Thinking about adopting a paper compliance strategy? Think again

As the deadline to comply with the requirements of the EU’s new General Data Protection Regulation (GDPR) fast approaches, a growing number of companies with in-house and/or external privacy counsel are pushing a strategy of “paper compliance” to meet the voluminous requirements of the new regulation. Some advocates of this approach see paper compliance as a necessary stop-gap measure on the road to full compliance, i.e., paper and operational compliance. Others view paper compliance as the preferred currency of regulators and therefore as an adequate measure to protect the company from enforcement actions, regardless of whether or not the company is operationally compliant with GDPR or other privacy and data protection regulations. Setting aside these and other motivations that inform a decision to pursue a strategy of paper compliance, it is important to note that there are significant compliance and accountability challenges companies should be aware of, and consider, before moving forward with this approach. In the remainder of this post we will briefly address each of these challenges to paper compliance.

Paper compliance is not operational compliance
Perhaps the most obvious challenge facing paper compliance is that while it can effectively codify principle-based data privacy laws into written policies, procedures, contract provisions, and workforce training materials (this is precisely what is meant by paper compliance), it clearly remains silent when it comes to the issue of operational compliance, which we can define as a company’s people, internal processing, and information systems and tools that operationalize the principles in the company’s various written policies, procedures and contracts.

Consider the following example: Company A has in place an external-facing privacy notice that informs data subjects of their rights, including the right to access, update, delete and restrict certain processing activities. Additionally, the company has documented internal policies and procedures that inform the workforce about what the company’s obligations are to data subjects and how to respond to and fulfill requests from data subjects. On paper, Company A certainly appears to be meeting its compliance obligations. However, let’s also assume that Company A doesn’t possess the appropriate technologies or tools to meet its obligations to restrict certain processing activities or delete a data subject’s personal information, or, for that matter, even to identify the systems in which a data subject’s personal information resides. In this case, paper compliance is akin to a house of cards. From afar, everything looks in order. But any incident or complaint that brings regulatory scrutiny could bring the house of cards tumbling down, and with it incur heavy fines and significant reputational harm.

Paper compliance is not a panacea for accountability
A related challenge to paper compliance revolves around the issue of accountability and its increasing importance in privacy regulations, including GDPR. Although accountability is one of those buzzwords that means different things in different contexts, for the purposes of this discussion we will define accountability as an organization’s compliance with its privacy obligations and the ability to verify that compliance. For advocates of paper compliance, the written policies, procedures, contract provisions and training materials can demonstrate and verify the company’s compliance with its privacy requirements. This is generally true of paper compliance proponents, regardless of whether they view it as a stop-gap measure on the road to full compliance or as sufficient to protect the company from a variety of risks, including onerous enforcement actions. However, this view of paper compliance as tantamount to a company’s accountability obligations misses one very important aspect of accountability: while it is true that paper compliance can demonstrate to regulators (and customers) that the company has codified privacy principles and practices, this is not the same as adducing evidence that the company’s technical controls are operating in compliance with the company’s privacy policies and procedures.
Real accountability must go beyond paper compliance/accountability to include a technical component that makes it possible for regulators to verify, via demonstrable evidence, that the company’s information systems and associated technical controls are processing personal information in accordance with the company’s documented privacy commitments. Many commentators have referred to our current era as the age of accountability. There is clearly a greater emphasis on accountability now than in recent times, and for companies that are unable to verify that they are in full compliance with their privacy commitments, there is significant risk of severe enforcement actions and reputational harm if they come under regulatory scrutiny.

Paper compliance? Proceed with caution!
Taken together, these compliance and accountability challenges call into question the efficacy of the paper compliance approach in protecting companies from significant and potentially crippling risk. Paper compliance without operational compliance and real accountability is not just inherently partial compliance; it is, in a very real and consequential way, non-compliance.

Highlights from Prifender’s roundtable in IAPP DC Summit

On April 18th, 2017, Prifender held a roundtable discussion on privacy engineering. The event featured three prominent speakers:

• Kevin Murphy, CISO & DPO at Corning Incorporated
• Peggy Eisenhauer, Founder of Privacy and Information Management Services
• Sagi Leizerov, Global Privacy Leader of EY

Prifender’s Privacy Management Strategist, John Gevertz, formerly ADP’s Global Privacy Officer, moderated a lively discussion following opening remarks from the speakers.
Many of the participants, representing leading Fortune 500 companies, agreed that technology will be the key enabler in light of emerging regulations such as the GDPR.

Two related themes emerged from the discussion.
First, a “risk-based” approach to addressing GDPR and other emerging regulations will fail.

The second theme was that at the heart of today’s privacy challenge is a data governance problem that, for most companies, spans many terabytes or petabytes of data. Addressing the data governance challenge while enabling the business is not a task that can be met with policies, contracts and training; more effective means are in order. The role of privacy engineering in addressing the current challenge was repeated throughout the discussion, with Ms. Eisenhauer stating that technological innovation is the future of privacy management.

Prifender to hold a roundtable discussion at the IAPP DC Summit

As the cost of privacy violations increases, organizations are looking for ways to effectively implement their policies across business units, as well as to be demonstrably compliant with them. Both of these challenges require automation in day-to-day privacy management. This need for automation will make the adoption of technological solutions a central theme for privacy professionals in 2017.

For several years, privacy professionals have been emphasizing accountability for personal information but have had limited means of validating it.

2017 represents a shift for privacy professionals as technology offers them new opportunities to track and control the use of personal information across the enterprise. The timing of this development is not incidental; it represents a perfect storm of conditions: the General Data Protection Regulation in the EU, with its global span and steep fines, coupled with an overall cyber security fatigue, has led many organizations to look at data-related challenges beyond mere protection.

The progress towards technical solutions moves compliance from “paper-based” solutions, such as policies and contracts, to more verifiable and demonstrable tools that ground risk management activities in the facts of how data is actually used across the enterprise.

Prifender will hold a roundtable discussion on the topic of privacy technology around the IAPP Summit in Washington DC on Tuesday April 18, 2017 from 4-6PM at the WeWork White House, 1440 G St., NW Washington DC.

This roundtable discussion will focus on the tangible opportunities to overcome the challenge of translating regulatory requirements to solutions that can be digitally managed.

The session, Translating Privacy Requirements to Zeros and Ones, includes three well-regarded privacy professionals as speakers: Peggy Eisenhauer, Founder of Privacy and Information Management Services; Kevin Murphy, CISO & DPO of Corning Inc.; and Sagi Leizerov, Global Privacy Leader of EY.

Highlights from Prifender’s RSA roundtable in San Francisco

Privacy leaders agree on the link between automation and privacy management

On February 14th, 2017, Prifender held a roundtable discussion on privacy management and engineering. The event featured three prominent privacy officers:
• Michelle Dennedy, VP & CPO at Cisco Systems
• Marcus Morissette, GPO at eBay
• Kevin Murphy, CISO & DPO at Corning Incorporated

Prifender’s Privacy Management Strategist, John Gevertz, formerly ADP’s Global Privacy Officer, moderated a lively discussion following opening remarks from the speakers.
Many of the participants, representing leading Fortune 500 companies, agreed that privacy today is where information security was 20 years ago, but that privacy professionals do not have the luxury of 20 years to improve it.

Two related themes emerged from the discussion.
First, privacy should be treated as a business enabler and not as a roadblock; or, as put by Mr. Morissette, “Don’t ask the privacy leaders what NOT to do, tell them where you want to get and they will help you get there.” The second theme was that at the heart of today’s privacy challenge is a data governance problem that, for most companies, spans many terabytes or petabytes of data. Addressing the data governance challenge while enabling the business is not a task that can be met with policies, contracts and training; more effective means are in order. The role of privacy engineering in addressing the current challenge was repeated throughout the discussion, with Ms. Dennedy stating that technological innovation is the future of privacy management. There was another area of consensus around the room: it is an exciting time to be working in the field of privacy!

—————————————————————————————————

Prifender’s next roundtable will take place on March 14th, 2017, 17:00 at WeWork Moorgate, 1 Fore St, London EC2Y 9DT, UK.

Contact us to reserve your seat today!

Come visit us at the Global Privacy Summit 2017, Booth #10

Prifender is pleased to announce that we will be exhibiting at the Global Privacy Summit 2017 conference in Washington DC, April 19-20.

We will be showcasing a live demo of our solution, an identity-aware artificial intelligence technology, used to discover and map personal information across networks and systems, both structured and unstructured.

Come Visit us at Booth #10.

We look forward to meeting with you at this exciting event.

Prifender announces the launch of PAPI, a Privacy API

Prifender’s Privacy API will revolutionize how companies use personal information and comply with GDPR.

San Francisco-based startup Prifender announced today the release of a new Privacy Application Program Interface (patent pending), aimed at helping corporate applications make the most effective use of the personal information that is available across the enterprise.

Prifender CEO, Nimrod Luria, to Speak at Upcoming RSA Conference

SAN FRANCISCO, CALIFORNIA

We are happy to announce that our CEO, Nimrod Luria, will participate as a speaker at the upcoming event of the International Association of Privacy Professionals at RSA 2017, on February 13.

Luria will speak on a panel about new technological approaches to privacy, and elaborate on the topic of emerging privacy technologies for the enterprise.

Prifender named most promising startup at P.S.R.

Growing startups were given a chance to shine during the IAPP’s annual “Privacy. Security. Risk. Conference” held at the San Jose Marriott and San Jose Convention Center earlier this month.

During the event, the IAPP held its first-ever Emerging Privacy & Security Technologies Tech Fair within the Exhibit Hall of the Convention Center. Attendees were able to visit with the competing tech vendors, and then vote for the most promising startup within the privacy and security industries.

After the responses were tallied, the winner of the inaugural IAPP Tech Fair vote was Israel-based startup, Prifender.
