With all the different legislation either already enacted or being enacted in different jurisdictions, organizations may find it difficult to determine what they need to do to ensure they meet the requirements. However, there are privacy best practices that can be put in place to help organizations be better prepared to meet the obligations.
In this article we will look at some of those best practices.
Let’s look at some data protection best practices that will help an organization adapt to the requirements of privacy laws.
1. Identify personal information that is created, received, and shared
Identifying person information is a common obligation of privacy laws. This involves tracking the flow of personal information across and through different applications. It also includes where the personal information is stored and with whom the information is shared with. In simple terms, organizations need an inventory of the information they have, why they have it and what it is being used for.
As we mentioned earlier, personal information includes any information about a person that makes the person identifiable including things like a person’s email or mobile number or even subjective information like evaluations or comments. The Office of the Privacy Commissioner of Canada (OPC) gives some good examples of what constitutes personal information.
2. Ensure personal information is secure both internally across the organization and externally to protect against breaches or unintentional disclosure
Locking down databases where personal information resides is only the start of ensuring the security of the personal data. Many organizations don’t think about other areas that the data may reside. Examples include the personal data in emails, customer lists on employee laptops, backups in the cloud. Organizations need to ensure they think about security at all levels of an organization with layers of security that mitigate risks.
Protecting the data internally is crucial but organizations need to also work with any third party partners they engage with to ensure that they have the privacy policies, processes and security in place that meet the personal information requirements.
3. Ability to respond to requests from people regarding their data and who the data is being shared with
Organizations need to have a system in place that can gather the information being requested across the organization. For example, customer service may have some data on that person while accounting may have other data on that same person. Unfortunately, not providing the correct information to the requestors may lead to penalties and fines therefore, organization need to consider these areas when setting up their systems.
4. Create processes for producing personal information reports
A common requirement of privacy laws is allowing people to get a copy of the data they requested in a simple format. Therefore, the system developed to gather the personal information should also have the capability of generating a report with all the information for people who request a copy of the data.
5. Develop a process for deleting personal information
Another common requirement across many privacy laws is the right of a person to have personal information deleted or anonymized. The challenge for organizations is to ensure that they don’t delete or anonymize information that is required to comply with other laws in their specific industry. For example, organizations in the healthcare industry may have specific requirements when it comes to data. When looking at deleting personal information, organizations should consider what data they require for their success as well as what data needs to be preserved under data retention policies to determine what data can be deleted or anonymized.
6. Personal information data hygiene
As data storage costs have decreased, organizations have had the tendency to keep personal information longer than for the purpose it was designated for. Organizations need to take the opposite approach. Collect only the information needed for the designated purpose and store that information for only as long as the designated purpose is achieved. By doing this organizations reduce their exposure by limiting the personal information collected and the duration that information is retained.
With the various provincial, federal, and global privacy laws tabled or already enacted, organizations may find it difficult to ensure compliance. The above best practices provide a good start. However, to better understand the impact of the privacy laws on your organization, we highly recommend engaging with a legal expert with specific expertise in privacy laws.
IT Service Providers, like MicroAge, can help with your privacy journey by providing services and solutions related to the security, storage, backup, and recovery of data.
Contact us today to see how we can help.
3 Critical Cyber Threats For Businesses in 2019
Malware, vulnerabilities, and social engineering are some of the main concerns for IT security professionals. Although the tactics used to target businesses and individuals are…
5 Benefits of an Optimized IT Infrastructure
Is your current IT infrastructure helping your business thrive in its industry or creating obstacles for growth? If you’re still not using cloud technologies to…
3 Advantages of Using Cloud Infrastructure
Everyone knows that cloud computing is a hot trend, and its adoption should only increase over the next few years. According to one study published…
Top 5 Cybersecurity Myths
The digital world has offered small businesses around the world with numerous options for growth and protection. However, it has also allowed myths and lies…
5 Tips To Avoid Clicking On Suspicious Email Links
When it comes to emails, it can be easy to click on dubious links that install malware or unwittingly share your personal information. For this…