
How Successful Organizations Avoid Privacy Pitfalls

Information professionals are inundated with warnings about the consequences of violating privacy laws and regulations, even inadvertently. At the same time, the flurry of recent consumer protection laws has wreaked havoc for global corporations trying to understand the laws and demonstrate compliance.

While there are ample resources for understanding the law, there are few practical guidelines for implementing a privacy program. To fill this gap, here are some actionable steps to ensure data protection.

Drivers of the transformation in data security

Data security and compliance are top of mind for C-suite executives in every industry. It seems as if another data security breach becomes known every week, with even the most tech-savvy companies in the world falling victim.

For example, 2.7 billion identity records were discovered by hackers in 2019 and offered for sale on the Internet. Perhaps the most famous breach involved Facebook: a hack exposed the personal information of nearly 50 million users. But Facebook isn't alone. Quest Diagnostics, Houzz, and Capital One are just three of the many well-known organizations that joined the list of the most notable hacks of the past year.

In the meantime, data protection regulations are becoming increasingly strict worldwide. From the General Data Protection Regulation (GDPR) in Europe to the California Consumer Privacy Act (CCPA), new laws are being implemented around the world. There are also many guidelines that do not have the force of law but form part of self-regulatory frameworks regarded as industry best practice.

Given the growing concern about data security, organizations are putting their money where their mouth is. According to AIIM research, 51% of companies plan to spend "more" or "much more" on information governance, records management and digital storage in the next 18 to 24 months.

Steps to develop a data protection program

How can organizations increase their data protection efforts? Here are a few key steps to follow.

Develop a project roadmap

A written project roadmap is crucial for getting a clear overview of your data protection program. This is where you codify the scope, key milestones and dependencies of your project. Some important questions to answer:

  • What specific information and data types require privacy policies?
  • Which personal data do we have to collect and use?
  • What is the appropriate life cycle for personally identifiable information and sensitive data?
  • What schedules and milestones do we need to adhere to for our privacy program to be successful?
  • How and when will we continuously reassess our data protection program?

Define roles and responsibilities

Well-defined roles and responsibilities are the backbone of a successful data protection program. Your plan must formally hold people accountable for doing the "right" thing at the "right" time, and that requires defining and staffing roles that fit your organization's culture.

Some common roles are:

  • Chief Privacy Officer – An officer responsible for managing risks related to privacy laws and regulations.
  • Data Protection Officer – An independent senior or technical resource who ensures that the organization applies the laws protecting individuals' personal information.
  • Data Protection Officer – Part of a cross-functional team responsible for building a data protection culture, raising awareness, and ensuring compliance across the company.
  • Data Owner – Individuals throughout the organization who are responsible for the data within a given domain or process.
  • Data Steward – Subject matter experts and process owners who are responsible for day-to-day data management.

Develop a training plan

Data protection is not one person's responsibility. Everyone in the organization should be trained in the systems and processes that have been put in place to ensure compliance.

Most data protection laws actually require this. Under the GDPR, for example, companies are legally obliged to provide their employees with internal training on data protection. Ways to achieve this include workshops, online training, and/or interactive exercises that ensure everyone is up to date with policies and procedures. For example, users should know which types of data they may not modify or disclose to third parties, be able to recognize fraudulent attempts to obtain personal data, and understand the consequences of neglecting privacy.

Moving forward

The burden of data security and regulatory compliance demands a higher level of information governance. The risk of a data breach has never been higher, regulations are becoming stricter, and the organizational risk has never been greater. Keep these steps in mind as you design your privacy program, and look for vendors and partners with the right mix of skills, vision and expertise to properly secure and protect private information.

This blog was originally published in cooperation with AIIM under the title "Development of a functioning data protection program".

You can download the original information sheet here.
