3 Steps to Address Data Privacy as a Business Problemby Ashley Wong | June 30, 2019
“Cybersecurity is a business problem, not a technical problem.” – Kip Boyle, CEO of Cyber Risk Opportunities, LLC and Author of Fire Doesn’t Innovate: The Executive’s Practical Guide to Thriving in the Face of Evolving Cyber Risks
As a business owner, you may disagree with that statement. After all, the responsibilities associated with data privacy and cybersecurity sit squarely with the technology department – the CTO, software engineers, and IT. Right?
Wrong. In the digital age, an effective data privacy and cybersecurity program is critical to the long-term health and growth of a business. In addition to protecting confidential company information, an effective data privacy and cybersecurity program can protect a company from attempted fraud, help a company to build and maintain trust with clients and customers, and prevent a company from incurring regulatory fines and other costs associated with a data breach.
The following three steps outline the most critical actions a business owner should take in order to build an effective data privacy and cybersecurity program.
1. Know your data and systems.
The first step for any company in building a strong and effective data privacy program is to understand its own infrastructure and the sources of its data. Performing an audit and creating a data map that illustrates the current reality will empower a company’s leadership team to implement effective policies and mitigate the most substantial risks.
- What kind of data is your company collecting?
All data may be valuable to your company, and that alone is reason enough to secure it appropriately. However, security becomes much more important if you are collecting “personal information” (i.e. names, email addresses, IP addresses, and other identifying information) and absolutely critical if you are collecting “sensitive personal information” (i.e. health information, social security numbers, bank account information, credit card numbers, driver’s license information).
- How and from whom is your company collecting data?
A company should undertake to create a data map, identifying all its different sources of data. For instance, you may be collecting information from consumers, business customers, vendors, or suppliers.
- Once collected, where and how is data stored, processed, used, and shared?
In order to guide your company toward data privacy best practices, you must first understand the reality of how your company is handling data. A company must continue to monitor and manage these activities and should regularly review and update its data map.
2. Know your responsibilities.
Once a company has come to understand its infrastructure and the sources and types of data it is handling, it can then begin to view its data and cybersecurity policies through the lens of the various frameworks and contracts that impose obligations on it and on the way it handles that data.
If you’ve been following our blog, you may have seen my recent post “Data Privacy Compliance as a Microsoft Supplier.” In that post, I discuss some of the obligations that a company may unknowingly undertake when signing a contract. For this reason, it is wise to call your legal counsel early and often when negotiating a contract and to be prepared to dig into the details. This time investment will pay dividends in the long term.
Laws and Regulations.
Regulation of data privacy and handling of personal information is ever-increasingly a global issue. In the digital age, companies almost universally operate websites, which can be accessed from all over the world. As such, companies in the U.S. may be required to comply with laws and regulations all over the United States and in the European Union, Canada, and other countries.
- In the U.S., the California Consumer Privacy Act (CCPA) and California Online Privacy Protection Act (CalOPPA) govern the collection and handling of personal information of California residents, while many other states continue to work toward passage of their own data privacy regulations.
- In Canada, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs the receipt of consent when collecting and using data for commercial purposes.
As companies continue to collect more and more data on individuals, these activities will only become more heavily regulated. Companies can stay ahead of this by effectively managing and mapping their data and by engaging with their legal counsel regularly and proactively.
3. Know your people.
While most people associate data security with technical measures, such as encryption and strong passwords, in reality, a company’s employees are often the first line of defense. A well-trained and well-prepared team can be the difference between preventing a breach and responding to one. In order to prepare your team to handle data and respond to fraud attempts appropriately, it is critical to provide regular training, reminders, and notifications on cybersecurity and data privacy best practices. Regular training and communications of best practices with employees will go a long way in ensuring that these matters remain top of mind for those team members who are regularly interacting with customers, handling company funds, and engaging with vendors and other third parties with whom data is being shared. Finally, a company should appoint a team of select management, technical, and legal personnel and create and distribute to this team policies and procedures for responding to and mitigating potential breaches.
This list provides a very high-level roadmap for tackling a very complex and potentially daunting issue. Equinox can assist in this effort by reviewing contracts, providing customized data privacy training your whole team, and advising on data privacy laws, rules, and regulations. To learn more about your company’s responsibilities, contact Equinox or register for our upcoming July Focus event.