A Skills-Based Approach To Enterprise Privacy
The speed of technological advancement has made it imperative to reexamine traditional approaches when it comes to privacy protection
Privacy has become the linchpin for the success of any enterprise. There are multiple reasons for this. The first and probably the most visible reason is the rise of privacy legislation such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA) and India's own Personal Data Protection bill. The second is the rise of new and advanced persistent threats to data such as ransomware and, last but not least, the rise of privacy-aware customers has emerged as a key factor. The impact of breaches extending into the real world has implications for both enterprises and individuals. Large-scale reputational damage and financial damage can result when news about the latest and largest privacy breach spreads via the internet across the globe.
Traditionally, the approach to privacy has been to implement a slew of measures impacting the people, process, technology triad to ensure privacy. The speed of technology change, however, has made it imperative to reexamine traditional approaches when it comes to privacy protection. Despite the obvious techno-deterministic lens proponents of technology apply when arguing that technology itself is the solution, it is important to underline here that technology in and of itself is a double-edged sword.
To effectively grapple with privacy challenges posed to enterprises, it has increasingly become important to take a multi-pronged approach with a blend of technology and business focus. Effective privacy protections require blending technical skills and knowledge to assess, build and implement a comprehensive privacy solution while enhancing business value, customer insights and trust—ultimately improving the organisation's image.
This is easier said than done, however, and requires a thorough understanding of the enterprise's data lifecycle, the associated privacy architecture that goes with the enterprise's data lifecycle and tying it together with the right privacy governance system. A 'by design' approach is recommended to achieve effective privacy, which requires understanding the needs of the business and the potential of technology from the word go. In many cases, technology enables the collection of any and all types of data from users and oftentimes without the user even being aware that a specific type of data is being collected. Within the enterprise, business and even IT staff are often not aware of what data is required and why. So, it is imperative to adopt a lens that helps engineer the necessary approach to using technology and applying it to business needs while keeping in mind the privacy angle.
To effectively ensure privacy aspects are considered by design when it comes to technology, people in the decision-making loop need to be competent to not only understand the technology but also understand what controls (i.e., countermeasures) can be applied to ensure privacy. Traditionally people involved in privacy protection have not had much to fall back on when it came to building skills necessary for applying a privacy lens to decision-making. A disaster is waiting to happen when a poor understanding of the risks posed by misunderstood and badly configured technology is coupled with ill-defined processes aimed at privacy protection. There is a great demand for privacy professionals. According to ISACA’s recent Privacy in Practice 2022 survey, 63 percent of global respondents anticipate increased demand for legal/compliance roles and 72 per cent expect more demand for technical privacy roles. The Privacy in Practice 2022 survey also found that the top three things that global respondents are seeking in privacy professionals are compliance/legal experience (62 per cent), prior hands-on experience in a privacy role (56 percent) and technical experience (48 per cent).
All is not doom and gloom on the privacy landscape, especially with the rise of a new approach to managing privacy that involves building the skills to understand business needs while also considering requirements originating from a compliance and customer privacy perspective. This approach allows the configuration of the underlying business processes and technologies to ensure effective privacy. New certifications such as the Certified Data Privacy Solutions Engineer (CDPSE) take a very hands-on, techno-centric, skills-based approach to effective privacy. These certifications are aimed at the practitioner in the enterprise and are agnostic of the role they play. The idea is to provide an approach to understanding the privacy implications of technology and what can be done from an enterprise-wide perspective to ensure effective privacy. Increasingly, privacy challenges abound at the crossroads of emerging technologies such as cloud, artificial intelligence, and their adoption by enterprises on the fly, in situations such as the shift to working from home in response to the pandemic.
This scenario requires an understanding of the privacy risks/challenges posed by technology and implementing effective actions to prevent risks from occurring or at least being able to recover appropriately when something happens. To paraphrase a familiar saying, this will demand knowledge that is more than an inch deep and at least a mile wide.
By its very nature, this may not be possible for all technologies and all applications. However, with the appropriately skilled workforce, enterprises can at least ensure that they have the right framework in place allowing them to ask the right questions and analytically approach all privacy aspects. The outcome of such an approach would be an effective set of measures to ensure privacy on a continuing basis.
It is important to remember that three things will be required for success:
- The ability to incorporate privacy by design into technology platforms, products and processes
- Connecting with business stakeholders to understand their data needs and speak in a language they understand
- Ensuring compliance with relevant laws and requirements
Having a skilled workforce will be a great first step in each of these areas and will go a long way toward ensuring success and assuring privacy as required.
Disclaimer: The views expressed in the article above are those of the authors' and do not necessarily represent or reflect the views of this publishing house
Around The World