Building a Privacy Compliance Program

I take the (perhaps uncontroversial) view the privacy and security are intertwined.  While easier said than done, here are some steps for establishing a privacy compliance program.

• The first step is to know what it is you have. Working with your IT group, review what information your company keeps, understand where it is stored, who has access to it and whether there are effective cybersecurity controls in place.  This should include understanding what information employees have on their own devices that are used for work – or in the workplace.

• Once you know what you have, you will need to determine what information needs to be kept private. This will require you to understand the legal environment in which your company operates, including the laws and regulations of any jurisdiction in which you do business, where you store your data and what national borders your data crosses.  Remember that in the US, sector-specific regulators are deeply in the privacy business, so you must keep abreast of what agencies like the SEC, NLRB, FTC, and HHS are saying.  Finally, you also cannot overlook the promises you’ve made about privacy in your own privacy policies and statements.

• It is critical to view a privacy compliance program as an employment law matter.   As I have argued elsewhere, employees are the single largest threat to privacy and cyber security.  Whether they are being malicious, negligent or simply being tricked, the actions of your employees will often determine what data is kept private and what is not.   Solid training and strong policies will go a long way to help you ameliorate this problem.

• Create polices that cover employee personal devices that enter the workplace, especially in a Bring Your Own Device environment. Make sure to encrypt these devices, and obtain employee consent for remotely wiping the devices if the need occurs. If a mobile device is necessary for the job, it is best to let employees decide whether they want to use a personal device or a device you provide to them. Make sure your employees understand that they should have no expectation of privacy on the data on such devices.

• Back good cybersecurity with good policies, such as prohibiting unapproved devices from connecting to your network, prohibiting the installation of unapproved software, and ensuring that there is an approval process for downloading any data onto a mobile device.

• Train employees to comply with security policies and to resist efforts to get them to divulge data, such as a so-called spear phishing campaign. This is especially true of c-suite executives. 

• Work closely with IT to ensure that your organization stays up-to-date with cybersecurity, including the use of two factor authentication, broad use of encryption and intrusion monitoring.

• Finally, be prepared for a breach. Consider breach insurance and create a plan that covers what you will do in the first minutes, hours, and days after an incident is discovered.