
As global privacy requirements evolve, many information security professionals are called upon to enhance or lead information privacy programs. While this transition may seem like a natural progression, I learned five important lessons when I moved from a focus on security and audit to the field of information privacy.
What Constitutes PII?
Understanding what counts as PII is essential to your team's success. The term comes up in most discussions, but its meaning is not evident to everyone, and collaboration works best when that expectation is set at the outset.

Some teams were unsure what constitutes Personally Identifiable Information (PII) and assumed it meant things like Social Security numbers or credit card numbers. When I initiated the EU Data Privacy Program for European customers, I had to make clear to everyone that any information that can identify a person, on its own or in combination with other data, is personal information, and that this broader definition is what the program protects.

From a security standpoint, PII usually means the high-value fields: Social Security numbers, driver's license numbers, credit card details. Biometric data and location data are personal data too; under the GDPR, biometric data processed to uniquely identify a natural person is a special category, and a set of fields that looks harmless individually (name, date of birth, postcode) can still single out a person when combined. Before issuing any security mandate for the privacy program, I made sure the information security team's interpretation of PII matched that of the other teams.
Understand the purpose and limitations
As a data security professional, my first response on discovering that personal information was being stored was to assess the security controls around it. That instinct comes from knowing how data breaches happen and what safeguarding sensitive information takes.

To understand the security framework, I ask a series of questions. First, how is the data encrypted at rest and in transit? It matters whether current, strong algorithms are used and whether there is a process for managing the cryptographic keys, because weak or unmanaged keys undo the protection.

Next, what logical access controls are in place? Controls for access to sensitive information include managing user permissions, knowing who has access to the data, and restricting that access to authorized personnel.

Then, what are the organization's log monitoring practices? Monitoring lets a team detect suspicious activity and potential breaches early, but only if the logs are reviewed regularly and from more than one angle, since that is how anomalies are spotted.

Vulnerability management is another critical concern. How does the organization identify, evaluate, and mitigate vulnerabilities in its systems? How often are security assessments performed? What ensures that findings are remediated promptly?

Understanding an organization's security posture is essential for protecting personal information, and as the threat landscape evolves I keep evaluating and improving these practices.
When I led a privacy program, I learned that the first question to ask is actually why we are storing the data at all. Knowing why personal information is collected and how it will be used is crucial. If a team cannot answer, it may mean the individuals were never properly informed or never consented to that use, and notice and consent are two key principles of privacy.
Check applications and data stores
While collaborating with teams, I encountered a common misconception: that information security controls alone adequately safeguard personal information. They do not. Every data store still needs a retention policy that is actually enforced, so I reviewed retention first, particularly where the data came from external sources. Keeping data private takes that kind of proactive approach, not just confidentiality and integrity controls.

This ties back to the second lesson, understanding why the information is needed. A standard privacy notice states that the organization will retain personal information only for as long as it is needed. Once the information no longer serves the stated purpose, it should be deleted. Failing to delete it breaches the notice that was communicated, even if the data is still perfectly protected and secured.
Collaborate closely with the legal team
Legal teams are often left out of conversations with information security teams. When the goal is protecting people's privacy, they must be involved: their knowledge and advice are crucial for navigating the complicated laws that surround privacy.

When starting a project, teams must consider what personal information they actually need, and they should talk with the legal team from the beginning to understand the rules that apply in each country or region involved. Most jurisdictions have laws protecting the privacy of their residents. The legal team can also help write clear language for privacy policies and consumer notices. Depending on where the personal information comes from and where it goes, extra rules may apply, cross-border transfer requirements being the usual example, and the legal team can provide valuable insight into those.
Evaluate the processes
Personal data has become increasingly valuable as the collection and use of information expands, and there is a growing trend of different teams and organizations sharing more data with each other, including personal information.

As a professional focused on privacy, I need to know how information moves around, whether it is kept safe at each stage, and why it is being shared in the first place. If a group collects personal information without clearly explaining the purpose to the individuals involved, that practice should not be allowed.

Even when teams intend to use the most secure methods, the effort has to be halted if the purpose is unclear or not aligned with the communicated notice. One of the main challenges I have encountered is explaining the difference between security and privacy. Many people believe that because they follow the information security policies, they are entitled to access and use the personal information; they define privacy the same way they define security, as a question of who can get at the data.
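The three review steps above (why is the data held, is it past retention, does every flow match the notice) can be run mechanically over a data inventory, alongside the security checks from the second lesson. The following Python script is an added example written for this article; it is not code from the author or from Securiti.ai. The DataStore schema, the NOTICE_PURPOSES and NOTICE_RECIPIENTS sets, the sample stores and the review date are all constructed for illustration. The point it makes in code is the one the article makes in prose: a store can pass every security check and still fail privacy.

```python
"""Privacy review of a data inventory: purpose, retention and data flows.

Added example, not code from the original article or from Securiti.ai.
The stores, the published notice, the recipient list and the review date
are all constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

# What the published consumer notice actually disclosed (constructed).
NOTICE_PURPOSES = {"order fulfilment", "fraud prevention", "support"}
# Recipients named in the notice and the country each receives data in (constructed).
NOTICE_RECIPIENTS = {"payments-processor": "IE", "support-desk": "DE"}


@dataclass
class DataStore:
    """One application or repository that holds personal data (hypothetical schema)."""
    name: str
    fields: list[str]
    purpose: str | None            # None: nobody could say why the data is kept
    collected_on: date             # when the oldest records were collected
    retention_days: int            # retention period the policy allows
    encrypted_at_rest: bool
    access_restricted: bool        # least-privilege access controls enforced
    shared_with: dict[str, str] = field(default_factory=dict)  # recipient -> country


def security_findings(store: DataStore) -> list[str]:
    """The checks a security reviewer reaches for first."""
    findings = []
    if not store.encrypted_at_rest:
        findings.append("not encrypted at rest")
    if not store.access_restricted:
        findings.append("access not restricted to authorized personnel")
    return findings


def privacy_findings(store: DataStore, today: date) -> list[str]:
    """Purpose, retention and data-flow checks: a store can pass security and fail all three."""
    findings = []
    # Lesson 2: why is the data stored? No answer means notice and consent are unverifiable.
    if store.purpose is None:
        findings.append("no documented purpose; notice and consent cannot be confirmed")
    elif store.purpose not in NOTICE_PURPOSES:
        findings.append(f"purpose '{store.purpose}' is not in the published notice")
    # Lesson 3: is the data kept longer than the notice promised?
    if today > store.collected_on + timedelta(days=store.retention_days):
        findings.append("retention period exceeded; data should have been deleted")
    # Lesson 5: does every flow match the notice, recipient and country alike?
    for recipient, country in store.shared_with.items():
        disclosed = NOTICE_RECIPIENTS.get(recipient)
        if disclosed is None:
            findings.append(f"shared with undisclosed recipient '{recipient}'")
        elif disclosed != country:
            findings.append(f"'{recipient}' receives data in {country}; notice says {disclosed}")
    return findings


def review(stores: list[DataStore], today: date) -> dict[str, dict[str, list[str]]]:
    """Run both reviews over every store; both lists must be empty for the store to pass."""
    return {s.name: {"security": security_findings(s),
                     "privacy": privacy_findings(s, today)} for s in stores}


# Constructed inventory for illustration.
SAMPLE_STORES = [
    DataStore("orders-db", ["name", "address", "order history"], "order fulfilment",
              date(2024, 1, 10), 365, True, True, {"payments-processor": "IE"}),
    # Encrypted and access-controlled, so security is satisfied, but nobody knows why
    # it exists, it is past retention, and it feeds an ad network the notice never mentioned.
    DataStore("marketing-export", ["email", "date of birth", "postcode"], None,
              date(2022, 3, 1), 180, True, True, {"ad-network": "US"}),
    DataStore("legacy-crm", ["name", "phone", "support tickets"], "support",
              date(2023, 11, 15), 730, False, True, {"support-desk": "US"}),
]
REVIEW_DATE = date(2024, 6, 1)

if __name__ == "__main__":
    for name, result in review(SAMPLE_STORES, REVIEW_DATE).items():
        print(name)
        for kind in ("security", "privacy"):
            for finding in result[kind] or ["ok"]:
                print(f"  {kind}: {finding}")
```

Run as a script it prints one line per finding. The marketing-export store is the instructive case: it would sail through the security questions in the second lesson and still has to be stopped, because nobody can state its purpose, it is past retention, and it is shared with a recipient the notice never named.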
Shifting Your Mindset
I have learned the importance of being patient and ready to take on student and teacher roles simultaneously. If you have been assigned to transition a security program into a privacy program, it's essential to recognize that this represents a significant change in your professional role. As with any job transition, many new concepts and differences exist to be understood.
Additionally, since privacy and security are often conflated, be prepared to educate others about their distinctions. To illustrate these differences, providing examples of situations where privacy was violated versus those where security was compromised can be helpful. Shifting your mindset from focusing on information security to information privacy can be challenging, but it is a rewarding experience.
About the Author:

Arfi Siddik Mollashaik is a Solution Architect at Securiti.ai, USA, a leading enterprise data security, privacy, and compliance firm. The firm specializes in implementing data classification, discovery, privacy, and data subject rights and protection software for organizations worldwide. Having worked with many Fortune 500 companies, he has vast experience enhancing the data protection and privacy programs of healthcare, banking, and financial companies. He can be reached at [email protected].
Editor’s Note: The opinions expressed in this and other guest author articles are solely those of the contributor and do not necessarily reflect those of Tripwire.