Sage Advice - Cybersecurity Blog

4 Steps to a Privacy Initiative Roadmap

Digital privacy is an evolving, hot topic in the world right now. With the rise of ecommerce, digital marketing, online offers, and smart devices, it’s extremely difficult not to have your personal information – whether that be transactional information or information that defines you – out there. But what if we thought about it from the standpoint of your business? How can you make sure your organization is protecting individuals’ data and using best privacy practices? Let’s delve into how you can create a privacy initiative roadmap for your organization.

Step 1: Commit to it

The first step in creating a privacy initiative roadmap is committing to creating trust in your audience by protecting the data you collect, use, and store. The first part to commitment is deciding that you want to honor the standard (and recommended) privacy principles outlined by the Organization for Economic Cooperation and Development (OECD), and adopt them as a basis for a privacy policy.

Among the important principles are practicing transparency with individuals about how you’ll be using their data and being able to give them that information if they ask for it. Another important principle that all organizations should follow is the accountability principle, meaning that your organization’s data controller should be held accountable for complying with the privacy principles and the measures that support them.

Part of committing to creating a privacy initiative roadmap is embracing privacy by design, meaning that privacy should be thought about, or even come as second nature, in all business objectives and efforts. You want to make sure that you’re communicating the privacy policy to all internal and external stakeholders. Privacy by design, a written policy, and buy-in from all employees will not come on day one, so create a timeline for your commitments and the rest will follow methodically.

Step 2: Create a Privacy Threshold Assessment

Take inventory of everything that involves your data. Privacy Threshold Assessments (PTAs) are a great tool meant to help organizations create and assess privacy documentation requirements of business activities, such as procedures around storing personal information and email marketing.

To create a PTA, you should first figure out what data you’re currently collecting, such as credit card information, birth date, phone number, gender, habitual patterns, survey answers, and data being collected from your app (e.g., location services). The list is long, and those are just a few examples of data that is easy to forget you’re collecting.

Next, analyze why you’re collecting it and how it’s being used. Is the information you collect being sold or disclosed to any third-party vendors you’re working with, and does the data source know about it? Has the individual given consent to receive promotional emails from your organization? If the information is no longer relevant or you know it will never be used, simply get rid of it. You also must think about regulations and policies that pertain to the data you’re collecting and what it’s being used for.

Creating a PTA is all about digging deep into all the information your organization may be collecting on an individual – which is easier said than done, and most likely will take a lot of research depending on the depth and breadth of your organization’s offerings, promotions, or nature of the business (like a municipality or hospital).

Step 3: Put protection mechanisms into place

Once you’ve developed a PTA, you must put the appropriate protection mechanisms into place to keep your data safe. This is where having a strong cybersecurity program comes in, and includes things like:

  • Automated hardware and software tools like firewalls and antivirus;
  • Intrusion detection and intrusion prevention mechanisms;
  • Having a reliable threat detection service such as Tyler Detect;
  • Training employees on social engineering tactics;
  • Creating a cybersecurity culture in the organization by training people, creating processes around security and privacy, and applying those processes to the technology;
  • Keeping your data confidential and only available to those who need to see it; and
  • Assuring the integrity of your data and making sure it’s never manipulated or forged.

Having multiple layers of protection and defense mechanisms is crucial not only to developing a strong cybersecurity program, but also to protecting the sensitive customer and prospect data you collect daily. Start by implementing a few of the tools and trainings listed above.

Step 4: Comply with your policies and applicable laws and regulations

When creating a privacy initiative roadmap, you must think globally even if your customers and prospects are mostly from the United States. Laws like GDPR and CCPA apply to certain geographical areas, and chances are good you have collected some data from individuals residing in those areas, even if you may not be aware of it. Ensuring that you comply with these laws will not only give you a strong privacy practice, it will also prepare you for laws that are likely to start cropping up in the areas where you do, in fact, do business.

Sector regulations may also affect how you treat privacy. In the financial industry it’s the Gramm-Leach-Bliley Act (GLBA), and in the world of healthcare it’s the Health Insurance Portability and Accountability Act (HIPAA). While you must comply with those, they don’t account for the full privacy plan, because they only cover transactional and discrete data sets, and you are probably collecting more data than those regulations protect.

Finally, it’s important to practice what you preach. Make sure you have all levels of the organization on board with the privacy policy, and always remember to have the most ethical plan. Once your privacy initiative roadmap is developed, ensure that teams maintain ongoing compliance so that you can further develop your best privacy practices. Eventually, they will become mature and ingrained in your organization.


Topics: Privacy
