Data breaches, cloud computing, location-based services and regulatory changes will force virtually all organisations to review, and at least half of all organisations to also revise, their current privacy policies before year-end 2012, according to Gartner, Inc. These issues will dominate the privacy officer's agenda for the next two years.
"In 2010, organisations saw new threats to personal data and privacy, while budgets for privacy protection remained under pressure," said Carsten Casper, research director at Gartner. "Throughout 2011 and 2012, privacy programmes will remain chronically underfunded, requiring privacy officers to build and maintain strong relationships with corporate counsel, lines of business, HR, IT security, IT operations and application development teams. An established relationship with regulatory authorities and the privacy advocacy community will also be an advantage to them."
Gartner has identified the top five issues that privacy officers must pay particular attention to in 2011 and 2012:
1. Data Breaches Continue to Be a Top Concern Data breaches rank high on the priority list because of their visibility, but preparing for and following up on breaches is actually straightforward. Most controls exist anyway if security management is working properly. This topic should not consume more than 10 per cent of a privacy officer's time.
Organisations should compartmentalise personal information, restrict access, encrypt data when transmitting it across public networks, encrypt data on portable devices, and encrypt data in storage to protect it from users who have been given too much privilege, from rogue administrators and from hackers. Consider data loss prevention tools, tokenisation, data masking and privacy management tools.
2. Location-Based Services Exploit Personal Information in Unprecedented Ways Location information can be GPS information, the nearest cell tower, information about wireless access points, indoor positioning information, speed, altitude, smart meter identifiers and IP addresses. Not every organisation processes geolocation data, but the area is evolving rapidly, and a specific way of processing may suddenly surface as a privacy scandal (e.g. smartphones storing more location information than expected).
Many providers are still in the "collect" stage rather than the "use" stage. They compile vast amounts of information, often without a clear plan of what to do with it. This violates a fundamental privacy principle: Collect information only for the purpose for which you need it.
Depending on the nature of the business, privacy officers will focus 5-25 per cent of their time on location-based services.
3. Cloud Computing Challenges Traditional Legal and Technical Privacy Protection Cloud computing and privacy are innately at odds. Privacy laws apply to one country; the public cloud, in its ideal form, is not related to any country. Privacy officers should not accept "no" for an answer when asking whether the processing of personal information in the cloud or abroad is allowed. Most privacy laws have some flexibility, guidance is evolving slowly and, in many cases, there are legally acceptable solutions. Organisations should focus on the location of the legal entity of the provider, not on the physical locations of its operation centres.
There are other cases when sensitive company information should not leave the country (for example, if there are export control or national security concerns), but in most cases - and usually under conditions - in-country storage is not mandatory for privacy compliance. In some cases, it will be sufficient to ensure that personal data will not be stored in a specific country that is known for its privacy violations.
Privacy officers - and enterprise decision makers - should support IT's cloud and offshore initiatives where possible while achieving maximum privacy protection for the individual customer or employee. This will consume 20- 30 per cent of the privacy officer's time.
4. The Value of Privacy Determines Necessary Protection, but It Is Difficult to Quantify The value of privacy and the sensitivity of personal information are impossible to determine without context. Personal information has hardly any value or sensitivity. Rather, it depends on how data is being processed. There is no right or wrong. Finding the balance between "not enough" protection and "too much" protection is an ongoing process. Legal requirements are a bad guideline as they trail technical innovation and cultural change by several years.
Privacy officers should set up a process to identify stakeholders for personal information, gather requirements from them, influence the design of the business process and applications, and plan for adjustments. Once this process has been created, its execution should take the privacy officer no more than 10 per cent of his or her time.
5. Regulatory Changes Are Imminent and Ongoing Regulatory changes should not distract privacy officers from pursuing their strategies, because most regulatory changes will only have a mid- to long-term effect. Absent of any specific laws or regulatory guidance, organisations must interpret existing, generic privacy legislation for emerging technologies like smart meters, indoor positioning, facial recognition on smartphones correlated to photo databases, vehicle and device locators, presence detection, body scanners, and others.
Monitoring of regulatory changes and, consequently, adjusting the organisation's privacy strategy are important tasks, but they should consume more than 5-10 per cent of the privacy officer's time.
Mr Casper said: "The remaining 15-50 per cent of the privacy officer's time should be spent executing the privacy programme, managing relations, steering the privacy organisation, reviewing applications, revising policies, document controls, draft privacy terms for contracts, consulting with legal, responding to queries, following up on incidents and supervising the privacy training programme."
Gartner analysts will discuss the priorities for privacy and other security professionals at the Gartner Security & Risk Management Summit.
About Gartner Security & Risk Management 2011
The Gartner Security & Risk Management Summit 2011 provides chief information security officers (CISOs) and security, risk management and business continuity professionals with advice on infrastructure protection, governance, risk management, compliance, business continuity, disaster preparedness, response and recovery. The event features analyst-moderated user roundtables, workshops and end-user case studies, plus new research, trend updates, best practices and long-range scenarios.
For further information on the Gartner Security & Risk Management Summit 2011 taking place on 19-20 September in London, please visit www.europe.gartner.com/.... You can also follow the event on Twitter at http://twitter.com/... using #GartnerSecurity.
Additional information is available in the Gartner report "Top Five Issues and Research Agenda, 2011 to 2012: The Privacy Officer." The report is available on Gartner's website at http://www.gartner.com/....
"In 2010, organisations saw new threats to personal data and privacy, while budgets for privacy protection remained under pressure," said Carsten Casper, research director at Gartner. "Throughout 2011 and 2012, privacy programmes will remain chronically underfunded, requiring privacy officers to build and maintain strong relationships with corporate counsel, lines of business, HR, IT security, IT operations and application development teams. An established relationship with regulatory authorities and the privacy advocacy community will also be an advantage to them."
Gartner has identified the top five issues that privacy officers must pay particular attention to in 2011 and 2012:
1. Data Breaches Continue to Be a Top Concern Data breaches rank high on the priority list because of their visibility, but preparing for and following up on breaches is actually straightforward. Most controls exist anyway if security management is working properly. This topic should not consume more than 10 per cent of a privacy officer's time.
Organisations should compartmentalise personal information, restrict access, encrypt data when transmitting it across public networks, encrypt data on portable devices, and encrypt data in storage to protect it from users who have been given too much privilege, from rogue administrators and from hackers. Consider data loss prevention tools, tokenisation, data masking and privacy management tools.
2. Location-Based Services Exploit Personal Information in Unprecedented Ways Location information can be GPS information, the nearest cell tower, information about wireless access points, indoor positioning information, speed, altitude, smart meter identifiers and IP addresses. Not every organisation processes geolocation data, but the area is evolving rapidly, and a specific way of processing may suddenly surface as a privacy scandal (e.g. smartphones storing more location information than expected).
Many providers are still in the "collect" stage rather than the "use" stage. They compile vast amounts of information, often without a clear plan of what to do with it. This violates a fundamental privacy principle: Collect information only for the purpose for which you need it.
Depending on the nature of the business, privacy officers will focus 5-25 per cent of their time on location-based services.
3. Cloud Computing Challenges Traditional Legal and Technical Privacy Protection Cloud computing and privacy are innately at odds. Privacy laws apply to one country; the public cloud, in its ideal form, is not related to any country. Privacy officers should not accept "no" for an answer when asking whether the processing of personal information in the cloud or abroad is allowed. Most privacy laws have some flexibility, guidance is evolving slowly and, in many cases, there are legally acceptable solutions. Organisations should focus on the location of the legal entity of the provider, not on the physical locations of its operation centres.
There are other cases when sensitive company information should not leave the country (for example, if there are export control or national security concerns), but in most cases - and usually under conditions - in-country storage is not mandatory for privacy compliance. In some cases, it will be sufficient to ensure that personal data will not be stored in a specific country that is known for its privacy violations.
Privacy officers - and enterprise decision makers - should support IT's cloud and offshore initiatives where possible while achieving maximum privacy protection for the individual customer or employee. This will consume 20- 30 per cent of the privacy officer's time.
4. The Value of Privacy Determines Necessary Protection, but It Is Difficult to Quantify The value of privacy and the sensitivity of personal information are impossible to determine without context. Personal information has hardly any value or sensitivity. Rather, it depends on how data is being processed. There is no right or wrong. Finding the balance between "not enough" protection and "too much" protection is an ongoing process. Legal requirements are a bad guideline as they trail technical innovation and cultural change by several years.
Privacy officers should set up a process to identify stakeholders for personal information, gather requirements from them, influence the design of the business process and applications, and plan for adjustments. Once this process has been created, its execution should take the privacy officer no more than 10 per cent of his or her time.
5. Regulatory Changes Are Imminent and Ongoing Regulatory changes should not distract privacy officers from pursuing their strategies, because most regulatory changes will only have a mid- to long-term effect. Absent of any specific laws or regulatory guidance, organisations must interpret existing, generic privacy legislation for emerging technologies like smart meters, indoor positioning, facial recognition on smartphones correlated to photo databases, vehicle and device locators, presence detection, body scanners, and others.
Monitoring of regulatory changes and, consequently, adjusting the organisation's privacy strategy are important tasks, but they should consume more than 5-10 per cent of the privacy officer's time.
Mr Casper said: "The remaining 15-50 per cent of the privacy officer's time should be spent executing the privacy programme, managing relations, steering the privacy organisation, reviewing applications, revising policies, document controls, draft privacy terms for contracts, consulting with legal, responding to queries, following up on incidents and supervising the privacy training programme."
Gartner analysts will discuss the priorities for privacy and other security professionals at the Gartner Security & Risk Management Summit.
About Gartner Security & Risk Management 2011
The Gartner Security & Risk Management Summit 2011 provides chief information security officers (CISOs) and security, risk management and business continuity professionals with advice on infrastructure protection, governance, risk management, compliance, business continuity, disaster preparedness, response and recovery. The event features analyst-moderated user roundtables, workshops and end-user case studies, plus new research, trend updates, best practices and long-range scenarios.
For further information on the Gartner Security & Risk Management Summit 2011 taking place on 19-20 September in London, please visit www.europe.gartner.com/.... You can also follow the event on Twitter at http://twitter.com/... using #GartnerSecurity.
Additional information is available in the Gartner report "Top Five Issues and Research Agenda, 2011 to 2012: The Privacy Officer." The report is available on Gartner's website at http://www.gartner.com/....
