As data privacy regulations impact more SMBs/SMEs in the US and around the world, professionals from information security and other disciplines find themselves needing to jumpstart a privacy program. What are the biggest challenges that new privacy leads will likely face? And what approaches will help flatten the learning curve?
To share a wealth of insights on embracing data privacy from diverse starting points, a recent episode of The Virtual CISO Podcast features Rosemary Martorana, CPO at Corning. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.
Managing diverse privacy regulations
With more and more countries and US states passing privacy regulations, managing all the potential differences in the geographies where you operate can be a major headache.
“I’m not going to pretend to have the answer to that,” admits Rosemary. “We’re still learning about how to manage that. I just read a statistic the other day that by 2023, 60% of the world’s population will be under some sort of modern privacy regulation. [Here is a link to updated research.] That’s a lot considering where we’ve come from in just the last few years.”
Fortunately, many of these new laws reference GDPR as their starting point.
“I think if you’re GDPR compliant, you’ve got a great foundation—but don’t rest your laurels on that,” cautions Rosemary. “Think about how other nations or US states are going to be adding to that baseline.”
Getting a privacy program off the ground
Another big challenge that more and more SMBs/SMEs are facing is proving to clients, boards, and other stakeholders that they have a robust privacy program. What’s the fast path to getting there?
“Start by understanding what the corporation has in place today, if anything at all,” Rosemary advises. “Then start to benchmark where you need to go.”
Fortunately, the data privacy community is still small and close-knit, and fellow professionals are keen to share best practices and watchouts.
“If you have the opportunity, the time, and the latitude, benchmark with other people,” suggests Rosemary. “Leverage resources like the International Association of Privacy Professionals (IAPP) to make those connections and understand how other people have established programs or have answered that knock by the CEO at their door.”
Understand your company’s privacy risk
To create a privacy program with baseline standards that meet company needs, you must first understand your org’s personal data footprint and associated privacy compliance risk.
“I would start by talking to folks in the field, understanding where you can get some short-term or immediate successes and go from there,” suggests Rosemary.
Another early step is to pull together a data map so you know what personal information you’re accumulating, where it’s coming from, and how it flows through your organization.
“It can feel like it’s going to be insurmountable to establish a program and figure out where those data processes and data flows are, but you have to start somewhere,” Rosemary shares. “Now is the time to start if you haven’t—because this field is growing. The regulations are only going to become more daunting. They’re going to become more detailed. Start now so that you aren’t sitting there with the COO staring at you and trying to figure out where and how to begin.”
To hear the complete podcast show with Rosemary Martorana, click here.
How do your stakeholders impact the collection and mapping of personal data? This podcast episode covers that topic: The Two Audiences For Privacy & How They Drive Data Collection