Christine has over 10 years' experience in the technology regulatory domain. She started out in the mobile technology sector, where she led the alignment and synergy effort with local regulatory authorities and carriers in China, Southeast Asia, and the UK on the product and service transparency and monetization models that were shaping the fast-growing mobile value-added service (VAS) market. In recent years, she has expanded her privacy horizon by taking up a range of privacy-related responsibilities, from software product design, privacy program management, cloud governance and compliance, and digital workflow transformation, to most recently enterprise privacy operations and information governance in the life sciences sector. She also regularly participates in and speaks at industry events and panels.
Rapid technological advancement, together with the expansion of network capability, has led to a plethora of new opportunities and challenges for businesses across industries. Data has become the building block and enabler of business growth. With enormous amounts of data being generated and processed every day, and growing awareness of personal data protection, businesses of all sizes yearn for solution-driven governance to address some of their top-of-mind concerns: How can we withstand the regulatory headwind while benefiting from the tremendous opportunities of digital innovation? How do we ensure that we are putting sufficient technological safeguards and regulatory guardrails in place while democratizing data to promote sustainable growth? How can companies innovate responsibly under a changing regulatory climate while trying to assess the potential risk in a technology greenfield? What is a risk-based approach to future-proof compliance when there are so many shiny opportunities and business imperatives tied to disruptive technology like artificial intelligence (AI) and the like? And how does the transformational value measure up against the equally pressing environmental issues and geopolitical tension surrounding technology dominance?
Understand the Regulatory Landscape
The first step to ensuring privacy compliance is to understand the regulatory landscape. Companies must be aware of the regulations that apply to their industry and to the types of data they collect and process. In addition to data privacy regulations such as the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) or other US state privacy laws, many companies must adhere to a domain-specific regulatory compliance stack, for example in financial services, medical devices, healthcare, and technology, among many others.
To comply with these regulations, companies should adopt a strategic approach to implementing privacy governance alongside or within the other compliance tracks.
- Conduct a comprehensive risk assessment: this involves identifying the types and elements of data that the company handles, the potential risks to that data, and the compliance requirements that apply to it. With fast AI adoption, there may be many new data types, including unstructured data such as biometric, sensor, and multimodal data, among many others, that require new data handling approaches. By understanding the data classification and its associated risk, the company can develop a plan to address those risks effectively.
- Implement strong security measures: data security is an essential component of data privacy regulatory compliance. Implementing strong security measures such as encryption, access controls, and network security helps protect sensitive data from unauthorized access or disclosure.
- Implement Privacy by Design (PhD) and privacy controls and safeguards: PhD is a framework that incorporates privacy and data protection into the design and development of products and services from the outset. This approach helps companies identify and mitigate potential privacy risks before they become a problem. Implement data lineage tracking so that the legal basis or purpose of processing stays intact throughout the data lifecycle, and leverage applicable access control and data encryption tools to drive data-centric protection. By implementing PhD, companies can ensure that their products and services comply with privacy regulations and have privacy built in from the outset.
Integrate Privacy into the Technology Stack and Enterprise Architecture Design
To effectuate privacy governance, companies must integrate privacy into enterprise architecture design. In practice, this means that companies should conduct privacy impact assessments (PIAs) before launching new products or services, or even just before connecting internal systems where data sets could be combined. PIAs involve analyzing the potential privacy risks associated with the collection, processing, and storage of personal data and identifying measures to mitigate those risks.
Companies should also consider implementing privacy-enhancing technologies (PETs) such as encryption, anonymization, and pseudonymization to protect personal data from unauthorized access or disclosure throughout the data lifecycle. For instance, by anonymizing personal data, companies can use that data for statistical analysis without compromising individual privacy. By using encryption at every stage of data processing, businesses can protect personal data both in use and in storage. PETs are not new to the industry, although some of the technology has been improved or advanced. While they show very promising results for preserving privacy and enhancing security while data is in use or being processed, they are not a magic wand for achieving compliance.
There are many different types of PETs, each with its own strengths and weaknesses. It is important to choose the right PET for the specific use case and to ensure that it meets the privacy requirements. Evaluate whether the PET itself meets the privacy principles, such as transparency in the collection and processing of personal data, and whether its code can be reviewed to confirm that the technology is designed with privacy in mind and complies with the privacy principles under the various privacy laws, including sectoral ones like HIPAA. Lastly, test and monitor the PET to ensure the technology is working as expected, which may include audits and risk assessments. Used correctly, PETs are very promising tools for protecting data while in use, helping to achieve business imperatives and generate benefits and profits.
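To make the difference between two of the PETs named above concrete, the following is an added example (not code from the article or its author) contrasting keyed pseudonymization with anonymization by generalization, and showing the kind of test a practitioner would run to verify that the PET is "working as expected". The records, field names, the HMAC key, and the `k_anonymity` check are all constructed for the illustration.

```python
import hmac
import hashlib
from collections import Counter

# Constructed sample records (hypothetical, not from the article).
# "email" is a direct identifier; "zip" and "age" are quasi-identifiers
# that can re-identify a person when combined with outside data.
RECORDS = [
    {"email": "alice@example.com", "zip": "94110", "age": 34, "diagnosis": "flu"},
    {"email": "bob@example.com",   "zip": "94112", "age": 38, "diagnosis": "asthma"},
    {"email": "carol@example.com", "zip": "10001", "age": 52, "diagnosis": "flu"},
    {"email": "dave@example.com",  "zip": "10003", "age": 57, "diagnosis": "migraine"},
]


def pseudonymize(record, key: bytes) -> dict:
    """Replace the direct identifier with a keyed pseudonym.

    HMAC-SHA256 over the normalized e-mail gives a stable token, so records
    about the same person remain linkable for analysis. Anyone holding the
    key can re-compute the token from a known e-mail, which is exactly why
    pseudonymized data is still personal data under GDPR: the key must be
    kept apart from the data set, with its own access control.
    """
    token = hmac.new(key, record["email"].strip().lower().encode(), hashlib.sha256).hexdigest()
    out = {k: v for k, v in record.items() if k != "email"}
    out["pid"] = token
    return out


def generalize(record) -> dict:
    """Anonymize by generalization: coarsen the quasi-identifiers.

    ZIP is truncated to its first three digits and age is bucketed into a
    ten-year band. No key exists, so nothing can be reversed, but utility
    for statistics drops as the bands get wider.
    """
    out = dict(record)
    out.pop("email", None)
    out["zip"] = record["zip"][:3] + "**"
    decade = (record["age"] // 10) * 10
    out["age"] = f"{decade}-{decade + 9}"
    return out


def k_anonymity(records, quasi_identifiers) -> int:
    """Smallest group of records sharing the same quasi-identifier values.

    A value of 1 means at least one person is unique in the data set and
    therefore exposed to linkage; a monitoring job can fail a release
    whose k falls below the agreed threshold.
    """
    classes = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(classes.values())


def release(records, key: bytes, k_min: int = 2):
    """Pseudonymize and generalize, refusing to release below the k threshold."""
    anonymized = [generalize(pseudonymize(r, key)) for r in records]
    k = k_anonymity(anonymized, ("zip", "age"))
    if k < k_min:
        raise ValueError(f"k-anonymity {k} below required {k_min}")
    return anonymized


if __name__ == "__main__":
    key = b"constructed-demo-key-keep-real-keys-in-a-kms"
    print("raw k =", k_anonymity(RECORDS, ("zip", "age")))
    for row in release(RECORDS, key):
        print(row)
```

Running the block shows that the raw records are unique on (zip, age), so k is 1, while the generalized release reaches k = 2 and still carries a linkable `pid` for longitudinal analysis. The same pattern, a transformation plus an automated check of the property it is supposed to guarantee, is what the "test and monitor the PET" step above calls for.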
Establish Clear Policies and Procedures and Respective Employee Training
Clarity in communicating data protection requirements across the entire company is essential. It creates consistency in data handling best practices and helps employees understand their responsibilities and obligations. Privacy compliance is not just the responsibility of the legal or compliance team – it is a company-wide effort. All employees must understand the importance of privacy compliance and the steps they can take to ensure that personal data is protected.
To promote a data-driven culture throughout the whole organization, companies should invest in privacy training for all employees, so that employees stay up to date with new technologies and processes, the importance of data, and their own roles in supporting this continuous compliance effort.
Process improvement requires developing data governance policies and procedures that are aligned with changing business needs, evolving technologies, and new regulatory requirements. Incorporate regular reviews and audit procedures to identify any gaps in compliance, and treat them as an opportunity to address areas of improvement proactively with relevant corrective and preventive measures.
Partner with Cross Domain Experts
Complying with privacy regulations can be complex, particularly in the AI era. To achieve agile governance, it is important to collaborate across the company, including legal, compliance, IT, and business teams, especially where privacy is heavily intertwined with every process and with multiple stakeholders. Examples include incorporating privacy governance to automate and streamline the data management process; using data quality tools to enforce data validation rules that certify data accuracy, along with data cleaning processes that remove duplicate or incomplete data; applying data transformation to ensure format compatibility; and orchestrating data literacy around common data insights and the ethical use of data to improve data-driven decision making.
Privacy governance is becoming increasingly important in this digital age, as the use of data-driven technologies continues to grow in prominence. While these technologies have the potential to revolutionize many industries, they also bring significant privacy risks. An agile governance framework can help companies manage privacy risks more effectively while remaining flexible and adaptive, balancing the benefits of innovation against the complexity of societal impact. Ultimately, privacy governance is not only a legal and regulatory requirement but also a moral and ethical responsibility that companies must embrace to thrive in the AI era.