Aug - Sept 2021

· Governance: There should be a culture of compliance, accountability and ownership of policies, combined with a tone at the top that supports data protection and compliance initiatives.

· Privacy Operations: The program should not only include a Global Privacy Office but should also involve supporting business units and operations that support privacy needs. This is a good area to consider outsourced operations and technology to drive down cost.

· Privacy by Design: Each process and system that collects, stores and/or uses personal data should be designed with privacy in mind: preventative rather than remedial, privacy as the default setting, privacy embedded into the design, full functionality despite increased privacy controls, end-to-end security, and visibility and transparency for the users.

· Notice: Ensure that public notices describe how the organization collects, uses, retains and discloses personal information. It is critical that the organization follows the guidelines it publishes.

· Consent Management: The organization's websites or apps should empower the individual to give consent when information gathering is required.

· Rights Requests & Complaints: Under many laws, such as the EU General Data Protection Regulation (GDPR), you are required to allow individuals to gain access to or request deletion of their personal records. Additionally, the organization must allow individuals to file a complaint if they suspect that their individual rights have been violated.

· Data Management: At the core of any good data protection program is data management. A holistic data protection program's data management platform should ensure that the company can identify personal data sources located on its systems and where the data goes (inflows and outflows); that it builds upon the stated privacy policies and communicates uses of data; and that it can be monitored to ensure appropriate data classification schemas and retention programs are in place. Additionally, the data should only be used for its intended purposes and should have a legitimate reason for being stored for a certain period.

· Data Security: Handling personal data, and the controls implemented to protect it, is essential to any good data protection program. Remember to ensure that appropriate access controls, encryption, data loss prevention strategies and appropriate authentication mechanisms have been implemented, and always map them to the required data security laws and regulations.

· Incident Management: Incident response is a critical element of any data protection program. Without a sound incident response program, it is likely that the organization could be fined as a result of poorly managing an incident. This program not only requires a strong investigative and forensics team; it also requires a sound communications plan, a crisis management team and incident notification capabilities.

· Vendor Management: Data that flows to third parties should be reviewed, and the practices those vendors employ are extremely critical to fulfilling the organization's holistic data protection program. Consider how data is handled when it is collected, stored or analyzed by a vendor.

· Training & Awareness: If your employees don't understand their responsibilities, then it is likely the program will fail. Train team members regularly, especially those who handle personal information, and regularly communicate regulatory changes so each associate understands the company's obligations.

· Regulations & Change: Managing change is a challenge for any organization; monitoring regulatory changes is even more challenging. Build a program that implements monitoring on a regular basis and consider employing outside resources (technologies, service providers, consultants) that can track and manage your new obligations.
At the core of any program will be the organization's ability to manage, maintain and govern personal data to ensure that it is protected and accessible. Once the holistic program is developed, the company can consider taking a cyclical approach to complying with varying regulations. Often companies approach regulations from a linear perspective (e.g., GDPR, then CCPA, then PIPEDA) rather than as cyclical maintenance (e.g., identify regulatory changes, review the current status of the privacy program, create or update as needed). The combination of a holistic program and continuous monitoring allows the organization to better manage an individual's rights, comply with regulations and laws, and respond to potential incidents.