Making Data Privacy a Priority in 2022

Is your organization thinking proactively about the future of cybersecurity and compliance? As the year draws to a close, many are wondering what will be the next “big thing” or hot button issue that captures the attention of businesses of all sizes and across all industries.

I believe it’s important to have a well-rounded information security program that doesn’t give too much attention to a single domain or discipline while neglecting other, equally important areas. That being said, I think that data privacy will take the spotlight in 2022 as consumers become more aware of the importance of privacy, and far-reaching global regulations continue to roll out to help protect their privacy rights.

Read on to learn more about why data privacy is important and how you can prepare for the future of privacy compliance.

Why Is Data Privacy Important?

Data privacy and protection are important because mishandling personal information and allowing it to be accessed by unauthorized third parties can have serious consequences. The deployment of the European Union’s General Data Protection Regulation (GDPR) in 2018 ushered in a new era of data privacy regulations and related penalties for organizations that don’t comply with these rules.

For example, earlier this year the Luxembourg data protection authority hit Amazon with a record $888 million fine for allegedly processing personal data in an illegitimate way. As a growing number of nations — and states in the U.S. — introduce similar regulations to promote consumer data privacy, businesses are realizing that noncompliance with these laws is a serious offense.

Data privacy is also essential for building trust with consumers. High-profile news stories, documentaries, and social activism continue to bring a great deal of attention to privacy rights and the overall value of personal data. When this data falls into the wrong hands, it can be used to target users with unwelcome advertising messages or even to defraud them for financial gain.

If a person discovers that your organization is to blame for the abuse of their data, it often leads to irreversible reputational damage that can spread like wildfire. To that end, transparency about how you intend to collect, use, process, and store personal data is crucial — you don’t want someone thinking you mishandled their data when everything is above board.

How to Prepare for an Increase in Privacy Regulations

In our 2021 Compliance Benchmark Report, 40% of respondents noted that increased privacy requirements and upcoming legislation are creating additional work for their organization. Here are three ways you can get ahead of the curve when it comes to data privacy and avoid a stressful rush to get things sorted.

Create (or Refine) Your Privacy Policy

Your organization’s privacy policy is the chief mechanism you use to communicate disclosures regarding the handling of personal data. While there is not currently an all-encompassing U.S. federal law that requires businesses to have a privacy policy, there are several existing laws that mandate privacy policies for specific circumstances. As this list continues to grow, your organization would be well-advised to create or refine your privacy policy to stay prepared for the future. It should include information such as:

  • What data is being collected
  • How data is collected
  • The purpose for which the data is used
  • With whom the data may be shared
  • Disclosures to third parties
  • Contact information for questions

Keep in mind that your privacy policy is a legal document, but it should also be written in a way that is easy for consumers to understand. According to the Cisco 2021 Consumer Privacy Survey, 47% of consumers say they have switched companies or providers due to their data policies.

Map All of Your Data

To abide by all applicable rules and regulations, your organization must have a thorough understanding of the types of personal data that are being obtained and processed. By creating a data map, you can get a clear picture of the various types of data you handle, all the parties that touch that data, and possible exposures and risk factors you may face. Data mapping can involve a combination of automation (such as identifying data through software scanning) and more manual processes (such as interviewing key stakeholders to discuss their role in the data governance hierarchy).

In addition to increasing organizational awareness and data literacy, conducting a data mapping exercise allows your business to quickly respond to data subject access requests (DSARs). It can also help with certain regulations, such as GDPR, that require your organization to have a record of all data processing activities.
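To make the data mapping idea concrete, here is a small added example (not code from the original post or from A-LIGN) that performs the automated part of the exercise: it scans a few constructed sample data stores for values that look like personal data, builds a data map of store → field → category, and then uses that map to answer a DSAR for one subject and to sketch the record of processing activities that GDPR expects. The store names, field names, records and the detection patterns are all assumptions made for the example; a real exercise would point the scanner at actual databases, files and SaaS exports, and would still need the stakeholder interviews to fill in purpose, recipients and retention.

```python
"""Toy data-mapping exercise: scan constructed sample records for personal
data, build a data map (store -> fields -> categories), and use the map to
answer a data subject access request (DSAR)."""
import re
from collections import defaultdict

# Constructed sample data stores. Store names, fields and values are
# assumptions for this example, not any real system.
SAMPLE_STORES = {
    "crm.customers": [
        {"id": 1, "name": "Ada Example", "email": "ada@example.org", "phone": "+1-555-0100"},
        {"id": 2, "name": "Bob Sample", "email": "bob@example.net", "phone": "+1-555-0199"},
    ],
    "billing.invoices": [
        {"invoice": "INV-1", "customer_email": "ada@example.org", "amount": 42.0},
        {"invoice": "INV-2", "customer_email": "bob@example.net", "amount": 17.5},
    ],
    "analytics.events": [
        {"event": "page_view", "ip": "203.0.113.7", "path": "/pricing"},
    ],
}

# Value-level detectors for a few personal-data categories (assumed patterns).
PII_PATTERNS = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$", re.I),
    "phone": re.compile(r"^\+?[\d\-\s()]{7,}$"),
    "ip_address": re.compile(r"^\d{1,3}(\.\d{1,3}){3}$"),
}
# Field-name hints for categories that have no reliable value pattern.
NAME_HINTS = {"name": "name", "full_name": "name", "address": "postal_address"}


def classify(field, value):
    """Return the personal-data category of one field/value pair, or None."""
    if field in NAME_HINTS:
        return NAME_HINTS[field]
    if isinstance(value, str):
        for category, pattern in PII_PATTERNS.items():
            if pattern.match(value):
                return category
    return None


def build_data_map(stores):
    """Automated part of the mapping: store -> {field: category} for every
    field that holds personal data in at least one record."""
    data_map = defaultdict(dict)
    for store, records in stores.items():
        for record in records:
            for field, value in record.items():
                category = classify(field, value)
                if category:
                    data_map[store][field] = category
    return dict(data_map)


def answer_dsar(stores, data_map, subject_email):
    """Locate every record referencing the subject's email across the mapped
    stores; returns {store: [record, ...]}. The map tells us which fields to
    check, so stores with no email field (e.g. analytics) are skipped."""
    hits = defaultdict(list)
    for store, fields in data_map.items():
        email_fields = [f for f, cat in fields.items() if cat == "email"]
        for record in stores[store]:
            if any(record.get(f) == subject_email for f in email_fields):
                hits[store].append(record)
    return dict(hits)


def processing_record(data_map):
    """Skeleton of a record of processing activities: the categories of
    personal data each store holds. Purpose, recipients and retention come
    from the manual stakeholder interviews, not from scanning."""
    return {store: sorted(set(fields.values())) for store, fields in data_map.items()}


if __name__ == "__main__":
    data_map = build_data_map(SAMPLE_STORES)
    print("data map:", data_map)
    print("DSAR hits:", answer_dsar(SAMPLE_STORES, data_map, "ada@example.org"))
    print("processing record:", processing_record(data_map))
```

The point of keeping the map as a separate artifact is that the DSAR lookup reads only the fields the map classified as identifiers, so adding a new store to the inventory automatically extends both the access-request search and the processing record without touching the lookup code.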

Conduct a Gap Analysis

Because outside guidance is often the fastest and most effective way to get businesses where they need to be with data protection, a gap analysis can prove invaluable in helping your organization prepare for privacy regulations. It can be difficult to identify essential action items and streamline necessary remediation if you are required to comply with different laws in order to serve customers in different countries or states.

These rules often have considerable overlap that can lead to unintentional and costly duplication of compliance efforts. By outlining each control or requirement involved with different privacy laws, a data protection and privacy gap analysis makes it significantly easier to manage these laws and avoid falling behind on critical initiatives.

Consider Using HITRUST to Demonstrate Commitment to Privacy

While there is no single certification that ensures compliance with every single privacy regulation in the world, there is an assessment that has proven to be a robust, versatile way to prove that an organization has suitable privacy controls in place: the HITRUST Common Security Framework (HITRUST CSF).

HITRUST was originally designed in collaboration with data protection professionals for the healthcare industry, where the protection of personal data is vital. The HITRUST CSF Validated Assessment is very flexible, and the evaluated controls can be mapped to various laws such as GDPR, CCPA, the Singapore Personal Data Protection Act, and more.

HITRUST also recently released a new Implemented, 1-year (i1) Validated Assessment that makes this HITRUST certification more attainable for smaller organizations and those with fewer resources. At the moment, organizations can only be assessed on the effectiveness of their security and privacy controls combined.

However, in response to growing demand for organizations to be able to provide certifiable evidence of privacy compliance, HITRUST plans to release a new privacy assessment in 2022. This assessment is expected to utilize the NIST Privacy Framework, ISO 27001 Privacy Framework, APEC Framework, GDPR, CCPA, and FIPP. Stay tuned for more information about the forthcoming HITRUST privacy assessment, as I believe this will be a game changer for the world of privacy compliance.

Strengthening Your Compliance Program

Over the past decade, businesses have learned to place an emphasis on cybersecurity to promote their longevity and stakeholder satisfaction. Now it’s time for organizations to build up cultures of privacy by putting the customer and their data rights at the center of conversations about data protection. This should involve thinking carefully about compliance risks for present-day and future legislation. Consider leveraging a strategic compliance partner like A-LIGN to conduct a privacy impact assessment and help your organization enhance privacy policies and procedures while preparing for the future of data privacy in the U.S. and the rest of the world.