ROCKIN WITH DATA PRIVACY
BUILDING A DATA PRIVACY PROGRAM
About
Peter Gallinari has over 48 years of experience in Information Technology, with 30+ years as a professional leader in the field of Data Privacy, Cyber Security & Compliance. Industry expertise in the Financial Services, Health Care and Government sectors. He has held positions as: Chief Data Privacy Officer for the State of Tennessee, Domain Information Security Officer for the State of Tennessee, former Chief Security Officer at GE Capital and GE IT Director of Operations, Chief Security Officer supporting 3 hospitals in New York, and AVP (Assistant Vice President) Delivery Services for Merrill Lynch. Regulatory compliance leader for regulatory controls such as GLBA, SOX, HIPAA, FERPA, FTI, CJIS, SSA, the EU Privacy Directive (GDPR), and commercial compliance for PCI. Subject matter participant in support of innovative Cloud solutions (how to prepare to meet compliance and governance). Keynote speaker for Data Privacy and Cyber Security conferences, for both public and private sector audiences.
Mission
In an increasingly digital world, organizations, along with state governments, handle vast amounts of sensitive data. Building a robust data privacy program is crucial to protect this information and maintain public trust. I will outline the key steps in building a data privacy program and highlight the risks of not having one in place, along with how privacy differs between the private and public sectors. A successful program is not only about the legal components of data privacy; understanding how to operationalize the program across your landscape is essential.
Vision
We in the data privacy industry have been inundated with an abundance of information about the topic of data privacy. There are so many industry, educational and professional guidance references out there today covering this important topic to pull from. At times, it's just too much to handle!
I felt it was a good time to consolidate this wealth of knowledge, along with my own personal industry experiences, and summarize it in a way that can be used as a reference guide (in one spot) for readers to leverage as they work towards 'Data Privacy Awareness' for their business. Any level of expertise in this field will find the content useful.
It is important to note that privacy practices and requirements may vary based on specific state laws, regulations, and organizational structures. Therefore, it is crucial for state government agencies and private businesses to use what is essential to their business and, as always, to consult legal and privacy experts to ensure compliance with applicable laws and regulations.
FUNDAMENTAL COMPONENTS OF A DATA PRIVACY PROGRAM
My intent is to share the detail on the items listed on the left.
If there is a particular area that you would like more information on, please contact me from my contact page.
IS DATA PRIVACY JUST ABOUT LEGAL AND CYBERSECURITY?
Keep in mind, legal plays a major role within your organization in ensuring that you are in compliance with the handling, use, storage, dissemination, sharing and access of your data.
In order to support legal in regard to data privacy compliance, there needs to be a process to implement all the required tasks. For this reason, you need someone on the data privacy team to run the program from an operational standpoint. Without this person, there is a very good chance your program will not be successful. This part of the program is not the responsibility of a lawyer (my personal view); I can almost guarantee that they don't want that piece. They have enough to worry about dealing with new laws and policies to protect their organization.
The data privacy operational/technical leader will implement the program across the business: provide privacy awareness and training, perform privacy assessments (Privacy Impact Assessments), monitoring and compliance, risk management, incident response and remediation (working with the business legal team), and documentation and reporting (metrics).
Now let's talk Security, and as a former CSO, I would need to rely on the following items:
1. Data has to have a data owner, and it's not IT (the Information Technology Division).
2. Data must be classified (only by the data owner).
3. Both Compliance & Legal need to be on the same page about data ownership and use of the data (again, not an IT responsibility).
4. Once data has been classified, security can apply the data protection controls to protect the data based on: regulatory requirements, business requirements, and the data owner's requirements.
So, to answer the very first question, the answer is no. Data Privacy is not just about legal or security. This is a team effort, which relies on each group doing its part: Legal, Privacy, Security.
Look forward to other discussions in the areas of:
- Risks of not having a privacy program
- How data privacy may differ in the private and public sectors
- How the Data Privacy Officer works with your Chief Security Officer
“Data Privacy is a matter of trust. Our citizens/consumers are expecting us to do the right thing with their data.”
“By providing a service that focuses on a strong value of trust, we will build a reputation that demonstrates our integrity and how we value and respect our citizens'/consumers' privacy.”
- Peter Gallinari