Maximizing Data Utility Under GDPR

31 January 2017
By Hilary Wandall
General Counsel & Chief Data Governance Officer, TRUSTe

Trying to solve a problem, determine the optimal course of action or make a critical decision in the absence of meaningful data not only is frustrating – it can yield undesirable outcomes. It’s like driving without a map or hiking without a compass, let alone precise GPS. Or, like trying to communicate with a friend, whose last name you don’t remember how to spell, without a phone number, email address or Twitter handle.

In recent years, many business leaders have realized that connected devices, systems and sensors are generating more and more data that can be invaluable to making better business decisions. Yet, they still are deciphering how best to leverage all of the data to drive better business decisions. With impending compliance obligations under the GDPR, they may forfeit those data opportunities if they don’t implement solutions that enable ongoing authorized use of those data.

Last month, I blogged that privacy leaders can be business enablers by supporting the business in maximizing net data value in two key ways: (1) partnering with other data leaders in the organization to establish an integrated approach to data governance that enables data benefit and risks to be evaluated in a holistic way, and (2) driving consistent evaluation of the value and costs associated with the acquisition, storage, use and re-use of data.

This month, Mike Hintze and Gary LaFever published a white paper, Meeting Upcoming GDPR Requirements While Maximizing the Full Value of Data Analytics in which they tackle the new frontier of “data protection by default” under Article 25 of the GDPR. The concept of data protection by default permeates the regulation and expands upon traditional notions of data minimization or minimum necessary data to prescribe – subject to fines up to 4% of global revenue – implementation of technical and organizational mechanisms for ensuring that only the specific personal data necessary for each specific processing purpose – whether collection, scope of use, length of storage, or accessibility – actually are processed. Hintze and LaFever present a compelling case for companies to proactively implement a robust technical approach to the GDPR’s data protection by default requirements in order to both maximize data value and minimize compliance risk and liability.

As privacy professionals, we spend countless hours with business teams identifying and classifying data elements, determining the processing purposes and the legal basis for any proposed processing, evaluating data retention periods and proposed data transfers. We create data inventories and data flow maps in order to determine whether data minimization, proportionality and onward transfer requirements are met. We are startled when the hours fly by and our analyses are ongoing, and we recognize that the only way we can support goals like maximizing net data value is to rely on technology to scale our work, make it more efficient and ultimately, more effective. With GDPR’s data protection by default requirements in just 15 months, we can no longer put off plans to implement new technology to help us comply.

Fortunately, Hintze and LaFever present solutions based on a concept of “controlled linkability” that refines data so that it can be used for a range of purposes while preserving privacy and protecting the data from unauthorized processing. Controlled linkability thus facilitates extraction of the full value of data, enabling both GDPR and other regulatory compliance as well broad data utilization. In order for businesses to preserve and enhance the value of their data beyond the next 15 months, however, the time to plan for effective implementation of these technology solutions is NOW.

Since so many businesses rely on big data analytics, as increasingly artificial intelligence, to fuel innovation and growth, it has become essential to know how to ensure compliance in a way that allows your data assets to be utilized. Hintze and LaFever are sharing about their approach today in an IAPP webinar on “Unlocking Big Data Value Under the GDPR” featuring Gwendal Le Grand, the Director of Technology and Innovation of La Commission Nationale de l’Informatique et des Libertés (CNIL). You can learn more at www.anonos.com/bigprivacy.

 

 

Top Topics of 2016

2016

We would like to thank all of our blog subscribers and visitors for a great 2016. This year has had many monumental privacy events, from the EU General Data Protection Regulation (GDPR) being adopted to EU-US Privacy Shield being finalized. TRUSTe was there as your trusted privacy advisor throughout the changes, and here are the top three blog posts of the year:

1. EU GDPR Series: Tips on Privacy Compliance

This series gives the background on the EU GDPR, the path to compliance, and practical implementation steps for each phase of your program. Each individual post contains best practices, tips, and examples of how to implement a GDPR Privacy Program.

2. Three Part Series: The Privacy Leader as Business Enabler

TRUSTe General Counsel & Chief Data Governance Officer Hilary Wandall wrote a three part series about navigating the ever-changing privacy terrain in order to help business teams manage data responsibly and effectively.

3. Key Takeaways from Building a Privacy Governance Program Webinar

In this webinar Michelle Fleury, Sr. Director of Supply Chain Operations at Cisco, and Patrick Curry, Director of Privacy and Compliance at McKesson US discuss how to build a privacy governance program. The blog post contains steps to get your privacy program started.

We look forward to even more exciting developments in 2017!

The Privacy Leader as Business Enabler – Part 3. Maximize net data value.

Return and risk balance concept

16 December 2016
By Hilary Wandall
General Counsel & Chief Data Governance Officer, TRUSTe

Over the past two days, I shared the first two lessons I’ve learned to “Be a counselor and Build sustainable solutions over the past 15 years of seeking to navigate the ever-changing privacy terrain in order to help business teams manage data responsibly and effectively. The final lesson I’ve learned is that it’s not enough to focus on regulatory compliance, maturity, accountability or even ethics. While all of these are important components of an effective, holistic, progressive approach to managing a program, in order to truly embed privacy and data governance into the functioning of a business, a privacy leader needs to help the business understand the value of data as an asset – as well as the risks associated with that data – not just on the individual project level, but across the organization. In other words, the privacy leader needs to think and speak the language of the business and the way in which the business thinks about successful outcomes. Here are some tips to help get those conversations started.

3.  Maximize net data value. In sharing my first lesson learned, I mentioned that when you are guiding business teams on how to realize the value of the data to their specific projects, you should help them see the corresponding risks associated with not effectively governing and protecting that data. While that can – and should – be done on a project-by-project basis, in order to truly enable the business, the privacy leader should look for opportunities to partner with other data stakeholders in the organization to drive or support the organization in support of a broader data governance strategy.

a.  Partner for integrated data governance. A broader, holistic data governance strategy for an organization that enables it to concurrently view data needs, data value and data risks, needs to take into consideration not only privacy and data protection-related data responsibilities, but rather, how those responsibilities align with other information lifecycle management and compliance responsibilities within an organization. Such responsibilities might include financial data, for which the chief financial officer is the primary stakeholder; trade secrets and other intellectual property, for which the chief innovation officer, chief technology officer, research or product leader of the organization is responsible; customer data, for which the chief marketing officer typically is the key stakeholder; e-discovery for which the general counsel is primarily responsible; and administrative, technical and physical risks associated with sensitive, confidential and proprietary business information which the chief information security officer typically oversees; and compliance program implementation and effectiveness, which the chief ethics and compliance officer monitors and oversees for the organization. Consistent data identification and classification strategies across all of an organization’s data types can inform consistent evaluation of data uses and reuses, benefits and risks.

b.  Consistent data evaluation can drive better business decisions. Establishing an integrated data governance program can not only help organizations understand the benefits and risks of data in a holistic way, it can drive consistent evaluation of the value and costs associated with acquisition, storage, use and reuse of the data. This in turn can inform the business of how effective management of the data is key to driving a range of potential business outcomes and also how to make key business decisions based on that knowledge and understanding. [1] Early work is underway to quantify the value of data as an asset. [2] This work may lead to better assessment of the value of data generated in connection with an innovative new technology, the value of data in a potential divestiture or sale of a line of business, the value of data compromised by a breach and the investments in resources, controls and insurance to preserve that value. Over time, perhaps there will be accounting standards for recognizing most data on an organization’s balance sheet, and for how data contributes to revenue, expense, and net income or loss. For now, however, viewing one’s privacy responsibilities as part of a broader data governance strategy can help earn the privacy leader a seat at the table in strategic discussions about business drivers in addition to discussions about compliance and risk.

[1] See http://www.gartner.com/smarterwithgartner/why-and-how-to-value-your-information-as-an-asset/

[2] See Sidgman, J and Crompton, M. Valuing Personal Data to Foster Privacy: A Thought Experiment and Opportunities for Research. Journal of Information Systems: Summer 2016, Vol. 30, No. 2, pp. 169-181.

 

The Privacy Leader as Business Enabler – Part 2. Build Sustainable Solutions.

blank

15 December 2016
By Hilary Wandall
General Counsel & Chief Data Governance Officer, TRUSTe

Yesterday, I shared the first lesson I’ve learned “Be a counselor over the past 15 years while seeking to navigate the ever-changing privacy terrain in order to help business teams manage data responsibly and effectively. The second lesson I learned first caught me by surprise and then over time convinced me that the methods the business teams I was counseling were seeking to solve their business challenges were in fact the potential answer to a problem I encountered six years into serving as a privacy leader. Before I share my tips on building sustainable solutions, I thought sharing my personal story on how I learned this lesson could provide some helpful context.

I was fortunate to learn how to be a privacy leader from an amazing leader, lawyer, counselor, philosopher and friend. He had the vision and the courage of his convictions to lead us to develop a global privacy and protection policy that would set a baseline standard for governance and protection of data across our business globally. Over two years, he persuaded all areas of the organization on the business value of the approach. Over the next thirteen years, only the proliferation of breach notification laws and a mega-merger would necessitate a few substantive changes to that policy.

The surprise to me was the sustainability of the policy given the frequency with which new privacy laws continued to be enacted. Regardless of how often the laws continued to change, the policy always provided the basis for complying with the substantial majority of any new legal and regulatory requirements. The best evidence of that policy’s sustainability, as evidenced by its ability to address even the latest developments in global privacy standards, is that earlier this year, it ultimately became the basis for the first EU approval of a company’s binding corporate rules (BCRs) that were based on a program previously certified by TRUSTe as compliant with the APEC Cross-Border Privacy Rules (CBPR) system.

While we were able to develop a sustainable policy all of those year ago, we were less fortunate in dealing with the rapidly growing number of initiatives that moved from paper to automation to cloud computing to data analytics. Six years into running a global privacy program primarily off of email, documents and sheets, we made our first attempt at using technology to automating some of our workflows. After piloting a number of approaches over the next five years, we concluded that the only way to really serve the business efficiently and effectively over time was to build an integrated privacy management platform that would allow us and business teams to readily determine the risks of a particular technology or business process at any point in its lifecycle. Put simply – build sustainable solutions. Here are some tips to help you develop your own approach.

2.  Build sustainable solutions. Not all organizations are ready to put robust, sustainable solutions in place. Some are only resourced to handle obligations on an initial ad hoc basis. Others are beginning to move up the maturity curve toward repeatable, defined, managed and optimized.

a.  Business is not static. Regardless of an organization’s privacy and data governance program maturity, most organizations have data and technology needs that continue to evolve as business needs change and technology improves.

b.  Privacy regulation is unlike any other regulatory area. Because data about people can be generated in some many different forms and contexts – from where we go, to what we eat, to how we feel, what we spend and whether we sleep – privacy and data protection requirements can be enforced by many different types of regulators, and in some cases, by private parties as well. In this complex regulatory environment, the privacy leader, as well as others in the business, legal and compliance, need to be able to demonstrate accountability and compliance upon request at any point in time.

c.  Good governance and technology solutions. Good governance, clearly documented roles and responsibilities are critical not only to putting a program in place, but also to enabling it to be implemented effectively and to mature over time. Technology solutions support these goals as well. Other business functions that rely on data, such as finance and human resources, have recognized the importance of investments in workflow automation, cloud computing and data analytics. Privacy and data governance programs can be made sustainable through technology solutions that facilitate creating data processing inventory, evaluating of associated risks, documenting mitigating controls, identifying changes, managing potential incidents and demonstrating what is in place and its effectiveness. While this can be a substantial undertaking, investment in modular solutions in ways that are tailored to an individual company’s culture and maturity can enable an organization to manage privacy much more effectively so that the privacy leader can focus on tackling new and emerging issues.

In summary, sustainable solutions such as good governance and technology position the privacy leader well for helping the organization to maximize net data value – a concept we’ll explore further in my final post in this series.

 

The Privacy Leader as Business Enabler – Part 1. Be a Counselor.

Hilary current
14 December 2016
By Hilary Wandall
General Counsel & Chief Data Governance Officer, TRUSTe

Part 1. Be a Counselor.

Last Thursday I had the honor of delivering a firestarter session at the IAPP Practical Privacy Series in Washington D.C. I had been asked to speak about re-envisioning the role of a privacy leader as a business enabler – rather than a leader who solely focuses on providing compliance, policy and/or legal guidance, and it inspired me to share three invaluable lessons I’ve learned over the past 15 years while seeking to navigate the ever-changing privacy terrain in order to help business teams manage data responsibly and effectively. Based on the kind feedback I received from participants, I am sharing highlights from the session in a three part blog series.

  1. Be a counselor. Regardless of an organization’s maturity in governing data, protecting data, or implementing a privacy program, business teams need to focus on delivering business results. They may feel that they don’t have time to worry about privacy regulations and processes that detract them from that focus. What they need is a counselor – someone who helps them think through their business needs for the data and the business risks associated with not governing and protecting the data effectively and sustainably. How can you be a counselor? Follow these tips to get started.
    1. Have a conversation. Seek to understand what the business wants to do with the data: What are their goals? What do they want to achieve? What data do they believe are needed for that purpose? Do they think they might want to do with the data in the future? Based on your discussions with them about the value of the data to them, help them understand the risks associated with not protecting the data.
    2. Transparent communications. Help them envision transparency tools, such as notice, choice and account management for individual rights like access and correction, to meet broader communications objectives for projects. For example, a newsletter might be a vehicle to deliver a required privacy notice as well as a mechanism to invite the recipient to consent to additional other types of interactions with the organization.
    3. Choose the best vendors. Business teams often will be guided for expense management reasons to select vendors primarily based on cost. Often, however, the lowest cost vendors are ill equipped to support the risk management and regulatory obligations for which the business is responsible. Worse yet, some business teams don’t realize that their data responsibilities and liability don’t end when the data are in the hands of the vendor. Guiding the business to select vendors that appropriately balance cost and mitigate risk will help prevent data breaches and other liability problems that can obliterate any immediate cost savings.

If you found this guidance helpful, I hope you’ll return for the other two parts in this series.

div>