It’s Data Privacy Day! Taking place each year on January 28, Data Privacy Day is an international effort to create awareness about the importance of privacy and protecting personal information. In the wake of another year of significant and high-profile data breaches, Data Privacy Day is a great way to connect to the global privacy community and understand what you can do to better protect personal information – whether it’s your own or that which is handled by your organization.
Data Privacy Day Tips
In light of the day, we caught up with two privacy experts to ask them five questions about the state of privacy today and what you need to consider to ensure your organization is dealing with personal data the right way:
Sam Pfeifle – Publications Director, International Association of Privacy Professionals (IAPP)
Dana Simberkoff – Chief Compliance and Risk Officer, AvePoint
What steps can organizations take to better secure personal data?
Sam Pfeifle (SP): Quite simply, if organizations are collecting and processing personal data, they need to train anyone touching that data to understand what they’re handling. Everyone in the organization should be able to recognize personally identifiable information (PII) as they come across it and know how they’re meant to protect and handle it. It’s often those on the front lines of the organization – the customer service representatives, the data analysts, or the programmers – who come into contact with sensitive data. Don’t let them be your weakest link.
Dana Simberkoff (DS): Organizations need to:
- Understand the data that they collect and the systems in which they hold it.
- Determine the appropriate life cycle and access controls for that data.
- Implement and train staff on the policies and procedures around appropriate data handling.
- Implement technical controls to ensure compliance.
- Monitor effective implementation of their program.
In other words, they need to say what they do, do what they say, and be able to prove it!
What privacy trends do you think we’ll see in 2016?
SP: Already we’ve heard it from the US federal government, and I expect we’ll hear it from a number of other large companies in 2016: it’s time to professionalize the way privacy is done. Instead of making privacy a side-of-the-desk job for a lawyer or compliance manager, companies are now understanding that they need to have a privacy professional heading up their data handling activities. It takes a very particular skill set – a combination of compliance, risk analysis, and technical understanding – to do the job right.
DS: In part because of the IT obligations of the European Union General Data Protection Regulation (GDPR), there will be a new focus on the role of CIOs in helping to implement appropriate privacy safeguards. This means a greater emphasis on Privacy by Design and Default as well as mapping data flows for all systems and programs that process PII.
How does the cloud influence information governance strategies?
SP: It probably influences information governance most by introducing confusion. People have the idea that “cloud” means some kind of mysterious data server in the sky. In reality, of course, cloud providers are just vendors with whom you need contracts and agreements. In fact, cloud providers likely make many of your security and data inventory tasks easier, as it becomes their job to protect the data, and they are likely better at providing structure to your data than you are.
DS: All organizations will need to consider their cloud strategies in a very practical and operational way, considering it’s not a question of “if they will go to the cloud,” but rather “what they will put in the cloud.” Next, in order to have a strong compliance strategy for the cloud, they will need to have good data governance practices for their on-premises data. This means discovery, classification, tagging, and controls.
What precautions can individuals take to protect personal information?
DS: Understand as individuals that nothing is free and your data has value. In the same way that you protect your identification and credit cards by securing them in your wallet or purse and keeping them properly protected, remember to take the same care with your identification and financial information online. Don’t choose to have websites “remember you” unless you are very confident in their privacy and security practices. Do select to use the most protective settings in your web browser of choice. While you may have to fill out online forms more than once – and you won’t have that “special item” suggested and waiting for you when you return to the online shops you frequent – just think of what you may find when you look across everything available instead of what someone else chose for you. In general, being in control of your information is always better.
What would you like people to take away from Data Privacy Day 2016?
SP: Doing privacy right is about creating a culture of privacy at your organization. People need to have privacy top of mind. In the same way you train your organization to make sure the lights are out or the doors are locked, you need to train your people to make sure data is encrypted and deleted at the appropriate time. People need to be trained to ask the right questions of data – Who needs access? Where is this going? Why do we need it? – in order to see risk when it presents itself.
DS: Individuals can influence the protection of their privacy rights by choosing to do business with companies that practice what they preach. And companies should not wait for a breach to happen. Do your best to limit the chances of it happening to your company. If and when it does, be prepared to respond quickly and mitigate the damages. Your best defense is a good organizational program. It’s not good enough for your senior management to become interested in privacy only when things go wrong. Get them to the table early and keep them involved.
Download Our Free Tool to Analyze Your Organization’s Privacy Risk
Need help understanding your organization’s privacy risk? The AvePoint Privacy Impact Assessment (APIA) System can help you automate the process of evaluating, assessing, and reporting on the privacy implications of your enterprise IT systems. Exclusively available through the IAPP, APIA allows you to select questions from a pre-populated bank of Privacy Impact Assessment (PIA) questions or create your own, meaning you can build and save PIA templates to be reused and reported out.
Visit the IAPP website to download APIA for free today!