Today marks Data Privacy Day, and ISACA is proud to be a champion of this initiative. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. The debate over privacy seems to have shifted to a larger discussion about new types of personal information, such as location information, browsing history, Internet of Things data, individual rights and enterprise use of personal data. This expanding debate results from the proliferation of technologies, opportunities for enterprises to gain value by leveraging new data items and government’s interest in e-government initiatives. This includes taking action to protect citizens and promoting the economic opportunities that personal data use brings. The volume of personal, and often sensitive, data being collected and shared by organizations today is growing exponentially—largely because of technology advances, lower data storage costs, the rise of the Internet of Things and the emergence of major data brokerage companies.
Currently, there is a global set of privacy principles in the OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data (2013). In the last couple of years, the principle of accountability has received renewed attention as a means to promote and define organisational responsibility for privacy protection.
To help the global community implement a corresponding privacy management program, ISACA created a Privacy Guidance Task Force. Its first task was to conduct a survey regarding enterprises’ privacy governance structures and how various privacy issues and concerns are addressed. Clearly, one of the main obstacles is the complex international legal and regulatory landscape. While everybody may be in agreement on the principles, their implementation through laws and/or regulation differs across the world and, in some cases, within the same country, by state and industry sector. Businesses can only try to influence lawmakers to harmonize their positions, and this will be difficult because privacy is a cultural issue. ISACA’s survey was recently conducted, and results will be published in the near future.
Enterprises need to embed privacy as an integral component of their overall governance, risk management and compliance (GRC) frameworks. Embedding privacy into GRC frameworks requires a holistic approach. COBIT 5 defines a set of enablers to support the implementation of a comprehensive governance and management system for enterprise IT and information.
As a result, the next Task Force action is to create practical guidance explaining how the COBIT 5 enablers may be used for implementing privacy in practice. It will provide specific guidance related to all enablers:
- Information privacy policies, principles and frameworks
- Processes, including personal data privacy-specific details and activities
- Privacy-specific organisational structures
- In terms of culture, ethics and behaviour, factors determining the success of privacy governance and management
- Privacy-specific information types for enabling information security governance and management within the enterprise
- Service capabilities required to provide privacy and related functions to an enterprise
- People, skills and competencies specific for privacy
This will constitute a framework that can be tailored to any organization. Large companies with locations in multiple jurisdictions may need to consider different internal oversight mechanisms than small or medium-sized companies with a single establishment. Similarly, programs for companies that deal with large volumes of personal data will need to be more comprehensive than those of companies that handle only limited amounts of personal data. The sensitivity of the data processed may also affect the nature of a privacy management program, as even a very small company may handle extremely sensitive personal data.
With the survey and practical guidance targeted to be published in 2015, ISACA will continue on its mission to contribute effectively to the promotion of privacy and data protection best practices.
Yves LeRoux, CISM, CISSP
Principal Consultant at CA Technologies