Millions of people are unaware of how their personal data is being collected, used, or shared in an increasingly digital society. As a business, it’s more important than ever to have a data privacy strategy to protect customers and employees and remain compliant with applicable regulations.
In an era of heightened risk and uncertainty, remote workforces, and complex technologies, having effective, accurate, and easy-to-understand policies and procedures has become critical to keeping pace in the developing global regulatory landscape.
Data Privacy and Protection: Why Is It Important?
Data privacy is the set of strategies and processes that focus on how personal data is collected, processed, stored, shared, retained, and destroyed, while data protection focuses on securing the availability and integrity of data and protecting assets from unauthorized access.
A data privacy and protection strategy is crucial for any organization because it aims to provide individuals with transparency, control over their data and how it is used, and to protect personal data from unintended access and use. Without a data privacy and protection strategy, your organization may be more vulnerable to consumer complaints, regulatory investigations and fines, and fraudulent activities like identity theft, phishing, and hacking.
Components of a Data Privacy and Protection Strategy
When developing a strategy, you need to understand:
- The Business: Understanding the business is key to a data privacy and protection program. The more you know about the business, the more you’ll understand the types of data it processes and the level of protection required.
- The Data: Many organizations collect personal data from both internal and external sources. For example, a bank collects financial information from customers. A healthcare organization collects health information. All organizations collect and process personal data of their employees. It’s important to identify the categories of personal data as this will inform various privacy notices, policies, and procedures.
- The Purpose: It’s one thing to identify data, but to understand what the data is and how it serves a purpose in your organization is an entirely different task. This is important when building a data privacy and protection strategy because it helps you populate your personal data inventories and records of processing (where applicable or legally required), identify opportunities for data minimization, confirm that the data collected is proportional to the purpose, and implement appropriate safeguards.
5 Steps to Get Started
Identifying data, how that data is used, classifying the data, and outlining what actions to take with each type of data is key to data privacy. Here are five things all organizations can do to begin or enhance their data privacy strategy:
- Identify where your data is located. It can be a challenging task but identifying where your data is should be the first step in protecting it. Where does all your data live, and where does it go? What types of data exist? Where is it physically hosted? Discovering your data is a foundational task because it informs the rest of your data privacy and protection strategy.
- Identify what your data is. You cannot protect your data without first understanding what you have. After identifying where the data is, the next step is to create a personal data inventory and record what you do with that data. You may also tag the data by classification at this point. Data classification helps to organize the data into groups – most often according to the level of sensitivity – to enable efficient data protection. It’s also important to note that data protection and e-discovery have certain functional overlap. Data investigation is also less burdensome when your data is classified; therefore, the two can be interdependent.
- Determine who has access to the data. Who currently has access to each type of data? This includes internal stakeholders and third-party recipients, such as service providers or partners. Knowing who is receiving or accessing the data and where they are located affects the rules you’re placing around the data and transfers. Certain privacy laws may also require data localization or additional technical, organization, and contractual safeguards to transfer data cross-border.
- Define how you will implement privacy controls. Once you understand your data, you can better customize privacy policies and procedures. For example, you can use your personal data inventory to guide where and how to execute a data subject/consumer rights request. Understanding your business, technologies, and risk profile can also help you create a customized privacy by design program and methodology that embeds privacy controls during the early stages of a project or development lifecycle.
- Implement technical and organizational controls. A data privacy strategy relies upon the implementation of strong security controls. This includes organizational or programmatic controls such as policies, training and awareness, incident response plans, password policies, and technical controls such as encryption, anonymization, logging, multi-factor authentication, and vulnerability detection. One important safeguard for data protection is data loss prevention (DLP), which prevents unauthorized data leakage outside the organization. Once data is classified, the technical implementation of DLP can establish policies for each layer of classification to prevent unwanted sharing. Once implemented, continuously monitor and maintain the policies to stay updated with business needs and regulatory requirements.
Written by Taryn Crane, Mark Antalik and Steve Combs. Copyright © 2022 BDO USA, LLP. All rights reserved. www.bdo.com