October 14, 2022

Last Updated on January 19, 2024

In smaller orgs it’s often “the security person” who gets stuck with the task of standing up a basic data privacy program. Where to begin and what to prioritize?

On a recent episode of The Virtual CISO Podcast, Dimitri Sirota, CEO at BigID, talked about the convergence of security and privacy, and what it means for SMEs looking to address basic privacy rights for stakeholders. The podcast host is John Verry, Pivot Point Security CISO and Managing Partner.

Start with automated data mapping

In Dimitri’s experience, the key foundational element for any SME privacy program is automated data mapping and inventory.

Once you know what you have and where it’s stored, you’re ready to start offering services. If you don’t have a map of your personal data, “it’s basically just kabuki theater at that point,” Dimitri jokes.

“Start there because these [capabilities] power some of the other elements of a data privacy program,” says Dimitri. “Typically, the first things that people want to do is the mapping and inventory to support data rights, so they can provide transparency. They want to be able to either get requests through email or phone, or have a portal.”

Next comes a gap assessment

From a starting point of processing customer and employee data subject access requests (DSARs), many SMEs are ready to invest in assessments to identify compliance gaps in their program.

“You’ll probably want to start looking at assessments because you’re going to need to produce them for regulators, and maybe even your board of directors,” Dimitri notes. “Then you can start layering on more sophisticated requirements like consent, cookie management or a record of processing activities (ROPA).”

The security/privacy convergence

Dimitri and John strongly concur that security and privacy are converging. It’s axiomatic that you can’t establish privacy without security. But the overlap goes deeper than just securing sensitive data.

“In some organizations, especially smaller ones, privacy fits within security,” Dimitri offers. “But even in large organizations they go hand-in-hand. I think there’s going to be increasing convergence between the two, especially as we move away from just legal practitioners to more of this IT problem that involves automation and looking across my data. I think more and more of the IT aspect of it will be owned by security.”

Dimitri continues: “In big organizations, you typically still have these three pillars of a chief privacy officer, chief security officer, chief data officer—and they have what I would describe as graying intersections. Historically, security focused on unstructured data security, and then the CDOs focused on structured data; the SQL, the data warehouses. But they’re starting to do both. We see a lot of them come on the same calls. You may have an initial focus from a budgetary standpoint on, ‘Hey, we just to find the good data for data governance.’ Or ‘We need to find the regulated data for GDPR.’ In some companies those three stakeholders are becoming two, and maybe eventually they become one. But you definitely see three today, and you increasingly see them collaborating on problems of privacy. Because you can’t decouple privacy from data security and from data/information governance.

What’s next?

To listen to this podcast episode with data discovery expert Dimitri Sirota all the way through, click here.

Should security and privacy merge—or are they inherently separate disciplines? This blog post argues for the latter view: Why Cybersecurity and Privacy Should Be Viewed as Two Entirely Separate Disciplines

ISO 27701 Certification Guide

Discover what you need to achieve ISO 27701 certification! You are 6 simple steps away from "provable" compliance with every Privacy regulation.