Looking around us we will find all surrounding people, whether they are elderly individuals, adults, teenagers, or even children, holding at least one smart device addictively and forgetting their actual physical place and people around as if they are living in another virtual world where they can do what they like when they like. The addiction increases whenever they are younger and their use and demand for content is widely different; covering memories, news, chatting, business, games, videos, audio, among so many others, but this does not matter as all of them are sharing their personal data without even knowing that.
In business, the situation is totally different as corporates have two different types of personal data, namely customer’s data and employees’ and partners’ data. All the time these corporates are trying to serve their customers better to achieve their organizational objectives and gain their customers’ loyalty. To do so, they are trying hard all the time to collect, analyze, process, and store their customer’s data in a manner that in many cases does not respect these customers’ privacy rights or new privacy regulations.
In some cases, some corporates make millions and billions of dollars per year by processing their customers’ data in a specific manner to know how they think and behave, and this gives a great malicious advantage to corporates over customers. In many cases, we cannot call these individuals customers as they are using the corporate’s applications and services for free, and therefore, the term “data subject” is replacing the “customer” to represent all types of relationships between corporates and individuals even if it is a commercial one.
Having the two types of personal data usage, which are individual and business, and taking into our consideration insights.pecb.com the frequent news about privacy breaches and their impact on data subjects and corporates, we can understand why we have more and more regional and national privacy regulations with huge penalties.
What is Personal Data?
Personal data is any piece of information that can directly or may indirectly lead to recognizing a human being, including name, date of birth, address, phone number, and email address. Also, physical chrematistics like weight, length, the color of skin or eyes, sex, blood type, and reaching to biometric and genetic features. It can be financial like salary, loans, amounts of installments, sources of income and types, and prioritized expenses. One of the most common types of personal data collected and analyzed lately is relationships and data shared during personal and business communications. All these types of personal information among many others are collected and analyzed without the knowledge or consent of their owners to be used for secret purposes which are in many cases malicious and illegal.
What is Privacy and Why it is Important?
Privacy is the right of everyone to keep his own personal data protected from exposure by anyone else to be used for any given purpose. Due to the lately increasing personal data breaches and how many businesses are abusing the personal data of millions and billions of data subjects we started to hear about regional and global regulations like the GDPR and many national ones. The United Nations Conference on Trade and Development (UNCTAD) announces that 71% of countries have data protection and privacy legislation, 9% have draft legislation, 15% do not have legislation, and 5% of countries provided no data on legislation.
These laws and regulations were created to protect personal data from being collected, analyzed, processed, and kept without having clear and proper consent from their data subjects. There are some interference types if personal data were put in the wrong hands like decisional interference by affecting the individual decision-making process and the resulting decisions, self-representation by representing an individual in a specific manner by using their provided and shared personal information and intrusion by disturbing individual solitude or tranquility. We can find many data subject suffering from different types of cyberbullying and harassment due to many techniques including social engineering which is so much more successful in many cases.
At the same time, corporates are considered victims just like individuals when the personal data of their data subjects which can be the personal of their customers, employees, and even business partners or suppliers, are breached in any manner. This breach will lead to paying ransom to the attackers, paying penalties to regulators, and paying compensation to customers in addition to losing them and the corporate’s image in the market.
To know how much privacy is important just think about the impact of breaching it from a personal or business perspective. Individuals can have huge impacts including, and not limited to, losing the respect of others in their communities, source of income, professional credibility, ability to make decisions, participation in elections, and potentially reaching to personal health and safety. For corporates the impact is much bigger based on the nature of personal data they have and process and where their business processes are located and under which applicable laws and regulations. Therefore, we can find many corporates are investing huge amounts of money in protecting the personal data they store.
Privacy for Individuals and Corporates
I think it is clear that nowadays personal data is collected and shared in clear and unclear manners and its impact can easily reach individuals and corporates. This necessitates the need for proper awareness for different types of audiences. Who is responsible for planning and conducting awareness is totally different, as in some cases it can be governments for citizens and residents or tourists, corporate HR and Cybersecurity departments for employees, suppliers, and customers or individuals increasing their own awareness and changing their daily habits and data behavior.
There are many national awareness programs as Privacy Week in New Zealand, Privacy Awareness Week in Australia, Data Privacy Week in Canada, and Privacy, Safety, Security, and Trust Online in Philippines, among many others. Three years ago, Dubai Police has reproduced and published the famous “It wasn’t me” song with a lot of awareness lessons to all citizens and residents about how to save and not share their banking information with the support of many local banks. Two years later Egypt has done the same and many other countries all over the world are thinking about having similar public initiatives of awareness campaigns to increase the privacy awareness of their people.
Are Privacy Regulations and Standards New?
If we consider GDPR among other lately released privacy laws and regulations and ISO/IEC 27701:2019 are the first of their kind, we are wrong as there were some earlier laws and regulations like Data Protection Directive in EU since 1995 and ISO/IEC 29100:2011 Information Technology – Security Techniques – Privacy Framework among others. Privacy laws, regulations, and standards evolve over time and now we witness a great level of using and sharing personal data geared by the immerse social media applications and platforms which collect and process the personal data of billions of users all over the world. Can you imagine that more than 140 years ago and exactly in 1890 the two attorneys Samuel Warren and Louis Brandeis wrote the article “The Right to Privacy” and published it in the Harvard Law Review?
Privacy Costs and Impacts
Whenever the costs of implementing a Privacy Information Management System (PIMS) in a corporate are calculated, the impacts of breaches, attacks, and penalties must be calculated first. Nowadays we hear about some penalties reaching hundreds of USD millions and in some cases, corporates cannot survive after some privacy cases. Impacts are also evaluated based on the type of data affected and their criticality to their respective data subjects and their interests.
GDPR for example imposes huge fines if personal data is breached or misused by the organization reaching 10 million Euros or 2% of the organization’s annual global turnover and up to 20 million Euros or 4% of the organization’s annual global turnover whichever is greater. In other words, this can mean hundreds of millions for some of the tech giants we have today with their turnover exceeding billions of Dollars or Euros. The Saudi Personal Data Protection Law (PDPL) imposes fines reaches to 5 million Saudi Rials that can be duplicated and 2 years of imprisonment. These two examples are a sample of so many new privacy regulations that start to enforce organizations to protect data subjects’ rights of privacy and remove or reduce the potential impact of breaches or misuse.
If the top management of organizations considers the diverse impact on their organizations and their data subjects due to any negligence, I am sure they will invest in implementing powerful and effective PIMS.
Some other organizations will do it as an advantage and not only for compliance purposes, which I respect more. In one of my academic research articles, I am proposing an Enterprise Governance of IT “EGIT” Maturity Model “MM” which measures four main pillars, which are; Service Management, Information Security Management, Business Continuity Management, and Compliance Management which is a very important pillar lately due to its great impact on organizations.
ISO/IEC 27701 Benefits
ISO/IEC 27701 was released in 2019 to cover the international needs for privacy management systems and after the release of new laws and regulations and the update of others. It is based on ISO/IEC 27001:2013 and considers the existence of an Information Security Management System (ISMS) certification as a prerequisite. There are many benefits from implementing and certifying a PIMS based on ISO/IEC 27701:2019 which can be realized during the implementation journey and after getting your organization certified. These benefits will differ based on the nature of your organization and whether it is a private, governmental, or NGO organization and where its data subjects are located.
The most important benefit is that ISO/IEC 27701:2019 was built taking into consideration the existing privacy laws and regulations and covers almost all their requirements and specifications which are identical in many cases. Therefore, implementing an ISO/IEC 27701:2019 PIMS means that your organization has already covered not less than its applicable local and international privacy laws and regulations by default. This will enable your organization to comply with laws and regulations in addition to other contractual requirements enforced by customers and partners or suppliers. Maybe there will be some specific requirements and specifications that still need to be implemented but they are still the bare minimum.
How to implement ISO/IEC 27701
The implementation of a PIMS based on ISO/IEC 27701:2019 is a group of journeys starting with the implementation journey, operation journey, certification journey, and continual improvement journey, and each one of them has specific characteristics.
Each journey has specific stakeholders and needs resources and covers a specific part of the PIMS lifecycle.
The first journey is about identifying the organization’s context by understanding whether the organization is a controller, processor, or both. A controller is the one who decides why data is collected and how it will be used and how it will be processed as well. While the processor is the one who processes data on daily basis. In the past organizations were playing both roles but lately, and with the increase of outsourcing and cloud services, many organizations are considered controllers, and one or more of their partners or suppliers are considered their processors. In this case, the controller is still responsible for privacy compliance governance and the processor is responsible for privacy compliance too. The best-case scenario is to have the organization playing both roles, but this is very rare nowadays. In this journey, understanding the types of personal data collected, processed, and stored is very important, in addition to the types and nationalities of data subjects which is very critical to understand applicable laws and regulations and their respective requirements and implications.
The second journey will be the implementation of PIMS which covers the organization’s and its data subjects’ needs by hiring one Data Protection Officer (DPO) and one or more privacy technologists if the organization does not have any to start analyzing the data lifecycle stages and support in conducting Privacy Impact Analysis (PIAs) and Data Protection Impact Analysis (DPIAs) to understand the impacts of breaching processing and storing data subjects’ personal data. After analyzing the current situation and applicable laws and regulations, a project with clear roles and responsibilities will be initiated for developing PIMS which will be specific to each organization based on its specific context. During this project, there will be many components developed like the Privacy Policy which contains the top management’s intention regarding privacy and the Privacy Statement which will be presented to data subjects when needed. Building systems that are less susceptible to attacks will be a core principle in the organization by following what is called Privacy by Design (PbD) and its principles and requirements.
All the organization’s internal processes and systems will be updated to collect, process, and store fewer data and an external relationship with partners or suppliers will be reshaped accordingly. Clear measurements will also be embedded into all respective processes and systems with powerful technical training for technical engineers and frequent awareness to all other employees.
A clear Incident Response Plan will be developed to handle any privacy incidents and to reduce its impact in addition to updating authorities and data subjects properly.
All the applicable privacy rights will be implemented and integrated with existing processes, procedures, and technical systems to cover data subject consent for collecting, processing, storing, and sharing their personal data and how to update them or even deletion. Building this PIMS based on ISO/IEC 27701 will require continual measurement and an internal audit and management review will be a must.
All these requirements will enable the organization to respect the privacy of its data subjects while protecting its assets and existence as a minimum if it does not target satisfying its customer and leading the market.
The next journey will be operating the PIMS by all respective internal employees and external partners or suppliers properly which will be a challenge at the beginning as many procedures and technologies will be updated or even replaced. Handling data subjects’ requests and regulators’ requirements are the main characteristic of this journey while incidents may happen every now and then.
I believe that complying with laws and regulations and respecting the privacy of data subjects is one of the basic rights of people in the whole world, now with data sharing as one of the core principles of doing business and providing services. You can choose your own journey and your roles which can be secure or victim.