Navigating the Privacy Hodgepodge
Posted 2013-04-01
No single privacy law blankets the country. Instead, there is a crazy quilt of laws with which every organization doing business in the U.S. must comply.
Complying With Relevant Laws
Organizations must ensure that they maintain data privacy plans and policies that comply with relevant laws for their industry. ISACA, a professional association focused on IT governance, offers the following guidelines for enterprise data privacy plans and policies:
· Know what sensitive customer data or PII your organization collects and retains and where it is stored, and ensure that the most appropriate controls are in place.
· Develop an incident-response plan for potential privacy breaches to help your organization respond promptly.
· Ensure that company policies and plans are clearly written and enforceable; they should address issues related to the collection, use, disclosure, retention and disposal of PII.
· Make sure employees throughout the company understand why it is important to protect PII and the risks to the organization if they don’t.
· Train employees to understand how they can help protect PII and reinforce the training program with regular information sessions and notifications on policy or plan updates.
· Assign privacy and data protection policy to a designated person, such as a chief privacy officer, who should also be responsible for monitoring relevant privacy legislation.
Involvement of the board of directors is also recommended to ensure that proper controls are implemented. The board should govern the overall process by directing, monitoring and evaluating the organization’s overarching privacy vision and requirements based on the business needs. Executive management and all employees involved with privacy-related information should focus on management: planning, building, running, updating and monitoring privacy controls.
To address the broad array of privacy issues that vary across different areas of a business, organizations should consider developing guidelines by consulting a comprehensive business framework, such as ISACA’s COBIT 5. By leveraging the enabling processes in such a framework, the team responsible for data privacy will know they have addressed the complex mix of privacy-related requirements, benefits, risks and resources.
This issue becomes considerably more complicated for organizations conducting business outside of the United States, or for non-U.S. companies seeking to do business here. Those companies need an even more rigorous process and structure for monitoring regulation and ensuring compliance — a situation in which a comprehensive business framework is more important than ever.
No internal policy or control will eliminate the array of federal and state laws, of course. But such policies do provide a way to make sense of what is required by law, desired by consumers and expected by your board of directors.
Jeff Spivey is international vice president of ISACA, a professional association focused on IT governance, and vice president at RiskIQ.