Gartner made some specific recommendations to protect data from breaches, such as compartmentalizing personal information and restricting access to only the smallest number of users, and keeping track of who has privileges to view the data. Data should be encrypted when being transmitted across public networks and stored on portable devices and on other forms of storage, Gartner said. The report also recommended using data-loss-prevention tools, tokenization, data-masking and
Depending on the nature of the business, privacy officers will focus 5 to 25 percent of their time on location services, Gartner said. While not every organization processes geo-location data from GPSes, the nearest cell tower, nearby wireless access points, smart meter identifiers and IP addresses, organizations need to be well versed in ways to avoid a potential "privacy scandal," such as a smartphone application storing more location information than necessary,
Many organizations are currently compiling "vast" amounts of data without a "clear plan of what to do with it," Gartner said, noting the practice violates a fundamental privacy principle of "collect information only for the purpose for which you need it."
Gartner also claimed cloud computing and privacy are "innately at odds" because the laws that apply to the specific country in which the organization is headquartered don't apply to data residing on public clouds, since it doesn't reside in any one particular country. Even so, privacy compliance does not require that data stay within the country, as organizations should focus on the location of the cloud provider, not of its data centers.
"Most privacy laws have some flexibility, guidance is evolving slowly, and in many cases, there are legally acceptable solutions," Gartner said. Privacy officials should support IT's cloud and offshore initiatives while implementing "maximum privacy protection" for customers and employees. Gartner estimated that privacy in the cloud would consume 20 to 30 percent of the officer's time.
Organizations need to find the balance between "not enough" protection and "too much" protection, Gartner said. Privacy officials should not look at legal requirements as "they trail technical innovation and cultural change by several years," according to Gartner. There should be a process to identify stakeholders for personal information, gather requirements, influence how the requirements are implemented and make adjustments when necessary. With the process in place, the execution should not take up more than 10 percent of the privacy official's time.
Finally, regulatory changes should not "distract" privacy officials, Gartner said, because most regulatory changes have only a "mid- to long-term effect." Monitoring for changes and adjusting existing processes "are important tasks," but should not consume more than 5 to 10 percent of the officer's time, Gartner
The remaining 15 to 20 percent of the privacy officer's time should be spent executing the privacy program, revising policies, following up on incidents and managing relations,