JohnResearch

How Privacy, Compliance, and Protocols Play Together to Protect Your PHI and PII

By Jonathan

Consent. Let’s begin with the first thing that must be present. You cannot get very far without consent or permission from the people you’re collecting data from. Mitigating cyber or social-engineering attacks begins here, and it is backed by familiarity with attack models such as the Cyber Kill Chain and MITRE ATT&CK, as well as testing guidance such as the OWASP Web Security Testing Guide. In some cases, a company has legacy data that was collected before data privacy laws were enacted, or before those laws evolved to what they are today. In the past, data privacy laws were neither ubiquitous nor strong, because lawmakers and regulatory bodies did not yet have evidence of how misuse of data could affect people. Over the years the sentiment changed as data breaches became frequent, most famously at social media giants like Facebook. Today, almost every industry has suffered data breaches. Although companies rarely reimburse affected people directly, steep government fines are a strong reason for companies to maintain data governance policies that oversee how data is collected, used, disclosed, and shared. Strong data governance policies also support incident response: knowing what data is held, where it lives, and under what authority it was collected speeds up containment, eradication, and recovery should a data breach occur.

Protocol. In health research, the protocol describes how a company carries out its research. Protocol documents describe the objectives, methods, processes, assessments, outcomes, and roles that will be followed during the course of the study. Although writing a protocol is standard and required in the industry, protocols vary in the policies and regulations that govern the study. Risk transference is present at this stage. Some companies rely on external partners so that they can concentrate on areas they believe produce better value; they offload the data collection risk onto contractors or companies that exist solely to collect data and that take on some of the legal and regulatory risk. Contracts such as HIPAA business associate agreements shift specific obligations to the vendor, but the sponsoring organization remains accountable to regulators for how its data is handled. There are also organizations that do not have the financial means to hire external companies and carry out the steps themselves.

Compliance is a process that checks whether companies are following the data privacy laws and regulations of their industry. Preparation is key to preventing data breaches, unauthorized data disclosures, and other events that could harm the company’s reputation. Preparation activities such as tabletop exercises, awareness training, and business continuity plans, to name a few, reduce the threats, vulnerabilities, and risks to company data regardless of its classification. Large companies have dedicated offices for this process. Small companies either have a few individuals covering this task, retain specialized external firms, or accept the risk of not having a compliance process at all. A strong data governance program is usually necessary for compliance to produce positive effects. Some companies may see compliance as a deterrent to their day-to-day activities or a threat to their profits. A data governance steering committee that mixes top-level management with experienced data management professionals is therefore often a necessity if the company wishes to scale, avoid fines, and bring all employees on board with a “privacy-first” mindset. Compliance is also important for a multinational enterprise with branches in different countries, because each region of the world has different data rules. For example, Europe has the GDPR, which stipulates how companies must use and process the personal data of individuals in the EU. In the US, healthcare data is governed by HIPAA, including its Privacy Rule and Security Rule, and by the HITECH Act, which strengthened HIPAA’s breach notification and enforcement provisions.

Privacy. Privacy is the process that controls how sensitive data is disclosed, used, shared, and disposed of. Privacy and security are often confused, but they are not the same: security protects data against unauthorized access, while privacy governs what authorized parties may do with it. The two work together. Whether a company has silos or not, privacy is present in virtually every team. From marketing and accounting to software engineering, all departments come across some form of sensitive data that is tied to privacy laws and to their roles. It’s very difficult to imagine a role that is exempt from privacy laws, as most companies need identifying information to deliver a product or service.

Tags: Compliance, Data, PHI, PII, Privacy, Security, Technology