With privacy breaches and security threats making headlines around the world on a daily basis, it’s becoming increasingly obvious to most enterprises that the personal information and sensitive data they hold is an extremely valuable commodity.
However, shared inappropriately—whether by accident or breach—the disclosure of sensitive data can have dramatic financial impacts on an organization and erode consumer trust.
The good news here is that this should be highly preventable. So in honor of Data Privacy Day—which will be celebrated this year on Tuesday, January 28—here are 10 tips for improving your privacy and data protection programs in 2014.
1) Know thy business—Take the time to understand what kinds of data your business handles and uses as well as how your coworkers are using your internal systems on a day-to-day basis. Understanding a “day in the life” of your colleagues will help you determine why and how they need to handle this protected data in the course of their daily work. The time you invest in understanding their requirements will pay off in spades as you will be able to craft solutions that meet their specific needs while ensuring compliance with regulatory obligations.
2) What are your “Crown Jewels”? —What kinds of data are you trying to protect? Many companies worry about “dark data” existing across their different communication gateways (be it file shares, SharePoint, social systems, and other enterprise collaboration networks) and enterprise systems. Understanding what and where this data is—and properly classifying it—will allow you to set the appropriate levels of protection in place. For example, many companies apply their security protocols in broad terms, using the same security procedures for everything. However, do you really need to put the same security protocols around protecting pictures from your company picnic as you do toward protecting your customers’ credit card information?
3) Set enforceable policies—Your general counsel’s office and compliance team are tasked with understanding your statutory and regulatory obligations to ensure your company complies accordingly. However, be sure that any policies you set internally can be measured, monitored and enforced. Broad statements such as “we do not allow PII data in Microsoft SharePoint,” without the ability to enforce this policy or measure its effectiveness, is not a sound data protection strategy. It’s like setting a curfew for your teenagers and going away for the weekend. Don’t leave your policies to chance or luck.
Do you really need to put the same security protocols around protecting pictures from your company picnic as you do toward protecting your customers’ credit card information?
4) Make it easier for your end users to do the right thing than the wrong thing—Create policies, rules and IT controls that are sensible and make it easier for your end users to do their jobs effectively with the systems and controls that you want them to use. Don’t set up policies that are so cumbersome and restrictive that your employees are pushed to private cloud options; e.g., Dropbox and Google Docs. Why? At the end of the day, your employees will do what they need to do to get their jobs done. Help them to make it simple while using the systems you can control.
5) Build bridges, not only walls—Traditional approaches to data security were designed to keep data “inside” your walls and keep intruders out. However, the challenge with that approach is that if you build a 10-foot wall, your adversary can come with an 11-foot ladder. Then, when you come back and build a 12-foot wall, they respond by bringing a 13-foot ladder, and so on. Walls become difficult to sustain and build, particularly when end users are accessing your data anywhere, anytime and from any device. Think about protecting the data itself wherever it resides—use your privacy and data controls to allow your end users to appropriately access data where it lives across these systems.
6) Trust and verify—Trust your end users to appropriately identify and classify sensitive data they are handling and/or creating, but verify that they are doing so. Using a combined or “layered” approach to data classification can ensure that the policies, training and tools you are providing are being properly understood and integrated into the day-to-day tasks of your workforce.
7) Create a pervasive culture of compliance—Many companies conduct annual privacy and security training. However, try to think of ways in which you can build an ever-present sense of privacy and security awareness into your employees’ daily activities. This can be done by using automation to help educate your employees by reinforcing “good behavior” and explaining mistakes as they happen, thereby helping to build in privacy and security by design.
8) Getting to “yes”—Some IT and business professionals working outside of the compliance role believe (fair or not) that privacy is where “IT goes to die” and that security “leads with no.” Most of their counterparts in privacy and security would like very much to change that perception. However it’s difficult to do so when they are understaffed and often engaged at the end of a project rather than at the beginning. This is not an effective way to build a collaborative team. Instead, it’s important for security and privacy officers as well as general counsel to take the steps we’ve discussed above to partner with their IT and business colleagues in order to gain the sponsorship and cooperation necessary to successfully implement privacy and data protection initiatives.
It’s not only your chief marketing officer that needs to be thinking about building your company brand. Chief privacy officers and chief security officers need to be able to market their programs as well.
9) Develop a Service Level Agreement with your colleagues in IT and the business—By implementing a standardized and repeatable process with your IT and business colleagues so that they will engage you as a project begins—rather than when it is waiting for your sign off as the only obstacle to launch—you will be able to help provide advice, guidance and approval at every step of the process. Consider using automation to allow your colleagues to request a privacy impact assessment of the systems they are planning to build and deploy. This way, you can provide them with a reasonable estimate and timeline for completion. Your involvement early on will save them from having to make last-minute design changes or decisions with the clock to launch ticking.
10) Reality is perception—It’s not only your chief marketing officer that needs to be thinking about building your company brand. Chief privacy officers and chief security officers need to be able to market their programs as well. People often think of “brakes on cars” as being designed to stop cars or slow them down. But in fact, when cars were first invented, they had no brakes at all, so you had to drive very slowly. When brakes were invented, it allowed cars to go much faster because drivers knew they had a mechanism by which to stop. Work very hard to encourage your IT colleagues and business users to think of privacy and security controls in the same way. Rather than “stopping” the business from doing its job, instead, the proper controls will allow you to realize the full potential of the data you do have—so that you can achieve all of the business objectives you’ve set out to accomplish.