NOTE: This article originally appeared in the June 2008 issue of Flawless Compliance, under the "Center Stage" section. The link to the actual issue is at the bottom of this article.
Earlier this month, I wrote an article for Quest Software entitled
“Solving for Data Privacy”, which was a piece targeted at
IT people that introduced some concepts around how to architect a solution
for controlling data privacy. The article was inspired by a previous
webcast that I saw on GAPP (Generally Accepted Privacy Principles).
This is a new set of principles from the same people that brought us
the more popular GAAP (Generally Accepted Accounting Principles):
the American Institute of Certified Public Accountants (AICPA) and
its Canadian counterpart, the Canadian Institute of Chartered Accountants
(CICA).
The new GAPP rules were created in response to the growing concern
around data breaches in our country, and in the rest of the world. As
I mentioned in my Quest article, an informal poll was taken while the
webcast was going on, and nearly 50% of the respondents affirmed that
their company had experienced a data breach in the last two years. This
is astonishing. I assumed the number would be high, but to be honest,
not this high. I think it’s important for companies to start taking
data privacy a little more seriously.
The GAPP framework contains 66 principles across 10 different categories.
From the GAPP website, located at http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles/,
here are the categories and their intent.
- Management - The first principle of the Generally
Accepted Privacy Principles (GAPP) is Management. This principle requires
that the entity define, document, communicate, and assign accountability
for its privacy policies and procedures.
- Notice - The second principle of the Generally
Accepted Privacy Principles (GAPP) is Notice. This principle requires
that the entity provide notice about its privacy policies and procedures
and identify the purpose for which personal information is collected,
used, retained, and disclosed.
- Choice and Consent - The third principle of the
Generally Accepted Privacy Principles (GAPP) is Choice and Consent.
This principle requires that the entity describe the choices available
to the individual and obtain implicit or explicit consent with respect
to the collection, use, and disclosure of personal information.
- Collection - The fourth principle of the Generally
Accepted Privacy Principles (GAPP) is Collection. This principle requires
that the entity collect personal information only for the purposes
identified in the notice.
- Use and Retention - The fifth principle of the
Generally Accepted Privacy Principles (GAPP) is Use and Retention.
This principle requires that the entity limit the use of personal
information to the purpose identified in the notice and for which
the individual has provided implicit or explicit consent.
- Access - The sixth principle of the Generally
Accepted Privacy Principles (GAPP) is Access. This principle requires
that the entity provide individuals with access to their personal
information for review and update.
- Disclosure to Third Parties - The seventh principle
of the Generally Accepted Privacy Principles (GAPP) is Disclosure
to Third Parties. This principle requires that the entity disclose
personal information to third parties only for the purposes identified
in the notice and only with the implicit or explicit consent of the
individual.
- Security for Privacy - The eighth principle of
the Generally Accepted Privacy Principles (GAPP) is Security for Privacy.
This principle requires that the entity protect personal information
against unauthorized access (both physical and logical).
- Quality - The ninth principle of the Generally
Accepted Privacy Principles (GAPP) is Quality. This principle requires
that the entity maintain accurate, complete, and relevant personal
information for the purposes identified in the notice.
- Monitoring and Enforcement - The tenth principle
of the Generally Accepted Privacy Principles (GAPP) is Monitoring
and Enforcement. This principle requires that the entity monitor compliance
with its privacy policies and procedures and have procedures to address
privacy-related inquiries and disputes.
If you have any familiarity with compliance programs, these categories
shouldn’t come as a big surprise. Your data privacy control program
will be very similar to the rest of your compliance programs. In fact,
when constructing your privacy program, think about how you can leverage
it in the other compliance programs (e.g. SOX) that you have today.
Step 1: Start by Reinforcing Your Policies and Procedures
You probably have some policies and procedures already built to comply
with other regulations. This is a great place to start. Go through
your policies and procedures to determine where sensitive data is
collected. Then, fill in the gaps from a holistic point of view. Every
place that sensitive data is collected should be documented.
Step 2: Build in Notice, Consent, and Retention Guidelines
Next, fortify your data privacy practices. Now that all the entry
points have been identified, ensure that proper notice is given, and
consent is obtained, whenever sensitive personal information is collected.
This can be a work in progress until the entire program is instantiated.
For instance, you can start with just the framework of a notice, then
flesh things out as the program execution unfolds.
Step 3: Reinforce Your Data Systems
This is the Achilles' heel of most privacy programs. You must be absolutely
sure that there are no weaknesses in the protection of your private
data. This involves physical data (e.g. records in file cabinets),
but the biggest vulnerabilities lie in your logical data systems.
Ensure access control is adequately addressed, and that preventive
controls are in place to deny access to intruders. Although corrective
controls (controls that are put in place after the incident has occurred)
are good, preventive controls are a must. Once the data has been breached,
most of the damage has already occurred. Also, keep in mind that 80%
of your risk will come from inside your own company. Although protecting
your data from hackers is important, focus most of your energy on
avoiding inside jobs.
Step 4: Update Your Compliance Control Plan
You do have a compliance control plan, right? Since you’re
reading this, I’m going to give you the benefit of the doubt.
Item 10 above, Monitoring and Enforcement, is absolutely critical.
Once you baseline your compliance program, you need to monitor it
to make sure it’s staying under control. Data privacy controls
are no exception. These should be folded in with the rest of your
continuous monitoring.
Data privacy is a serious issue these days. The FTC settled 14 cases
with companies that had insufficient data privacy practices. In almost
all cases, the result was a mandatory, bi-annual security audit for
the next 10 to 20 years. Don’t let this be you. Start setting
up your privacy control program today.