The Privacy Advisor | Are You a Completely Green CPO? Here's Somewhere To Start

You’ve just been hired as Company X’s first chief privacy officer. Although Company X has been around for several years, it’s only recently been collecting personally identifiable information (PII). You want to make sure that every employee of Company X knows how to properly handle PII, especially sensitive personal information (SPI). You sit down at your desk to write the most comprehensive internal privacy policy you can imagine. You’ve included rules about collecting PII, limitation of use, sharing PII with third parties, records retention and proper disposal and/or destruction of PII. The board of directors unanimously approves the policy and it becomes effective immediately.

You think your job is done.

Unfortunately, having a policy in place does not guarantee compliance. While you’d love to believe that every employee will always abide by the terms of the privacy policy, that’s simply not the case. Just weeks into your tenure, you notice many troubling things: employees are leaving documents containing SPI unattended at network printers and copy machines, managers forget to lock their computer screens when leaving their workstations, and entire departments are sharing customer PII with third parties without a contract or consent terms in place. So what can you do to make sure that everyone is adhering to the policy? Some tips:

  • The privacy department should work with internal audit to periodically assess employees’ compliance with policy.
  • Make sure that you have a contract or consent terms in place any time the company shares PII with a third party. Keep an organized file of these agreements.
  • Do not collect SPI such as Social Security numbers or someone’s personal financial information unless it is completely necessary. Securely destroy this information when it is no longer needed.
  • Develop an education campaign to raise privacy awareness and encourage best practices. Give presentations, send periodic emails, and use visuals around the office such as posters, tent cards and flyers to catch employees’ attention.

But why should you go through all this trouble if a policy is already in place?

Because failure to protect a customer’s PII could result in costly litigation, both in terms of time and money. The company will also suffer considerable reputational harm if a data breach occurs, especially if there isn’t an adequate response plan in place. Finally, according to the Ponemon Institute, employee negligence accounts for 36 percent of all data breaches, and the average cost of a data breach is $3.8 million, representing a 23-percent increase since 2013.

Remember, a policy is only as effective as its enforcement. Without proper enforcement, the policy is just a bunch of nice words.

photo credit: Tranquil landscape via photopin (license)
