Wednesday, February 12, 2014

Privacy and GRC – What the New Ponemon Study and the GAPP is Telling Us


Many organizations get their first taste of the promise and power of a GRC program when they begin to implement a Privacy Program. Why? Because privacy is an enterprise issue that spans legal, IT, compliance and business operations. Privacy regulations vary by jurisdiction, and at times may conflict with one another. In fact, privacy regulations are expected to get tougher, with additional breach notification requirements. With the growth of cloud computing, mobile devices and social networking, we are seeing growing demands from individuals and governments that organizations proactively build in 'Privacy by Design'. Privacy is a core GRC use case that is broad in its application, constantly evolving, delivered through many channels, and as a result needs to be managed as a program.

Ponemon Survey on eGRC and Privacy
Surveying one of the largest eGRC practitioner communities at the RSA Archer eGRC Summit recently, a new Ponemon study reveals that “as eGRC continues to emerge as a top C-Suite priority, only 20% of large organizations have a clearly defined eGRC strategy that pertains to the entire enterprise and 33% admit they have no clearly defined eGRC strategy at all. Regardless of their industry, all organizations report that managing privacy regulations by geography and in accordance with country or state laws are a driving factor in their organization’s move to an integrated program that supports IT, Legal, Operations and Finance.  Respondents identified their top two privacy challenges as 1) ensuring data shared with third parties will remain safe and secure and 2) complying with all appropriate regulations.”
If you want to see more about this, read RSA's press release on the topic here.

Managing Privacy as a part of a GRC Program
Privacy programs have multiple facets, all of which map to fundamental GRC processes. Building common processes such as policy management, incident management and risk assessments to support not only privacy but your other GRC challenges makes sense, creates efficiencies and provides an integrated foundation for managing risk across the enterprise. Here are some of the basic elements of a Privacy Program; all of them can be shared with similar programs such as security, regulatory compliance or controls testing.
  • Policy Management, from life cycle management through communication to personnel and third parties
  • Personal Information identification and classification
  • Risk Assessments, to identify real exposures
  • Privacy incident and breach management
  • Training and Awareness of privacy policy and controls
  • Choice and Consent in the collection of personal information
  • Use of personal information only for an identified purpose
  • Retention and disposal of personal information
  • Physical and logical access to, and protection of, personal information
  • Monitoring and Enforcement of privacy policies and controls
What can you do now?
If you are finding this a bit overwhelming, know that there is quite a bit you can do now to get started on building a strong, integrated Privacy Program. If you want some insight into the maturity of your privacy processes, check out the Generally Accepted Privacy Principles (GAPP) from the AICPA here.

What you are likely to discover is that beyond the program itself, you will need technology to help you manage such a broad spectrum of requirements. Yes, you'll probably need an open GRC platform that can manage the collaboration that privacy policy development, dissemination and attestation require, and the automation of controls testing, whether through continuous controls monitoring or questionnaires. Privacy management is supported by most GRC platforms (see RSA Archer here as an example), which do a great deal to help monitor risk and compliance related to the use of personal information.
What is for sure is that privacy challenges are NOT going away. They are only getting more intense. Time to get moving! If you are one of the two-thirds in need of an enterprise GRC strategy, use privacy as your first use case. It's bound to move you up the curve quickly and provide real value to your organization.
