Data Privacy
Products and services in Cloud, Data Analytics, and IoT continue to proliferate a rapid use (and often abuse) of PII beyond traditional data environments. As a result, clients would benefit from data privacy services. This is due to the greater need to mitigate the risks of privacy violations that can lead to legal risks, loss of consumer trust, and overall reputational damage. Our focus is helping clients via the following engagement models that VerSprite has designed to resolve today’s data privacy challenges:
Data Discovery/Data Flow Diagramming
Data Governance & Management
Legal & Regulatory Compliance Readiness
VerSprite’s data privacy services are based upon the company’s review of multiple data privacy laws, global privacy regulations, and privacy frameworks. We collaborate with partners in the Legal profession as well to offer a comprehensive response to privacy challenges today. Below is a synopsis of the aforementioned service engagements offered by VerSprite’s GRC service
Data Privacy with Data Discovery/Data Flow Diagramming
A key challenge for many organizations is to know where their data liabilities lie. This is particularly challenging as many clients’ IT infrastructure evolves from OnPrem models to Cloud infrastructures. VerSprite’s data discovery services focus on achieving the following:
- Conduct data flow diagramming efforts to map how customer-managed PII flows in/out of IT environments.
- Identify data sources (e.g. – databases, flat file systems, cache servers, and other repositories) and map out ingress/ egress data flows, specific to PII data.
- Leverage eDiscovery techniques, tools, and scripts to help traverse information systems and identify data types and extent of PII across OnPrem, Hosted, and Cloud-related systems.
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
Knowing where sensitive PII data is located is pivotal to properly addressing data privacy regulations worldwide. In doing so, clients will be able to apply the right amount of end deliverables that are commonly used by privacy offers, information managers, and IT managers who want to know how discovered PII should be better managed. End deliverables include the following:
1. Data Flow Diagrams (DFDs) depict both protocols, trust boundaries, inherent security controls, and data classification types for data. DFDs reside with technologists so that they can understand the direction in which PII flows in/out of IT environments. This plays a key role when having to address security controls referenced by various privacy laws like HIPAA, PIPEDA, and GDPR, as well as privacy frameworks such as the Asia-Pacific Economic Cooperation’s Privacy Framework, as well as the Cross-Border Privacy Rules.
2. Data Discovery Reports focus on illustrating where PII a targeted mapping of PII data stores and transportation mediums across Client infrastructure, as well as prescriptive advice for privacy gaps identified. This is extremely important for ongoing data management efforts and becomes a ‘living’ artifact for both IT and privacy professionals alike.
3. Privacy Impact/Threshold Assessments are non-technical assessments performed to identify the systems, applications, and data stores (also known as systems of record) that house PII. They complement more technical data discovery efforts from VerSprite’s previously mentioned eDiscovery efforts. VerSprite leverages NIST SP 800-122 to provide a framework for discovering which systems may be sharing PII and if proper authorization of such data shares is in place. This determination leads to the impact analysis of PII sharing amongst and beyond the corporate IT environments. Relevant privacy laws are mapped as part of the PIA piece of this process to identify impacts associated with previously identified data flows.
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
Data Governance & Management for Data Privacy
VerSprite performs a gap assessment against privacy and security control frameworks that tie to control references and mandates from various state, national, and global privacy laws. Our process builds off the knowledge of data flows of PII and correlates the data flows pertaining to those environments with regulatory requirements around safeguarding PII. As part of this service, VerSprite examines the following key privacy and data protection areas:
Data Classification:
Our review of data classification policies and how they are technically applied to information environments helps clients see how and where security controls should be applied in conformance to privacy requirements as data importers or data processors.
Data Retention Policy Reviews:
Data retention can extend an organization’s liability and overall data risk. Many organizations don’t have proper retention periods defined and can mistakenly make data too available for both internal and external factors. Without a true business need to have data available or even retained, companies can run the risk of becoming liable for its safeguarding and privacy. VerSprite evaluates data retention policies and practices by leveraging some of its data discovery services and then mapping the source of PII to retention policies applied by client organizations to those PII records.
Data and Privacy: Legal & Regulatory Compliance Readiness
Privacy laws have been exercised to affect many companies that violate the authorization, use, and security of PII data. Many of those laws, particularly with GDPR, provide many challenges to MNCs who may not know where PII is housed or what controls they have to ensure its proper safeguarding. VerSprite services for legal and compliance readiness around privacy laws extend to include the following:
Data Privacy Shield & Privacy Program Reviews
Many organizations do not have a formal data privacy program that defines both an internal and external policy around how PII is being managed. VerSprite not only reviews or helps develop appropriate policies around the nature and use of PII, but also reviews whether companies’ privacy programs have adequately prepared for or properly adhered to global privacy frameworks such as the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. Considerations around the scope of PII (under management), data flows, exposure levels, and ongoing changes in acceptance from legal courts all factor in VerSprite’s privacy program reviews and guidance services. VerSprite reviews the precedence of legal cases (at various levels: state, federal, international) to establish strategies tailored to clients of varying industries and data exposure levels.
Legal Contractual Reviews
Sampling of vendor contracts and client MSA agreements help to determine the level of regulatory risks assumed by VerSprite clients or whether legal risk transferences are possible. VerSprite works with a partner legal firm (well-versed in international privacy laws) in order to provide a joint effort around privacy considerations for vendor and client contracts.
- Model Clauses & MSAs: VerSprite’s analysis helps to determine if risk acceptance of MSA terms may be over-arching to the services being provided by the client organization.
- Security Clause Review & Gap Analysis: VerSprite helps to identify whether or not depicted security controls or security assurances can/ cannot be fulfilled by the client. Many of these exercises pertain to contractual clauses found in EU’s Model Clauses and HIPAA’s Business Associate Agreements as an example.
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
Data Privacy Services from VerSprite
Protect one of your most precious investments, your business, with professional data privacy services.
Contact VerSprite today to get started.
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
Related Resources
