Are you committed to data privacy compliance?
Over the last several years, there has been an explosion of concern over, and scrutiny of, data privacy compliance in the world. For the uninitiated, data privacy is a collective term used to describe rules and procedures around the collection, storage, use, sharing, transfer, disposal, or destruction of Personal Data.
As a marketer, you are probably aware of the new requirements on data privacy compliance. But have you considered how it might affect your campaign?
Data privacy compliance entails continual awareness of the risks that arise in relation to personal data, and an ongoing commitment to measure your current privacy practices against those risks. It is a process, not a one-time check: a review you did once, top to bottom, tells you nothing about the systems, vendors and staff you added since.
Are you committed to data privacy compliance? Not just because the EU says you have to be, but by building a culture of data privacy that is designed into your organization. There are multiple ways you can approach privacy compliance. Each of these involves your company taking actionable steps towards implementing privacy compliance measures.
Here are some tips for organizations looking to become compliant.
Things that can help you with becoming compliant
Understand Where your Data is Stored
If you want to make sure your company is complying with the GDPR, start by understanding where your customers’ data is stored.
That may sound obvious, but it’s not. The GDPR doesn’t require you to know everything about your data, but it does expect you to be able to say what personal data you hold, why you hold it, where it is stored, how long you keep it and who has access to it (its Article 30 records of processing activities are essentially this inventory). And that can be surprisingly hard to figure out.
If your company uses cloud services, figuring out where your data is stored is not as straightforward as you might think. For a single app or service you can usually work it out: you sign up, and the hosting region is listed on the provider’s website or in its help docs. But then there are the apps running on top of the cloud provider’s platform, and the apps that call APIs provided by the cloud provider, each of which may copy, cache or log the same data somewhere else.
Few organizations know how many different services they use in total, and it is easy to get lost trying to follow every copy of the data back to its source. Start with an inventory of systems and vendors, and for each one record what personal data it holds, in which region, and who the sub-processors are.
If you are a business and you produce digital services, make sure you know in which geographical region your customers’ data is stored, and that you have a lawful basis for moving it anywhere else.
Data protection laws vary by country. The GDPR does not require data to stay inside the EU, but it does restrict transfers of personal data outside the EEA to countries that lack an adequacy decision unless safeguards such as standard contractual clauses are in place, and some other jurisdictions do impose data localization rules that require certain data to be kept within their borders. If you do not comply with these rules, you can be fined or sanctioned by law.
Know Who has Access to your Company’s Data
We are living in a data-driven world, so it is important to know who has access to your company’s data. This information lets you verify that your employees are following your data security rules and that the access they hold is no wider than their job requires, so that this kind of information does not fall into the wrong hands.
The first step is to create a clear report on who has access to what information.
Data discovery and access auditing tools can scan your company’s file shares and databases for places where sensitive information appears, and list who has permission to those files. Such scans are typically scheduled to run automatically every night, so keeping the report current takes little ongoing effort once it is set up.
Access auditing produces an “audit trail”: a log of each access to a sensitive file, recording the account that accessed it, the program that did so, the action taken (read, copy, delete) and when. Because each entry names the account, you can spot access from accounts that have no business reason to touch the data; because it names the program, you can check whether some piece of malware copied out your data without your knowledge. One caveat: an attacker using a stolen password shows up in the trail as that legitimate user, so review the process, time and volume of access as well as the name.
The second step is to identify any weak points in your company’s security system. The third step is to find out whether this lack of security can be fixed fairly easily.
Make sure you repeat the first three steps periodically, as you may find that some new employees were granted more access than their role needs, or that some parts of your system need improvement.
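The three steps above (report who has access to what, find weak points, check they are fixable) can be run as a script over a file inventory, a permissions snapshot and an audit log. The following is an added example written for this article, not a tool the article describes; the file paths, account names, process names and audit log lines are all constructed for illustration, and the log format is an assumed one that a real tool would replace with its own. It reports the access matrix for each file classified as holding personal data, flags accounts that hold permissions but are not on the approved list (a new hire with too much privilege), and flags audit events where an approved account touches the data through an unexpected process, which is the case a name-only review would miss.

```python
"""Access review over a constructed file inventory, ACL snapshot and audit log.

Added example for this article; not from any product. Every path, account,
process name and log line below is constructed, and the log format is assumed.
"""
from dataclasses import dataclass

# Constructed inventory: files that hold personal data, with the accounts and
# service processes that are approved to access each one.
SENSITIVE_FILES = {
    "/srv/crm/customers.csv": {"accounts": {"alice", "bob"}, "processes": {"crm-export"}},
    "/srv/hr/payroll.xlsx": {"accounts": {"carol"}, "processes": {"payroll-batch"}},
}

# Constructed ACL snapshot (what a permissions report would show today):
# path -> set of accounts currently granted read access. "dave" is a new hire.
CURRENT_ACL = {
    "/srv/crm/customers.csv": {"alice", "bob", "dave"},
    "/srv/hr/payroll.xlsx": {"carol"},
}

# Constructed audit log. Assumed format: "<timestamp> <account> <process> <action> <path>"
AUDIT_LOG = """\
2024-05-01T02:10:03Z alice crm-export READ /srv/crm/customers.csv
2024-05-01T02:11:47Z dave  explorer.exe READ /srv/crm/customers.csv
2024-05-01T03:02:11Z carol payroll-batch READ /srv/hr/payroll.xlsx
2024-05-01T03:05:29Z carol curl.exe COPY /srv/hr/payroll.xlsx
2024-05-01T04:40:00Z bob   crm-export READ /srv/other/notes.txt
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "excess_acl", "unapproved_account" or "unexpected_process"
    path: str
    who: str
    detail: str


def review_acls(sensitive=SENSITIVE_FILES, acl=CURRENT_ACL):
    """Step 1: compare today's permissions with the approved list per sensitive file."""
    findings = []
    for path, policy in sensitive.items():
        for account in sorted(acl.get(path, set()) - policy["accounts"]):
            findings.append(Finding("excess_acl", path, account,
                                    "granted access but not on the approved list"))
    return findings


def parse_audit_log(text):
    """Parse the assumed whitespace-separated log format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, process, action, path = line.split()
        events.append({"ts": ts, "account": account, "process": process,
                       "action": action, "path": path})
    return events


def review_audit_trail(events, sensitive=SENSITIVE_FILES):
    """Step 2: flag accesses to sensitive files by unapproved accounts, and accesses
    by approved accounts through unexpected processes. A stolen password makes an
    attacker look like the legitimate user, so the process is checked too."""
    findings = []
    for ev in events:
        policy = sensitive.get(ev["path"])
        if policy is None:
            continue  # file is not classified as holding personal data
        detail = f'{ev["action"]} via {ev["process"]} at {ev["ts"]}'
        if ev["account"] not in policy["accounts"]:
            findings.append(Finding("unapproved_account", ev["path"], ev["account"], detail))
        elif ev["process"] not in policy["processes"]:
            findings.append(Finding("unexpected_process", ev["path"], ev["account"], detail))
    return findings


def access_report(sensitive=SENSITIVE_FILES, acl=CURRENT_ACL, log=AUDIT_LOG):
    """Who-has-access-to-what matrix plus all findings from both reviews."""
    return {
        "access_matrix": {p: sorted(acl.get(p, set())) for p in sensitive},
        "findings": review_acls(sensitive, acl)
                    + review_audit_trail(parse_audit_log(log), sensitive),
    }


if __name__ == "__main__":
    report = access_report()
    for path, accounts in report["access_matrix"].items():
        print(f"{path}: {', '.join(accounts)}")
    for f in report["findings"]:
        print(f"[{f.kind}] {f.path} {f.who}: {f.detail}")
```

On the constructed data this yields three findings: dave holds an ACL entry he should not have, dave reads the customer file through explorer.exe, and carol, who is approved for payroll, copies it with curl.exe rather than the payroll batch job. The third is the kind of event that answers the "is it easy to fix" question differently from the first two: the fix is not a permission change but an investigation.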
Make sure you have the right people and policies in place to deal with requests for personal information and data breaches
Strengthening your company’s security, and doing everything you can to protect the privacy and security of your users’ information, is a critical undertaking.
One of the most important pieces of advice we can offer is to make sure you have the right people and policies in place to deal with requests for personal information and data breaches.
Your team should include a designated point person who is responsible for ensuring that requests are handled correctly: requests from individuals exercising their rights over their own data (under the GDPR a subject access request must normally be answered within one month), and requests from law enforcement and government regulators. You should also have a written policy about how to handle each kind of request. Finally, it’s good practice to seek counsel from an attorney with experience handling these kinds of requests.
If you are an online business, particularly one that deals with financial transactions, it’s extremely important to make sure you have the right policies in place regarding personal information and data breaches. Even if you don’t store any personal financial information about your customers, you may well store information about them that could be used for identity theft: their names, addresses, phone numbers, email addresses, and so on. Under the GDPR, a personal data breach must normally be reported to the supervisory authority within 72 hours of becoming aware of it, so the policy needs to name who decides and who reports before a breach happens, not during one.
The US Federal Trade Commission (FTC) has issued updated guidance on data security, including data breach notification. The new guidance takes into account the expansion of interconnected networks, the rise in connected devices, and the use of cloud computing.
The FTC stated that businesses should have a comprehensive written information security program in place. It said that organizations should identify vulnerabilities and threats, assess the existing risks and weigh the cost of implementing controls against those risks, and use the result to create a written information security policy that is updated regularly.
The FTC also said that businesses should have a process for evaluating personal data collected from customers or collected about employees to ensure that it is collected for legitimate purposes. It also advised businesses to establish policies on retaining collected data, limiting access to collected information, and ensuring collected information is up-to-date and accurate.