Why a privacy risk assessment is vital to ensuring regulatory compliance – and must extend to client-side website security.
- Most of the world’s population will soon have their personal information covered by at least one privacy regulation.
- Organizations must have a privacy assessment cadence and perhaps employ a privacy officer to be sure they meet the requirements unique to their business.
- Client-side website vulnerabilities must be a part of any privacy audit or assessment as the browser is a collection site for data and is uniquely vulnerable to data leaks and cyberattacks.
- Request Risk Assessment
Data privacy is one of the most fiercely debated topics today among business leaders, technology companies, governments and individuals. Fueled by the introduction of strict data protection regulations across the world, such as the California Consumer Privacy Act (CCPA) and the GDPR (General Data Protection Regulation), it is incumbent on organizations to ensure the privacy of the data they process – or face costly consequences. Argentina, Brazil, Egypt, India, Indonesia, Japan, Kenya, Mexico, Nigeria, Panama, Singapore, Thailand and the United States (and numerous states within it) have all enacted or proposed postmodern privacy and data protection laws following the introduction of the GDPR.
By 2023, 65% of the world’s population will have its personal information covered under modern privacy regulations, up from 10% today. – Gartner
A 2019 survey by Gartner noted that 64 percent of senior executives said “accelerating privacy regulation” was the top emerging risk their organizations face, with privacy regulation concerns most prevalent among professionals in banking, financial services, and technology and telecommunications industries.
Despite this, there are daily reports of data leaks or exposure from within organizations that thought they had the proper data protection measures in place. In the first three quarters of 2020, there were 2935 publicly reported breaches – including a few high-profile ones such as Twitter, Microsoft, Wattpad, Broadvoice, Estee Lauder and Whisper.
Privacy risk assessments — also known as data protection impact assessments (DPIA) or privacy impact assessments (PIA), exist to ensure you accurately measure and manage the risk to your customers and keep your organization compliant with global data protection regulations.
Why do I need to conduct a privacy risk assessment?
Data is the lifeblood for every organization. But if your business collects sensitive and personal customer data – to build marketing campaigns, improve the customer experience or for payment purposes, for example – how you manage, store and secure that data will be essential to maintaining your regulatory compliance. But that does not just mean protecting your organization from data breaches and cyberattacks; it also requires respecting data subjects’ privacy.
Personal data always needs to be kept secure as vulnerabilities in the flow of data lead to the risk of breaching customers’ personally identifiable information (PII). The data in question could be usernames, location data, online identifiers like IP address or cookies, or passwords.
Despite the headlines, you do not even have to be subject to a cyberattack: under the regulations, a breach can include the accidental or unlawful destruction, loss or disclosure of personal data.
This applies to data whether it is saved on a database, as a hard copy or being transferred to or from third parties. Each area has its own risks, but the OWASP Top 10 Privacy Risks Project lists website vulnerabilities, including injection flaws (which allow attackers to copy or manipulate data) and sensitive data exposure (which allows attackers to gather sensitive information) as the biggest risk to data privacy.
Any organization required to comply with the CCPA or GDPR (and other coming country and US state privacy laws) must conduct regular privacy risk assessments. The ability to ensure confidentiality, integrity, availability and resilience will be crucial – as will be restoring data promptly in the event of an incident. You will also need to demonstrate you have taken adequate steps to protect the data in your care in the event of a breach or leakage.
What does a privacy risk assessment involve?
A privacy risk assessment is typically designed with three main goals:
- Ensure conformance with applicable legal, regulatory and policy requirements for privacy
- Identify and evaluate the risks of privacy breaches or other incidents and effects
- Identify appropriate privacy controls to mitigate unacceptable risks
- Include a website vulnerabilities audit
How do you conduct a privacy risk assessment or PIA?
Data protection regulations like the CCPA or GDPR do not prescribe specific data protection technologies. There is no “official risk assessment template.”
“Risk identification needs to be part of the process, as well as a systems design. Privacy by design and by default is all about identifying privacy risk and making sure a risk-based approach guides you through the entire lifecycle of data,” notes the International Association of Privacy Professionals (IAPP).
Benefits of privacy risk assessments
According to the IAPP, undertaking privacy risk assessments have multiple benefits for your organization:
- Provides an early warning system – a way to detect privacy problems, build safeguards before, not after, heavy investment and fix privacy problems sooner rather than later
- Provides evidence that an organization attempted to prevent privacy risks (reduce liability, negative publicity, damage to reputation)
- Enhances informed decision-making
- Helps your organization gain the public’s trust and confidence
- Demonstrates to employees, contractors, customers and citizens that your organization takes privacy seriously
Many of these benefits focus on how undertaking privacy risk assessments can help circumvent the costly and embarrassing effects of a data breach.
For example, the average cost of a data breach is now $3.92 million, with the biggest contributor to costs being lost business. The effects of organizational data leakage can also be felt for years. According to 2019 figures, 67% of data breach costs were realized within the first year after a breach, but 22% accrued in the second year, and another 11%accumulated more than two years after a breach.
There is also the reputational damage and diminished goodwill that organizations will suffer – once an organization has lost the trust of its customers, it is difficult to win it back. Data breaches caused abnormal customer turnover of 3.9% in 2019, and 64% of consumers say they are unlikely to do business with a company where their financial or sensitive data was stolen.
Why a Privacy Risk assessment must include your website
As we mentioned earlier, it is critical to conduct privacy risk assessments wherever data flows throughout your organization – and this includes your website, an area often overlooked, despite being a goldmine for customer PII (and subsequently a prime target for hackers).
Data leakage can often occur at the client side of the website, so it is more difficult to see what is going on until it is too late.
To combat this, you need a real-time view of your digital data supply chain: all the technologies running on your digital properties. Essentially, you are performing a full privacy risk assessment as web pages are loaded.
You should know what code is running on your website – whether it is your own or from known or unknown third parties – and be able to control and limit who has access and what data they collect and share – all to prevent data leakage.
If you are unsure of your website’s security posture or you think you may be vulnerable to attack, ask yourself: Who is responsible for website security in my organization?
- How many third-party technologies do I have on my website? And what exactly do they do?
- Are there any security checks in place to ensure third-party technologies do not capture or pass on sensitive information?
- Performing a regular site scan to see exactly what is running on the site – this includes testing any new updates to detect any suspicious behavior
- Observing and monitoring client-side site traffic in real time with actual user activity to help identify any suspicious patterns so you can act before any damage is done, all without impacting the customer experience.
- Controlling permission to trusted third-party services – creating an allow list and a blocklist will enable you to only share data with trusted vendors
With a real-time website security strategy and enforcement tools such as the Ensighten Platform, you can prevent website data leakage and unauthorized sharing of PII while complying with the CCPA and other data privacy regulations – as well as those yet to come.
“As attackers focus more on the client-side, organizations must consider the impact of script and browser vulnerabilities more broadly. Work the above scenarios into your threat modeling and think about how to best protect your customers and their experiences with your site,” notes analyst Forrester.
Get your free Website Vulnerability Assessment and check your customer data exposure to help ensure your compliance with global data privacy legislation.
Get in touch with Ensighten to find out more about how to protect your website from data leakage or theft while complying with global data privacy legislation.
Founded in 2009, Ensighten is the global cybersecurity leader providing client-side protection against data loss, ad injection, and intrusion while enhancing website performance.