PreviousDeveloping your Data Privacy and Protection Program
A question that is often asked is, “Which department is responsible for Data Privacy within the organization?" Depending on who you ask, the response to that question will vary.
Some may insist that it is the responsibility of IT to ensure that customer data is collected, stored, processed, and removed in accordance with the various data privacy regulations. Others will say Compliance and Legal, given the discipline’s prescriptive legislative nature. Based on how many organizations view data opportunistically, some may even say Marketing. Others believe this responsibility lies with the office of the CEO and the executive leadership team, given the reputational and financial risks a data breach or data leak could pose to the organization. Who is right? We will get to that in a little while.
When we think critically about the entire lifecycle of the data collection and processing journey, we immediately realize that there are several touchpoints that will include many different individuals. To illustrate this point, I’ll share a recent experience.
I recently visited a corporate office to conduct personal business. To gain entry to the parking lot, the security guard recorded my full name, the vehicle’s license plate number, and the make and model of my car. When I entered the building, the receptionist again recorded my name. Then, in order for her to confirm that I was who I claimed to be, she requested that I present a government-issued ID. Of note is that when I recorded my name in the log, I could see every person who signed in before me, the time they arrived and which department they were visiting.
During my meeting with the company’s representative, I completed several forms, all of which asked for personally identifiable information, with at least one requiring personally sensitive information. Sitting at the rep’s desk, I could see photocopies of other customers’ documents on his desk in plain view. He then informed me that the completed forms would be sent to the operations unit for processing and then, depending on the processing outcome, to another division for enrollment. A week or so had passed when I received two emails from the marketing department: one regarding a public holiday office closure notice and the other a monthly newsletter.
In the scenario just described, it is clear that many organizations require quite a bit of personally identifiable information for customers to conduct business with them. We have come to accept this as standard practice, despite the fact that many organizations have not done the work to determine whether the information they require is necessary for a customer to do business with the organization. It is also evident that several individuals from various departments across the organization will be involved in collecting, processing, storing, and removing said data.
Often, the individuals involved in the process are unable to explain why the data is necessary, how it will be stored, who will have access to it, how long the organization will keep it, how it will be used, and how or when it will be removed when it is no longer needed. Many organizations commit the error of placing an excessively narrow emphasis on who is responsible for data privacy. They tend to concentrate on a few key players and exclude the rest of the staff from this crucial discussion.
The statistics around data breaches and data leaks reveal that a vast number of these result from human error or negligence due to ignorance. It may be the security guard or receptionist who inadvertently leaves the visitors’ log in an unlocked pedestal at the end of the day or the marketing associate who sends the incorrect Excel file containing personally sensitive data to an external distribution list. The law does not care how it happens – the penalties and fines are the same regardless. Legislators presume that organizations will take all the necessary steps to educate all employees on sound data privacy practices so that they can operate in compliance with the law.
The answer to the question that we started with should be evident by this point: data privacy is everybody’s business. While one business unit may be responsible for developing and managing a data privacy framework across the organization, all staff and key stakeholders must be aware of the basics at the bare minimum. There is, therefore, an obvious need to raise awareness about individuals’ rights to personal data protection and privacy.
Data privacy awareness and practices can send strong messages to everyone regarding the company’s business ethics and the value it places on the rights of the data subjects. The most effective way to convey this message is to demonstrate a commitment to get everyone across the organization sensitized to the matters of data privacy, including the rights of data subjects, the responsibilities of the organization and the consequences of non-compliance. Let’s be clear about one thing: ignorance of the law is not a plausible defense.
While one business unit may be responsible for developing and managing a data privacy framework across the organization, all staff and significant stakeholders must be aware of the basics.
We are offering organizations the opportunity to:
Create awareness among their staff members about the Data Protection Act
Understand the responsibility of the organization under the Data Protection Act with our: Data Protection Executive Briefing; and Data Protection Essentials Training