Practicing Data Privacy in an Age of Sharing

Written by: Andy Lin

In this day and age, if you hold any form of personal data, you could be sitting on a fortune. Traditionally, the majority of organizations focusing on this information have been large data corporations (Big Data). However, organizations of all shapes and sizes are now looking to monetize the data they hold—and few industries have more valuable data than financial services. But this rush to exploit data can have unintended consequences if not done carefully, and understanding the difference between data privacy and data security is crucial when pursuing these initiatives.

Privacy Matters

In most organizations, data security receives the lion’s share of attention. Protecting systems from theft, outages, and other threats is a clear business priority. Since the early days of technology advancement, there’s been a race for corporate security teams to create and implement new protective measures to thwart the evolving techniques of cyber attackers. This constant battle has led to the creation of an entire industry surrounding data security.

But data security doesn’t equate to data privacy, and the privacy industry isn’t nearly as mature. So why does privacy matter?

Many organizations collect massive amounts of data. Websites track mouse movements, applications store user-specific information, and smartphones hold a wealth of telemetries. To the untrained ear, the term “privacy” and “security” might be hard to differentiate. But data security, which relates to the practice of protecting data from unauthorized access, doesn’t dictate the proper use of that data. Privacy generally focuses on the knowledge and consent of a data subject around what information is collected and how it can be used or shared.

Consider a bank collecting a new customer’s non-public personal information (NPPI) to open a deposit account for them. They’ve collected the necessary data to perform the agreed-upon service, but the bank later sells the customer’s data to an advertising agency. The bank has maintained the data’s security but not its privacy, and many would agree that (even aside from regulatory issues) this is a breach of trust.

Many related situations will fall into some gray area between agreeable or disagreeable bank initiatives.  What if the bank analyzes a customer’s demographic information to recommend additional products or partner referrals? What if the bank monitors the customer’s account for activity with competitors, then offers products and discounts to take over that business? What if the bank outsources this type of analysis to a third party? There aren’t always clear answers, and this is the essence of the privacy controversies we see today.

Despite lengthy, fine-print privacy notices, consumers and end users often don’t understand how an organization is using their information and might not always be comfortable with it. This can quickly turn into a public relations nightmare, or worse.

More Than Just A Trend

In 2018, the European Union’s General Data Protection Regulation (GDPR) took effect and became the first major legislation that sought to modernize privacy regulations. Then in 2020, the California Consumer Privacy Act (CCPA) took effect. Both of these acts represented a fundamental shift in the concept of data ownership and consent. Data subjects are now given more visibility and more say in how their data is collected and used, and many other countries and states will likely follow suit.

So how will the recent prioritization of privacy affect your organization’s strategy?

Historically, banks and credit unions have adhered to the Gramm-Leach-Bliley Act (GLBA) for customer data privacy. However, GLBA is from the 20^th century and doesn’t effectively address modern data management concerns. While the CCPA and similar upcoming legislation in other states carve out exemptions for GLBA, forward-looking institutions may want to adopt a more robust privacy program to prepare for strategic initiatives, especially those involving fintech and data monetization. With data privacy coming into the spotlight, acting now to get ahead of the risk is crucial.

Implementing a Data Privacy Framework

Building a privacy program based purely on a regulatory compliance checklist can meet your immediate requirements, but you’ll eventually outgrow it. To develop an effective privacy program, you need to understand your data and its complete lifecycle. Your inventory and classification should be able to answer questions such as:

• Collecting – Is this information personally identifiable? Was consent given to collect this information? What was the purpose of collecting this data? What are the regulatory requirements?
• Storing – How is the data being stored? Is data being inventoried? Is there reasonable assurance that the data is secured?
• Processing – Is ownership retained during the process? Are there data loss prevention solutions in place?
• Using – Is the data being used as it was intended? Is selling and sharing this information allowed? Is there transparency on how the data is being used? Is this use ethical?
• Destroying – Is retaining this information necessary? Is there a record of this data being destroyed? What assurance is provided that the data has been destroyed?

Then consider where the risk lies. Data can carry many types of inherent risk beyond just regulatory requirements, such as reputation, market, and customer service risk. Once you have all of this information, you can compare the controls in place over the data at specific storage locations throughout its lifecycle against the data’s risk.

Accepted Frameworks and Standards

There are several privacy frameworks available for organizations who want to formalize the program, and they’re each targeted towards different needs and reporting requirements. Some of the more notable frameworks include:

• National Institute of Standards and Technology (NIST) Privacy Framework
  • Adaptable based on size and industry, and adjustable across maturity levels
  • Composed of three parts: Core, Profiles, and Implementation Tiers
    • The Core outlines activities that can be implemented to manage privacy risk, and it also prioritizes communication across stakeholders. These are divided into categories and subcategories based on each function.
    • A Profile represents the current privacy activities versus that of the desired targets. Profiles are developed based on an understanding through the Core.
    • Implementation Tiers address the current and target profile. Similar to the NIST Cybersecurity Framework (CSF), these tiers reflect progression through more advanced control processes.
  • Self-assessed, voluntary management tool that targets privacy aspects through enterprise risk management (ERM)
• ISO/IEC 27701 For Privacy Information Management Systems (PIMS)
  • Allows for certification of the organization’s PIMS
  • Describes technical and organizational controls across 14 broad categories
  • Extends the Information Security Management System (ISMS) defined by ISO/IEC 27001
  • Maps GDPR compliance requirements
  • Provides guidance on how to create, implement, and maintain PIMS
• American Institute of Certified Public Accountants (AICPA) Privacy Management Framework (PMF)
  • Adapted based on Generally Accepted Privacy Principles (GAPP)
  • Addresses the business activities that involve collecting, creating, using, storing, and transmitting personal information
  • Can be attested within System and Organization Controls (SOC) reports when including the privacy principal
  • Nine components including:
    • Access
    • Agreement, notice, and communication
    • Collection and creation
    • Data integrity and quality
    • Disclosure to third parties
    • Management
    • Monitoring and enforcement
    • Security for privacy
    • Use, retention, and disposal

Conclusion

Financial institutions hold a wealth of data, and the ways they use that data will come into sharp focus in the coming years. Data monetization will likely play a role in business strategy, and the ever-increasing capabilities of fintech may lead you into unfamiliar territory. How will you balance privacy commitments with your business goals? Fortunately, data privacy guidelines are starting to catch up with our technology, and an experienced professional can help you navigate it all.