From the course: Creating a Culture of Privacy

Assessing your current privacy program

- So you want to create a culture of privacy, but first you have to get the basics right. So let's talk about how you do that. First, identify someone in your organization who is passionate about the issue of privacy. They will need a strong understanding of the various laws and regulations your company will need to comply with. If your organization already has someone designated as the chief privacy officer or head of privacy, then you're already well on your way. But if you do not already have someone in this role, it's important to find someone higher up in the organization who is able to serve as the company champion of privacy. He or she will make sure privacy is considered when key decisions about the company strategy or products are being made. This person may sit in legal or your compliance arm; they need to be senior enough to get folks to listen. They need the resources to build a program and need to be held out as the one single point of contact in your company to answer all privacy questions. So step one: make sure you've got someone in charge.

Second, take a look at your documentation. You should have a privacy policy that tells your customers how you handle the data you collect about them. In addition, you should have a data breach plan that can be put into action should the worst-case scenario occur. And in reality, as most security and privacy folks will tell you, a breach is not a matter of if but when. In addition to these basics, if you're doing business in Europe, Asia or Latin America, there will be other documents you're going to need to put in place as well.

Third, think about your employees. You should also have a privacy notice in place that tells your employees what data you collect from them, how you use it and who you share it with. Make sure they understand their rights with respect to the emails, photos, and other personal items they may have on their company-owned devices, as opposed to the company's right to access this data in the event of a lawsuit or investigation.

Fourth, if you haven't already, conduct a gap assessment. Find out where personal information exists in your organization, how it is being used, what controls are in place and how data is currently being handled. There are multiple vendors that offer this type of gap analysis, and this is a good first step in gaining objective data about your company's level of compliance. This will help build awareness and support amongst the senior leadership for advancing your privacy program.

Finally, you need to make sure you have a process in place for reviewing and documenting privacy risks within your organization. Oftentimes companies require all products to be reviewed by a team of lawyers before they can be shipped. You can add privacy to the list of issues those lawyers should be reviewing. You then want the teams to document those decisions so if a new product blows up in the press or a regulator ever comes knocking, you can go back and explain how your company thought through the privacy risks.

So let's review the key things you need to have to get the basics right. First, you need someone in your organization who is responsible for privacy both externally and internally. Second, you need to prepare documentation outlining your policies and procedures with respect to privacy. Third, you should also have a privacy notice in place that tells your employees what data you collect from them, how you use it, and who you share it with. Fourth, you need to conduct a gap assessment. And finally, put a process in place for reviewing products to ensure they have been designed with privacy in mind.