Tag Archives: data privacy

close up photo of a paper on a vintage typewriter

Data Privacy Implementation Strategies

Data privacy is a topic that many organizations are addressing. In this post, we will go through several steps that must be taken to implement a data privacy program.

Leadership Sponsor

As with any major initiative, data privacy is going to need the support of leadership. In particular, there will be a need for an advocate on the leadership team who will support the vision of improving data privacy. Who this person is will naturally vary from organization to organization.

ad

The sponsor is not only an advocate but also serves as a medium of communication between the data privacy team and leadership. The sponsor serves as the eyes and ears for the privacy team to help them to avoid pitfalls is deal with concerns that are not shared directly from the leadership team to the privacy team.

Put Someone in Charge

Implementing any program or strategy requires that someone take the lead. Therefore, when it is time to develop a privacy approach someone needs to be in charge. The selection of the leader will naturally vary from one place to the other. The point is that the leadership sponsor needs someone they can talk to directly about the challenges and concerns that may be made at the leadership level.

Depending on the size of the project there might be more than one person identified as a leader. However, it is generally wiser to start small and scale as appropriate.

Examine the Data

Before any action can take place it is important to take an inventory of available data. Another name for this is the compiling of a data catalog. A privacy leader must know what data needs to be held private. Without this information, it is hard to ensure the quality.

Knowing the data works in combination with the policies and procedures that need to be made. For example, if the data includes personal information this will influence how privacy is maintained versus data that does not contain such information.

Compliance Expectations

Knowledge of the data is used concerning compliance expectations. For a corporation, the compliance standard might be GPDR. For other organizations, compliance might be determined by local laws or organizational standards.

Generally, a privacy team must provide evidence that they are implementing and or obeying compliance standards. Therefore, a team might have to document and archive how they comply with regulations in the event of a data breach and or audit.

Assess Risk

Assessing risk helps to inform the privacy team in terms of what sort of policy and or procedures to implement. Fortunately, it is not necessary to develop this risk assessment in a vacuum. There are risk assessment frameworks such as ISO 31000 or ISO 27005. Either of these frameworks or others can help you to determine the level of danger your data is potentially facing.

Create Policies and Procedures

Policies are broad guidelines based on the context in which it is being developed for. Most websites have some sort of privacy policy that explains how and what data is collected along with its purpose. Privacy policies can include an idea of the roles and responsibilities of the data privacy team as well.

Procedures are the steps that need to be taken to fulfill the policies that were created. In other words, data procedures provide step-by-step guidance of policies. For example, if the policy speaks about the importance of only certain people having access to data a procedure for this might be how to set up a password or to seek permission to access a particular database. Essentially, policies inspire procedures.

Controls

Controls are inspired by risk assessment. In this step, you are implementing ways to mitigate risk to data. For example, it might have been uncovered that sensitive data is too easy to access. The control for this example may be to move the data to more secure data or to ensure that the data is password protected.

The main point here is that all of these measures must be integrated and working together. The data catalog and knowledge of compliance inspire the policies and procedures which in turn helps with the development of controls

Training & Monitoring

Now that almost everything is in place it is time to train people on the new privacy rules. The training will be context specific but is critical for getting buy-in to the new system. Without the cooperation of the masses, there is no hope for the success of the program.

After training, the training is assessed through monitoring. Monitoring assesses how well the program is running. It deals with such challenges as whether people are obeying the new procedures that have been implemented. Monitoring also helps in providing feedback in terms of where there might be growth opportunities. No system is perfect and monitoring provides critical information to strengthen the program.

Conclusion

Data privacy can be improved in any organization. The ideas presented here provide information on how to start a data privacy program. Naturally, all of these steps may not work for each organization but many valuable ideas have been shared to support the protection of privacy.

black android smartphone on top of white book

Privacy by Design

Privacy by Design is an idea found within the General Data Protection Regulation, which affects the data privacy practices of organizations. In this post, we will define this term and explain several principles of privacy by design.

Definition

Privacy by design is a concept in which data protection happens through the appropriate development of technology. Essentially, data protection should not be limited to one place or one feature instead data protection should be layered throughout the system of an organization.

ad

There are several ways to begin this initiative. A common method is to have a privacy policy that is up-to-date and readable. Another way to begin this process is to establish someone as the data protection officer. Lastly, it is also common to conduct some sort of assessment of data protection to determine areas of improvement before using an individual’s personal data.

Principles

There are seven principles of privacy by design. Below is a list with explanations.

  1. Proactive rather than reactive-There should be an effort to prevent privacy loss rather than trying to fix a situation in which people’s personal information is inappropriately accessed.
  2.  Privacy by default-Maintaining the privacy of data should be the first thing an organization thinks about and can include restricting use/access, and or deleting data that is no longer needed.
  3.  Embedding of privacy-EMbedding involves such tools as encryption, authentication, and the testing of vulnerabilities. In other words, privacy is used as a foundational aspect of developing a website or application.
  4.  Full functionality-This idea is a reminder that data privacy should not make it difficult to use a website or application. Protect data but avoid sacrificing the user experience.
  5.  End-to-end security-This is similar to principle number two and is essentially a reminder that privacy protection must be comprehensive from the time the data is received until the data is destroyed.
  6.  Visibility and transparency-People should know what is being done with the data an organization has of them.
  7.  Respect for user privacy-People should still have authority over their data after it is collected. What this means is that they can grant or rescind consent to their data at any time.

Implementation Perspective

There are several perspectives from which the implementation of privacy by design that must be considered and these are systems, processes, and risk management perspectives.

The system perspective involves documenting the organization’s commitment to data protection, appointing a data protection officer or leader, providing training for employees, checking security measures, developing a record-keeping system, and conducting a self-assessment. All of these steps are used to develop an initial system for data privacy.

For processes, it is necessary to determine roles within privacy such as people in IT, legal, etc. who support privacy with their technical expertise. It is also important to document the data processing process and privacy risks. Privacy controls for users and the implementation of security measures from the systems perspective are critical as well.

Risk management is another key perspective that needs to be addressed for data privacy. Risk management involves the legal purpose of processing data. It also includes tracking who has access to data, controls for accessing data, what to do in the event of a breach, and minimization, anonymization, and pseudonymization of data. Lastly, measures for data accuracy are developed here.

grey and black macbook pro showing vpn

Data Privacy

A field closely related to data governance is data privacy. In this post, we will look at what data privacy is as well as principles that need to be kept in mind when trying to keep people’s data private.

Data Privacy

Privacy is a term that is difficult to define. For our purposes, data privacy is the amount of control a person has over personal information in terms of how this information is collected, managed, and stored. This definition gives the impression that people have little data privacy because we are so often compelled to share our information online.

ad

Websites often require some surrendering of personally identifiable information (PII) such as name, address, phone number, etc while in the medical field, there is demand for personal health information (PHI). Sharing information about yourself can be frustrating for many but is the cost of doing business online. Naturally, once these various online companies have your data they must be sure to protect it.

Data security is not about collecting or managing data. Rather, data security is focused on the protection of data from unauthorized access. Securing data is critical to protect individuals and organizations from harm because of security breaches. For example, there can be serious financial repercussions if someone’s credit card number is stolen online.

Fair Information Practice Principles

With all the concerns regarding data privacy, it was natural that frameworks would be developed to help organizations with data privacy. One such framework is the Fair Information Practice Principles (FIPPs) developed by the Organization of Economic Development back in the early 1980s. Below are the eight principles in this framework.

  1. Limits on data collections-Every organization need to determine the smallest amount of data they can connect while still maintaining success
  2.  Data quality-Data that is collected needs to be accurate and pertinent to the purposes of the organization.
  3.  Purpose determination-There must be a clear compelling reason to collect data.
  4.  Limits of use-Personal data must only be used for its intended purpose.
  5.  Security-Data must be protected
  6.  Transparency-People should know that their data is being collected
  7.  Individual participation-People whose data has been collected have the right to access their data, have it corrected, and or erased
  8.  Accountability-Whoever collects this data is responsible for adhering to the principles listed above

The principles shared above have been adopted by many organizations to provide a foundation on which they can develop their own data privacy policies and philosophy.

Conclusion

Data privacy is a major concern in the world today. Organizations whether online or offline continue to demand more information about their customers. As such, this implies that there must be safeguards in place to ensure the protection of this information.