My upcoming presentation at ISACA’s 2024 virtual conference will cover some of the most important elements of privacy that a cybersecurity professional should know and understand. I’ll wager that most readers will say that those elements are GDPR or CCPA or HIPAA, etc. I would, however, argue that while legislation is important, privacy extends far beyond it. We need to think about privacy beyond mere legislation and understand it more deeply than just compliance responsibility.
Privacy can be classified as an economic responsibility, as organizations processing information inappropriately can be subject to regulatory fines, reputational damage and/or increased regulatory supervision. Privacy can be classified as a legal responsibility as privacy legislation mandates strict governance over the processing of personal data. Privacy can also be classified as an ethical responsibility as legislation lags ethics, and morality comes into play.
The intersection between privacy and cybersecurity is ever increasing and the boundaries between the two ever blurring. By way of example – data breaches lived firmly in the realm of cybersecurity for many years. However, since the adoption of GDPR and mandatory disclosure requirements of several data protection and privacy laws around the world, the balance of responsibility and ownership of data breaches has become blurred.
Also, the language of privacy is very different from that of cybersecurity – cybersecurity professionals talk about penetration tests, vulnerability assessments, ransomware attacks, firewalls, operating systems, malware, anti-virus, etc. Meanwhile, privacy professionals talk about data protection impact assessments, case law judgements, privacy by design and default, legitimate interest assessments, proportionality, etc. In fact, the language of privacy is not even consistent in its own right, with much confusion about the fundamental differences between data protection and privacy and their definitions across jurisdictions.
To support cybersecurity professionals’ ability to connect with, understand and support privacy teams, my presentation begins by highlighting the key terms that cybersecurity professionals should understand to be able to talk the language of privacy more fluently. Having spent the first 20 years of my career working at a senior level in cybersecurity and over a decade working in privacy at similar levels, along with completing a PhD in privacy and writing a best-selling book about privacy leadership, I have learned the language of cybersecurity and the language of privacy. While a common language is not available (and would be nice), frameworks that address both privacy and cybersecurity present an excellent solution to this challenge, e.g., the NIST frameworks for cybersecurity and for privacy or the ISO 27001/27701 standards.
My presentation will also outline key processes in privacy legislation that are associated with the typical risk-based approach adopted by most data protection legislation, e.g., data protection impact assessments. However, the presentation also describes other characteristics of privacy that are important to understand beyond legislation, such as privacy as a commodity, an asset, a cultural attitude and a form of control. Also outlined are factors influencing our privacy behaviors and attitudes and how important it is to consider these when 1) recruiting people to your team and 2) developing training and awareness programs for your organization.
Finally, the presentation will bring to light some challenges with certain privacy terms, e.g., the “Data Protection Officer” or DPO, as defined by GDPR. Using this term to describe a role means that you must comply with the requirements as described by GDPR. However, if you have no mandatory requirement to appoint a DPO, then in certain situations it may be prudent to consider using other titles – such as Privacy Champion or Privacy Leader.
How did I select the 10 things that every cybersecurity professional should know? With eight OECD privacy principles, seven privacy by design principles, 99 articles in GDPR, 173 recitals in GDPR, at least 20 significant pieces of data protection legislation, six key legal bases for processing, at least 10 acronyms and so on, I distilled “all things privacy” down to 10 key things based on the questions that I am most frequently asked or those domains from clients. I look forward to exploring them with you in more detail at the conference!