Information professionals are inundated with warnings about the consequences of violating privacy laws and regulations, even inadvertently. At the same time, the flurry of recent consumer protection laws has unintentionally wreaked havoc for global corporations trying to understand the laws and demonstrate compliance.
While there are ample resources for understanding the law, there are few practical guidelines for implementing a privacy program. To fill this gap, here are some actionable steps to ensure data protection.
Data security and compliance are top of mind for C-suite executives in every industry. It seems as though another data security breach becomes known every week, with even the most tech-savvy companies in the world falling victim.
For example, 2.7 billion identity records were discovered by hackers in 2019 and offered for sale on the Internet. Perhaps the most famous breach involved Facebook – a hack exposed the personal information of nearly 50 million users. But Facebook isn't alone – Quest Diagnostics, Houzz, and Capital One are just three of the many branded organizations that joined the list of the most iconic hacks over the past year.
In the meantime, data protection regulations are becoming increasingly strict worldwide. From the General Data Protection Regulation (GDPR) in Europe to the California Consumer Protection Act (CCPA), laws are being enacted around the world. There are also many guidelines that are not legally binding but form part of self-regulatory frameworks considered industry best practice.
Given the growing concern about data security, organizations are putting their money where their mouth is. According to AIIM research, 51% of companies plan to spend "more" or "much more" on information governance, records management and digital storage in the next 18 to 24 months.
How can organizations increase their data protection efforts? Here are a few key steps to follow.
A written project roadmap is crucial to get a clear overview of your data protection program. This is where you codify the scope, important milestones and dependencies of your project. Here are some important questions:
Well-defined roles and responsibilities are the backbone of a successful data protection program. Your plan must formally hold people accountable for doing the "right" thing at the "right" time – and that requires defining and employing roles that are appropriate to your organization's culture.
Some common roles are:
Data protection is not the responsibility of a single person. Everyone in the organization should be trained in the systems and processes that have been put in place to ensure compliance.
Most data protection laws actually require this. Under the GDPR, for example, companies are legally obliged to provide their employees with internal data protection training. Ways to achieve this include workshops, online training, and interactive exercises to ensure that everyone is up to date with policies and procedures. For example, users should know what types of data they may not modify or disclose to third parties, be able to recognize fraudulent attempts to obtain personal data, and understand the consequences of neglecting privacy.
The burden of data security and regulatory compliance demands a higher level of information governance. The risk of a data breach has never been higher, regulations are becoming stricter, and the organizational stakes have never been greater. Keep these steps in mind as you design your privacy program, and look for vendors and partners with the right mix of skills, vision and expertise to properly secure and protect private information.
This blog was originally published in cooperation with AIIM under the title "Development of a functioning data protection program".
You can download the original information sheet here.