MITIGATE YOUR DATA RISKS BY IMPLEMENTING A HOLISTIC DATA PROTECTION PROGRAM
In My Opinion
By Karen Schuler, National Data & Information Governance Leader, and Taryn Crane, Technology & Business Transformation Services Manager, BDO
Aug - Sept 2021 | Page 8

Privacy breaches are on the rise. Most (or all) of you reading this have likely received notice that your personal data has been breached. Some of you may have fallen victim to identity theft. Regardless, it's unnerving when a company notifies you that your personal information has been accessed or stolen by an unauthorized party. In the age of digital transformation, privacy awareness is on the rise and related legal obligations have taken center stage. Thus, a solid privacy and data protection program will help better protect personal information, build a foundation to mitigate data risks and establish trust with data subjects and consumers.

For those in the United States, privacy has been understood as an individual's fundamental right for many years and, in a broad sense, is the right to be left alone. However, information privacy is a newer concept. Information privacy is concerned with establishing the rules that govern the collection, use, disclosure, retention and disposal of personally identifiable information (PII). It gives an individual the right to some control over how their personal information is collected and used, which means that data identification, classification, governance, IT controls and information lifecycle management are critical to mitigating data and privacy risks. When building a data protection program and its associated policies and standards, it is good practice to adopt the Fair Information Practice Principles (FIPPs), a set of guidelines for handling, storing and managing personal information.

FIPPs are organized into four categories and can serve as a foundation for protecting personal data:

· Rights of individuals: the company provides clear notice, choice and consent regarding how personal data is used, and gives individuals the ability to request access to their data.
· Controls on the information: the company ensures a level of care around information security and IT controls, and that the data maintains its integrity and quality.
· Information lifecycle: the company has defined collection practices, uses the data for legitimate purposes, retains data for legal, business or compliance purposes that are aligned with regulations, and destroys data when it should be destroyed.
· Management: the company has a plan to manage and administer its privacy program, can monitor the program to ensure it is meeting its compliance obligations, and can enforce the program's policies.

To build a holistic data protection program, it is important to first determine what the organization considers PII, particularly as it relates to applicable law. Typically, personal information includes name, gender, postal address, telephone number, email address, age and date of birth, marital status, citizenship, and government-issued identification numbers. In certain jurisdictions, PII may also include other information that can reasonably be linked to an individual, such as IP address, location, and other device data. Next, the organization needs to determine what it considers sensitive information, such as health information or financial data. Once those terms are defined, the project team should build its Data Protection Framework.

Above is BDO Digital's Data Protection Framework, which allows an organization to manage individual rights and data protection obligations by looking at the organization's obligations from a holistic perspective. Outlined below is a checklist to get started.