Shockwaves Coming For Businesses Facing New Data Privacy Laws
States are passing data privacy laws at a steady clip, and there could even be a federal data privacy law soon. For many small and medium enterprises (SMEs), this could be their first exposure to having government regulation come into direct contact with their day-to-day operations.
That's because many boards and executives may be surprised to find that the personal data being regulated has quietly seeped into the nooks and crannies of their companies' operations and technology while they weren't looking.
Inevitably, someone in the organization is going to read a news article or social media post and come to the realization that... you know…
Among their many provisions, these new laws require businesses to control the collection, storage, use and transfer of certain types of data.
See, the way some companies have been combining data and cooking up data products has left a sour taste in the mouths of the public and its lawmakers. New privacy laws require businesses to conduct themselves in a way that is more palatable.
Any chef will tell you that what ends up on the palate is the result of many different choices made or ignored by the kitchen. Delivering these improved data practices will be the same.
Unprepared businesses could be in for a jolt.
That’s because reliably gaining control of our data is a finished good — a deliverable, a key result — that only happens at the end of several big organizational activities. In my years of consulting, it was common for SMEs to put many, or all, of those activities on the backburner.
Here's a visualization of the ingredients; I'll call it the Pyramid of Data Privacy.
Information Security
To start with, the direct parent of data privacy must be a successful information security practice. We know this intuitively. Try it for yourself: write down something sensitive that you wouldn't trust most people with knowing. When you're finished, it's a solid bet you'll quickly start thinking about what to do with your document to protect it. We all know private information won't be private for long, if it isn't secured!
If companies cannot demonstrate control over their underlying information systems, then the data stored and processed by those systems can never be said to be under control, either. No privacy officer, privacy project or privacy policy will matter if an adversary can simply remove data from our environments and then do with it as they please.
Attempting to implement data privacy in the absence of information security controls will ensure repeated cycles of waste and disappointment.
But the information security landscape shifts every day; it's tough to know if yesterday's security efforts will protect us tomorrow. So, our information security program will only be as reliable as the service management program that nurses it.
Service Management
Service management encompasses all the activities that give breath and blood to our technology operations. It tells us how many people should be on our team, and it tells us what kind of work they should be doing. Service management tells us, for example, whether our asset management function is operating, what results our service desk is achieving, and yes, whether our information security program is reliable.
Let's bring this back to data privacy compliance. To comply, we'll have to demonstrate control over the processes that result in data privacy. On exactly which assets is data stored, and how do we change access controls on our data when required? Is our data properly backed up, and is the data that is restored from backup still compliant? This list of considerations would go on to cover data considerations within all 34 practices of the IT service management domain.
Due to the complexity of managing the IT services, and the rapid pace of change within the information security practice, it is impossible to achieve 100% control or coverage. Small and medium businesses all know: they have to pick and choose carefully where to invest.
Risk Management
We all choose investments, as ever, based on risk. We often talk about it as "risk/reward," which is perfectly true. When we embrace real risk assessments and risk management, we can help executives demystify what the next most important investments should be.
For example, if the risks of litigating data privacy complaints, or enforcement actions, are projected to hit a continuous upward trajectory starting in January 2023, investments into our service management practice, targeted at information security and data privacy controls, may add substantial mitigation of those risks, while also setting up parallel benefits for our company in the process. Reduce legal risk, while also improving our team's productivity through technology? That decision could be an easy call.
Risk management, IT service management, information security. These are not new domains. It's the laws requiring the finished goods — data privacy outcomes — that are new. Those laws continue to grow in scope and number.
To comply, many of us will find ourselves back in the C-suites or boardrooms, tinkering with the recipes of our businesses to gain more control over information operations than we ever previously attempted. Be warned: the ripples from these technology changes can either bring a team closer together, or cause departmental walls to go up.
In future posts I’d like to share observations from within all levels of this data privacy stack, as we all explore together what tactics are working for SMEs who are embracing their responsibilities under these new laws. Drop me a reaction or a comment if that sounds interesting.