
Make sure your privacy program has these 5 vital components

Filed under: Centerpiece, Office Management, Records Retention

According to Mary Ellen Callahan of Jenner & Block, the former Chief Privacy Officer of the U.S. Department of Homeland Security, a company’s privacy program should start with a foundation based on the following:

1. Thorough data inventories. Everything must be accounted for, categorized and follow a firm storage policy.

Email’s constant flow and your staff’s freedom with it will likely make it the trickiest horse to wrangle, and a policy on archiving it will probably inconvenience more than a few workers.

Train everyone beforehand to get into the “each email is a record” mindset, even if they’re still permitted to thoroughly trim their inboxes.

2. A privacy impact assessment. Here’s where you ask all the “W” questions, such as:

  • What are the regulations we must abide by?
  • Who will access the data?
  • Where is it all stored?
  • What’s the financial impact of our program?
  • When will things be destroyed?
  • What are the methods we’ll use to protect it all?

3. A vendor review and certification. Take a hard look at your data vendor and its history.

Trust, but verify. Learn as much as you can about the technology they use that keeps your records safe. Take note especially of how exactly the vendor will notify you if someone is attempting to look at your data—even if they’re on the up-and-up (for example, the government). Also consider how much liability the vendor is willing to shoulder.

4. An incident response plan. Identify the “tiger team” that will go into action if something goes wrong, or even if you just suddenly need to access data in ways you hadn’t foreseen.

A lawsuit might trigger such an event, not just a breach. Long before an unforeseen occurrence, consider what an announcement to customers or clients might look like.

It’s a message you may have never had to consider before, and not enough organizations are ready with one if it is needed.

5. Data loss prevention tools. IT needs to set up triggers to stop data from leaving your network.

If an employee were to send an email containing a social security number, would anyone know about it?

Is there a way to determine who has recently touched any given record?
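The two questions above (would anyone notice an SSN leaving by email, and who touched a record) are what a minimal DLP trigger answers. The following is an added illustration, not code from the article or from any product it mentions; the messages, the internal domain `example.com` and the audit log lines are constructed sample data.

```python
import re

# Constructed sample data for this example; none of it is real.
INTERNAL_DOMAIN = "example.com"

OUTBOUND = [
    {"id": 1, "from": "alice@example.com", "to": "bob@example.com",
     "body": "Payroll update for 123-45-6789, file attached."},
    {"id": 2, "from": "alice@example.com", "to": "vendor@partner.net",
     "body": "Here is the record you asked for: SSN 321-65-4321."},
    {"id": 3, "from": "carol@example.com", "to": "friend@gmail.com",
     "body": "Order 000-12-3456 shipped; tracking to follow."},
]

# Dashed SSN form. Area 000/666/9xx, group 00 and serial 0000 are never
# issued, so excluding them removes the most common false positives.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def find_ssns(text: str) -> list[str]:
    return SSN_RE.findall(text)


def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() != INTERNAL_DOMAIN


def classify(message: dict) -> str:
    """Return 'block', 'alert' or 'allow' for one outbound message."""
    if not find_ssns(message["body"]):
        return "allow"
    # Internal recipient: record it and alert, but don't break payroll.
    if not is_external(message["to"]):
        return "alert"
    return "block"


# Constructed audit log: "<timestamp> <user> <action> record=<id>"
ACCESS_LOG = [
    "2024-03-01T09:12:03Z alice READ record=R-1001",
    "2024-03-01T10:47:19Z bob UPDATE record=R-1001",
    "2024-03-02T08:05:41Z carol READ record=R-2002",
]


def who_touched(record_id: str, log: list[str]) -> list[tuple[str, str, str]]:
    """Answer 'who has recently touched this record' from the audit log."""
    hits = []
    for line in log:
        ts, user, action, rec = line.split()
        if rec == f"record={record_id}":
            hits.append((ts, user, action))
    return hits
```

Run against the samples, message 1 is alerted, message 2 is blocked and message 3 is allowed because `000` is not a valid SSN area number.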

Callahan also reminds us to establish a policy that deals with what happens when someone is caught leaking data—“because it’ll happen on day one” of your program, she says, as uncertain employees accidentally break new and non-intuitive rules.
