January 28th marks Data Privacy Day, which for us here at Coretek, means that we spend the week reiterating the value of building privacy considerations into all that we do for ourselves and our customers.
Data Privacy Day began in Canada and the United States in January 2008 as an extension of Data Protection Day in Europe, which commemorates the signing on January 28, 1981 of Convention 108, the first legally binding international treaty on privacy and data protection.
Data Privacy Day serves as an essential reminder to ensure that we safeguard personal information, both in our professional and personal lives. Unfortunately, data privacy is often overlooked until our personal data becomes a target of compromise, or worse, has already been compromised. Below we detail five tips to enhance data privacy at your organization and start your journey to building and maintaining a culture of privacy awareness.
Data privacy is important, but what does it mean for your business to maintain a culture of privacy? You must know every area of the business where data privacy applies and which data privacy regulations your organization is subject to.
Although these are not the only questions an organization should ask itself, they will help you understand your business better. Once you know how your business intersects with data privacy, you can determine where your privacy gaps are and what you need to put in place to mature your privacy practices. If you need help with this process, reach out to partners with experience in data privacy for business.
The next step in building a culture of privacy is to get executive leadership to buy into it. If business decision-makers are not informed about why privacy considerations and regulations (HIPAA, GDPR, etc.) are relevant to the business and the services it provides to its customers, it will be difficult to establish a privacy-focused culture.
When executive leadership values privacy at the organizational level, it instills a culture of privacy awareness from the top down, which is far more likely to succeed than one driven from the bottom up alone.
Developing a plan for how your organization will cover the many components of privacy training is crucial. It is essential to understand that Privacy Awareness is different from Security Awareness, although the two intersect in many ways. The key difference is that Privacy Awareness Training focuses on the importance of the data that needs to be protected and on the requirements your company may be subject to (HIPAA, GDPR, etc.), so that privacy protections and access rights are taken into consideration. Security Awareness Training, by contrast, spans a broad range of topics relating to confidentiality, integrity, and availability (the CIA Triad), physical and logical access, social engineering tactics, detecting malware, and so on. All of these factor into securing the data your organization is responsible for, but they may not teach your employees how to handle personal data or why it matters.
It is valuable to know whether your organization processes Personally Identifiable Information (PII) or Protected Health Information (PHI) for itself or for customers, and whether your company will receive requests from consumers to access the data you hold about them. By creating privacy awareness training that covers topics such as recognizing and routing Data Subject Access Requests (DSARs), you can chip away at the knowledge gaps and begin to mature your privacy practice.
Once you understand how your business intersects with privacy, have the buy-in of your executive leadership team, and have designed a training program, your organization is officially on the way to building a culture of privacy awareness and privacy champions. But what is a 'privacy champion'? A privacy champion is not necessarily a designated role; it is a mindset that employees develop over time, one that lets them identify potential privacy concerns and areas for improvement in existing privacy practices.
How do I know if our organization is 'privacy aware', or whether we have individuals who might be 'privacy champions'?
Finding out might be easier than you think. Ask yourself:
Ensure privacy is at the forefront of discussions, project plans, and implementations by considering the seven principles of Privacy-by-Design, as articulated by Ann Cavoukian: proactive not reactive (preventative, not remedial); privacy as the default setting; privacy embedded into design; full functionality (positive-sum, not zero-sum); end-to-end security (full lifecycle protection); visibility and transparency; and respect for user privacy.
When an organization incorporates these seven principles of Privacy-by-Design, employees and customers gain assurance that the privacy of their data is taken seriously.
We have included some additional resources about Data Privacy Week. If you have any questions, feel free to reach out below.