With the holidays behind us and the new year upon us, privacy officers are sitting down and focusing on the annual privacy goals for their organization. Here is a list of resolutions for privacy officers to consider.
- Draft robust privacy policies and practices. It is important to review your organization's privacy policies and practices annually and consider whether they need to be revised. You want to make sure that they are accurate – many times, a policy is drafted, and then, during implementation, the process changes without the policy being updated to reflect those changes. You also want to consider whether the policies and practices are actually being complied with, and if they aren't, determine why and what needs to change to ensure compliance. Does the policy need to be adjusted? Does more training need to be conducted?
- Consent for the collection, use, and disclosure of personal information will be valid and informed. Your client needs to know and understand the purposes for the collection, use, or disclosure of their personal information. Under the Consumer Privacy Protection Act (which is making its way through the legislative process to be enacted), a corporation is to provide the following information to an individual to obtain valid consent: (a) the purposes for the collection, use, or disclosure of the personal information determined by the organization; (b) the manner in which the personal information is to be collected, used or disclosed; (c) any reasonably foreseeable consequences of the collection, use or disclosure of the personal information; (d) the specific type of personal information that is to be collected, used or disclosed; and (e) the names of any third parties or types of third parties to which the organization may disclose the personal information.
- Have data protection agreements in place with third-party vendors and execute audits. Third-party vendors that process your organization’s data need to set out in a contract, i.e., a data protection agreement, the safeguards that will protect your data. A review should be done of the data protection agreements you already have in place with your third-party vendors. Has the sensitivity of the personal information that the third party processes increased? Do the safeguards in place continue to adequately protect your data? Are there audit provisions in the agreement that you should be exercising? Have you requested a copy of the vendor’s third-party certification and/or annual penetration testing reports?
- Data protection safeguards will be proportionate to the sensitivity of the data collected by the organization. The following factors should be considered when selecting the right safeguards to have in place to protect your organization’s data and the personal information of your clients: the sensitivity of the information and the risk of harm to the individual (i.e., health and financial information would be considered highly sensitive and require stronger safeguards); the amount of information collected and/or retained; the extent of distribution; the format of the information (e.g., paper or electronic); the type of storage; and the types and levels of potential risk your organization faces.
- Training is relevant with full participation by members of the organization. The most well-developed privacy management program will not succeed if team members are not trained on how to implement it. Different positions in the company will have different responsibilities in implementing the program. Training and education need to be recurrent, and the content of the program needs to be periodically revisited and updated to reflect changes in technology, processes, and the products and services delivered to clients. For privacy training and education to be effective, it must: be mandatory for all new employees before they access personal information and periodically thereafter; cover the policies and procedures established by the organization; be delivered in the most appropriate and effective manner, based on organizational needs; and circulate essential information to relevant employees as soon as practical if an urgent need arises.
- The organization is prepared to manage a breach incident. One only needs to check the headlines to realize that cyber breaches are among the risks that every organization needs to mitigate and manage. When a data breach incident occurs, you want to be prepared to respond to it immediately. Every organization should have a breach incident plan setting out the procedure to be followed in the event of a breach, who will be responsible for which function, who will coordinate the response, and so on. In these situations, you do not want to be wasting time figuring out who is doing what – you want immediate containment. Periodic testing of the breach incident plan needs to be conducted.
May 2024 bring excellent data and privacy protection to you and your organization!
Alysia Christiaen is the Chief Privacy Officer of Lerners. She is available to assist a privacy officer in making and implementing their privacy New Year’s resolutions. Privacy on Demand packages are available for organizations in need of privacy and data protection legal services.