By Jill Frisby

For many organizations, data privacy is a world of extremes. Consider these two common scenarios:

  • Company A has an information security program that is practical, but not effective. Although the program doesn't impede the organization's ability to do business and carries minimal costs, it has been proven to be ineffective by either a regulatory audit or a data security breach.
  • Company B has an information security program that is effective, but not practical. The program is stringent and, as such, meets regulatory guidelines and protects data. The business functions, however, feel that the program impedes their progress; some units even consciously perform activities that the program prohibits because they perceive it to be a roadblock to their goals.

Somewhere between these two extremes lies Company C, which has an information security program that is both practical and effective. The program operates in a sensible manner that protects sensitive business and customer records without imposing unreasonable or costly requirements on the business units that it serves.

Practical does not mean accepting an unreasonable risk of data loss, and effective does not mean a cost the business cannot bear. A practical and effective information security program safeguards data by first understanding how the business uses it and then selecting controls that protect it in that context. It also empowers employees across the organization to identify data protection issues and help develop appropriate solutions.

Five Tested Strategies
For companies struggling with this information security tug-of-war, there are five proven strategies for striking a balance between the practical and the effective:

   1. Start with a top-down privacy risk assessment. The first step in developing any good risk management program is to assess which risks need to be managed and how they affect the business. Completing a risk assessment can be daunting, but if you start with the organizational units and work down to the data itself, you gain a more complete understanding of how private data is managed throughout the enterprise. Here are some guidelines for conducting a top-down risk assessment:

      - Identify all relevant business units and processes. For each process, develop a general understanding of what private data it uses and how. Processes that do not touch private data can be removed from the scope of further analysis.

      - Identify all information assets associated with each process. An information asset may be an application, a hardware device, removable media, paper documents or a set of files. Determine how significant a breach of the data in that asset would be, based on the volume and type of information it holds.

      - Confirm the controls in place to protect each information asset, and whether they are appropriate. Identify assets whose data is not properly controlled, and recommend remediation for those control gaps.

      When organizations start their privacy risk assessment from the bottom up, they risk giving equal weight to all data and, as a result, creating a privacy framework that is costly and difficult to implement. For example, if an organization begins by assessing individual disks or database fields, the first solution proposed is likely to be "encrypt the data" or "eliminate remote access to it." If the business process requires that data to be transferred into other applications, or accessed by third-party vendors, a control chosen without that context will prove impractical.

      In other cases, the way data is used in the business process can make a particular control ineffective. For example, if the desired control required all paper forms containing customer data to be kept in a locked file cabinet at all times, but the business process required transporting those forms from office to office, the control would be both ineffective and impractical.

      By performing the risk assessment from the top down, organizations can avoid these problems while creating information security programs that are practical, yet effective.

   2. Obtain senior-level buy-in. This is a key requirement for the success of any data privacy program. Too often, organizations spend money on, and dedicate resources to, information security programs that middle management and employees ignore because senior management visibly does not support them. In other cases, senior management fails to define what level of risk it considers acceptable and, as a result, the company spends too much or too little on information security.

      Establishing the appropriate "tone at the top," and developing a corporate culture that places high emphasis on protecting information assets, will help ensure that employees follow the desired policies and procedures. Involving senior management will also help the information security function make sound decisions that align with the company's risk posture.

      In addition, middle managers play an integral role in enforcing data security standards. Organizations may send them to specific training or provide checklists for departmental self-assessment. This prepares them for appropriate policy enforcement, which may even include inspecting trash bins to confirm that employees follow the shredding policy, and checking desks to confirm that sensitive documents are secured, computers are locked and passwords are not written down in plain sight.

   3. Appoint a data privacy "champion" who has sufficient technical knowledge. Every major organizational initiative needs a champion or chief coordinator who can act as a subject matter expert. Management should appoint an information security officer, manager or equivalent who receives appropriate resources to manage the program.

      The information security officer should develop a strong network of consultants, peers and professional organizations, such as the IAPP, on which to rely for support. Continuing education and participation in industry conferences about information security and privacy should be ongoing requirements so that this individual is able to keep pace with the latest threats, vulnerabilities and safeguards.

   4. Communicate with all employees. Even the most skilled security professionals cannot control every aspect of their data privacy programs. Employees need to be enabled to implement the security program and propose changes if it is not effective.

      For example, while the information security officer can contract for document shredding, place receptacles throughout the facility and establish a policy on document destruction, each employee must make a conscious choice to place documents in a shred bin. Managers must monitor how employees dispose of documents. Employees, in turn, should feel enabled to escalate questions, such as how to dispose of disks containing sensitive data.

      When employees feel empowered to implement and assess the program in this way, information security officers can help provide appropriate solutions.

   5. Validate program effectiveness through independent testing. Once a data privacy program has been developed in line with objectives, supported by senior management, disseminated in a top-down fashion, led by a skilled champion and communicated to employees, it must be tested. Management should seek an independent analysis to identify areas where the program should be expanded or where it has not been implemented effectively.

      This testing must occur periodically, and high-risk program components should be examined at least annually. Without such testing, there is no evidence that the program works as designed rather than merely as written.

Striking a Balance
Striking an appropriate balance between practical and effective will, at some level, be a continuous process of information security risk management. By completing an effective risk assessment and developing a baseline program aligned with business objectives, management will be poised to make appropriate decisions as new information security challenges arise.

By becoming aware of the pitfalls of ineffective and impractical programs, organizations can avoid common mistakes and develop an information security program that is respected, is followed and helps prevent costly disclosure of information.

Jill Frisby is a manager concentrating on data privacy issues with Crowe Chizek and Company LLC, a major accounting and consulting firm. She can be reached at 630.575.4317 or jfrisby@crowechizek.com.

