Responsibility and Accountability
Have you ever worried about your personal information falling into the wrong hands? Our clients do. They take data privacy very seriously, and so do we.
We all have a responsibility to protect the data of our clients and employees. Privacy incidents are often caused by people making simple mistakes out of line with our policies. To help avoid any such mistakes, we have created a set of data principles.
- Don’t collect data unless you have to.
- Don’t use data for purposes other than the purpose about which you have informed the individual.
- Protect data at all costs.
- Destroy data when it’s no longer required.
We all are accountable for protecting the data we hold on our employees, customers, and clients. When in doubt, follow these principles to help protect personal data.
Your data should never be collected without your approval, and you should never collect data without approval. Always ask yourself the following:
- Is this information I’m about to collect personal?
- Do I need it?
If you don’t need the information, don’t collect it.
You must provide consent before a company can disclose any of your data. Equally, if you are ever in a position to disclose data, your data subject must provide consent.
Data should always be made anonymous, when possible, to safeguard the subject. No one should have their data abused or misused. You must protect it from loss, theft, unauthorized use, or modification. There should always be means in place for an individual to access and, if necessary, correct the information we hold on them.
Everyone has the right to know why their data is being collected and how it will be used. Customers have the right to hold any company that is in possession of their personal data/PII accountable for what happens to their data.
In summary, if at all possible, don’t collect personal data/PII. But, if you do, then you must make sure that the individuals who you are collecting the data from know why it has been collected and give their consent; you must protect the data while you have it; and you must destroy it when it’s of no more use. It is smart to follow a retention and destruction schedule and to periodically assess the usefulness of data.
Now we’ll look at a real-life example.
Viktor is working from a cafe. He is collating employee information into a spreadsheet for his company. Viktor wants to update the project on the network, but the cafe’s Wi-Fi is unprotected. Let’s see how he handles this.
Viktor decides to use the company Virtual Private Network (VPN). The VPN encrypts his traffic over the cafe’s unprotected Wi-Fi, so the connection to the company network remains private. Viktor has ensured that the personal data/PII remains protected and secure within his company’s network.
Viktor is getting ready to leave the cafe, but wants to do some work on his smartphone while commuting on the bus. Viktor knows he has to be responsible when sending and saving files.
Viktor encrypts the file he wants to work on with a password that only he knows and saves the file onto his phone. Viktor ensures that the data is protected and is aware that he should only ever work with files on authorized work devices and in accordance with his company’s IT security policy.
Viktor knows he is liable for any data he works with. Any breach of data can have financial impacts or legal risks, and could harm the company brand and reputation. His company could also be subject to significant fines if implicated in a data breach. No matter where you work from, personal data/PII must always be protected.
Imran’s company is merging with another organization. Both organizations operate in the US and the EU, and they’ll need to share personal data and personally identifiable information (PII).
He’s worried about ensuring this data is protected after the merger. He’s compiling a list of questions to ask the other organization.
- Is data stored securely and accessed only by authorized users?
- Are policies in place to protect data providers’ anonymity?
- Are users trained in data protection policies?
- Are security audits completed on a regular basis?
- Are electronic records securely purged?
- Are bonuses paid to staff to protect PII?
You shouldn’t need to incentivize employees to maintain data security. Data must be stored securely and accessed only by authorized users. Policies must be in place to protect the anonymity of those about whom the data is stored. Everyone must be trained in these policies. Security audits need to be completed on a regular basis. Documents containing personal data/PII must be shredded. When destroying electronic data, all electronic records must be securely purged in accordance with our company’s retention and destruction schedule. Privacy incidents are often the result of people making simple mistakes out of line with our policies. Our data policies exist to protect you, and us. There are also federal and state laws that set out the requirements for proper disposal of certain categories of PII.
Imran needs to create a spreadsheet for the marketing department with details of customer purchasing trends.
What must he do to ensure the security of any personal information?
- Print out the spreadsheet and hand-deliver it to his contact in the marketing department.
- Make anonymous any personal information before emailing it to the marketing department.
- Send the spreadsheet as an attachment in an email to the marketing department.
When using data outside of its normal intended environment, the data must be anonymized so as to remove any trace of personal data/PII by which the customer can be identified. Data should always be made anonymous when possible to safeguard the subject.
An audit of the other organization’s network highlights major security vulnerabilities. Research identifies a possible data breach.
- Any customers whose information was compromised could take legal action against Imran’s company.
- Imran’s company could be liable for huge fines and possible criminal charges.
- Imran will lose his job, but the company will face no other consequences.
- Imran’s company could suffer bad publicity.
Imran now understands the importance of protecting personal data/PII and that data breaches can have severe consequences, including loss of reputation, fines, and even criminal charges. Individuals may take action against any company, should it be identified that the company caused a data breach.
You have the right to hold any company that is in possession of your personal information accountable. Not following the principles of proper protection of personal data/PII can have huge ramifications. Under certain US laws, there are also reporting and notification requirements when a data breach has been discovered, including laws recently enacted in some states.
In the EU, under the GDPR, if a data breach occurs the company responsible for the breach must notify the relevant regulator within 72 hours of becoming aware of the breach. Generally speaking, organizations must also notify individuals impacted, including their customers, without undue delay after first becoming aware of the breach. Be sure to notify Legal if you discover or suspect that we have had a data breach, so that proper reporting can be done swiftly.
This content is an extract from the data privacy training course.