The EU General Data Protection Regulation is only months away, and more organizations are beginning to contemplate what they need to do for compliance. Many will begin their efforts with survey-based privacy impact assessments because for many privacy professionals that is what they are most familiar with.
However, as the “DP” in GDPR attests, the foundation of the new regulation is data protection: data security and data accountability. Neither is achievable simply by conducting surveys. Satisfying both requires detailed data knowledge and the ability to monitor for changes, risky activity, and potential violations of applicable regulations.
PIAs have their place; however, when it comes to privacy by design and privacy operationalization, only data-driven continuous compliance will do.
Going beyond good intentions
In response to almost epidemic data breaches and repeat incidents of personal data misuse, legislators and regulators have instituted myriad measures to better protect data and return control back to data subjects. Many of these rules are impossible to implement without a detailed accounting of data being stored for individuals. In many ways, this represents a sea change to how organizations safeguard their most sensitive information assets.
Privacy professionals historically were accountable to the business for ensuring compliance through better policies and processes. PIAs were in some ways a means to measure conformance with a policy and process. However, as evidenced by the escalating frequency and breadth of reported breaches and the associated liability exposure, survey-based approaches have not proven effective at ensuring compliance with either data protection or privacy policies and regulations. Mitigating data risk is nearly impossible when the measure of that risk depends on often subjective and incomplete survey responses. Managing risk starts with precise and objective measurement.
Data risk, evolved
A very similar evolution towards objective measurements of risk took place in recent years in the field of assessing third-party and vendor-risk management. Historically, third-party risk was also assessed through forms and surveys. However, this limited the repeatability, objectivity and predictability of the assessments. Consequently, third-party risk measurement has become more programmatic, so that the resulting evaluations provide consistent scoring and guidance to anyone looking to reduce risk. A similar evolution is now taking place in data-risk assessment.
With the introduction of new data governance tools to find, map and analyze personal data, it’s become possible for organizations to shift from qualitative and subjective survey-based assessments for risk and compliance validation to precise data-driven continuous compliance. Knowing whether data collection and processing exceeds defined legal or business policy thresholds becomes a function of monitoring the data. Data compliance and risk mitigation shift from "guesstimation" to always-on measurement.
Putting the “ops” back in operationalization
Regulations like the GDPR increasingly encourage companies to operationalize privacy and ensure privacy by design from development through production. This requires continuous monitoring and measurement of data risk and conformance from “build time” to “run time.” Surveys can make an organization feel better about its compliance, but it’s a false sense of security. To truly operationalize privacy, you have to be data aware and measure compliance on a continuous basis across development and production.