Privacy Gap Assessment Critical for GDPR Compliance
Arrka Consulting's Shivangi Nadkarni on the Essential Steps for a Structured Privacy Program
The single largest challenge an organization faces in complying with a privacy framework is mapping its personally identifiable information, says Shivangi Nadkarni, CEO at Arrka Consulting. "The reason is the definition of PII itself has expanded and evolved over the last few years to include above-the-surface PII, which is what you and I intuitively understand. But there is a vast amount of PII which is below the surface, like metadata, device identifiers, etc.," Nadkarni says in an interview with Information Security Media Group.
Nadkarni says that in order to put controls on data sharing, one needs to have a ready map of where PII is stored. "This inventory has to be mapped and it has to be kept continual because data is constantly evolving. That is a humongous task," says Nadkarni.
In this interview with Information Security Media Group (see excerpts below), Nadkarni also discusses:
- The global privacy frameworks one can refer to;
- Challenges while mapping PIIs;
- What to expect from data protection law in India.
Nadkarni, CEO at Arrka Consulting, has over 22 years of experience in information risk and privacy, e-commerce and networks. She previously headed the global application security and identity management practice at Wipro and established India's first licensed certifying authority for digital signatures at Sify.
SUPARNA GOSWAMI: Any organization which is thinking of implementing a privacy program will start with a gap assessment. So what are the next steps post a gap assessment?
NADKARNI: Typically, organizations work through the cycle of figuring out whether GDPR is applicable to them or not, and once they've done that, they usually go through a structured gap assessment exercise where they see whatever gaps need to be bridged for them to be compliant with GDPR. The challenge usually comes when it comes to actually [bridging] those gaps, because privacy cuts across almost all functions of an organization. The more personal information they deal with, the larger the implementation is. You need to have a structured approach to implementing the privacy program. Typically, a structured approach is using a robust framework. So, for example, if you're implementing information security, you look at a framework like ISO 27001. That gives an organization guidance to roll out a security program. Similarly, you have frameworks for privacy programs. You have the Data Security Council of India's privacy framework called the DPF, which is very robust. There are frameworks from the U.S. like the AICPA. There is also BS 10012, a British standard. We look at these three as proper privacy framework implementation programs. A framework then gives an organization a way to roll out privacy. Typically, the larger the organization, the more time it takes to implement this program. So once they start implementing a privacy program, they start looking at the complexity, and that's when the journey starts.
GOSWAMI: What is the biggest challenge faced by organizations when they start implementing the privacy frameworks? Where do they usually lag behind?
NADKARNI: In my opinion, based on some of the programs that we've been rolling out and whatever I have heard from others in the industry, the single largest challenge that an organization faces is in doing what is called mapping the personally identifiable information. The reason is the definition of PII itself has expanded and evolved over the last few years to include more than just identity data, demographic data, health data and financial data. There is a vast amount of PII which is below the surface, like online identifiers, device identifiers, metadata and social media handles. All of that is also personally identifiable information. So, now when an organization is trying to roll out the privacy program, they need to first get an overview of what information they're dealing with, where it lies and who is using it for what. Because until they have that view, they cannot really implement privacy controls. In order to put these controls in place, you first need to have that full map of the PII inventory, and it has to be kept continual as data is constantly evolving. This is a humongous task and not an easy problem to solve. The reason I say it's a hard problem to solve is because it's not something where you can just run a set of tools to get hold of this data. Though today you have discovery tools for both structured data and unstructured data, you need to be able to implement them and draw data flow maps to see where this data is going, who is doing what with this data, who the business owners are, how it is being protected, what purpose it is being used for, etc.
Therefore, if this problem is taken up as an independent exercise and done throughout an organization, it helps to implement a privacy program, because you can put controls in place irrespective of geography and law.
DATA PROTECTION LAW
GOSWAMI: India plans to come out soon with the first draft of its data protection law. You too must have given your feedback. What have been your initial thoughts after reading through the Srikrishna Committee's recommendations? What do you expect out of it?
NADKARNI: We are all eagerly waiting for the first draft to come out. And we have no reason to believe that it will be anything different from most other laws in the world today. There are aspects like, you know, proper usage having a focus, breach notifications. There are other aspects also, like cross deal in many laws. But no matter what is written in the law, companies will have to roll out a privacy program. After that, it is a matter of to what degree some of this will have to be complied with. So we know the parameters on which the law will be based. Let's wait and watch.