Digital privacy is a very hot topic these days, between media reports of major corporate breaches and failures and the increasingly stringent requirements of regulations such as the General Data Protection Regulation (GDPR). Chief information officers (CIOs) should have digital privacy on their collective radar, working to create an IT plan that ensures proper privacy, security, and confidentiality for users and the company itself.
Compliance with applicable regulations, together with strong internal privacy practices regardless of what is required, will help ensure that your organization is well protected going forward. Data and privacy breaches deserve every effort to avoid, as they can cause massive damage both financially and to your organization’s reputation.
There are many paths a CIO can take to digital privacy and security, based on the needs and objectives of each business. Here are a few key things to remember when developing your own digital privacy IT plan, especially as GDPR-based principles stretch out to countries outside of the EU.
GDPR Guidelines
Here is a good overview of GDPR. The GDPR outlines a set of core privacy principles. While these apply to organizations that must comply with GDPR, they are worth adopting generally, as the GDPR requirements are stringent enough that following them is a good idea for any organization focused on privacy.
GDPR requires organizations to handle personal data in a way that is legal, transparent, and fair. That means the personal information a company accesses and stores has been collected with each person’s consent, and that the data is used in the way each person was told it would be. The data can only be used for the purposes to which the person consented.
Companies collecting data have to define exactly what they are collecting and how it will be used, and ensure that only the minimum data needed for those purposes is collected and accessed. Every time personal data is collected it should be for a specific purpose, not gathered for generic or undefined purposes. Whatever is not being used should be removed.
That data has to be accurate and up to date, giving the client or data subject the opportunity to clarify or rectify any wrong or incomplete information. People whose data has been collected must have a mechanism for reviewing, changing, and removing that data.
For organizations not used to worrying about data privacy, or for those with more lax standards, GDPR may seem over the top. However, it’s a standard for a reason — it works, and it keeps data subjects comfortable.
Understanding Your Organization’s Data Privacy
Each company has its own infrastructure and environment, and that impacts data threats and data privacy. An agency working with health or financial information, for example, will have different data privacy concerns than an organization that is solely collecting contact information for the people it serves.
An audit of your existing privacy and security infrastructure as well as an understanding of any potential threats is key in developing a data privacy policy and system that makes sense for your organization and its stakeholders. If you collect, use, or disclose personal information at all, this should be your first step.
Ideally, the goal of an audit is to uncover and close any gaps in security and privacy measures. This kind of audit is not a one-time exercise done only at the start of the policy-making process. Rather, a proactive CIO should schedule digital privacy policy and infrastructure reviews on a regular basis, to continually protect information and manage risks.
Taking a look at how competitors and others in your industry are handling data privacy can sometimes be helpful. Industry standards form a good benchmark of what privacy and security measures could be considered reasonable and appropriate, so your own agency can meet, and ideally exceed, those measures.
Third Party Privacy
Hybrid cloud infrastructure, platform as a service, and other technological advances bring third parties into the scope of your security concerns. If a third party has care and control of your data subjects’ information and breaches or otherwise compromises that information, you could be liable for not having vetted that third party carefully enough.
Today’s IT infrastructures are rarely fully in-house and on-premises, and because of that, your organization needs to carefully choose each third party and understand the full scope of what they are doing, including any further subcontracting. Their decisions and actions will reflect on your company, good or bad, so before you sign on with any kind of service provider or contractor, be sure to understand what their digital privacy practices are.
In short, whether it’s your own rules or the way you integrate a contractor into your environment, digital privacy is something requiring thoughtful planning and work.