Cyber Security Archives | TrustArc
https://trustarc.com/topic-resource/cyber-security/
Feed last built: Tue, 07 Apr 2026 19:45:39 +0000

Introducing Arc: It’s Time to Rethink Privacy https://trustarc.com/resource/webinar-it-is-time-to-rethink-privacy/ Mon, 27 Oct 2025 07:41:00 +0000 https://trustarc.com/?post_type=resource&p=7883
Webinar

Introducing Arc: It’s Time to Rethink Privacy

  • On Demand

Today’s privacy professionals face a dynamic and demanding landscape of fast-evolving laws, mounting regulatory enforcement, rising customer expectations, and managing complex programs – often with limited resources.

With decades of experience delivering best-in-class privacy solutions – and an in-house team with more than 400 years of combined program-building expertise – we know you deserve a better way. It’s time to rethink privacy and transform how teams work.

Join TrustArc’s leaders for the unveiling of our latest breakthrough, Arc, and see how we’re redefining what’s possible for privacy teams everywhere.

Introducing a privacy management platform that thinks and works like you do: intelligent enough to anticipate your needs, intuitive enough to cut through complexity, and unified in one modern workspace – so you can do more with less.

Join us for the unveiling of Arc and see how we’re redefining what’s possible in privacy.

In this exclusive launch event, you’ll experience:

  • A modern privacy workspace that empowers teams to work smarter, faster, and better
  • Intelligence that unlocks new levels of speed, insight, and measurable outcomes
  • Human-centric AI that is transparent, trustworthy, and purpose-built for privacy leaders
  • A unified platform delivering scale, savings, and simplicity

Webinar Speakers

Val Ilchenko General Counsel & Chief Privacy Officer, TrustArc
Ian Runyon Chief Product Officer, TrustArc
Eric Sendelbach Chief Technology Officer, TrustArc
 
Privacy Incident Response: From Panic to Prepared https://trustarc.com/resource/privacy-incident-response-playbook/ Wed, 24 Sep 2025 13:31:00 +0000 https://trustarc.com/?post_type=resource&p=7692
Infographic

Privacy Incident Response: From Panic to Prepared

Privacy incidents are inevitable. Chaos isn’t.

When every second counts, your response plan can’t be a patchwork of guesswork. This infographic is your field guide for reacting quickly, clearly, and compliantly.

Inside, you’ll learn how to:

  • Distinguish between a breach and an incident
  • Ask the four critical questions before escalating
  • Assess the scope and severity with confidence
  • Navigate region-specific and contractual notification timelines
  • Align your legal, security, and communications teams
  • Notify the right people with the right message
  • Conduct post-incident reviews that improve readiness

The infographic also includes a readiness checklist to help you build or refine your incident response playbook so you don’t have to start from scratch when the stakes are high.

Download the infographic to strengthen your response strategy before the next incident hits.

Executive Order 14117 Explained: What It Means for Sensitive Data, AI Risk, and National Security https://trustarc.com/resource/executive-order-14117-explained-sensitive-data-ai-risk/ Tue, 01 Jul 2025 10:30:00 +0000 https://trustarc.com/?post_type=resource&p=6623
Article

Executive Order 14117 Explained: What It Means for Sensitive Data, AI Risk, and National Security

Preventing Access to Personal Data and United States Government-Related Data by Countries of Concern may sound like the plot of the next Mission: Impossible movie, but it’s the very real subject of Executive Order (EO) 14117. And it’s now your mission to comply.

A new chapter in U.S. data protection

Signed by President Biden on February 28, 2024, Executive Order 14117 kicks off a sweeping set of national security protections designed to prevent sensitive U.S. personal and government-related data from landing in the hands of foreign adversaries. Specifically, the EO and its associated rulemaking aim to restrict data transactions with entities connected to countries of concern: China (including Hong Kong and Macau), Cuba, Iran, North Korea, Russia, and Venezuela.

Why? Because large-scale data transactions, including biometric data, genomic info, and precise geolocation, can fuel AI-driven surveillance, espionage, and other malicious activities. With blackmail and manipulation on the line, privacy professionals are now on the national security frontlines.

What the EO and DOJ Rules are designed to do

At its core, EO 14117 and the Department of Justice’s (DoJ) implementing rules are about national security resilience through data restriction. The focus is on preventing bulk data transfers to foreign adversaries and enforcing robust cybersecurity and compliance frameworks among U.S. organizations.

The DOJ’s final rule took effect on April 8, 2025. DOJ paired it with a 90-day limited-enforcement period (through July 8, 2025) for organizations making good-faith compliance efforts, and the rule’s affirmative due-diligence, audit and reporting obligations for restricted transactions took effect on October 6, 2025. If your organization handles high-volume data tied to U.S. persons, especially in healthcare, finance, or tech, this affects you.

These enforcement measures are formalized through the Data Security Program (DSP), launched by the DOJ’s National Security Division. The DSP is the operational backbone of EO 14117, setting expectations for audits, due diligence, risk assessments, and recordkeeping. It’s also the lens through which enforcement actions will be evaluated, so organizations should build their compliance programs with DSP criteria in mind.

Covered data and thresholds: What’s regulated?

Under the rule, two types of data are regulated:

  • U.S. sensitive personal data
  • U.S. government-related data

The bulk thresholds that trigger regulatory requirements are counted in distinct U.S. persons (or devices) and aggregated over the preceding 12 months, whether the data moves in a single transaction or in a series of them:

Data type                                   Threshold
Human genomic data                          more than 100 U.S. persons
Other human ’omic data (epigenomic,
  proteomic, transcriptomic)                more than 1,000 U.S. persons
Biometric identifiers                       more than 1,000 U.S. persons
Precise geolocation data                    more than 1,000 U.S. devices
Personal health data                        more than 10,000 U.S. persons
Personal financial data                     more than 10,000 U.S. persons
Covered personal identifiers                more than 100,000 U.S. persons

Even if your organization doesn’t traffic in massive datasets, it’s shockingly easy to cross these thresholds over 12 months, especially when working with vendors, cloud platforms, or marketing tools: the counts are cumulative, so many small transfers to the same counterparty add up.
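As an added illustration (this is not TrustArc’s code and not text from the DOJ rule), the following Python computes a counterparty’s rolling 12-month exposure per data category from a log of transfers. It keeps sets of pseudonymous record IDs rather than summing row counts, so the same person moved twice is not double-counted, and it drops transfers that have aged out of the window. The transfer log, vendor names and ID scheme are constructed for the example, and grouping by counterparty is a simplifying assumption about how the rule’s “series of transactions” language applies; confirm the grouping with counsel.

```python
"""Rolling 12-month bulk-threshold check for EO 14117 / 28 CFR Part 202.

Added example, not TrustArc's code.  Thresholds are the DOJ final rule's
bulk figures; the transfer log below is constructed sample data.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta

# "More than N" distinct U.S. persons (or devices) per category.
BULK_THRESHOLDS = {
    "human_genomic": 100,
    "human_omic_other": 1_000,
    "biometric": 1_000,
    "precise_geolocation": 1_000,   # counted in U.S. devices, not persons
    "personal_health": 10_000,
    "personal_financial": 10_000,
    "covered_identifiers": 100_000,
}

WINDOW = timedelta(days=365)  # the rule aggregates over the preceding 12 months


@dataclass(frozen=True)
class Transfer:
    when: date
    counterparty: str          # vendor, employer, investor... (assumed grouping key)
    category: str              # key into BULK_THRESHOLDS
    record_ids: frozenset      # pseudonymous IDs of the U.S. persons/devices moved


def bulk_exposure(transfers, as_of):
    """Distinct U.S. persons/devices per (counterparty, category) in the 12
    months ending on as_of.  Sets are unioned, so re-sending the same people
    does not inflate the count the way summing row counts would."""
    start = as_of - WINDOW
    seen = defaultdict(set)
    for t in transfers:
        if start < t.when <= as_of:
            seen[(t.counterparty, t.category)].update(t.record_ids)
    return {key: len(ids_) for key, ids_ in seen.items()}


def over_threshold(transfers, as_of):
    """(counterparty, category, distinct_count) for every pair past its bulk threshold."""
    return sorted(
        (cp, cat, n)
        for (cp, cat), n in bulk_exposure(transfers, as_of).items()
        if n > BULK_THRESHOLDS[cat]
    )


def ids(prefix, start, n):
    """Constructed pseudonymous IDs prefix0, prefix1, ... for the sample log."""
    return frozenset(f"{prefix}{i}" for i in range(start, start + n))


# Constructed sample log: two genomic batches to the same vendor overlap by 10
# people (60 + 60 rows, 110 distinct); a geolocation batch from 13 months ago
# has aged out of the window, so only the recent 600 devices count.
SAMPLE_TRANSFERS = [
    Transfer(date(2025, 3, 15), "vendor-a", "human_genomic", ids("g", 0, 60)),
    Transfer(date(2025, 9, 1),  "vendor-a", "human_genomic", ids("g", 50, 60)),
    Transfer(date(2024, 8, 20), "vendor-b", "precise_geolocation", ids("d", 0, 700)),
    Transfer(date(2025, 6, 10), "vendor-b", "precise_geolocation", ids("d", 700, 600)),
    Transfer(date(2025, 7, 4),  "vendor-c", "biometric", ids("b", 0, 400)),
]

if __name__ == "__main__":
    for cp, cat, n in over_threshold(SAMPLE_TRANSFERS, date(2025, 10, 1)):
        print(f"{cp}: {cat} reaches {n} distinct U.S. persons/devices (bulk)")
```

Run as of 1 October 2025, only vendor-a’s genomic data is flagged: 120 rows but 110 distinct people, which is still more than 100. The 700-device geolocation batch from August 2024 no longer counts, which is exactly why the check has to be re-run on a schedule rather than once.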

Countries of concern and “covered persons”

The EO targets data transfers to the six named countries, but the rule also applies to any “covered person”, a term that reaches well beyond the governments themselves:

  • Foreign entities organized under the laws of, or headquartered in, a country of concern, and foreign entities 50% or more owned (directly or indirectly) by a country of concern or by another covered person.
  • Foreign individuals who are employees or contractors of such an entity or of a country-of-concern government.
  • Foreign individuals primarily resident in a country of concern.
  • Anyone the DOJ designates as a covered person on national security grounds.

Note the word “foreign”: U.S. persons are not covered persons by virtue of residence or employment alone, although the DOJ can still designate them.

While the DOJ may publish a Covered Persons List, it’s important to understand that this list is not exhaustive. Organizations must perform ongoing, risk-based screening and remain alert to new designations or indirect ownership ties that could trigger compliance obligations. Relying solely on a static list or point-in-time check could leave your program and your organization exposed.

So, if you’ve got cloud vendors or ad tech partners with overseas ties, it’s time to recheck your contracts.

It’s also important to note that EO 14117 does not impose strict liability. Instead, the DOJ applies a “knowledge standard,” meaning violations hinge on whether you knew or should have known a transaction involved a covered person or country of concern. Strong due diligence procedures—not just boilerplate contract clauses—are your best defense. That includes verifying counterparties, training staff, and documenting decisions in a way that can stand up to regulatory scrutiny.

What’s prohibited or restricted?

Not all data transactions are created equal. The rule separates covered data transactions into prohibited and restricted categories:

  • Prohibited: Data brokerage (selling, licensing or otherwise giving access to covered data to a recipient that did not collect it directly) with a country of concern (CoC) or covered person, and any covered data transaction that gives a CoC or covered person access to bulk human ’omic data, including genomic data, or to human biospecimens from which such data can be derived. Data brokerage with any other foreign person is allowed only if the contract bars onward transfer to a CoC or covered person.
  • Restricted: Vendor, employment, and investment agreements involving covered data are lawful only if the organization implements the CISA security requirements described below and meets the rule’s due diligence, audit and recordkeeping obligations.

Enforcement, penalties, and oversight

The Department of Justice leads the charge with civil fines of up to $368,136 per violation or double the transaction value, whichever is greater.

Willful violations? Think $1 million and up to 20 years in prison. Yeah, this isn’t a slap-on-the-wrist situation.

The role of CISA: What security controls are required?

Under EO 14117, the Cybersecurity and Infrastructure Security Agency (CISA) has defined the security requirements that restricted transactions must meet (published in January 2025 as the Security Requirements for Restricted Transactions). In brief, these include:

Organizational-level security

  • Maintain an asset inventory of covered systems, updated at least monthly, including IP and MAC addresses.
  • Designate an accountable owner for cybersecurity and governance (for example, a CISO).
  • Remediate known exploited vulnerabilities (those in CISA’s KEV catalog) within 14 calendar days, critical vulnerabilities within 15 and high-severity vulnerabilities within 30.
  • Maintain accurate network topology documentation and keep vendor and supplier agreements current.
  • Enforce multi-factor authentication (MFA) on covered systems.
  • Collect logs of access to covered systems centrally, protect them from tampering, and retain them for at least 12 months.
  • Block unauthorized hardware and removable media, disable auto-run, and prevent unmanaged (shadow IT) connections to covered systems.

Data-level security

  • Minimize and mask data wherever possible, so that what a covered person could reach is no longer covered data.
  • Encrypt covered data in transit and at rest using current protocol versions (TLS 1.2 or later for transport).
  • Keep encryption keys separate from the data they protect, and never in a country of concern or within reach of a covered person.
  • Leverage privacy-enhancing technologies like:
    • Homomorphic encryption or other privacy-preserving computation
    • Differential privacy
  • Apply deny-by-default access policies so that covered persons and countries of concern cannot gain access to covered data.
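The last bullet is easy to get backwards in practice. Here, as an added example that is neither TrustArc’s nor CISA’s code, the common “denylist the bad countries” pattern is placed beside a deny-by-default policy to show the difference on the cases that matter: a failed geolocation lookup, a country that appears on neither list, and a request that skipped MFA. The country allowlist, the role names and the sample requests are constructed assumptions.

```python
"""Deny-by-default access policy for a store of covered data.

Added example, not TrustArc's or CISA's code.  It contrasts a default-allow
denylist with the deny-by-default policy the CISA requirements call for; the
allowlist, roles and sample requests are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Countries of concern named in EO 14117; Hong Kong and Macau travel with China.
COUNTRIES_OF_CONCERN = {"CN", "HK", "MO", "CU", "IR", "KP", "RU", "VE"}

# Assumed organizational allowlist and the roles granted access to covered data.
APPROVED_COUNTRIES = {"US", "CA", "GB", "DE"}
APPROVED_ROLES = {"data-engineer", "privacy-analyst"}


@dataclass(frozen=True)
class AccessRequest:
    principal: str
    country: Optional[str]   # ISO 3166-1 alpha-2 from the identity/geo lookup; None if unknown
    mfa_verified: bool
    role: str


def denylist_policy(req: AccessRequest) -> bool:
    """Weak form: everything is allowed unless the country is on the denylist.
    A failed geolocation lookup (None), an exit node in an unlisted country,
    or a skipped MFA step all sail through."""
    return req.country not in COUNTRIES_OF_CONCERN


def default_deny_policy(req: AccessRequest) -> bool:
    """Hardened form: deny unless every condition for an explicit allow holds.
    Unknown attributes fail closed, which is the property deny-by-default
    is after."""
    if req.country is None or req.country not in APPROVED_COUNTRIES:
        return False
    if not req.mfa_verified:
        return False
    return req.role in APPROVED_ROLES


def evaluate(policy, requests):
    """Map principal -> decision under the given policy."""
    return {r.principal: policy(r) for r in requests}


# Constructed sample requests.
SAMPLE_REQUESTS = [
    AccessRequest("alice", "US", True,  "data-engineer"),   # should be allowed
    AccessRequest("bob",   "HK", True,  "data-engineer"),   # covered territory
    AccessRequest("carol", None, True,  "data-engineer"),   # geo lookup failed
    AccessRequest("dave",  "BR", True,  "data-engineer"),   # on neither list
    AccessRequest("erin",  "US", False, "data-engineer"),   # no MFA
    AccessRequest("frank", "US", True,  "marketing"),       # role not granted
]

if __name__ == "__main__":
    for name, policy in (("denylist", denylist_policy), ("default-deny", default_deny_policy)):
        print(name, evaluate(policy, SAMPLE_REQUESTS))
```

Both policies stop bob in Hong Kong. Only the deny-by-default policy stops carol (unknown location), dave (unlisted country), erin (no MFA) and frank (wrong role); the denylist lets all four in, because anything it has not explicitly thought of is allowed.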

Exemptions: You might be in the clear if…

Not every transaction is subject to EO 14117. Exemptions include:

  • Personal communications and expressive materials.
  • Travel-related info.
  • Official U.S. Government business.
  • Financial transactions (banking, e-commerce, etc.).
  • Telecommunications services.
  • Clinical trials and FDA post-marketing surveillance (if de-identified).
  • Corporate group transactions for internal ops (e.g., payroll, HR).
  • Transactions authorized by U.S. law or international treaties.

Still, if your data crosses borders or lands in complex vendor ecosystems, assume you’re in scope until proven otherwise. When in doubt, consult legal counsel to confirm whether your specific data use or transaction qualifies for an exemption.

Your EO 14117 compliance action plan

Take a deep breath. This is manageable. Think of EO 14117 as your organization’s new data defense playbook. Here’s how to get started:

1. Know your data

Create a comprehensive data inventory and mapping system. Track:

  • Data types and volumes
  • Origins and destinations
  • Third-party access points

2. Vet your vendors

Review existing contracts and enforce:

  • Prohibitions on data resale to countries of concern
  • Written commitments to comply with DSP rules
  • Annual screening for ownership links to countries of concern

3. Stand up a compliance program

This includes:

  • A written and annually certified compliance policy
  • Role-based training, especially for executives and data handlers
  • Annual independent audits to assess effectiveness and surface gaps
  • Long-term documentation of your program, policies, and transactions

For organizations engaging in restricted transactions, these aren’t just best practices. They’re legal requirements. Records must be retained for at least 10 years, audits must be conducted annually, and certifications must be formally signed by senior leadership. These steps form the evidentiary backbone of your compliance posture.

4. Monitor, report, and remediate

If you are offered, and reject, a prohibited data brokerage transaction:

  • Report it to the DOJ’s National Security Division within 14 days of the rejection
  • Keep records of the offer and of your rejection, and cooperate with any inquiries
  • For restricted transactions, complete the required annual audit, keep the findings on file for the DOJ to request, and fix the weaknesses it surfaces fast

Turning privacy into a national security advantage

Executive Order 14117 marks a defining moment in how organizations must approach data governance. This isn’t about routine compliance or ticking boxes. It’s about building resilience against real geopolitical threats. For privacy and compliance professionals, it demands a shift from reactive policies to proactive, risk-based programs that safeguard national interests.

The good news? You don’t need to solve it all overnight. But now is the time to take stock of your data flows, vendor relationships, and security posture. Privacy has always mattered. Now, it’s mission-critical.

Stronger Together: The Strategic Alignment of Data Privacy, Cybersecurity, and Incident Response https://trustarc.com/resource/strategic-privacy-cybersecurity-incident-response/ Tue, 13 May 2025 10:28:00 +0000 https://trustarc.com/?post_type=resource&p=6339
Article

Stronger Together: The Strategic Alignment of Data Privacy, Cybersecurity, and Incident Response

Cue dramatic voiceover: “In a world where data breaches make headlines and regulators are sharpening their swords, one alliance stands between chaos and control: data privacy and cybersecurity.”

Okay, maybe it’s not the next summer blockbuster. But for privacy, compliance, security, and tech professionals, understanding how these disciplines intersect is essential for survival.

The convergence of data privacy, cybersecurity, and incident response isn’t just a trend; it’s a tectonic shift in how organizations defend their digital assets, protect personal data, and prove regulatory compliance. Like peanut butter and jelly—or firewalls and encryption—these functions are better together.

The data privacy-security partnership: A symbiotic (and strategic) relationship

Picture this: cybersecurity is the plumbing—the pipes and valves that transport and protect data. Data privacy is the quality control—governing what flows through those pipes, who can access it, and why. Cybersecurity needs to know what’s flowing through its pipes to determine the appropriate level of reinforcement.

Privacy focuses on:

  • Data collection, governance, and minimization
  • Individual rights (e.g., data subject access)
  • Purpose limitations and user consent

Cybersecurity focuses on:

  • Preventing unauthorized access
  • Detecting and responding to threats
  • Ensuring data integrity and availability

Together, they protect the what, why, who, and how of data handling. In the words of Gerald Beuchelt, CISO at Acronis: “Security isn’t just technology. It’s people, process, and tech. Without alignment, both privacy and security programs fall flat.”

Common threat vectors: The usual suspects (plus AI)

According to the 2024 Verizon Data Breach Investigations Report, these are the threat vectors keeping CISOs and CPOs up at night:

  • Denial of service (DoS): Cheap to launch, disruptive, and a favorite first act for attackers.
  • System intrusions: Ransomware, malware, and advanced persistent threats (APTs) are complex attacks with costly consequences.
  • Social engineering: AI-enhanced phishing, deepfake audio impersonations, and manipulated trust-based relationships (yes, even via dating apps) are rising.

And don’t get too cozy thinking your industry is safe. Attackers don’t discriminate. If there’s value behind the data, whether it’s health, financial, or intellectual property, it’s a target.

Data privacy and security strategy: More than box-checking

Many companies treat privacy and security like taxes: necessary, begrudged, and only revisited annually. However, modern regulatory frameworks (e.g., GDPR, CCPA, HIPAA) demand more. They require continuous, demonstrable effort through ongoing assessments, real-time risk management, and well-documented incident response plans.

GDPR’s accountability principle (Article 5(2)) makes the same demand: it is not enough to comply, you must be able to demonstrate compliance at any time.

Here’s how to build a strategy that stands up to threats and scrutiny alike:

1. Know your data flows

Map your organization’s data inflows and outflows. Understand what data you have, where it lives, who has access, and how it’s shared. This data inventory is foundational for both compliance and protection.

2. Secure your pipes

Implement layered defenses:

  • Authentication and encryption
  • Endpoint protection and network segmentation
  • Continuous monitoring and logging

The NIS2 directive in the EU and the SEC’s updated Regulation S-P in the U.S. require security measures that are reasonable—AND provable.

3. Document everything

AI usage, incident response, third-party assessments: if it’s not documented, it didn’t happen. Regulators now expect detailed audit trails. For AI specifically, the EU’s AI Act requires documentation of training data and model design for high-risk and general-purpose models, and U.S. Executive Order 14117 restricts bulk sensitive data, including data used to train or fine-tune models, from reaching countries of concern, so you need to know where your training data came from and who can reach it.


You don’t want to pull the plug on a major AI project because cybersecurity wasn’t looped in early.

Incident response: Plan now or panic later

If you’ve ever lived through a cyberattack, you know the worst time to build a response plan is while under attack. Under GDPR you have 72 hours from becoming aware of a personal data breach to notify the supervisory authority, and U.S. regulators run their own clocks: the SEC requires a Form 8-K disclosure within four business days of determining that a cybersecurity incident is material, and the FTC Safeguards Rule requires notice to the FTC within 30 days of discovering an event affecting 500 or more consumers.

What a modern response plan needs:

  • Tabletop exercises with privacy, security, legal, PR, and executives
  • Defined escalation paths and decision rights
  • Pre-drafted internal and external messaging
  • Clear logs of who did what and when

Dave Coogan of Paul Hastings put it bluntly: “You won’t have time to plan. Everyone will want a piece of you. Be ready.”

AI: Your new friend? Or your biggest risk?

Generative AI is a double-edged sword: enabling new capabilities while introducing massive new risks. From hallucinated data to shadow model training, the threats are as novel as they are nebulous.

To strike the right balance, consider the following for responsible AI governance:

  • Validate: Test for bias, accuracy, and security before deployment
  • Secure: Minimize training on sensitive data
  • Prevent: Use controls to avoid misuse
  • Explain: Be transparent about what your models do and why

Expect increased scrutiny and be ready to explain your work. Regulators now want to understand not just what your AI does, but how it works, why it functions that way, and whose data was used to train it.

Harmonization is a myth. Resilience is your goal.

Data privacy laws are no longer niche or regional. They’re global and growing fast. As of early 2025, more than 160 countries had enacted privacy and data protection laws, according to the United Nations Conference on Trade and Development (UNCTAD). This surge in legislation reflects a collective recognition: personal data is a high-value asset and a high-stakes liability.

But with each new law comes a new set of expectations, frameworks, and reporting requirements. The result? A tangled regulatory web that privacy and security teams must continuously navigate.


For multinational organizations, the average cost of maintaining compliance with global privacy laws has soared past $1.2 million per year, according to the Cisco Data Privacy Benchmark Study. And that figure doesn’t include the cost of noncompliance, which can escalate quickly into the tens or hundreds of millions.

In this environment, harmonization remains more hope than reality. Organizations must juggle overlapping, sometimes conflicting, requirements across jurisdictions, including:

  • GDPR (EU)
  • HIPAA and FTC rules (U.S.)
  • CIRCIA, DORA, EHDS… the acronym alphabet never ends

In this fractured environment, the best approach is proactive, holistic, and documented resilience. Not reactive checkbox compliance.

Privacy + security = power

Let’s be real: no single department can shoulder this burden. Privacy and cybersecurity must work together. Integrated, not siloed. This means:

  • Speaking a common language
  • Sharing threat intelligence and breach response plans
  • Being aligned on risk appetite and regulatory obligations

In a world where “if it can be monetized, it will be stolen,” this partnership isn’t optional—it’s your organization’s digital lifeline.

Final word? If you think “it won’t happen to us,” it already has. And if privacy and cybersecurity aren’t holding hands in your organization, they’re probably pointing fingers.

Now go forth. Patch your systems. Map your data. And maybe—just maybe—call your CISO for lunch.

Consumer Expectations vs Corporate Realities on Data Broker Use https://trustarc.com/resource/webinar-consumer-expectations-vs-corporate-realities-on-data-broker-use/ Wed, 02 Apr 2025 12:36:35 +0000 https://trustarc.com/?post_type=resource&p=6237
Webinar

Consumer Expectations vs Corporate Realities on Data Broker Use

  • On Demand

Most consumers believe they’re making informed decisions about their personal data—adjusting privacy settings, blocking trackers, and opting out where they can. However, our new research reveals that while awareness is high, taking meaningful action is still lacking. On the corporate side, many organizations report strong policies for managing third-party data and consumer consent yet fall short when it comes to consistency, accountability and transparency.

This session will explore the research findings from TrustArc’s Privacy Pulse Survey, examining consumer attitudes toward personal data collection and practical suggestions for corporate practices around purchasing third-party data.

Attendees will learn:

  • Consumer awareness around data brokers and what consumers are doing to limit data collection
  • How businesses assess third-party vendors and their consent management operations
  • Where business preparedness needs improvement
  • What these trends mean for the future of privacy governance and public trust

This discussion is essential for privacy, risk, and compliance professionals who want to ground their strategies in current data and prepare for what’s next in the privacy landscape.

This webinar is eligible for 1 CPE credit.

Webinar Speakers

Paul Iagnocco Head, Customer Enablement & Principal, Data Privacy, TrustArc
Gary Edwards Co-Founder and Principal, Golfdale Consulting
 
Data Privacy and Cybersecurity: A Symbiotic Relationship https://trustarc.com/resource/webinar-data-privacy-and-cybersecurity-a-symbiotic-relationship/ Mon, 03 Mar 2025 13:19:39 +0000 https://trustarc.com/?post_type=resource&p=6120
Webinar

Data Privacy and Cybersecurity: A Symbiotic Relationship

  • On Demand

In today’s digital age, data has become an organization’s lifeblood. As the use of digital technologies continues to escalate, so do the risks associated with personal data, which continue to grow exponentially as well. To effectively safeguard personal and sensitive information, organizations must understand the intricate relationship between data privacy, cybersecurity, and incident response.

Data privacy and cybersecurity are two sides of the same coin. Data privacy focuses on how personal data is to be collected, used, stored, shared and controlled, while cybersecurity aims to protect systems and networks from unauthorized access, digital attacks, malware and data breaches.

However, even with the best data privacy and security measures in place, cyber incidents can still occur. A well-prepared incident response plan is crucial for minimizing the impact of a breach and restoring normal operations.

Join our experts on this webinar to discuss how data privacy, cybersecurity, and incident response interact and are essential for safeguarding your organization’s digital assets.

This webinar will review:

  • How data privacy and cybersecurity intersect
  • How to develop a comprehensive privacy and security strategy to safeguard personal and sensitive information
  • What are suggestions and expectations around incident response

This webinar is eligible for 1 CPE credit.

Webinar Speakers

Paul Iagnocco Head, Customer Enablement & Principal, Data Privacy, TrustArc
Aakanksha Tewari Privacy Knowledge Researcher, Ph.D., Cybersecurity
Dave Coogan Associate, Paul Hastings
Gerald Beuchelt Chief Information Security Officer, Acronis
 
Creating a Robust Data Incident Response Plan  https://trustarc.com/resource/creating-a-robust-data-incident-response-plan/ Fri, 07 Feb 2025 15:31:01 +0000 https://trustarc.com/?post_type=resource&p=6058
Article

Creating a Robust Data Incident Response Plan

Data breaches are increasingly becoming not just a possibility but a probability in today’s digital-first world. For privacy and security professionals, creating a well-structured incident response plan is highly beneficial. The stakes are high, as breaches can lead to a number of adverse consequences including financial penalties, loss of business, reputational damage, and a loss of consumer trust.

This article provides insights into data breaches, their distinctions from security incidents, notable examples, and considerations for developing a response plan to help mitigate associated risks. However, as always, we recommend consulting your privacy, data governance, and legal teams when drafting your plans.

What is a data breach?

Before we discuss a data breach, it’s important to understand what it pertains to: personal information (also called personally identifiable information (PII), personal data, or a number of similar constructs under applicable law). Generally, personal information is any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly (e.g., by name or identification number) or indirectly (e.g., by location data or online identifiers). It also includes factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of an individual.

Now, on to a data breach (sometimes called a personal data or personal information breach), which is commonly defined under privacy or data protection laws. Generally it’s described as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal information under an entity’s control. Data breaches can lead to a variety of potential harms for the affected individuals, such as identity theft, financial loss, and breach of subsequent systems (e.g., due to secondary attacks).

How data breaches differ from security incidents

While data breaches may be caused by a breach of security, the privacy aspects of a breach focus on the unauthorized access, handling, modification, or destruction of personal information. A security incident can cause numerous other issues such as unavailability, exposure of confidential non-personal information, etc.

  • Data Breach: Involves the accidental or unlawful destruction, loss, alteration, or unauthorized access to, use, or disclosure of personal information. Examples include an employee improperly accessing customer records without authorization, mistakenly publishing user data online, or exposing personal information through an unprotected database.
  • Security Incident: Involves threats or events that can or do compromise the confidentiality, integrity, or availability of data or systems, whether or not personal information is involved. Examples include a cyberattack that exfiltrates customer data that was encrypted with keys the attacker did not obtain, malware infecting an organization’s servers, or a denial-of-service attack that takes a customer portal offline.

A security incident does not always result in a data breach, and the same event can be both. The theft of a company laptop is a security incident; if it held unencrypted personal information, it is also a data breach, while a properly encrypted disk whose key was not compromised leaves the personal information unintelligible. Incidents require investigation to determine whether they resulted in a data breach.

The two often overlap but require distinct (although often complementary) strategies to address and prevent.
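The incident-versus-breach test above, and the notification clocks discussed in the “Stronger Together” article earlier on this page, are the kind of thing a response team wants encoded rather than remembered. The following Python is an added example, not TrustArc’s code: it applies this article’s breach definition to a handful of constructed incidents and starts the clocks that apply (GDPR Article 33’s 72 hours from awareness, the SEC’s four business days from the materiality determination, and any contractual window). The sample incidents, the contract SLA and the absence of a holiday calendar are assumptions.

```python
"""Incident triage: is this also a personal data breach, and which clocks start?

Added example, not TrustArc's code.  The breach test follows the definition
used in this article (destruction, loss, alteration, unauthorized disclosure
of, or access to personal information).  Deadlines: GDPR Art. 33 (72 hours
from awareness) and SEC Form 8-K Item 1.05 (four business days from the
materiality determination).  Contract SLAs, the holiday calendar (none) and
the sample incidents are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

BREACH_EFFECTS = {"access", "disclosure", "loss", "alteration", "destruction"}
UTC = timezone.utc


@dataclass
class Incident:
    name: str
    discovered_at: datetime                 # when the organization became aware
    personal_data_involved: bool
    effect: str                             # one of BREACH_EFFECTS, or "availability"
    encrypted: bool = False                 # was the affected data encrypted at rest?
    key_compromised: bool = False           # ...and did the attacker also get the key?
    gdpr_in_scope: bool = False
    sec_material_determined_at: Optional[datetime] = None
    contract_windows: Dict[str, timedelta] = field(default_factory=dict)


def is_personal_data_breach(inc: Incident) -> bool:
    """A security incident is also a data breach only if personal information
    was hit in one of the defined ways.  Encrypted data whose key stayed safe
    is unintelligible, so unauthorized access/disclosure of it is not treated
    as a breach; loss or destruction still is, because the personal data
    itself is gone."""
    if not inc.personal_data_involved or inc.effect not in BREACH_EFFECTS:
        return False
    if inc.encrypted and not inc.key_compromised and inc.effect in {"access", "disclosure"}:
        return False
    return True


def add_business_days(start: datetime, n: int) -> datetime:
    """Advance n weekdays (Mon-Fri); public holidays are ignored by assumption."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def notification_deadlines(inc: Incident) -> Dict[str, datetime]:
    """Each regulatory or contractual clock that applies, with its due time."""
    due = {}
    if inc.gdpr_in_scope and is_personal_data_breach(inc):
        due["GDPR Art. 33 (supervisory authority)"] = inc.discovered_at + timedelta(hours=72)
    if inc.sec_material_determined_at is not None:
        # The SEC clock runs from the materiality decision, not from discovery,
        # and applies whether or not personal data was involved.
        due["SEC Form 8-K Item 1.05"] = add_business_days(inc.sec_material_determined_at, 4)
    for party, window in inc.contract_windows.items():
        due[f"contract: {party}"] = inc.discovered_at + window
    return due


# Constructed sample incidents.
STOLEN_LAPTOP_PLAINTEXT = Incident(
    "laptop, no disk encryption", datetime(2025, 10, 8, 14, 0, tzinfo=UTC),
    personal_data_involved=True, effect="access", encrypted=False,
    gdpr_in_scope=True, contract_windows={"acme-corp": timedelta(hours=24)})
STOLEN_LAPTOP_FDE = Incident(
    "laptop, full-disk encryption, key safe", datetime(2025, 10, 8, 14, 0, tzinfo=UTC),
    personal_data_involved=True, effect="access", encrypted=True, gdpr_in_scope=True)
RANSOMWARE = Incident(
    "ransomware on file server", datetime(2025, 10, 7, 3, 30, tzinfo=UTC),
    personal_data_involved=True, effect="destruction", encrypted=True,
    gdpr_in_scope=True, sec_material_determined_at=datetime(2025, 10, 9, 9, 0, tzinfo=UTC))
PORTAL_DDOS = Incident(
    "DDoS on customer portal", datetime(2025, 10, 6, 18, 0, tzinfo=UTC),
    personal_data_involved=True, effect="availability")

if __name__ == "__main__":
    for inc in (STOLEN_LAPTOP_PLAINTEXT, STOLEN_LAPTOP_FDE, RANSOMWARE, PORTAL_DDOS):
        kind = "data breach" if is_personal_data_breach(inc) else "security incident only"
        print(f"{inc.name}: {kind}")
        for clock, when in notification_deadlines(inc).items():
            print(f"  {clock}: due {when:%Y-%m-%d %H:%M} UTC")
```

Two design points are worth noticing. The ransomware case starts both the GDPR and SEC clocks even though the data was encrypted, because destruction of personal data is still a breach under the definition above. And the SEC clock starts at the materiality determination, so the record of when that decision was made is itself evidence you will need.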

Standard phases of a data breach: The NIST Framework

The phases below follow the four-phase incident response life cycle in NIST SP 800-61 Rev. 2, the Computer Security Incident Handling Guide: preparation; detection and analysis; containment, eradication and recovery; and post-incident activity. NIST SP 800-61 Rev. 3 (2025) restructures incident response around the Cybersecurity Framework 2.0 functions; the Rev. 2 phases are used here as an illustrative explanation and baseline.

Understanding these phases can help organizations align their incident response plan with a recognized industry standard.

1. Preparation

  • Establish incident response policies, tools, and procedures.
  • Train employees on cybersecurity awareness and privacy best practices.
  • Set up monitoring and detection systems to identify potential threats.
  • Maintain up-to-date security controls to reduce risks.

How this relates to your incident response plan: The preparation phase directly informs the foundation of your response plan, including defining legal and regulatory requirements, implementing third-party vendor management strategies, and ensuring proper communication protocols are in place before an incident occurs.

2. Detection and analysis

  • Identify potential security incidents through monitoring systems, analyzing logs, and using tools to detect anomalies.
  • Analyze incidents to determine their scope, impact, and severity.
  • Document findings and escalate as needed.

How this relates to your incident response plan: Incident categorization and testing become crucial in this phase. Establishing clear severity levels and knowing when to involve legal counsel or the privacy team ensures effective decision-making and escalation.

3. Containment, eradication, and recovery

  • Containment: Implement short-term and long-term strategies designed to prevent further damage (e.g., isolating infected systems and blocking malicious IPs).
  • Eradication: Remove malware, patch vulnerabilities, and eliminate the root cause of the incident.
  • Recovery: Restore affected systems, validate integrity, and resume normal operations.

How this relates to your incident response plan: This phase aligns with your notification and remediation strategy. Ensuring proper breach notification, data recovery, and system integrity validation is essential to minimize impact and restore operations efficiently.

4. Post-incident activity (lessons learned)

  • Conduct a post-mortem analysis to evaluate incident response effectiveness.
  • Improve security measures based on findings.
  • Update response plans and train personnel.
  • Document lessons learned for future incident prevention.

How this relates to your incident response plan: Post-incident learning and improvement are integral components of refining your privacy response strategies. Conducting feedback loops, establishing metrics for success, and ensuring board-level buy-in contribute to a continually evolving and effective response plan.

By mapping incident response steps to these standard NIST phases, organizations can ensure their plans are comprehensive, structured, and aligned with established security frameworks.

The growing importance of a data incident response plan

With the increasing frequency and complexity of data breaches, having a well-prepared response plan is more crucial than ever. Reports indicate a significant rise in reported breaches globally, reinforcing the need for organizations to be proactive rather than reactive.

Rising Data Breach Trends in 2024

Washington State Attorney General Report: The latest annual report highlights an alarming surge in data breaches:

  • Over 11.6 million data breach notices were sent to Washingtonians—exceeding the state’s population for the first time.
  • The number of breaches affecting at least 500 individuals increased to 279, marking the second-highest count since 2016.
  • Ransomware attacks now account for 78% of all reported breaches, up from 68% in 2023. Ransomware also made up 52% of all cyberattacks and 41% of total breaches.
  • Two mega breaches at Comcast and Fred Hutchinson Cancer Center each impacted over a million residents, the first time multiple large-scale breaches have been reported in a single year.
  • Social Security numbers were compromised in 69.5% of all breaches, reaffirming their place as one of the most frequently targeted personal data types.

France’s Data Protection Authority (CNIL) Report: France saw a 20% increase in personal data breaches in 2024, with 5,629 incidents reported to CNIL. This underscores the growing challenge of protecting sensitive personal information across industries.

The rising number and scale of breaches highlight the need for organizations to have a structured and effective response plan in place.

Building your data incident response plan

A robust incident response plan requires more than basic preparation—it calls for strategic categorization, a clear framework for action, and a focus on long-term learning. Privacy professionals, partnering with security professionals and other stakeholders, can ensure their plans are both actionable and resilient by focusing on several critical components, including legal compliance, communication strategies, and continuous improvement.

1. Assessing and containing incidents

Understand the scope and cause: Assess the root cause of the incident and determine which systems, data, and assets were affected. This evaluation may be conducted internally or with the support of external specialists. Identify the owners of the impacted data and its nature to distinguish between privacy-focused and security-rooted incidents.

Assess potential impact: Evaluate the type of personal data involved, the number of individuals affected, and the potential or theoretical risks (the “blast radius”), such as identity theft or financial fraud. Ensure that assessments account for how the exposure of specific data types can contribute to further risks or exploitation.

Contain the incident: Isolate affected systems and secure both digital and physical assets, including the data itself. Implement immediate measures to prevent further risk of harm, such as revoking unauthorized access, applying patches, or strengthening security controls. Determine whether the risk is ongoing or has been fully contained, and take appropriate action to mitigate further exposure.

2. Legal and regulatory requirements (data types and jurisdictions)

Jurisdictional awareness: Understand and track the privacy regulations relevant to your organization that may apply in the event of a breach, such as GDPR, CCPA, and HIPAA. These laws often specify timelines, reporting thresholds, and procedures for notifying affected parties and authorities.

Global considerations: If your organization operates across borders, adapt your response plan to comply with the laws, and the varying breach notification requirements, of each jurisdiction it operates in.

Know your obligations: Be aware that legal obligations can vary between jurisdictions. For instance, every U.S. state has unique breach response laws, while regions like the European Union have overarching regulations that may supplement or supersede local rules. TrustArc’s Nymity Research and Breach Index can provide detailed guidance on these obligations.

3. Communication strategy

Proper investigation and response channels: Ensure all data breaches are handled through designated, secure channels to maintain confidentiality and accuracy in investigations.

Attorney-client privileged communications: Mark sensitive discussions, particularly those directed by legal counsel, as privileged to protect strategic legal responses and maintain compliance with regulatory requirements.

Stakeholder communication: Identify internal and potentially external stakeholders who may need to receive communications. Proper notification internally may include IT, legal, compliance, and executive leadership. External notifications may involve insurance providers, outside counsel, law enforcement, regulatory authorities, or other relevant third parties. Maintain a regularly reviewed and updated contact list with each stakeholder’s name, job title, email, and phone number.

Media and public relations: Develop a strategy to manage media inquiries and public perception, making sure appropriate stakeholders review and approve public or external statements. Consider whether statements may jeopardize an investigation, break attorney-client privilege, harm the business, or be premature. While transparency and accountability are key to maintaining trust, avoid making definitive public disclosures until the situation is fully assessed.

4. Third-party vendor management

Know your vendors and their data processing activities: Identify all vendors who have access to your organization’s data and understand what types of personal information they process. Maintaining a vendor inventory helps assess risks and ensures compliance with privacy laws.

Vendor incident plans: Verify that third-party vendors handling personal data have robust breach response plans. Regularly assess their compliance with privacy standards.

Contractual obligations: Include clauses in vendor contracts specifying minimum baseline privacy and security controls, breach notification responsibilities, liability provisions, and obligations for data protection. This ensures that vendors meet regulatory requirements and align with your organization’s risk management strategies.

5. Breach categorization and testing

Incident categorization: Define clear categories for breaches based on severity, such as low, medium, and high risk. Each level should include different treatment, such as determining when legal counsel or the privacy team needs to be involved if the incident originated as a security incident. This helps prioritize responses and allocate resources effectively.

Simulated testing and scenario planning: Conduct regular simulations, including tabletop exercises and breach response drills, to evaluate the plan’s effectiveness and identify potential gaps. These exercises should cover a range of scenarios, such as phishing attacks, employee errors, or technical failures, ensuring the team is prepared for diverse threats.

6. Technology integration

Data identification and monitoring: Utilize advanced tools to first identify and classify data sources and types within your organization. Implement continuous monitoring systems to detect potential threats, assess actual risks, and flag anomalous activities in real time, ensuring proactive threat mitigation.

Automation: Leverage incident response tools to streamline threat detection, logging, and reporting.

Data forensics: Ensure your organization has access to forensic tools and expertise to investigate breaches and pinpoint their root causes.

7. Notification and remediation

Notify stakeholders: Transparency is essential and legally mandated in many cases. All communications should go through designated teams such as communications, public relations, and legal counsel to ensure messaging is clear, consistent, and aligned with regulatory requirements. Notifications should include details of the breach, steps taken to mitigate risks, and actions for individuals to protect themselves. Determine if law enforcement or government agencies need to be involved, especially if criminal activity is suspected. Using pre-approved templates will help ensure that notifications are structured, clear, and timely, reducing the risk of miscommunication.

Remediation measures: Provide affected individuals with support that is either required by law, customary (e.g., industry standard), or required under contract. Examples of remediation may include credit monitoring, identity theft protection, call centers with guidelines, tips on securing accounts, and other relevant assistance tailored to the nature of the breach. Address vulnerabilities that caused the breach with technical fixes or process improvements.

8. Post-incident improvement

Feedback loops: After resolving the incident, gather your team to review what happened and document lessons learned. Update your policies, training programs, and technologies to reduce the likelihood of a recurrence.

Cultural considerations: Evaluate the response of affected individuals to determine whether the notification and remediation processes, including how notices were communicated and received, were sensitive to regional and cultural expectations, especially in cases of global operations.

Metrics for success: Establish or consider revising existing benchmarks for evaluating your breach response plan’s effectiveness, such as reduced breach impact, improved response times, and enhanced stakeholder trust.

Simulation exercises: If not already in place, conduct annual drills to ensure the response team is prepared and the response process is effective.

Board-level buy-in: If not already doing so, regularly present findings and updates to executives to secure ongoing support and resources for privacy initiatives.

Reducing the risk of privacy breaches

While a strong response plan is essential, prevention is even better. Strengthening security controls and implementing proactive measures can help reduce the likelihood of incidents. Key steps that may aid in risk reduction include:

Risk assessments: Regularly audit your systems, processes, and third-party vendors to identify vulnerabilities.

Data minimization: Collect only the data you need and securely dispose of it once it is no longer required.

Access controls: Implement strict access management to ensure only authorized personnel can handle sensitive data. Use multi-factor authentication (MFA) to strengthen authentication protocols and reduce unauthorized access risks.

Employee training: Train staff to recognize phishing attempts, handle personal information securely, and report suspected incidents promptly.

Encryption and monitoring: Encrypt data at rest and in transit to safeguard against unauthorized access. Implement real-time network monitoring to detect unusual activity before it escalates into a full-scale breach.

Network segmentation: Segment the network and limit access to authenticated devices so that an attacker who compromises one system cannot move laterally across others.

Regulatory compliance: Regularly review your security measures through audits and assessments to ensure compliance with industry regulations. Conduct security audits of both internal measures and third-party vendors to identify vulnerabilities and enforce security standards.

Building confidence in incident response

In the words of Benjamin Franklin, “By failing to prepare, you are preparing to fail.” Privacy professionals must be proactive, not reactive. A robust incident response plan equips your organization to navigate the complexities of breaches and incidents with confidence, transforming what could be chaos into order—like turning a stormy sea into calm waters.

Nymity Research and Breach Index

Discover global requirements and access ready-to-use templates for breach reporting and response planning with our comprehensive Data Breach Index.


Data Mapping & Risk Manager

Streamline third-party risk management and protect your supply chain with tools to evaluate and address data security risks.


How Information Technology Impacts Data Privacy https://trustarc.com/resource/information-technology-impacts-data-privacy/ Thu, 04 May 2023 18:45:00 +0000 https://trustarc.com/?post_type=resource&p=2292
Articles

How Information Technology Impacts Data Privacy

The rise of information technology (IT) has changed life as we know it, from the way people work and communicate to the way they think. How data is shared and stored has changed. And as data becomes more powerful, regulators and citizens are more concerned about preserving privacy.

In the past, data was stored manually – making it relatively easy to keep physical documents safe. Businesses could “build walls” around data to secure it and then defend those walls from attacks.

However, in recent years, the rise of cloud databases, email, mobile apps, data centers, and cloud-based systems has greatly increased the risk of an information breach. This creates new challenges for data protection and information security, and a need to develop new approaches to protecting data in this new world of IT.

Navigating the new business landscape: The impacts of technology’s explosive growth on privacy and public safety

Decades ago, we didn’t yet know the profound impact IT would have on business or human life. It all started as technology exploded, providing everyone access to powerful tools without the necessary skills or training to manage the data.

Very little data management training is implemented across departments, yet all kinds of employees manage data. And information security teams can hardly keep up with the number of apps and devices people continue to connect to the company network.

As a result, employees unknowingly expose sensitive data – and create massive distrust among company stakeholders.

With advancements in AI, machine learning, and cloud computing, privacy and security risks have greatly increased. There is no way for companies to contain this information. It all lives outside of the business. That makes protecting it far more complicated.

So much so that some even argue privacy is dead.

As a business, it is only natural to continue to rely on IT to remain competitive. Still, without the proper privacy and security programs in place, businesses are at risk.

It’s time to rethink your approach to data protection and security and move towards a proactive, risk-based approach that will keep your privacy and security program safe. Companies that recognize how IT has created new opportunities and risks regarding privacy and security will be successful.

The appropriate measures should be taken to provide customers and partners or vendors with this important fundamental human right.

Making privacy a core value: How organizations can prioritize data protection

With more capacity, capability, and reach, information flows more freely now than ever before. Look at your phone. No matter where you go, this device is sharing your data. Your movements around the globe are being recorded as geolocation data.

Everyone leaves a digital footprint everywhere they go.

This is just one of many examples of how the flow of information is being directed. Yet as information flows freely, customers want businesses to maintain a great sense of privacy for consumers.

So, what is privacy?

When TrustArc’s European consultant Ralph T. O’Brien was asked this question, he viewed it as an inherent social right. Yet, in America, there’s no right to privacy embedded in the Constitution. It’s only an implied right to privacy. With this in mind, how can companies prioritize data protection to make privacy a priority?

Businesses need to understand that privacy is a derived right, and we have privacy laws because there is an assumption that something in privacy is not working. Companies need to weigh the importance of what they need to do and what consumers expect of them.

Organizations need to be more transactional in their communication. For example, instead of saying, “Your privacy is important to us,” consider saying, “You want something, and in order for you to get that, we need to use your data in these ways.”

Not only is this a powerful message, but it also sets expectations realistically regarding privacy and how the company prioritizes it. More transactional messages about how data is used provide a more accurate, clear picture to consumers.

Currently, most privacy policies are too difficult and complicated for consumers to understand.

To successfully make data protection a priority in your organization, it must be viewed as a fundamental right that should be maintained. The importance of privacy should be ingrained in your day-to-day interaction with customers, making it a core value of the brand.

Why regulation alone isn’t enough: The need for continuous adaptation in data protection

While privacy laws are a good deterrent to keep businesses from collecting, processing, and using data unethically, they are not enough. Ultimately, striking the right balance between privacy and the flow of information is the key to an organization’s success. So what can businesses like yours do?

Invest in privacy technology.

The core of the message of privacy and technology has not changed. So what is continuously changing in the privacy world?

The density of data has changed. The problem is bigger and only continues to grow. The more data you put in one place, the more opportunity there is for non-personal data to become a key that unlocks personal data. The truth is, it will never be 100% secure. But you can drastically minimize the risks.

What the GDPR Means for your Cybersecurity Strategy https://trustarc.com/resource/what-gdpr-means-cybersecurity-strategy/ Thu, 13 Oct 2022 18:03:00 +0000 https://trustarc.com/?post_type=resource&p=2617
Articles

What the GDPR Means for your Cybersecurity Strategy

Annie Greenley-Giudici

Aligning privacy strategy with cybersecurity strategy

Even the most secure networks can potentially be compromised in this highly connected world.

Legislators worldwide have introduced stricter privacy laws, knowing it’s more about ‘when’ than ‘if’ data security breaches will happen.

Cybersecurity analysts predict that by 2024, at least 75% of the world’s population will be covered under modern privacy regulations, putting more pressure on organizations to prove they have an effective cybersecurity strategy.

As the world’s most wide-reaching privacy legislation – and one of the toughest – the European Union’s General Data Protection Regulation (GDPR) has heightened consumer expectations on how data is handled.

With fines of up to €20 million, there’s additional pressure on your organization to stay one step ahead.

Your preventative measures need to become more sophisticated, with a multi-layered approach to cybersecurity and ongoing risk management.

Roles of the Chief Information Security Officer and Chief Privacy Officer

Many organizations that do not have a dedicated privacy team led by a chief privacy officer (CPO) put the responsibility for managing privacy and GDPR compliance under the watch of the chief information security officer (CISO).

In some organizations, the CPO and CISO roles are filled by the same person. However, while some of the responsibilities are connected, there are some important distinctions:

Chief Information Security Officer – core focus on protecting the organization from information security threats to company-managed networks.

The CISO is responsible for managing the organization’s data governance and the security of its data-related infrastructure.

Chief Privacy Officer – core focus on protecting the privacy rights of individuals and external entities when their data is collected and stored on company-managed networks, as well as any transmission of that data.

The CPO manages the organization’s legal compliance with data privacy protection regulations such as the GDPR.

This responsibility includes managing data breach response plans to minimize data loss. Under the GDPR, organizations must report major breaches within 72 hours.

Are cybersecurity and privacy controls the same?

Before the GDPR and other privacy legislation came into effect, organizations’ data protection measures might have focused more on security than privacy – and it’s certainly possible to have strong data security without privacy.

But it’s not possible to have strong data privacy protections without strong cybersecurity.

Cybersecurity controls across the ISO-OSI model

Cybersecurity controls are applied in every layer of data communication managed by an organization, typically defined in the seven layers of the ISO-OSI model (the International Organization for Standardization model for Open Systems Interconnection):

  1. Physical
  2. Data link
  3. Network
  4. Transport
  5. Session
  6. Presentation
  7. Application.

Cybersecurity controls are designed to address threats to the security of data as it moves across a network (and any interfaces with devices) by performing the following functions:

  • Monitoring
  • Testing
  • Detecting
  • Analyzing
  • Correlating
  • Responding
  • Reviewing
  • Reinforcing
  • Defending.

Privacy controls and GDPR compliance

While cybersecurity controls are designed to identify and respond to potential threats to the security of data, privacy controls are firmly focused on protecting personally identifiable information (any data that can be traced back to an individual).

Under the GDPR, privacy controls must also address an individual’s right to informed choice and consent regarding the collection of their personal data. This includes controls to support their choices about what personal data they permit organizations to collect and how that data is managed and shared.

The GDPR also includes rules about giving individuals the choice to consent to or block various kinds of data collected in cookies.

Privacy controls include cybersecurity tools to protect personally identifiable information, plus measures to manage the right to informed choice, including:

  • Minimization (collection, retention, distribution, manipulation, transfer)
  • Obfuscation (encryption, hashing, pseudonymization, anonymization)
  • Informed choice (basis for consent, cookies and tracking, cookie wall, legitimate interests)
  • Individual data rights (view, access, correct, limit, stop, erase, withdraw consent)
  • Privacy by design.

Protecting data privacy under the GDPR

The GDPR gives individuals the right to know if an organization holds any data on them.

If an organization has collected their personal data, the GDPR gives people rights to view, access, correct, limit or stop processing that data, and ask that it be erased or returned.

The GDPR legal text includes nearly 100 references to expectations for organizations to protect the privacy of personal data with “appropriate technical and organizational measures”.

However, these measures are not precisely defined. When planning your organization’s cybersecurity and privacy controls, consider the following:

  • Although GDPR data privacy measures are undefined, are our organization’s privacy protections risk-aligned?
  • Are our privacy controls proportional to the privacy protection need and the investment?
  • Where data privacy controls are lacking, are the compensating controls applied sufficiently to the risk?
  • Personal data privacy protection measures can include technical devices, technical processes, staffing, structure, and procedures.

These measures need to address data privacy monitoring, testing, detecting, analyzing, correlating, responding, reviewing, reinforcing and defending; authorized use and behavior; and privacy controls.

Examples of “reasonable measures” to protect the privacy of personal data

Technical measures for privacy control

Reasonableness should apply to:

  • Defenses
  • Investment in infrastructure
  • Monitoring, testing and detecting private data
  • Developing protections and responses, including processes and procedures.

Organizational measures for privacy control

Reasonableness should also apply to:

  • Adequate staffing to manage privacy control
  • Authorization of access and use (dictating who has access to specific data, what they are authorized to do, whether it can be transported, and the protection required).

GDPR compliance plan: Seven Recommended Steps

Step 1: Perform an inventory.

To understand what private data your organization holds, you will need to map the networks, systems and tools used to manage data, and identify which records contain private data covered by the GDPR.

Then, you’ll need to create an inventory catalog that includes details about what data is contained in each location, its purpose, who in the organization ‘owns’ the data, who else has access, and what controls are in place to protect access and use (such as license agreements and contracts).

Step 2: Assess gaps in compliance with the GDPR and other data privacy laws.

Perform a gap analysis to find out how the organization’s business processes related to data address compliance with the GDPR and other laws. The information you collect during this analysis will help shape your data privacy risk mitigation plan.

Step 3: Map business processes and movement of data.

Under the GDPR, you need to maintain accurate and up-to-date records of how data is handled across the organization. This map will provide an audit trail identifying which data is personally identifiable information.

A data map also comes with records of when data was collected, where it was collected, how it was/is processed and analyzed, and the purpose for which the data is used.

Step 4: Risk-assess data and system assets.

Not all data is high risk. Your risk assessment needs to consider the risk level for each type of personal data record.

For example, high-risk categories include data on vulnerable populations, data containing financial information, and other sensitive information such as health records.

Other risks to assess include the adequacy of corresponding levels of protection available for low, medium and high-risk data.

Step 5: Evaluate contracts and disclosures.

Review all legally required agreements you have in place for how data is collected, managed and used, including disclosures such as privacy statements and terms of service.

Under the GDPR, individuals have the right to make informed choices about what private data is collected and how it is used.

Step 6: Review data owner choice, privacy rights and controls.

Evaluate the effectiveness of your communications and controls in place to ensure individuals can make informed choices about exercising their data privacy rights.

Under the GDPR, you must inform consumers about your intention to collect personal data and give them options for consenting to and controlling the collection of some (or all) data.

Consumers need to know what your organization plans to do with their data and how their data privacy rights will be protected, along with simple tools to exercise those rights, such as withdrawing consent, taking back their data and/or limiting how your organization uses it.

Step 7: Correct deficiencies in data privacy protection and GDPR compliance.

A thorough GDPR compliance assessment by an independent third party can help you identify and correct any gaps in your data protection processes, procedures and policies.

TrustArc GDPR Assessment

Get a GDPR Assessment that’s conducted by expert privacy consultants with deep expertise in identifying gaps, assessing risks, and designing prioritized step-by-step implementation plans for GDPR compliance.

Our GDPR compliance experts are supported in their work by the powerful TrustArc Privacy Management Platform, which helps ensure the assessment is comprehensive, complete and accurate.

Digital Security & Privacy: Two Sides of the Same Coin https://trustarc.com/resource/webinar-digital-security-privacy-two-sides-of-the-same-coin/ Tue, 24 May 2022 21:33:00 +0000 https://trustarc.com/?post_type=resource&p=3904
Webinar

Digital Security & Privacy: Two Sides of the Same Coin

Wendi Lozada-Smith Senior Privacy Consultant
K Royal Co-Host, Serious Privacy Podcast
Martin Gomberg Senior Privacy Consultant

As technology progresses seamlessly into every corner of our daily life, digital security and data privacy are becoming inextricably entwined.

Maintaining security against outside parties’ unwanted attempts to access personal data and protecting privacy from those we don’t consent to share information with have become equally important.

Why are digital data security and privacy management becoming so crucial for companies? How can you keep your customers’ data safe?

Join our panel in this webinar as we explore data security and privacy risks and how your company can face them, thereby increasing customer trust.

This on-demand webinar reviews:

  • Why digital security and data privacy are connected and equally important
  • How to reduce digital security and privacy risks while increasing customer trust
  • How to achieve impeccable digital data security and privacy management
