Gartner: Essential Privacy Practices for CDAOs

By Bart Willemsen

Privacy laws are becoming increasingly prevalent, and customers are becoming more cognizant of their privacy rights. As they become more informed about those rights, they are also more inclined to switch to your competitors if you do not honor them. In an organization, privacy and data protection officers typically take the lead in providing guidance; worse, the security professional is sometimes expected to solve privacy concerns on everyone's behalf. Neither replaces the chief data and analytics officer (CDAO), who is responsible for ensuring data protection within the CDAO's own department.

CDAOs wishing to balance the organization’s overall success with the maintenance of data privacy should take the following recommendations into consideration:

Uniformly Apply Privacy Program Requirements Across the Data and Analytics (D&A) Department

Regulatory requirements vary greatly around the world, but the fundamental capabilities necessary for compliance are often quite similar. An international organization’s privacy program may have to span many such regimes at once, which creates complexity that CDAOs have to manage. Therefore, a set of basic rules that covers the majority of program requirements should be applied consistently throughout the data and analytics department, rather than one rule set per jurisdiction or per project.

The requirements for a privacy program include purposeful processing, adequate security based on regularly updated data protection impact assessments, transparency and accountability, and equal treatment of all customers, especially when obtaining consent and providing access to privacy rights. Additionally, as a CDAO, it is crucial for you to be able to show detailed control over the personal data that your department processes, the reasons for processing it, and how long it is kept.

Gain Customers’ Trust by Protecting Their Data

CDAOs can champion the function by using privacy as a competitive advantage. By protecting the personal data under their control, CDAOs can help build trust with their company’s clients. The trust that customers put in an organization’s ability to protect their data can bring in more business, win customer loyalty, improve retention and, at times, increase customer spending.

Proper and consistent protection of data in data governance and analytics activities primarily requires the CDAO to strengthen their relationship with the chief information security officer (CISO). While general security controls may suffice for most individuals in the organization, the privacy risks associated with data governance and analytics activities are typically much higher, because these activities combine, enrich and retain personal data at scale. Therefore, before implementing cybersecurity measures to safeguard data, first consider the perspective of the customer. During customer interactions, organizations can offer choices through consent and preference settings. Those choices can then be implemented promptly by operationalizing data-centric controls that act on the data itself, rather than only on the systems around it: masking fields that analysts do not need, tokenizing identifiers so records can still be counted or joined without revealing who they belong to, or removing the data of customers who have not consented.

Establish and Demonstrate Purposeful Data Processing

CDAOs must use purposeful data processing as a fundamental principle to shape the data life cycle. In order to demonstrate sufficient, consistent, and detailed control over individuals’ information, they must maintain accurate and thorough documentation of business processes.

A CDAO must identify the owner of each personal data processing activity and take responsibility for those activities. CDAOs must also establish a data life cycle architecture for the personal data under their control, and apply it uniformly by conducting a privacy impact assessment (PIA) at the beginning of every new high-risk analytics project, before any data is collected or combined.

CDAOs are often assigned additional analytics tasks that support objectives unrelated to the main business process for which the data was originally collected. In such instances, implementing extra anonymization or pseudonymization measures consistently decreases privacy risk. Note the distinction: pseudonymized data that can still be re-linked to an individual (for example, with a key or lookup table) remains personal data and stays within the privacy program’s scope; only data that is genuinely anonymized falls outside it.
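As an added example (not from the article or from Gartner), the following Python sketch shows how the consent and preference choices discussed under "Gain Customers’ Trust by Protecting Their Data" and the pseudonymization for secondary analytics discussed in this section can be operationalized as data-centric controls applied before records reach an analytics pipeline. The consent table, customer records, field names and tokenization key are all constructed for illustration; a real deployment would read consent from the preference system of record and keep the key in a KMS or HSM.

```python
"""Consent-driven, data-centric controls for an analytics dataset.

Added example: consent choices are turned into removal, pseudonymization
or masking of each record, and an audit count is kept so the CDAO can
show what was done to the data and why. All names and data are constructed.
"""
import copy
import hashlib
import hmac

# Hypothetical per-purpose key for keyed pseudonymization. It must never be
# stored with the data; rotating it per dataset prevents cross-dataset linking.
TOKEN_KEY = b"example-only-tokenization-key"

# Fields an analyst never needs in clear text.
DIRECT_IDENTIFIERS = ("email", "phone")

# Constructed consent/preference records, keyed by customer id.
#   analytics: customer agreed to any analytics on their data
#   profiling: customer agreed to individual-level analysis (else trends only)
CONSENT = {
    "c-1001": {"analytics": True, "profiling": True},
    "c-1002": {"analytics": True, "profiling": False},
    "c-1003": {"analytics": False, "profiling": False},
}

# Constructed sample records as exported from an operational system.
RECORDS = [
    {"customer_id": "c-1001", "email": "alice@example.com", "phone": "+1 555 0100", "basket_total": 42.50},
    {"customer_id": "c-1002", "email": "bob@example.com", "phone": "+1 555 0199", "basket_total": 17.00},
    {"customer_id": "c-1003", "email": "carol@example.com", "phone": "+1 555 0123", "basket_total": 99.99},
    {"customer_id": "c-9999", "email": "dave@example.com", "phone": "+1 555 0177", "basket_total": 5.00},
]


def tokenize(value: str, key: bytes = TOKEN_KEY) -> str:
    """Deterministic keyed pseudonym: equal inputs map to equal tokens, so the
    pseudonymized column can still be counted and joined, but the original
    cannot be recovered or guessed by brute force without the key (unlike a
    plain SHA-256 of a short identifier)."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def mask_email(email: str) -> str:
    """Keep the first character and the domain; hide the rest of the local part."""
    local, _, domain = email.partition("@")
    if not domain or not local:
        return "***"
    return local[0] + "***@" + domain


def mask_phone(phone: str) -> str:
    """Keep only the last four digits."""
    digits = "".join(ch for ch in phone if ch.isdigit())
    return "***-***-" + digits[-4:] if len(digits) >= 4 else "***"


def apply_controls(record: dict, consent_table: dict = CONSENT):
    """Return (record_for_analytics, action) according to the customer's choices.

    No recorded consent or analytics refused -> ("removed": the record is dropped).
    Analytics without profiling -> "pseudonymized": direct identifiers are
        removed and the customer id is replaced by a keyed token.
    Full consent -> "masked": the customer id is kept for individual-level
        analysis, but contact details are masked since analytics never needs them.
    """
    prefs = consent_table.get(record["customer_id"])
    if not prefs or not prefs.get("analytics"):
        return None, "removed"
    out = copy.deepcopy(record)
    if not prefs.get("profiling"):
        out["customer_id"] = tokenize(record["customer_id"])
        for field in DIRECT_IDENTIFIERS:
            out.pop(field, None)
        return out, "pseudonymized"
    out["email"] = mask_email(record["email"])
    out["phone"] = mask_phone(record["phone"])
    return out, "masked"


def prepare_dataset(records, consent_table: dict = CONSENT):
    """Apply the controls to every record and return (dataset, audit_counts)."""
    prepared = []
    audit = {"removed": 0, "pseudonymized": 0, "masked": 0}
    for rec in records:
        out, action = apply_controls(rec, consent_table)
        audit[action] += 1
        if out is not None:
            prepared.append(out)
    return prepared, audit


if __name__ == "__main__":
    dataset, counts = prepare_dataset(RECORDS)
    for row in dataset:
        print(row)
    print("audit:", counts)
```

Two design choices are worth noting. First, a record with no consent entry at all (customer c-9999) is treated the same as a refusal, so a gap in the preference system fails closed rather than open. Second, tokenization uses an HMAC rather than an unkeyed hash: customer ids and e-mail addresses have little entropy, so a plain hash of them can be reversed by enumeration, which would make the "pseudonymized" dataset re-identifiable by anyone who obtains it.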

Use Privacy-Enhancing Technologies

Selecting the appropriate technology for a specific use case is not always a simple task. CDAOs must collaborate with IT and security teams to ensure that state-of-the-art protection measures are being used, taking into consideration the level of risk to individuals.

CDAOs must use privacy-enhancing technologies (PETs), which are now readily available. The spiking interest in PETs has made this consolidated toolbox a top strategic technology trend in recent years. For analytics use cases, several PETs, or a combination of them, may be applicable. The choice of which PET(s) to use depends on whether the analytics activities are internal or collaborative with external entities, on whether the goal is to identify general trends or specific personal details, and on the level of trust and control in the computation environment. PETs can assist in addressing concerns at the data level (for example, synthetic data or differential privacy), the software/computation level (for example, homomorphic encryption or secure multiparty computation) and the hardware/infrastructure level (for example, trusted execution environments used for confidential computing).

Gartner analysts will discuss more topics related to data security at the Gartner IT Symposium/Xpo conference, taking place November 11-13, in Kochi, India. Media registration can be booked via [email protected].

(The author is Bart Willemsen, VP Analyst at Gartner, and the views expressed in this article are his own)