Dear Advisor: How do I know if my company is compliant with security and privacy regulations?

December 2021

With the log4j vulnerability and the AWS outage this month, I’m getting many requests for advice around security. Since security also goes hand-in-hand with CCPA (for customers in California), GDPR (AKA “right to be forgotten”) and other privacy regulations, such as for healthcare and finance, I’ll share advice that applies to both security and privacy here.

Disclaimer: This is not legal advice, but a framework to help you do this assessment of your company yourself.

My framework for how you can evaluate your company’s security and privacy practices touches on people, process and technology. Once you diagram/answer these questions, you should be able to cross-reference your work against regulations, to see for yourself where the security gaps are in your current process.

Technology

Process

  • "Request to be forgotten":

      1. What is the deletion process on the company’s side, for handling a “right to be forgotten” request?

      2. How will historical metrics be reconciled following requests to be forgotten?

      3. How will flagging of fraudulent transactions change following requests to be forgotten?

  • Access:

      1. Limit access to identifiable customer data. Does anyone outside of Sales need to know people’s names and emails?

      2. Does everyone need the most granular level of data access? Or are week-over-week trends enough for most teams?

  • Deployment to production: is there a process :) and is it as automated as possible, with alerts in place when things go wrong? (I've given many talks with advice on deployment of Machine Learning to production here.)

People

I’ll admit, this looks deceptively simple, but it will take some time to complete. One way to get started is to pick a business question you'll try to answer, and as you work on answering that question, document the answers to the questions here, to see for yourself where the security gaps are in your current process.

Good luck! If you need help figuring out what business question to start with, please reach out!
