March is FinTech Privacy Month
In our previous article we noted that the FinTech sector is possibly the most heavily regulated, and we need to acknowledge that the compliance burden is real. Managing that risk, however, need not mean being “busy”; it should mean being “smart”.
There are two strategies for smart privacy compliance management: using an established framework, and following the trail the privacy laws themselves leave toward a risk-based approach.
In today’s article we look at both as the practical route to privacy management.
The advantage of using a framework for your risk-based approach is that it lets you address possibly hundreds of privacy and cybersecurity laws and requirements through a single governance structure. One such framework is ISACA’s COBIT, which explicitly distinguishes Governance from Management.
Nymity’s Privacy Management Accountability Framework (PMAF), the Office of the Privacy Commissioner of Canada’s “Getting Accountability Right” guidance and the UK ICO’s Accountability Framework are very useful privacy management frameworks. They follow the principle-based legal constructs but go deeper, and in practice achieve the same governance-setting result.
The NIST Privacy Framework and ISO/IEC 29100, combined with ISO/IEC 27701, achieve both the privacy governance setting and the tactical privacy management goals. They also let you define a “current” versus a “target” position, which subtly introduces a maturity element into the assessment.
The tactical aspects of implementing privacy law come after a coherent privacy program has been set up, with all of the legal and organizational risk governance components defined and acknowledged by stakeholders.
In the end, all of these frameworks give the organization the opportunity to define and execute an organization-level privacy risk assessment.
That risk assessment needs to be reviewed at least annually, because laws, tactics, security threats and risks change. Its results also point to the maturity required in other processes, not just in privacy.
If we look at privacy laws beyond their shared principles, we actually see an embedded risk-based approach. These laws call for similar safeguards; here are some examples:
- Collection of personal information only with valid consent or under another, strictly defined lawful basis
- Rules on processing and transmission that require security processes and expertise
- Uses of personal data that are limited to, and associated with, a “specified purpose”
- Secondary uses permitted only under strict conditions
- Holding personal information responsibly and for a limited period, de-identifying it where possible and applying technical segregation and risk-based (role-based) access restrictions
- Risk-based retention rules and secure, timely data disposition, which point to accountable enterprise data governance
- Organizing your company’s information asset inventory and knowing its data flows, which is a clear risk-understanding step
- Technical and organizational measures requirements, which bring back the broader aspect of organizational risk management
- Resilience, in addition to confidentiality, integrity and availability, which addresses the enterprise’s dependency on data for its survival and underpins data subject rights
- Vendor (third-party) risk management, which is not only a privacy accountability requirement but also good organizational risk management and a best practice
- DPIAs or PIAs, which are essential for continuous risk assessment of new initiatives and of changes to existing ones; they serve as testing grounds for innovation while limiting data to a purpose and applying the appropriate safeguards
- Minimizing the data required for a project or initiative, the gate that puts the organization on alert to think carefully and stay accountable
- Privacy by Design and by Default, which is not just a philosophy but an invaluable resource for smart risk management
- Breach and incident handling, which shows that a proactive approach, training and awareness pay off
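Several of the safeguards above (a data asset inventory, purpose limitation, role-based access, data minimization, and risk-based retention with de-identification) can be enforced mechanically once the inventory exists. The following Python module is an added illustration written for this article; it is not code from Managed Privacy Canada, from any of the frameworks named here, or from the Practical Privacy Playbook. The asset names, role-to-purpose table, retention periods and records are all constructed for the example.

```python
"""Inventory-driven privacy controls: purpose limitation, role-based access,
data minimization checks and retention-based de-identification.

Added example for illustration; the inventory, roles and records are
constructed (hypothetical) and not taken from any real system.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical mapping of roles to the purposes they may act under.
ROLE_PURPOSES: dict[str, set[str]] = {
    "fraud_analyst": {"fraud_detection"},
    "marketing": {"marketing"},
    "support": {"customer_service"},
}

# Fields treated as direct identifiers for de-identification (assumption).
DIRECT_IDENTIFIERS = {"name", "email", "account_number", "phone"}


@dataclass
class DataAsset:
    """One entry in the information asset inventory."""
    name: str
    purpose: str                      # the "specified purpose"
    lawful_basis: str                 # e.g. consent, contract, legal_obligation
    retention_days: int               # risk-based retention period
    collected_on: date
    allowed_roles: set[str]
    secondary_purposes: set[str] = field(default_factory=set)
    records: list[dict] = field(default_factory=list)


def access_permitted(asset: DataAsset, role: str, purpose: str) -> bool:
    """Role-based access combined with purpose limitation: the role must be
    allowed on the asset, entitled to the stated purpose, and the purpose must
    be the asset's specified purpose or an approved secondary purpose."""
    if role not in asset.allowed_roles:
        return False
    if purpose not in ROLE_PURPOSES.get(role, set()):
        return False
    return purpose == asset.purpose or purpose in asset.secondary_purposes


def minimization_gap(asset: DataAsset, required: set[str]) -> set[str]:
    """Data minimization check: fields held that the purpose does not need."""
    collected: set[str] = set()
    for rec in asset.records:
        collected |= rec.keys()
    return collected - required


def pseudonymize(record: dict, key: bytes) -> dict:
    """Replace direct identifiers with a keyed hash (HMAC-SHA256) so records
    stay linkable for analytics but no longer reveal the identifier."""
    out = {}
    for field_name, value in record.items():
        if field_name in DIRECT_IDENTIFIERS:
            digest = hmac.new(key, str(value).encode(), hashlib.sha256)
            out[field_name] = digest.hexdigest()[:16]
        else:
            out[field_name] = value
    return out


def retention_expired(asset: DataAsset, today: date) -> bool:
    return today > asset.collected_on + timedelta(days=asset.retention_days)


def apply_retention(asset: DataAsset, today: date, key: bytes) -> int:
    """Disposition step: once retention has expired, de-identify every record
    in place. Returns the number of records de-identified (0 if not yet due)."""
    if not retention_expired(asset, today):
        return 0
    asset.records = [pseudonymize(r, key) for r in asset.records]
    return len(asset.records)


def build_inventory() -> dict[str, DataAsset]:
    """Constructed sample inventory (hypothetical data)."""
    transactions = DataAsset(
        name="card_transactions",
        purpose="fraud_detection",
        lawful_basis="legal_obligation",
        retention_days=365,
        collected_on=date(2021, 1, 15),
        allowed_roles={"fraud_analyst"},
        records=[
            {"account_number": "4111222233334444", "amount": 42.50,
             "merchant": "Example Store", "email": "alice@example.com"},
        ],
    )
    return {transactions.name: transactions}


if __name__ == "__main__":
    inv = build_inventory()
    txns = inv["card_transactions"]
    print("fraud analyst, fraud purpose:", access_permitted(txns, "fraud_analyst", "fraud_detection"))
    print("marketing, marketing purpose:", access_permitted(txns, "marketing", "marketing"))
    print("over-collected fields:", minimization_gap(txns, {"account_number", "amount", "merchant"}))
    print("de-identified on expiry:", apply_retention(txns, date(2022, 6, 1), b"example-key"))
```

Each function returns a result that a DPIA or an annual risk review can assert on, so the same module can serve as a control test: an unexpected `minimization_gap` or a role that gains access outside its purpose is exactly the kind of finding the assessment should surface.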
Managed Privacy Canada has certified privacy and cybersecurity expertise, backed by years of technology and risk management experience, to help any organization navigate the use of a framework and embed a risk-based approach in its data handling practices. Organizations can start with the Practical Privacy Playbook (the 2021 P3), available at www.ManagedPrivacy.ca