Data Privacy: Advice from ISACA

By Yves Le Roux

ISACA, as a champion of Data Privacy Day, has issued the following advice for businesses:

Trends and technologies, from the Internet of Things and wearable devices to big data and mobile apps that monitor health-related information, are bringing privacy issues to the forefront. Data Privacy Day is an important reminder that enterprises need to think about this issue and take key steps such as:

1. Assign someone to be responsible for your privacy issues. Appoint a chief privacy officer or, at minimum, designate someone as the person responsible for privacy in your organization.

2. Know what personally identifiable information your organization collects and retains about your customers and employees. Take a data inventory so you know where the information is stored.

3. Ensure that your privacy policies are clearly written and enforceable. They should address issues related to the collection, use, disclosure, retention and disposal of personally identifiable information. Do you do what your privacy policy says that you do?

4. Disclose personally identifiable information to third parties only for the reasons stated in your privacy notice. Be sure to have the implicit or explicit consent of the individual.

5. Create a privacy-friendly environment. Make sure your employees understand why it is important to protect personally identifiable information and the risk to the organization if they don’t.

6. Address all privacy-related laws and regulations that apply to your business. Even if you do not have a physical presence in a state or country, you may be subject to its privacy regulations. Know where your customers are located.

7. Train your employees to protect the privacy of personally identifiable information. Implement a privacy training program for all employees that includes information sessions, posters, emails, etc., on the importance of keeping personally identifiable information secure, both in and out of the office.

8. Provide a process for individuals to make complaints. Give customers an online form or email address for communicating their privacy problems or concerns. If problems arise, deal with them efficiently and effectively.

9. Create an incident-response plan. Privacy breaches can occur despite your best attempts at prevention. Creation of an incident-response plan enables you to respond promptly.

10. Consider having a privacy audit performed by an outside trusted entity. Hire someone knowledgeable in privacy, such as a holder of the Certified Information Systems Auditor (CISA) credential.

About the author

Yves Le Roux is chair of ISACA’s Data Privacy Task Force.  
