Every company in the world stores data—and much of it is personal information about customers, employees, vendors and other stakeholders. Regardless of size, industry or location, these organizations are obligated to follow a strict set of data privacy laws and to protect certain information from falling into the wrong hands.
But the laws and regulations are complex, often conflicting and can be confusing. Moreover, despite their efforts, those tasked with ensuring their organization complies with data privacy requirements are often unclear about whether the programs they institute actually meet those requirements.
The following questions and answers are intended to offer some clarity around data privacy risk management and the complexities of privacy compliance—including challenges around European data protection.
1. What are the biggest risks associated with data breaches?
Data breaches are not only costly in terms of hard dollars but also in terms of brand damage and loss of reputation. Customers (consumers and businesses) and employees quickly lose trust in organizations that do not adequately secure personal information in their possession.
2. What is the role of risk management in protecting personal data?
Assessing the risks associated with managing personal data is really no different from assessing the risks associated with managing any confidential data, with the caveat that heightened security requirements may apply where personal data is involved. Organizations should identify areas of risk, rate the likelihood and impact of each, and then determine how to remediate or minimize the risk and the resulting impact to the organization, its customers and/or its employees.
3. What is a “risk-based approach” to data privacy?
Beyond straightforward “pure” compliance with privacy laws (“is it legal?”), a risk-based approach asks what could go wrong and how badly. It is particularly important when evaluating the quantity and type of personal data that may be collected, and when deciding where to expand service offerings, since legal compliance requirements differ by jurisdiction and may make some expansions riskier than others.
4. What can organizations do to minimize the risk of a data breach?
The most proactive way to reduce data breach exposure is to institute strong security measures to protect personal data in the organization’s possession and to require that its third-party providers maintain a comparably strong security posture. Whether the measures are internal or external, they include protecting customer and employee information through technical controls such as encryption and firewalls, as well as organizational measures such as limiting employee access to personal data and properly disposing of data once it is no longer needed.
5. What role does training play in data privacy risk management?
Organizations should provide adequate data privacy training to employees who have access to consumer, employee or company records. This goes beyond the standard confidential-information training that many organizations already provide as part of their code of conduct.
Training should identify:
- The risks to the business (both financial and reputational) posed by sharing confidential information, personal information and other secret data.
- The laws applicable to the organization, and the employees’ obligations to comply with them.
- Real-world examples of what can happen when information is not kept confidential.
Employees should also be adequately trained on the organization’s approach to privacy and security, and its policy on sharing information it collects with third parties.
6. Who should have access to the private information a company collects and stores?
Only employees who need access in order to perform their job function should have access to personal data.
7. Who should be responsible for ensuring an organization is doing all it can to achieve and maintain compliance with data privacy laws and regulations?
There should be a designated individual responsible for evaluating and addressing privacy concerns. That individual should be involved in the development of any new products and services to allow them an opportunity to evaluate whether any privacy considerations exist and work with the development team to address them while in development as opposed to after the product or service is rolled out.
This approach is generally referred to as “Privacy by Design” because it incorporates privacy into the product development lifecycle, rather than evaluating the potential privacy impact after the product is fully developed and released.
8. What other tools can help companies protect information?
There are a number of technology tools that can help companies protect data, but organizations can’t rely on technology alone. Employee education, coupled with technical and physical safeguards, is the most reliable way to protect information.
9. How should companies try to minimize the amount of data they collect?
Organizations often collect more personal data than they need. They should be guided by practices that support the principle of data minimization: only collect the amount and type of personal data necessary to perform the service or function for which they were engaged.
For example, while it might make sense for a company selling health remedies to collect information on the types and quantities of vitamins an individual consumes, an athletic-clothing manufacturer should think twice (even if it is related to an ad campaign) before collecting that sort of data.
10. What should companies do to better organize the data they collect?
Organizations should consider creating a catalogue and data map of the types of data they possess, where the data flows (including to whom) and where it is stored. If a company is collecting personal data that may be considered sensitive (a category that data privacy laws in various jurisdictions define differently), it should evaluate the security measures it has in place to protect that information and minimize the potential for a breach.
11. How can organizations “risk proof” their data?
No organization that collects personal data is “risk proof.” In order to do business, most organizations will have to share some amount of personal information with third parties whether to deliver services or to manage their own business. However, they should closely follow the concepts of data minimization and transparency—only the minimal amount of personal data should be collected and shared and only where necessary.
12. What are some best practices around sharing information?
Organizations should be transparent about the circumstances in which an individual’s personal information may be shared with third parties. This allows those individuals to be fully informed about why and how their information may be shared.
Organizations should also obtain assurances from any third parties with whom they share information that those third parties will protect the personal data entrusted to them. This may include requesting that the third party protect and secure data in a manner consistent with the organization’s privacy and security measures and policies.
In addition, third-party subcontractors should be trained on your organization’s standards and should attest to your privacy- and security-related policies and procedures, particularly where they will be accessing data within your systems. Be sure to document that you have done this.
13. How do organizations validate the measures they’ve implemented?
Validation can take the form of internal assessments or third-party assessments. These assessments should help provide evidence that an organization is in compliance with its own stated policies, as well as with all applicable laws.
When data breaches occur, organizations that can demonstrate they have made an effort to assess their compliance may see lower fines than those that ignored privacy compliance or simply “checked the box.” In some cases, regulators and governments are issuing guidance on how to conduct Privacy Impact Assessments, and the benefits of doing so.
14. Is anything new on the government front related to data protection legislation or European data protection?
The EU is currently formalizing its new data protection law, the General Data Protection Regulation, which is much needed and should provide greater certainty in many of the areas the prior EU law, the Data Protection Directive, did not. The General Data Protection Regulation has been in the works for nearly five years and will dramatically shift the privacy landscape for organizations with operations in the EU and for organizations doing business with EU consumers. It is anticipated that there will be a two-year window for compliance with the law once it is formally issued.
In addition, discussions between the U.S. Department of Commerce and the European Commission (which began in 2013 but were reignited by the recent European Court of Justice ruling invalidating the EU’s acceptance of Safe Harbor) are ongoing. A draft agreement, the EU-US Privacy Shield, has been released and is intended to replace the EU-US Safe Harbor program. Both sides are hopeful that the agreement will be formalized by mid-to-late 2016. Despite the agreement, there remains some uncertainty about the new program’s impact on US businesses that want to participate in the Privacy Shield, as well as whether EU organizations will place enough trust in the program to make participation worthwhile for US businesses.
To learn more about how NAVEX Global’s incident management, training and policy solutions can help your organization comply with data privacy laws and regulations, talk with one of our ethics and compliance experts today.