You think your job is done.
- The privacy department should work with internal audit to periodically assess employees’ compliance with policy.
- Make sure that you have a contract or consent terms in place any time the company shares PII with a third party. Keep an organized file of these agreements.
- Do not collect SPI such as Social Security numbers or someone’s personal financial information unless it is completely necessary. Securely destroy this information when it is no longer needed.
- Develop an education campaign to raise privacy awareness and encourage best practices. Give presentations, send periodic emails, and use visuals around the office such as posters, tent cards and flyers to catch employees’ attention.
But why should you go through all this trouble if a policy is already in place?
Because failure to protect a customer’s PII could result in costly litigation, both in terms of time and money. The company will also suffer considerable reputational harm if a data breach occurs, especially if there isn’t an adequate response plan in place. Finally, according to the Ponemon Institute, employee negligence accounts for 36 percent of all data breaches, and the average cost of a data breach is $3.8 million, representing a 23-percent increase since 2013.
Remember, a policy is only as effective as its enforcement. Without proper enforcement, the policy is just a bunch of nice words.