How has your enterprise positioned itself with respect to data privacy?
Data Privacy Day is not only an excellent time for consumers to review and reflect on the confidentiality of their online data, but for companies to take stock of how they treat that consumer data, too.
How has your enterprise positioned itself with respect to data privacy? Most companies should have a formal privacy policy posted on their websites. How often does your organization review and revise that policy? Are your statements of data usage still accurate? Issues such as browser/cookie tracking and site-visit histories must be addressed clearly and correctly.
Bigger picture on data collection: have you confirmed that you are only collecting the data you need from your customers? In the big data era, companies are tempted to gather anything and everything about their customers, then figure out what to do with the information later on. But consider the downside impacts in the event of a breach or a privacy access request from a customer. Reducing data collection to the essentials can mitigate these risks: you can’t lose – or be forced to produce – data if you never kept it in the first place. For the information that you have collected, are you transparent about why you are collecting it, restricting your use of that data accordingly, and limiting the downstream distribution of that data to third parties unless consent is given? Obligations around seeking and tracking consent from customers are only getting more stringent.
Has your organization documented a process for handling and responding to a privacy access request from a customer or third party? Without some kind of framework in place in advance, access requests can be particularly time-consuming and costly exercises. In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) website outlines the response requirements, schedules, and obligations for companies that receive access requests.
Looking inside the enterprise, are you familiar with your organization’s data governance policy? Formal structures covering data inventory and criticality assessments, data access and permission rules, right through to retention period policies and protocols around the destruction of obsolete data should be documented. Some organizations view retention and destruction policies as burdensome. However, setting and following clear directives on how long to store data can yield great benefits as well. If you have data retention periods defined, the scope of “electronic discovery” requests can be limited if your firm enters litigation for any reason. Minimizing stored data to only what’s necessary can reduce backup/restore windows, conserve storage resources, and improve data access efficiencies as well.
Has your company confirmed where sensitive client data is stored? Many companies choose – or are obliged – to store personal information in-country. For example, many Canadian companies prefer to use Canadian cloud solutions or local hosting in order to ensure that their clients’ data isn’t exposed to foreign government access demands. Have you reviewed your hosting contracts to ensure that your cloud data storage is local if this is important to you or your clients? This review should be done on a regular basis, as third-party or downstream vendors may change their arrangements without notifying you. When executing new contracts, look for language that guarantees data sovereignty, so you can feel confident in storing your clients’ personal information – and in telling prospective customers how seriously you take data privacy. Concerns about data security and data privacy are certainly “on trend”, so taking a leadership role in protecting privacy can be a differentiator for your company.
Have you reflected on your internal cyber security training modules for staff, and on your internal data security practices? Is there appropriate emphasis on the importance of maintaining data privacy? Just as cyber security should be every employee’s responsibility, respecting customer privacy and confidentiality should be an everyday part of doing business. Access to client information should always be on a least-privilege, need-to-know basis to help ensure customer data is kept confidential. Many computer systems, applications, and networks support role-based access to resources, so you can limit access to sensitive information to select job functions. Among other benefits, this practice helps contain risk, can limit the exposure from a malware event, and simplifies IT control audits. And though the focus of this article has been on protecting client data, employee, partner, and supplier information obviously needs to be handled carefully as well. Defining one set of best practices for the administration of data makes management more straightforward, and helps reinforce the twin pillars of privacy and security.
Digging deeper on the IT side, have you confirmed that customer data is encrypted and stored securely, be it in the cloud or on hosted equipment? Your firm must take every measure to ensure the security of your client data, and mitigate the risk of exposure of that data due to a security breach. Never forget that if your cloud provider is breached and your clients’ data is exposed, it will be your company – not necessarily the cloud service – that takes the brunt of the bad press. In addition to the cascade of other problems that flow from a cyber security event, the loss of goodwill at disclosing private customer information is one of the most severe. Consider your impressions of companies that have suffered data breaches in recent months and years – irrespective of the steps taken to tighten security, compensate losses, and conduct spin control on a breach, a black cloud can linger over a company indefinitely.
Keeping abreast of the evolving data privacy landscape is essential. Larger enterprises typically designate a Chief Privacy Officer or senior representative (often from the legal, compliance or IT teams) to oversee privacy-related initiatives. For smaller businesses, following industry conferences and reading up on emerging legislation can be helpful with staying in touch. In Canada, for example, the regulatory landscape is complex – beyond the over-arching PIPEDA, each province may have its own “substantially similar” privacy policies. Throw in the leading-edge GDPR (General Data Protection Regulation) in the European Union along with other evolving international laws, and it becomes a daunting task to stay current. Engaging third-party consultation or legal assistance may be appropriate, especially if your firm is doing business in multiple jurisdictions.
Hopefully this article will generate discussion and review among your firm’s leadership team. For a wealth of additional information and resources on Data Privacy Day, visit the National Cyber Security Alliance’s StaySafeOnline website.