no technology that will prevent and eliminate the risk of every data privacy breach. So, organizations should fully understand the nature of risk and take a layered approach to improve their security posture by taking the time to understand PII and re-evaluate how this privacy data can be managed and protected.
This article does not cover Data Privacy with respect to the collection, usage, storage, and dissemination of PII in physical form.
About the Author:
Muhammad Tariq Ahmed Khan is Head of Cybersecurity Audit, Internal Audit Division, Arab National Bank, Riyadh. He is a “Subject Matter Expert” in Technology and Cybersecurity Audits. He has more than 21 years’ experience in the Banking industry, in areas such as IT, Cybersecurity, and IT Audit. He has a solid understanding and application of Risk-Based Audit methodology, ISMS (ISO 27001), ISO 22301, NIST and COBIT, IT & Information Security regulatory compliance. To his credit, Tariq also has sound technical knowledge (as evidenced by his pertinent professional certifications) in various IT platforms and IT project management – with experience in Disaster Recovery and Business Continuity Management.
He has published articles on different topics of cybersecurity and he has spoken at regional and international seminars and conferences.