Privacy is a relatively subjective term in corporate environments. For most companies, contemporary privacy compliance rests squarely on the shoulders of the IT department, as other departments consider privacy to be a technology issue. Let's be practical; how can one department single-handedly manage the privacy compliance of an entire company?
There are many opportunities for IT teams to get lost while addressing the plethora of data protection laws worldwide - such as the General Data Protection Regulation (GDPR) - as well as specific regulations like the Personal Data Protection Act (PDPA) in Singapore. PDPA, for example, imposes obligations on companies around the collection, use, and disclosure of personal data in Singapore. The government has also recently enacted a new mandate for companies to disclose when they have become the victim of a data breach – with harsh penalties for noncompliance.
Adhering to privacy regulations is no longer a marketing hook; it's a serious obligation, and companies can't afford to have an "it-can't-happen-here" approach any longer. To help companies get serious about privacy compliance and accomplish compliance goals, we have compiled six essential steps based on our own experiences.
1. Strict privacy settings by default
Any action that involves the processing of consumers' personal data must be handled with privacy in mind, and companies should enable the most stringent privacy settings by default. For example, removing the tracking code on websites and applications can achieve the highest level of compliance for the organization. Although tracking codes are useful for marketing and product development teams' decision making, they should still be removed. Also, sharing customers' behavior patterns with Google Analytics, Crazy Egg, Hotjar, or others without customers' consent invites unwanted trouble.
2. Department-level DPOs
It's vital to have a data protection officer (DPO) to manage the company’s compliance with regulations, such as PDPA or GDPR; however, appointing one DPO for the whole company isn’t enough to ultimately achieve compliance goals across an organization. In our case, we decided to name individual DPOs for each department who report to one centralized DPO. This helped us understand the various privacy-related use cases of each team, as well as how to address these use cases according to our compliance standards—all under one common framework.
3. Risk-driven Development
Emerging research and development (R&D) are the lifelines of every technology company, but privacy concerns are exacerbated by using data mining and artificial intelligence techniques to analyze user behavior. In our case, we adopted a risk-driven model for our R&D, which helped us identify and mitigate pressing privacy risks well before anything went into production. This model allowed our developers to prioritize risks, apply the right mitigation techniques, and save a lot of time.
4. Using the Right Language
When it comes to privacy compliance, there's a lot of jargon used across various departments. It's often difficult for an employee from one team to understand all the jargon words used in another department. To tackle this situation, we decided to translate all commonly used privacy terms into plain English. We also began awarding privacy points to teams for achieving internal compliance goals, which can be redeemed for cash, and deducting points when there was a violation. This helped our employees to simply and quickly understand and use the right terms to solve privacy issues together.
5. Automate Privacy Controls
Knowingly or unknowingly, employees often breach privacy policies. For example, leaving papers with customer data in a printer tray, loosely sharing customer information on internal forums, and sharing event participants' details with other internal teams are ways that privacy violations take place in daily office interactions.
To combat this issue, our company built intelligent bots into our internal chat service to help us quickly identify privacy violations. Now, if an employee tries to share information that appears to contain personal data, such as phone numbers and email addresses, a bot automatically pops up and warns the user not to share personally identifiable information. Building automated intelligent controls helped our employees learn privacy rules contextually.
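A minimal sketch of the kind of check such a chat bot could run on each message, added here as an illustration and not the company's actual bot. The function names, the regular expressions, and the sample messages in the test data are assumptions; the matching is heuristic, which is why the warning says "appears to contain".

```python
import re
from typing import NamedTuple, Optional

class Finding(NamedTuple):
    kind: str    # "email" or "phone"
    masked: str  # redacted form, so the warning never repeats the data itself

# Assumed patterns (not from the article).
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Phone candidate: optional "+", digits with common separators, not glued to a word.
PHONE_RE = re.compile(r"(?<![\w@.+-])\+?\d[\d ().-]{6,18}\d(?![\w@-])")
# Digit runs that look like phone numbers but are dates or IPv4 addresses.
NOT_PHONE_RE = re.compile(
    r"\d{4}[-./]\d{1,2}[-./]\d{1,2}|\d{1,2}[-./]\d{1,2}[-./]\d{4}"
    r"|\d{1,3}(?:\.\d{1,3}){3}"
)

def find_personal_data(message: str) -> list:
    """Return masked findings for e-mail addresses and phone-like numbers."""
    findings = []
    for m in EMAIL_RE.finditer(message):
        local, _, domain = m.group().partition("@")
        findings.append(Finding("email", local[0] + "***@" + domain))
    # Blank out e-mails first so digits inside an address are not re-flagged.
    remainder = EMAIL_RE.sub(" ", message)
    for m in PHONE_RE.finditer(remainder):
        candidate = m.group()
        digits = re.sub(r"\D", "", candidate)
        # E.164 allows at most 15 digits; 8 covers local Singapore numbers.
        if NOT_PHONE_RE.fullmatch(candidate) or not 8 <= len(digits) <= 15:
            continue
        findings.append(Finding("phone", "*" * (len(digits) - 2) + digits[-2:]))
    return findings

def bot_reply(message: str) -> Optional[str]:
    """Warning text for the chat bot to post, or None if nothing was found."""
    findings = find_personal_data(message)
    if not findings:
        return None
    items = ", ".join(f"{f.kind} {f.masked}" for f in findings)
    return (f"This message appears to contain personal data ({items}). "
            "Please do not share personally identifiable information here.")
```

Masking the matched values matters in practice: a bot that quotes the number or address back into the channel, or writes it to its own logs, creates a second copy of the data it was meant to protect.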
6. Maintain an Activity Register
It's important to document who handles which tasks to monitor who is accountable. This can be done using a Responsibility Assignment Matrix (RACI). By using RACI matrices at the department level, we were able to improve the overall success rate of our compliance programs significantly. As an example, our developers listed their top 20 routine tasks in an internal RACI matrix document. If there were any deviations from their respective routines, privacy teams would reach out to the developer as quickly as possible.
Implementing these six points alone may not be enough to achieve all your compliance goals; however, these provide a solid baseline to strengthen your organization's privacy controls.
Chandramouli Dorai, Marketing Analyst, ManageEngine contributed this article.
The views and opinions expressed in this article are those of the author and do not necessarily reflect those of CDOTrends.