Privacy and Data Protection
Domestic and international privacy regulations make every database a minefield of potential liability. Maximizing data value while continuously protecting privacy is a critical component of organizational success.
Privacy Program Approach
A modern privacy program must chart a secure course through numerous, and sometimes contradictory, federal, state and international mandates.
From governance and program planning to privacy incident management and response, we leverage our deep understanding of privacy to establish, support and mature a multipronged privacy program for federal and commercial operations.
Our privacy services include:
- Privacy Risk Assessment: Privacy risk assessments combine the technical rigor of traditional security assessments with a review of problematic data actions that can result from processing personally identifiable information (PII). MBL’s general approach is based on the NIST Privacy Risk Assessment Methodology (PRAM). We then tailor this approach to specific regulatory requirements as needed. These include requirements incumbent on the Federal Government, such as OMB Circular A-130, NIST SP 800-122 and NISTIR 8062, as well as those incumbent on the private and commercial sectors, such as HIPAA, U.S. state-specific requirements and Europe’s General Data Protection Regulation (GDPR). During this assessment, we analyze PII storage and processing in the context of your business and legal landscape. We work with you to develop approaches that limit the collection, maintenance and use of PII, while still meeting business and operational requirements. We then help you understand and mitigate any remaining technical and legal risk related to PII processing.
- Breach Response: We prepare, test and execute breach response plans and procedures to address incidents that involve loss of PII. We draft risk of harm templates, identify and plan for all required legal notifications and develop a granular public relations and communications plan. We couple these plans with online training for key privacy personnel, and we conduct tabletop exercises to improve response effectiveness.
- Privacy Compliance: An ever-growing list of federal, state, international and private-sector entities promulgate complex, overlapping privacy regulations. We evaluate your privacy protection policies, processes and procedures (the “3 P’s”) to determine your overall privacy posture. We assess the 3 P’s for compliance with privacy regulations that impact your organization, and identify risks and vulnerable practices. We then provide prioritized recommendations for mitigating those risks without impacting business operations.
- Training: MBL’s off-the-shelf privacy training will quickly get technical and non-technical staff up to speed on national and international privacy regulations, or we can develop custom online or in-class training tailored to your organization’s unique privacy landscape.
- Privacy Posture Assessment and Baselining: MBL privacy advisors will review your processes, policies and procedures to understand your operations and as-is privacy state. Backed by insight into your business needs, we will assess your privacy posture to identify risks. We will then provide prioritized recommendations to mitigate those risks without impacting your business.
- Baselining and Continuous Improvement: Using a formal framework, such as the NIST Privacy Framework or another recognized standard, we will conduct a baseline assessment to define your current privacy posture. As an example, we will compare actual practices (e.g., advertising) to stated commitments. Disconnects between policy and practice can lead to regulatory action by state attorneys general, federal regulators and even private citizens. In addition to resolving these disconnects, we will also help you develop a short-, medium- and long-term, maturity-level-based plan for evolving your privacy program against the national and international privacy standards most relevant to your business.
- Data Inventory and Minimization: Major privacy laws like GDPR and CCPA require that organizations carefully inventory data holdings. MBL will help you not only inventory data, but also redesign business processes to minimize this data inventory and reduce your privacy risk surface. By minimizing use of PII, Personal Health Information (PHI) and other sensitive data types, we lower your overall privacy risk profile.
- Privacy Transparency: We help you develop a privacy, data protection and transparency program that highlights your commitment to privacy, and demonstrates that your privacy offerings are a notch above industry competitors. This helps you receive a return on your investment in protecting private data.