TPRM Tools for Data Privacy

Is it safe?

Almost two years into the pandemic, it’s a question that still gets asked a lot.

It’s also a question everyone should still regularly ask about their data and how it’s being used. Can you trust that it’s safe? Can that trust be verified? What tools are available for assessing your data’s safety and security?

In the movie Marathon Man (1976), Sir Laurence Olivier asks Dustin Hoffman,

“Is it safe?”

Hoffman, tied down in a chair, wearing his bathrobe and pajamas, looking very ill at ease, replies, “Yes it’s safe. It’s very safe. It’s so safe you wouldn’t believe it.”

In fact, Olivier does not believe it, and he’s brought along his trusty toolkit so he can, as Ronald Reagan would famously put it a decade later, “trust, but verify.” No spoilers here, but what happens next is unforgettable.

This brings us to the National Cybersecurity Alliance’s efforts to promote the need for secure online environments and encourage a culture of cybersecurity. Among their signature programs is the annual Data Privacy Day campaign, which is being expanded this year to Data Privacy Week (January 24-28), reflecting the increasing importance of the subject for both individuals and organizations. Fittingly, there are also two themes this year: “Keep It Private” for individuals and “Respect Privacy” for organizations.

What is Data Privacy Week?

Data Privacy Week wants individuals to understand that there is a tradeoff between online convenience and data privacy: you give up one to get the other. The National Cybersecurity Alliance encourages people to manage their privacy settings on web services and apps, protect their data by creating strong passwords, use a password manager, and take advantage of multi-factor authentication whenever possible. These tools are effective at keeping data safe and private.

For organizations and businesses, it’s more complicated. There’s not only an organization’s internal data but also the data of partners, customers, suppliers, etc., all of which must be inventoried, managed, kept safe, secure, and private, and often delivered to third parties who must maintain contracted protocols. There are also increasing local, regional, and international regulations governing how data is used, stored, and protected.

How to Manage Data Privacy

Managing data privacy methodically and successfully is called Data Governance, and Shared Assessments provides Data Governance Tools as a free industry resource available for download to help organizations navigate and address data governance in third party relationships. Our Data Governance Tools were originally built to meet the demands of GDPR (General Data Protection Regulation) but have grown to include the requirements from various privacy regulations and framework updates, including CCPA (California Consumer Privacy Act).

Last year at this time, we told readers If You Collect It, Protect It, and wrote about how quickly the privacy landscape is evolving. In the past year, things have only sped up, with new challenges emerging alongside ongoing problems related to the supply chain crisis and the pandemic.

Let us help you.

Our kit contains four tools:

  1. The Data Governance User Procedure Guide includes instructions for using the Target Data Tracker, Privacy SIG, and Privacy SCA Procedure as a part of conducting data protection or data privacy third party risk assessment.
  2. Our Privacy SIG Questionnaire Template is a scoped privacy SIG Template to be used when conducting a stand-alone data protection impact assessment or as a pre-scoping tool for prioritizing vendor assessments.
  3. The Privacy SCA Procedure Template is a scoped privacy SCA Standardized Test Procedure that identifies a set of documentation, artifacts, and privacy criteria to be evaluated when an assessment requires a focused privacy risk assessment tailored by the services that are outsourced.
  4. Our Target Data Tracker (TDT) is a data governance tool that enables the identification, tracking, and monitoring of the use and disclosure of personal data to third and fourth parties. The TDT enhances your process to maintain data/vendor inventories and creates a due diligence artifact that meets specific contractual obligations for conveying data protection safeguards.
  • There are four phases of a mature vendor assessment lifecycle: Evaluate, Trust, Verify, and Manage. The Target Data Tracker (TDT) handles the Manage part.
  • Use the TDT when conducting a Data Protection Impact Assessment (DPIA). Once completed, it provides a wealth of quantifiable and qualitative information about how well your data is protected, including:
    • Who collects, accesses, transmits, processes, discloses, or retains personally identifiable information?
    • What types of personally identifiable information (PII) are collected, accessed, transmitted, processed, disclosed, or stored/retained?
    • Where does the processing occur? Do the services trigger any cross-border data flows for collection, access, transmission, processing, disclosure, or storage/retention of Target Data?
    • Why is the data used, how is data use authorized and defined in contracts, and what is the nature and purpose of the processing?
    • How is the data protected, and what controls or data governance measures are in place?
    • When and where did data processing start and end for both third parties and Fourth/Nth Parties? What information do I need to collect to update vendor and data inventories?
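The who/what/where/why/how/when questions above map naturally onto a machine-readable data inventory. The following is an added example, not the Shared Assessments Target Data Tracker or any of its code: it models each personal-data flow as one record and derives two answers a DPIA needs, the cross-border flows and the third- to fourth-party disclosure chain, plus a check for missing safeguards. The vendor names, countries, required controls and home country are constructed assumptions.

```python
# Added example (not Shared Assessments' Target Data Tracker): a minimal
# inventory of personal-data flows modelled on the TDT's who/what/where/why/
# how/when questions, with the checks a DPIA derives from it.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class DataFlow:
    party: str                    # who handles the data
    disclosed_by: Optional[str]   # upstream party that disclosed it (None = us)
    pii_types: Tuple[str, ...]    # what is handled
    country: str                  # where processing occurs
    purpose: str                  # why (contractually defined use)
    controls: Tuple[str, ...]     # how it is protected
    started: str                  # when processing began (ISO date)

HOME_COUNTRY = "US"  # assumption: the data controller is US-based

# Constructed sample inventory; these are not real vendors.
INVENTORY = [
    DataFlow("PayrollCo", None, ("name", "SSN", "bank account"), "US",
             "payroll processing", ("encryption at rest", "MFA"), "2021-03-01"),
    DataFlow("CloudHost", "PayrollCo", ("name", "SSN"), "IE",
             "hosting", ("encryption at rest",), "2021-03-15"),
    DataFlow("SupportDesk", None, ("name", "email"), "IN",
             "customer support", ("MFA",), "2020-11-02"),
]

def cross_border_flows(inventory: List[DataFlow], home: str = HOME_COUNTRY) -> List[str]:
    """Parties processing data outside the home country (the 'Where' question)."""
    return [f.party for f in inventory if f.country != home]

def downstream_parties(inventory: List[DataFlow], party: str) -> List[str]:
    """Fourth/Nth parties reachable from a third party via recorded disclosures."""
    chain, frontier = [], [party]
    while frontier:
        # Follow disclosure edges one hop at a time; skip already-seen parties
        # so a mis-recorded cycle cannot loop forever.
        nxt = [f.party for f in inventory
               if f.disclosed_by in frontier and f.party not in chain]
        chain.extend(nxt)
        frontier = nxt
    return chain

def missing_controls(inventory: List[DataFlow],
                     required: Tuple[str, ...] = ("encryption at rest", "MFA")) -> Dict[str, List[str]]:
    """Parties whose recorded controls lack a required safeguard (the 'How' question)."""
    return {f.party: [c for c in required if c not in f.controls]
            for f in inventory if set(required) - set(f.controls)}
```

Each function answers one inventory question, so the same records feed both the vendor inventory update and the due-diligence artifact the TDT is meant to produce.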

If the past two years have taught us anything, it’s to expect the unexpected. However, a year from now, one thing is certainly possible: when someone asks, “Is it safe?” you can reply, “The data? Yes. It’s safe.”