Top 10 Data Privacy Tips for 2014 #DPD14

With privacy breaches and security threats making headlines around the world on a daily basis, it’s becoming increasingly obvious to most enterprises that the personal information and sensitive data they hold is an extremely valuable commodity.

However, when sensitive data is shared inappropriately, whether by accident or breach, the disclosure can have dramatic financial impacts on an organization and erode consumer trust.

The good news here is that this should be highly preventable. So in honor of Data Privacy Day—which will be celebrated this year on Tuesday, January 28—here are 10 tips for improving your privacy and data protection programs in 2014.

1) Know thy business—Take the time to understand what kinds of data your business handles and uses as well as how your coworkers are using your internal systems on a day-to-day basis. Understanding a “day in the life” of your colleagues will help you determine why and how they need to handle this protected data in the course of their daily work. The time you invest in understanding their requirements will pay off in spades as you will be able to craft solutions that meet their specific needs while ensuring compliance with regulatory obligations.

2) What are your “Crown Jewels”?—What kinds of data are you trying to protect? Many companies worry about “dark data” existing across their different communication gateways (be it file shares, SharePoint, social systems, and other enterprise collaboration networks) and enterprise systems. Understanding what this data is and where it lives, and properly classifying it, will allow you to put the appropriate levels of protection in place. For example, many companies apply their security protocols in broad terms, using the same security procedures for everything. However, do you really need to put the same security protocols around protecting pictures from your company picnic as you do toward protecting your customers’ credit card information?

3) Set enforceable policies—Your general counsel’s office and compliance team are tasked with understanding your statutory and regulatory obligations to ensure your company complies accordingly. However, be sure that any policies you set internally can be measured, monitored and enforced. Broad statements such as “we do not allow PII data in Microsoft SharePoint,” without the ability to enforce the policy or measure its effectiveness, are not a sound data protection strategy. It’s like setting a curfew for your teenagers and going away for the weekend. Don’t leave your policies to chance or luck.


4) Make it easier for your end users to do the right thing than the wrong thing—Create policies, rules and IT controls that are sensible and make it easier for your end users to do their jobs effectively with the systems and controls that you want them to use. Don’t set up policies that are so cumbersome and restrictive that your employees are pushed to personal cloud options such as Dropbox and Google Docs. Why? At the end of the day, your employees will do what they need to do to get their jobs done. Help them keep it simple while using the systems you can control.

5) Build bridges, not only walls—Traditional approaches to data security were designed to keep data “inside” your walls and keep intruders out. However, the challenge with that approach is that if you build a 10-foot wall, your adversary can come with an 11-foot ladder. Then, when you come back and build a 12-foot wall, they respond by bringing a 13-foot ladder, and so on. Walls become difficult to sustain and build, particularly when end users are accessing your data anywhere, anytime and from any device. Think about protecting the data itself wherever it resides—use your privacy and data controls to allow your end users to appropriately access data where it lives across these systems.

6) Trust and verify—Trust your end users to appropriately identify and classify sensitive data they are handling and/or creating, but verify that they are doing so. Using a combined or “layered” approach to data classification can ensure that the policies, training and tools you are providing are being properly understood and integrated into the day-to-day tasks of your workforce.

7) Create a pervasive culture of compliance—Many companies conduct annual privacy and security training. However, try to think of ways in which you can build an ever-present sense of privacy and security awareness into your employees’ daily activities. This can be done by using automation to help educate your employees by reinforcing “good behavior” and explaining mistakes as they happen, thereby helping to build in privacy and security by design.

8) Getting to “yes”—Some IT and business professionals working outside of the compliance role believe (fair or not) that privacy is where “IT goes to die” and that security “leads with no.” Most of their counterparts in privacy and security would like very much to change that perception. However, it’s difficult to do so when they are understaffed and often engaged at the end of a project rather than at the beginning. This is not an effective way to build a collaborative team. Instead, it’s important for security and privacy officers as well as general counsel to take the steps we’ve discussed above to partner with their IT and business colleagues in order to gain the sponsorship and cooperation necessary to successfully implement privacy and data protection initiatives.


9) Develop a Service Level Agreement with your colleagues in IT and the business—By implementing a standardized and repeatable process with your IT and business colleagues so that they engage you as a project begins, rather than when your sign-off is the only remaining obstacle to launch, you will be able to provide advice, guidance and approval at every step of the process. Consider using automation to allow your colleagues to request a privacy impact assessment of the systems they are planning to build and deploy. This way, you can provide them with a reasonable estimate and timeline for completion. Your involvement early on will save them from having to make last-minute design changes or decisions with the clock to launch ticking.

10) Reality is perception—It’s not only your chief marketing officer that needs to be thinking about building your company brand. Chief privacy officers and chief security officers need to be able to market their programs as well. People often think of brakes on cars as being designed to stop cars or slow them down. But in fact, when cars were first invented, they had no brakes at all, so you had to drive very slowly. When brakes were invented, cars could go much faster because drivers knew they had a mechanism by which to stop. Work very hard to encourage your IT colleagues and business users to think of privacy and security controls in the same way. Rather than “stopping” the business from doing its job, the proper controls will allow you to realize the full potential of the data you do have, so that you can achieve all of the business objectives you’ve set out to accomplish.

Written By

Dana Simberkoff, CIPP/US

  • Jean Eaton Jan 14, 2014

    Great article, Dana! Keeping the principles of privacy and security in sight, simple language, and accessible at all levels of the organization can create successful strategies. Keeping these Top 10 suggestions in mind on a daily basis will be powerful.
