By Yves Le Roux
ISACA, as a champion of Data Privacy Day, has issued the following advice for businesses:
Trends and technologies, from the Internet of Things and wearable devices to big data and mobile apps that monitor health-related information, are bringing privacy issues to the forefront. Data Privacy Day is a reminder that enterprises need to be thinking about this issue and taking key steps such as:
1. Assign someone to be responsible for your privacy issues. Appoint a chief privacy officer or, at minimum, designate someone as the person responsible for privacy in your organization.
2. Know what personally identifiable information your organization collects and retains about your customers and employees. Take a data inventory so you know where the information is stored.
4. Disclose personally identifiable information to third parties only for the purposes stated in your privacy notice. Be sure you have the individual's consent, whether implicit or explicit, for that disclosure.
5. Create a privacy-friendly environment. Make sure your employees understand why it is important to protect personally identifiable information and the risk to the organization if they don’t.
6. Address all privacy-related laws and regulations that apply to your business. Even if you do not have a physical presence in a state or country, you may be subject to its privacy regulations. Know where your customers are located.
7. Train your employees to protect the privacy of personally identifiable information. Implement a privacy training program for all employees that includes information sessions, posters, emails, etc., on the importance of keeping personally identifiable information secure, both in and out of the office.
8. Provide a process for individuals to make complaints. Give customers an online form or email address for communicating their privacy problems or concerns. If problems arise, deal with them efficiently and effectively.
9. Create an incident-response plan. Privacy breaches can occur despite your best attempts at prevention. Creation of an incident-response plan enables you to respond promptly.
10. Consider having a privacy audit performed by an outside trusted entity. Hire someone knowledgeable in privacy, such as someone who holds the Certified Information Systems Auditor (CISA) credential.
About the author
Yves Le Roux is chair of ISACA’s Data Privacy Task Force.