In this Help Net Security interview, Evelyn de Souza, Head of Privacy Compliance, Oracle SaaS Cloud, talks about the constant efforts required to keep up with privacy laws in each country, and ensuring compliance across the entire organization.
She also discusses the main challenges in implementing consistent privacy policies across various departments and regions and how to address them.
The views and ideas expressed within the content are solely the author’s and not of any affiliated company.
The data privacy landscape is complicated and constantly evolving, especially for enterprises operating in multiple countries. How do you keep up with the privacy laws in each country and ensure compliance across the entire organization?
Keeping up with privacy laws in each country is a constant effort. Fortunately, there are resources such as the IAPP regulation trackers that can ease this burden. While many of today’s privacy regulations may have a “GDPR-esque” flavor, the differences between regulations are becoming increasingly more nuanced, for example, one U.S. state privacy regulation requires an opt in, another focuses on opt-outs. What constitutes sensitive data under one privacy regulation might not be under another.
Despite these nuances, where possible I recommend mapping to a harmonized framework for the common articles and controls as that can minimize duplicative efforts and then as a second step, factoring the differences in regulation into your privacy framework.
What are the main challenges in implementing consistent privacy policies across various departments and regions? How do you address these challenges?
Implementing consistent privacy policies across various departments and regions can be challenging especially for smaller organizations that may not have the resources to keep up with the increasing patchwork of privacy regulations and the sometimes-unpredictable cadence of regulation updates.
In addition to establishing a robust privacy framework, per the response to the previous question which helps ensure a more consistent approach, another way to address the challenge is to think of the key contexts and use cases across your organization. By writing privacy policies in simple language so that stakeholders can easily digest them and tailoring to the specific use cases that may apply across the various departments in your organization, helps privacy policies become more relatable and memorable.
Considering recent calls for stricter data protection regulation, how effective do you think corporate self-regulation has been in protecting customer data?
I see both pros and cons of self-regulation. Self-regulation can be effective in enabling organizations to adopt privacy standards that meld well with their overall ethical posture and that involve diverse stakeholders to arrive at a balanced privacy posture. It can also encourage friendly competition between organizations looking to leverage this as a brand differentiator.
On the other hand, self-regulation can produce inconsistency. Without explicit endorsement by a government or a regulating agency, there might be “regulation uncertainty” and this could cause some organizations to delay their investments in privacy.
The idea of ‘less is more’ seems important in data collection. How do you determine which data is essential for analytics and business objectives?
Determining which data is essential for analytics and business objectives really depends on the goals of the organization and the initiative. Start by defining your objectives and performance indicators and then identify the data sources and data points that map directly to those objective and performance indicators.
From an initiative standpoint, different initiatives require different data sets. For example, data from market research, industry reports and competitor analysis could provide insights into consumer behavior trends while customer reviews and surveys may be needed for initiatives involving customer satisfaction.
Regularly review your data requirements to ensure your initiatives remain aligned with business goals, objectives and performance indicators.
How do you balance the need for robust data analytics and customer personalization with the ethical and legal responsibilities of data privacy?
Some of the strategies for balancing the need for personalized data analytics against ethical and legal data privacy responsibilities include:
- Data minimization: As per the previous response, avoid collecting excessive data that could pose a privacy risk and only collect and use that which is specific to the business objective.
- Transparency: Be transparent in your policies about what is collected, how it’s collected and how it will be used. Ensure explicit consent from your end users.
- Strong data governance: Ensure strong oversight in areas not only such as data security, but also privacy by design, customer education, audits and reviews to enable data privacy posture to constantly evolve.
The balance between customer analytics and privacy is a delicate one that requires an ongoing commitment to fostering a culture of privacy and respect for data and end users within your organization.
With the development of AI and machine learning technologies, what are the future challenges and opportunities for privacy compliance?
As AI and machine learning technologies continue to evolve, the challenges include ethical, considerations, bias and legal compliance to name a few but the opportunities are also significant. AI can be used to enhance data protection such as anomaly and threat prediction to potentially reduce the chance for data breaches. It can be used to automate some aspects of compliance and compliance reporting.
Additionally, techniques such as differential privacy and secure multi party computation could be applied in some arenas to enhance privacy.
Are there any emerging technologies that will revolutionize how we approach data privacy and compliance?
There are several emerging technologies that that have the potential to enhance security, transparency and control over personal data.
Two that come to top of mind, but that are not without challenges, are:
- Homomorphic encryption: This technology can make it possible to perform analytics on encrypted data without exposing sensitive information.
- Blockchain and distributed ledger technology: could be used to enhance data integrity, manage consent and manage audit trails for privacy compliance.
These aren’t the only technologies and it’s essential to consider the specific needs and regulatory requirements of your organization when adopting emerging technologies to ensure they align with your privacy and compliance goals.