Key takeaways:
- Privacy by Design principles call for a preventative – not remedial – approach, but many organizations still have a large number of legacy systems and vendors to consider.
- Reviewing and retrofitting each and every vendor may not be feasible, but a comprehensive data mapping strategy will enable you to gain better oversight of your data flows and architecture.
- Privacy Impact Assessments are a crucial tool in establishing visibility and transparency over your data processing practices. Plus, in many U.S. states and in the EU, they’re a legal obligation.
When it comes to an enterprise data privacy program, prevention is better than cure — embedding privacy principles at the forefront of system designs is undeniably easier, and often less risky, than working backward.
During a recent Data Privacy Board panel, Operationalizing Privacy by Design at a Large Enterprise, Data Privacy Board member Daniel Fisher, Director of Digital and Data at Merck, said this is what separates privacy counsel from other corporate legal functions.
“You tend to go to a lawyer when there’s a fire that needs to be put out,” Daniel said. “Myself, as a privacy legal, I’m embedded from the beginning moving forward.”
Still, what about the hundreds, if not thousands, of legacy systems that can exist within a large organization? Is it realistic — or even feasible — to review and retrofit each one with respect to privacy?
While corporations have long recognized the importance of data protection, comprehensive privacy programs are still relatively green. Moreover, ongoing regulatory expansions have forced many enterprises to reevaluate their processes with respect to privacy.
Retroactively implementing Privacy by Design principles into existing systems is a daunting task but essential to ensuring robust data protection, compliance, and transparency with consumers.
Gaining Oversight of Your Systems Through Strategic Data Mapping
It’s no secret that the sheer number of existing vendors presents challenges. During the panel discussion, Evan Fleischer, Legal Counsel at Bose, acknowledged, “There’s only so much purview you can have.”
Evan shared that before you can establish a game plan for an existing vendor, you have to determine what you’re working with.
To build and maintain a privacy-preserving data infrastructure, you need a certain level of foundational knowledge of how data flows within an organization.
This is why Daniel said data mapping, which he referred to as “privacy 101,” is essential to ensuring your legacy systems are aligned with Privacy by Design principles.
“I think a lot of times, we get caught up as privacy professionals in trying to comply with the most recent U.S. state law — with one coming out every two weeks,” Daniel said. “But you kind of forget to go back to basics sometimes.”
Only when you have a comprehensive look at how data is collected, processed, and shared can you pinpoint areas of potential privacy risk and implement the appropriate safeguards.
“The easiest way to retrofit, in my opinion, is to have a strong foundational data mapping system,” Daniel said. “Only if you have that true closed universe, can you actually effectively have a compliance program to monitor.”
In an article on the technical steps for operationalizing privacy by design, writer and privacy evangelist Robert Bateman also pointed to data mapping as a crucial tool for achieving Privacy by Design goals.
Robert wrote that data mapping will enable you to answer three foundational questions:
- “How and why do your products collect personal data?”
- “What types of personal and sensitive data do you collect?”
- “Which third parties can access the data you control?”
He said that dynamic data maps can serve as a foundation for conducting privacy impact assessments (PIA) and keeping accurate records of your data-processing activities.
Evaluating Legacy Systems Through Impact Assessments
Fundamentally, Robert said that a PIA is about balancing the benefits of a processing activity against the risks to individuals, and conducting regular PIAs will enable you to build more secure products.
Data Privacy Board panelists echoed this sentiment and shared why this process is so essential to operationalizing Privacy by Design enterprise-wide.
Evan said, “PIA and risk assessments allow you to take a higher-level informational gathering approach to a legacy system to figure out what the next steps are from there.”
At Northwestern Mutual, Senior Director of Privacy Tom Holtan said PIAs are a cross-functional effort involving privacy, compliance, and legal.
While it’s true those functions bring a similar perspective, Tom shared that their collaboration helps cover complementary areas of risk and drives alignment among the functions.
“It’s building a really wonderful rapport between our departments,” Tom said. “We’re all asking similar questions but with different outcomes.”
But PIAs are more than just good practice: they’re a regulatory requirement in states like California and Connecticut and under the European Union’s General Data Protection Regulation (GDPR).
Leveraging Peer Insights to Improve Your Approach
Data Privacy Board members have turned to their confidential community of peers to benchmark and share strategies for assessing legacy systems, including tiering vendors based on risk, conducting reviews in 1-3-year cycles, and leveraging data governance processes to identify unknown legacy systems.
This is just one example of how Data Privacy Board members are able to gut-check their strategies and leverage insights from fellow data privacy leaders to advance their own programs.
If you’re leading a privacy program at a large enterprise, get in touch below to learn how you could benefit from peer benchmarking.