Privacy Challenges – Part 3: Lack of tools and best practices

Sep 27, 2016

We have made the promise to help our clients understand their privacy challenges and enable them to tackle them in a way that meets both their business requirements and regulatory requirements. Some time ago, one of our clients posed a central question: “What are key privacy challenges that organizations currently face in your opinion?” So, we decided to create a series of blog posts describing five key privacy challenges that touch organizations regardless of their industry.

The challenges, as we have named them, are:

  1. Data is the new oil
  2. Changing regulation
  3. Lack of tools and best practices
  4. Lack of professionals
  5. Implementing privacy throughout the organization

Lack of tools and best practices

Facing changes in regulation*, organizations have yet to determine what the new regulation means for their business and customers. More importantly, it is not the ‘what’ or ‘why’ that organizations struggle with – but ‘how’.

According to our research conducted in March 2016 among Top 1000 Finnish companies, there is an increasing awareness about the upcoming General Data Protection Regulation (GDPR) and a desire to take action. However, major concern for companies was a lack of both general and industry specific best practices to help them navigate through regulatory, business and consumer requirements.

Another concern is the need for tools to actualize privacy management activities effectively across organization. In most organizations, privacy management is still largely manual work: filling out spreadsheets, writing reports and lengthy email threads that are flying back and forth just to get stuck and lost. These tasks are time-consuming and usually done by expensive experts or consultants. But the reality is, that in comparison to data security, which is often discussed in connection with data protection, the tool selection for effective privacy management is almost as good as non-existent.

Whereas there is a plethora of service providers and products for various data security needs from firewalls to data recovery, privacy management services and tools are offered only by a small handful of companies. This leaves the organizations to a situation where they either have to deploy an army of pricey consultants or struggle their way through their privacy challenges on their own.

One of the challenges is finding a privacy management tool that enables companies manage and report the status of privacy management as it exists across the organization. EY’s Global Information Security Survey (2015) found that nearly half (46%) of survey respondents are most worried about the lack of clear picture of where personal information is stored and processed outside of the organization’s main systems and servers.

However, some recognized best practices for privacy management are available. One of the most established ones is Privacy Impact Assessment. Privacy Impact Assessment (PIA) is a process, which can help organizations to identify the most effective way to comply with their data protection obligations and to meet individuals’ expectations of privacy through measuring compliance and identifying risks in the organization’s data processing activities. According to IAPP-EY Annual Privacy Governance report (2015), 70% of organizations operating in the EU area report using PIAs and further 80% of governmental offices in the EU and US deploy PIAs.

PIAs have become a central part of privacy management, and their use is likely to only increase. The GDPR determines that conducting “data protection impact assessments” (DPIAs, i.e. PIAs) become mandatory in a variety of cases where an organization processes personal data. When conducted effectively and diligently, PIA helps organizations to assess their current and planned operations’ impact on privacy.  When thoroughly done, PIA also gives you a prioritized list of next steps. If you don’t know where to start with your data privacy program, PIA is a good answer.