Why data privacy is much more than compliance

The idea of data privacy and protection isn't something new. However, we believe it has become a lot more complicated since businesses started embracing cloud technologies and increasing the volumes at which data is collected and shared across the hybrid multicloud environment. Today, privacy extends to a wide range of personal data and information that may be stored on personal digital devices, in corporate data centers, and in multiple cloud platforms. Compounding that complexity are ever-demanding data privacy regulations and consumer views on privacy — all of which need to be aligned to as companies look to avoid the penalties of getting privacy wrong, from heavy fines to angry customers.

If penalties for non-compliance and customer defection represent the punitive side of privacy, there’s also a positive side — namely, that customers may be more likely to do business, and may even do more business, with companies they trust. Put another way, privacy isn’t simply a must-do mandate, but an important part of your business strategy that can do a lot to help boost your brand and your bottom line. We’ll explore how building customer trust can help your business differentiate and grow in this privacy-conscious world and focus on the principles that can help form the foundation of a sound privacy strategy.

Privacy can be an important part of your business strategy that can help boost your brand and your bottom line.

Sometimes privacy compliance highlights the animal tendencies of a business. Some businesses, like turtles, may be slow to adopt new compliance measures. Others, like ostriches, may hide their heads in the sand and ignore them. Still others may believe they can outfox regulators with partial compliance. But companies that don’t take compliance seriously could face serious consequences.

New and more rigorous data privacy regulations are passed every year by major markets around the world. The European Union’s General Data Protection Regulation (GDPR) has become the gold standard of privacy laws, and many other countries are creating and refining their legislation around data privacy to resemble GDPR more closely. Examples include Brazil’s Lei Geral de Proteção de Dados (LGPD) and the California Consumer Privacy Act (CCPA) which was recently revised and expanded with the California Privacy Rights Act (CPRA). These and many others have the power to levy substantial fines and disrupt business.

At this point, compliance is simply the cost of doing business. The question on the mind of companies should be on how to align compliance with their business roadmaps and to turn privacy into a business driver.

This question, in turn, should lead to a broader cross-enterprise discussion that answers:

• Where are the synergies and/or efficiencies in the data security measures we’re taking today, and the privacy security measures we’ll need to take tomorrow?
• How do we continuously track and adapt to new regulatory requirements and growing pressure from consumers to make privacy transparent?
• What actions can lead us to being recognized as a data privacy leader in our industry?
• How do we leverage our privacy practices to deliver trusted customer experiences and drive better business results?

Businesses need to look beyond compliance and to the role that privacy can play in helping build brand equity and better customer relationships. Start building a strong privacy program today by:

1. Assessing your personal data landscape to understand where you have data, it’s risks, and the responsibilities you have towards customers and for regulatory compliance
2. Protecting your personal data using a zero trust approach to apply appropriate data privacy protection
3. Responding swiftly to customer requests and compliance requirements with unified data privacy and security workflows and automation

“In 2020, 44% of security decision-makers say their companies build in security and privacy considerations from the start when they develop services, products, or apps.” ¹

The first step toward a strong data privacy program begins when you stop seeing privacy as a security problem and start seeing it as a strategic advantage. Privacy isn’t a security box to be checked off, but should be a continuous part of the checks and balances that comprise all your business processes. How can you try to build data privacy and security into every new product or process? Follow these tips to help build a foundation for your strategy:

Step 1: Data privacy requires cross-department alignment and collaboration

Privacy is a team sport. It is an enterprise-wide initiative. Data privacy requires action and input from every part of the business that personal data touches, so seek out relevant stakeholder and executive support from the very beginning. This team may include members from marketing, operations, legal, product development, and others, in addition to security and IT groups. Data privacy compliance is a continuous process that needs to adapt, which means cross-team collaboration is necessary from planning to executing to operationalizing.

Step 2: Do some serious personal data soul-searching

If your privacy program has holes, don’t hide them – find them! Do a thorough and honest privacy risk assessment of your personal data to understand what data you have, how the data is being used, and what data privacy protection you currently have in place. Start to understand what risks you face right now and what your obligations are to customers, employees, partners, and regulators. This can help you to start building out a roadmap to your desired privacy maturity.

Step 3: Consider compliance and customer demands on data privacy to be moving targets

Privacy rules and requirements are constantly changing and evolving. As soon as you address compliance, you might be at risk of falling out of compliance if there’s a shift in regulations. Often times, regulations shift in response to individuals demanding greater data protection and privacy. That’s why it’s important that businesses view their privacy strategy as an ongoing journey – get where you need to be today to satisfy customers and regulators and be prepared to move tomorrow as customer attitudes and new regulatory changes are introduced.

Step 4: Your assessment should inform your strategy and technology investments

Once you have a good idea of where your personal data is and its risks, you should feel better prepared to start executing on your data privacy goals and business objectives. This visibility into the data landscape allows you and your stakeholders to tweak your internal data privacy standard for handling personal data, as well as other aspects of your data privacy and security strategies. Look to see what existing security, privacy, and data tools you can extend to cover privacy gaps. Then, start identifying where additional investment in technology should be prioritized.

“Now more than ever before, data security and privacy is much more than cost reduction and compliance. It is a driver of resilience, revenue, and growth.” ¹

Typically, personal and other sensitive data is pervasive; it doesn’t live on an island but is interspersed throughout your organization. Businesses therefore should consider implementing privacy measures that extend data protection across the entire enterprise.

As you consider which data privacy solutions best meet your needs to preserve data privacy, you can consider a zero trust or least-privileged access model as a guiding framework. A zero trust approach to data privacy and security never assumes that any user, application, device, or process is trustworthy. Instead, you must continuously evaluate whether or not someone or something should have access to sensitive data based on contextual information.

This context comes from assessing your data landscape with the help of a data discovery and classification tool or a solution that tracks data lineage, which provides information on the data’s origin, evolution, and where it flows. This context can also come from the results of setting up policies to monitor user access and data activity, which can be customized to monitor compliance to specific privacy regulations to detect outlier or suspicious behavior. This can help you to gain visibility into how users, data, and applications typically interact to form a baseline of what is normal versus potentially risky behavior. Together with advanced analytics, you can surface hidden data risk, evaluate its potential impact on business, and escalate cases for further investigation.

Other types of data privacy protection at the data source are also necessary to help preserve privacy while the data is at rest, in transit, or in use. Data encryption, whether for files, databases, or applications, can help prevent unauthorized users from viewing personally identifiable data. Controls such as tokenization and data masking can help minimize the sensitivity of the data and preserve privacy while it is shared and used. These capabilities often come with user access controls and activity logging that reduce mishandling of data that can potentially violate privacy.

With data privacy solutions in place and a data privacy standard established for handling personal data both internal and external to the organization, the next step is to operationalize various customer-facing privacy requirements. In a world where personal data moves at the speed of microseconds, automation and orchestration help to reduce both human error and time spent on compliance-related tasks.

Businesses should work towards unifying data silos under a common “data security hub” that allows for broad visibility into security, compliance, and audit data. By continuously discovering, classifying, and collecting such data in one place, you can be positioned to dynamically adjust your privacy standards and to react to potential threats and changing compliance requirements with the necessary contextual insight. In combination with a security orchestration, automation, and response (SOAR) solution, you can simplify many manual tasks in a secured and consistent manner – through unified workflows for critical security and privacy tasks – that can demonstrate to your customers that you are treating their data with transparency and respect. Additional potential benefits include:

• Addressing and notifying data privacy and security breaches and other incidents, within required timeframes, with cross-team collaboration
• Pulling the necessary data to create audit reports quickly that can be shared with executives and regulators
• Identifying suspicious behavior and potential threats and responding with appropriate controls and case/ticket management
• Handling data subject access requests (DSAR), as well as consent management, in a coordinated manner that scales with the volume of customer interactions and consistently reflects customer preferences

Privacy isn’t just an important part of your IT security posture. It can be an integral part of your corporate DNA. It can help define your brand, determine your customer relationships, and may ultimately drive your bottom line.

It’s no secret that many businesses today struggle to navigate an increasingly complex landscape of changing privacy regulations and shifting consumer sentiment. But businesses don’t have to face privacy issues alone. IBM can help — with our people, our solutions, and our experience.

Learn more about IBM Security for data privacy.