
Author: Jill Stoller, Chief Privacy Officer, State Street Bank
Published: April 24, 2020

When asked to describe my responsibilities as a chief privacy officer, I often say my primary function is to be an advocate for the individuals whose personal data my organization collects, maintains and processes. This response may initially seem confusing, since we often think of legal and compliance professionals as those who guard the parapets, protecting the organization’s interests at all costs. However, with a slight shift in perspective, it becomes clear that protecting the interests of those who have entrusted your organization with their data ultimately achieves that organizational protection goal.

How then do privacy professionals perform this advocacy role? The identification of stakeholders is vital to ensuring our organization stays on the right side of the line when it comes to privacy compliance. IT professionals of all kinds, from information security officers to application developers to IT auditors, are among the most important contingents for privacy professionals to partner with in order to achieve our shared goals. Let’s explore a few core privacy concepts where IT skills are beneficial.

At privacy’s core is the concept of “personal data” or “personally identifiable information (PII).” While legal definitions of what constitutes personal data vary slightly from jurisdiction to jurisdiction, generally personal data is information that identifies a natural person. This may be possible from one data element, such as a national identification number. Other times this requires two or more data elements used together. It’s important to understand that this data requires a high level of protection, and knowing what personal data you have, where it is stored, and how it is accessed is critical. IT professionals are in an optimal position to know which strong information security controls may be implemented. Even better, if it is possible to de-identify the data at some point in its lifecycle, whether through masking, encryption, or anonymization techniques, that data is no longer considered personal data.

If the privacy profession had a mantra, it would be “less is more.” With the threat of ever-larger fines for privacy compliance violations, eliminating personal data minimizes privacy risk. The principle of data minimization is, therefore, exactly what it sounds like – minimize the amount of personal data that an organization collects in order to decrease the privacy risk. Clearly defining data requirements to limit the collection of personal data to the minimum necessary is the goal. Similarly, it’s equally important to know when that personal data no longer serves any purpose. Data minimization is also achieved by purging or archiving personal data at the end of its usefulness.

As data minimization may be accomplished at multiple places throughout the data lifecycle, IT professionals can be instrumental at identifying the options for business users. For example, when designing a new product or service, think carefully through the data required to be collected from a client to provide it. Personal data that is not necessary to collect to provide the product or service should be optional or simply not collected at all. Similarly, consider performing annual reviews of certain data types that exist in your data storage locations. If scanning data storage reveals a high prevalence of social security numbers from US clients, determine if there is a corresponding purpose for why this data is maintained. If that purpose cannot be identified, it may be best to purge that data.

The privacy topic that receives the most attention is personal data breaches, often due to the volumes of data compromised or spectacular fines (or both). Of course, no organization wants to make the headlines as a result of a personal data breach, and considerable effort and expense is put into preventing them. While sound cybersecurity programs can prevent data breaches from external actors, another area of focus should be eliminating data exfiltration and internal threats. This is one area where IT auditors can be especially helpful, as they are often experts in finding process flaws and thinking like the “bad guy.”

Privacy is no longer a manual, legal, “check-the-box” certification exercise, if it ever truly was. IT professionals already possess the skills necessary to not only assist privacy officers in their objectives, but more importantly to become key drivers in building privacy protections into operations. An understanding of the core privacy concepts above helps to foster collaboration between privacy and IT professionals.

Editor’s note: For additional ISACA privacy resources, find out about ISACA’s new Certified Data Privacy Solutions Engineer (CDPSE) certification and join the privacy conversation on Engage.