Policy Controls: Why The Whole World Wants You to Write Policies

As a follow-up to Chris’s 2018 Privacy & Security Forum update, I’ll focus on policy controls, because the entire world has lasered in on policies thanks to the GDPR effect. But first, a tip of the hat to Professor Solove and Professor Schwartz for their role in designing and running this conference. It was substantial, and rigorous, and there wasn’t an infomercial to be found!

Policy controls and their importance is the hot topic for anyone doing business – healthcare, financial or retail – on either side of the ocean. Keep in mind that policy controls are the basis on which anyone assessing the company’s system is building. Also remember that GDPR uses the term “privacy” interchangeably for what we in the US differentiate into privacy and security. So when they say “policy controls” they’re saying privacy policies (e.g., controls) and those very likely pertain to privacy and security.

Note: This information will be explored in greater detail in our upcoming GDPR Guide for Business Associates. Keep an eye on our website and sign up for our newsletter to receive an alert. The guide should be available by early December.

Related to the topic of policy controls in all of its attendant meanings, I attended several GDPR-focused workshop sessions.

One of the speakers at a session I attended focused on policy writing – European style and United States style.  The German IT attorney who spoke about European style policy writing made the following statements (and yes, I’m paraphrasing):

  • Data Protection Authorities (DPAs) are likely to read policies
  • DPAs are likely to take policies at their word. If an organization is not following its own policies, the DPAs are likely to view that as a breach.

From a United States perspective, substitute OCR/regulators/auditors for DPAs, and the same advice holds true. For instance, consider the following instances of policies and procedural controls related to HIPAA, ISO 27001 and SOC 2.

The HIPAA Security Rule is not prescriptive. Covered entities and business associates must implement controls that are:

  • reasonable for the organization’s size,
  • the complexity of what it does, and
  • the sensitivity of the information with which it deals.

ISO 27001 is not prescriptive. ISO says that you build an Information Management Security System to ensure information privacy. Organizations develop their Information Security Management Systems based on:

  • risk assessment,
  • risk treatment plans, and
  • the Statement of Applicability.

SOC 2 is not prescriptive. Organizations design their own controls to meet the SOC 2 principles that are relevant to the business.

Privacy & Policy Controls Success Tip: Walk the Talk

With all that said, once an organization designs a policy control, it needs to live up to what it says it will do. Auditors are “show me” people. Say one of the controls you assert is in place for your information system includes a well-defined off-boarding system. You say that every step is tracked by a ticketing system, and that management reviews occur at regular intervals to make sure the system is being followed.

You can bet that the auditors will ask to see the written documentation that defines the system, a sample of the tracking tickets, and dated evidence of management review.  There may be a call for an organizational chart that depicts that management really is management, too.

You get to design and implement the policy controls that your organization will follow.  Follow regulation, and good practice, yes, but also make sure that your business can and will live by the standards that you’ve committed to – whether you’re in Portland, Oregon or Prague, Czech Republic!

For help with the intricacies of certification readiness, including policy controls, contact Julia Huddleston, a Certified Information Privacy Manager and a Certified Information Privacy Professional.  

*More information about the 2018 Privacy & Security Forum can be found here