Continuous monitoring is required for effective data privacy and security

By Ambler T. Jackson

Ambler T. Jackson, CIPT, CIPM, CIPP US/G, JD, is a privacy subject matter expert located in Washington, DC, USA.

Continuous monitoring is the maintaining of ongoing awareness of information security vulnerabilities and threats to support organizational risk management decisions.[1] One US federal government resource describes continuous monitoring as a risk management approach to cybersecurity that maintains an accurate picture of an agency’s security risk posture, provides visibility into assets, and leverages use of automated data feeds to quantify risk, ensure effectiveness of security controls, and implement prioritized remedies.[2] In the financial industry, continuous monitoring has been described as an “automated, ongoing process that enables management to assess the effectiveness of controls and detect associated risk issues; improve business processes and activities while adhering to ethical and compliance standards; execute more timely quantitative and qualitative risk-related decisions; and increase the cost-effectiveness of controls and monitoring through IT solutions.”[3]

Recent events related to personal data and security have given rise to the increasing need to continuously monitor business processes and the entire data life cycle. As such, it is a best practice—and in the case of federal agencies, it is a long-standing practice—to develop and adhere to a continuous monitoring strategy. Continuous monitoring involves an ongoing process that requires management to continuously review business processes in order to appropriately mitigate risk associated with collecting, maintaining, and using personal data. Most professionals in a management function or role, or who have management responsibilities, understand that continuous monitoring is an important risk management tool; however, many professionals in management are just now beginning to understand why continuous monitoring is critical and absolutely necessary for business operations across the enterprise.

Continuous monitoring is typically discussed as part of a framework for managing risks. There are several kinds of risks (e.g., strategic, operational, financial, compliance). Within the operational and compliance risk areas, from a data privacy and security perspective, new risks are emerging daily. Without enterprise-wide continuous monitoring, it will be nearly impossible to proactively identify and mitigate new risks. Enterprise-wide risk management allows an entire organization to contribute to mitigating risk; this includes everyone from the frontline employees, technical experts, and management to executive leadership. The approach takes into consideration the mission, objectives, business functions, and processes of the organization as well as the culture and appetite for risk.

What is personal data?

Fundamentally, your personal data is data that identifies you. For example, if I ask you to provide me with your personal information so that I can contact you and ask that you provide feedback on the topic of this article, you may provide me with your email address and phone number. These two data elements are personal to you. No two people share the same email address or telephone number. Upon reading the request, you will immediately understand that I am referring to your data. So, on the one hand, given the context of this example, most people will agree that the term personal data is self-explanatory.

On the other hand, personal data may take on a different meaning and result in a different privacy impact depending on several factors, including, but not limited to, the purpose for which data is collected, how it is used, and by whom. There’s no one global definition for personal data. The legal and regulatory definition and description of personal data may vary according to, for example, the citizenship of the individual to which the data belongs, the type of data collected, the industry to which the data pertains, and other variables.

For example, in the United States, the government describes personal data using the phrase personally identifiable information (PII), and PII is defined as “any information about an individual maintained by an agency, including (1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and (2) and information that is linked or linkable to an individual, such as medical, education, financial, and employment information.”[4]

At the state level, at least in California, personal data is expressed as personal information. According to the California Consumer Privacy Act (CCPA), personal information means information that identifies, relates to, describes, references, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or device….”[5] Under the European Union’s General Data Protection Regulation (GDPR), personal data is any information that relates to an identified or identifiable living individual.[6] The Brazilian General Data Protection Law (LGPD) defines personal data as any information related to an identified or identifiable natural person.”

This document is only available to members. Please log in or become a member.
Become a Member Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings