Ever since the European Commission launched its proposal to change privacy legislation in January 2012 (see here), the debate about privacy compliance has been on, not only in Europe, but also in the rest of the world.
Important to remember is the fact that this is just a proposal. Some people already take their wishes for reality and claim that this is already valid or will very soon be valid, which is not the case.Â However, we must give credit to the European Commission for (re)launching the debate on how we handle sensitive data from customers or citizens in our increasingly networked and automated world.Â
The question raised quite often is how information security professionals can keep up with privacy legislation and compliance. I recommend using COBIT 5 as the framework to govern privacy, work out the risks around privacy, ensure proper security management and allow auditing of privacy measures in place.Â
There are some critical success factors to handle privacy in an effective and efficient manner.Â The most important one is commitment from top management; if top management is not aware of or not concerned about privacy, they will not make available the proper resourcesâ€”in terms of people and budgetsâ€”to handle privacy in a professional manner.Â
Other factors relate to proper knowledge of roles and responsibilities, proper coordination, one glossary, etc., in addition to involvement by all stakeholders including legal counsel, IT, HR, operations, business unit leaders, security (corporate, IT, physical and executive protection) and internal audit.
A main issue many privacy coordinators face is the diversity of all types of privacy legislation and regulations, especially when working in a multinational environment, where sometimes there are even conflicting privacy rules and requirements.Â This makes it very difficult to select one privacy solution.Â
Thus, the suggestion here is to select a privacy baseline, but allow local implementation guidelines to enable local units to adjust to local requirements without violating basic concepts and rules.Â This is, in today’s world, a huge challenge and one of the inspirations for the proposal of changes in the European privacy legislation.
Finally, it is key to have communication mechanisms around privacy, not only for internal requests, but also for handling external ones. ISACA has always stressed the importance of information and the proper protection of privacy-related information.Â In COBIT 5, ISACA suggests making a clear distinction between privacy governance and privacy management, meaning that the board of directors of any organization should direct, monitor and evaluate the privacy vision and requirements based on the business needs, whereas the executive management and all employees involved with privacy-related information should focus on the plan, build, run and monitor approach.Â
Since privacy is impacting the whole organization, ISACA suggests using and reviewing all COBIT 5 enabling processes to ensure the board and executive management have proper coverage of all privacy-related requirements, benefits, risks and resources.Â
Does this mean that all processes as stated by COBIT 5 have to be changed in the organization? The answer here is obvious: no. Only those that lack the expected maturity as stated by the board and executive management must be changed.Â Processes that are under control and meet the expectations can remain as they are.Â
As a final observation, the COBIT 5 implementation model suggests seven steps to improve privacy processes/activities with three rings: program management, change management and continuous improvement.Â
Marc Vael, Ph.D., CISA, CISM, CGEIT, CISSP
Chief Audit Executive, SMALS vzw, Belgium
We welcome your comments! Please log in using the Sign In link at the top right of this page and then leave your comment in the box at the end of the post.
To view all blog posts, please click on the ISACA Now link in the blue box on the left.
View full post on ISACA Now: Posts