IT and the Changing Privacy Landscape: Eight Areas to Watch in '08
Privacy and compliance are mainstream business issues that can be simplified by following these tips from analyst firm Ernst & Young.
Insider threat used to drive the need for monitoring. However, monitoring today is also about effectiveness—of the privacy program, of joint or overlapping compliance activities and of the balance between privacy risk and business value. While technology has yielded new tools for addressing and preventing data loss or leakage and for generally monitoring computer, database and network activities, there is still no silver bullet that addresses all the needs for monitoring the use of personal information enterprisewide. Finding the best technical solutions means understanding the capabilities for logs, queries and other controls within existing processes and technologies, determining the gaps and building or buying appropriate solutions to close them. It also means factoring in maintenance and consistent monitoring of operations.
Looking Forward
Privacy is a mainstream business issue. These eight areas deserve more than a check-the-box exercise. Each one should be addressed as part of the comprehensive, deliberate management of privacy risk and compliance. Founded on policy and governance, an effective privacy program relies on controls, monitoring, compliance activities and other assurances to keep an effective operation in place.
Brian Tretick is an executive director in the Privacy Risk Advisory Services practice of Ernst & Young in the U.S. He has more than 20 years of professional experience in information security, and has spent the past decade focused on privacy and data protection. He serves the IAPP as a regular member of the CIPP Faculty.
The views expressed herein are those of the author and do not necessarily reflect the views of Ernst & Young.



