I have been working on data privacy since before it was a recognised area of law. When I started out, what is now understood as privacy was part of a company’s compliance programme and fell to its compliance officers. Of course, privacy still falls under compliance, but it has become a unique feature of the compliance programme.
To oversimplify things for the sake of making a point, privacy is just compliance with an IT flavour, and it is something I have been giving presentations on to boards of directors and executive management for over a decade.
It’s funny, because I still have a compliance-based approach. I come to the meetings with only four slides. At first, everybody looks at me like I am out of my mind, but they soon understand that we don’t need many more to understand what privacy is all about.
Essentially, privacy in an organisation can be reduced to four fundamental questions: Which data are we collecting? Why are we collecting it? What are we doing with it? And finally, where does it go to die?
In reality, privacy and compliance programmes have to be a lot more detailed, of course, but at the end of the day, if a company can effectively answer these four “Ws”, I would argue that it has a very robust programme.
While the fundamentals of privacy have stayed the same, the environment businesses operate in has not. In particular, the general public is becoming more aware of privacy issues, and the last of the four “Ws” has taken on a new importance. Companies cannot keep data forever and they must find ways to get rid of the data they do not need in a secure manner. Businesses must also remember that security is always key when it comes to privacy. If you’re storing data in the cloud then to a large extent you are relying on a third-party. The quality of its controls and server management may be exceptional, but it is a potential gap in your security.
As chief privacy officer, I work with the chief information security officer daily. Together, we have built an incident response plan for privacy and another for security, but the two are intertwined. My management agreed to it because we demonstrated that cybersecurity breaches are, almost invariably, a threat to privacy. That’s why I would advise counsel to always take the two threats together. You rarely discover one without the other.
Technically speaking, security has improved a lot in the last twenty years. We have created automated tools that can support anyone’s privacy policies. So much that nowadays, most ransomware attacks are due to human failure or insiders. The old approach of making a brute force attack on a server typically does not work anymore. Consequently, the bad people have gone back to tried-and-true technics, like spear phishing, which lead to attacks that take advantage of social behaviours.
I have seen an 80% increase in phishing attacks in the past few years and it has gotten even worse since the beginning of the pandemic. These are often very targeted and very well thought-out from a social engineering perspective. Hackers know that we work and live on our computers and smartphones, and it just takes one careless mistake form an employee for them to download IDs and then access all or part of your system. It is a little scary, and board members are generally very worried about phishing, but privacy professionals are here to help.
I have been tracking what may happen, during and after the pandemic, as regards to medical records. Form a privacy point of view, they have always been sacrosanct, and I think that we are going to start seeing that peel back a bit.
In the US, there has been a lot of hue and cry over vaccinations because there is this tension between the Occupational Safety and Health Administration’s requirements and the level of security that is reasonable to expect from companies. Employers have an obligation to maintain a safe workplace.
This includes protecting people from airborne diseases. Therefore, for them to carry out their duty, they should be allowed to inquire if their employees have been vaccinated against Covid.
These things have never really been allowed in our modern societies, so the ways in which this will play out should be of interest to every privacy professional and general counsel.