Organizations have to take a disciplined approach to their data privacy programs if they want to succeed, says the new Canadian-based head of KPMG‘s global privacy practice.
“The only way to manage privacy risks is to monitor, test, and reassess your risk posture continuously,” Sylvia Kingsmill said in an interview. “You don’t just build a privacy program and let it sit, you’re continuously monitoring for changes and trying to get ahead of the attacker.”
Kingsmill, who is KPMG’s national privacy, regulatory and information management lead, was named global privacy leader late last year. In that position she will work with privacy experts to ensure the consulting firm doesn’t duplicate its efforts around the world.
Kingsmill got her start in privacy as a member of the office of the Information and Privacy Commissioner of Ontario under Ann Cavoukian. A former advisor to the Canadian government’s round table consultations on its National Digital Strategy, Kingsmill is also a special advisor to the International Council on Global Privacy by Design, advising on artificial intelligence, big data and ethics by design.
Asked if businesses still collect more personal data than they need, Kingsmill said it’s not just a private-sector problem. “I think a lot of organizations collect too much information. It’s just now that we’re seeing de-identification principles and anonymization techniques being discussed to lower the risk of over-collection of data. That’s because of Quebec’s Loi 64 [the province’s new privacy legislation] and GDPR [the European Union’s General Data Protection Regulation], where data minimization and Privacy by Design is the default.”
Collecting only the personal data needed is becoming more important for managing privacy risks, she added. The more personally-identifiable data collected, the more vulnerable the organization is to a data breach, particularly if the right access controls or data anonymization techniques are missing. It will take a greater understanding of data analytics and the use of alternative personal information identifiers to make organizations understand they can manage without collecting as much personal data as they think they need.
“I think you can de-identify, mask or anonymize datasets and still extract value for data analytics while reducing your privacy risks and security exposure,” Kingsmill said.
Asked what her message is to organizations, she said, “we have an opportunity to play a key role in shaping the digital future. That means new technologies will need increased safeguards around the issues of security, privacy, ethics. I think we need a tremendous amount of government and regulatory support for all of the technology advances so that the launch of new technologies run in parallel with new rules of engagement. New technologies create risk, and government needs to step up and our regulators need to be empowered to enforce these new rules. Otherwise Canada’s going to lag behind.”