Defining privacy policies and procedures: Amongst other things, most of today’s data privacy and protection laws and statutes require many businesses to update existing privacy policies or create new ones, and to implement several privacy procedures. To operationalize best data protection practices, data-centric businesses may therefore have to create or modify the following documents:
- Privacy policies
- Privacy Notices
- Consent Notices
- Opt-out (and opt-in) policies, notices & procedures
- Disclosure and deletion procedures
- Data security classification standards
- Privacy impact assessment
- Data breach/Incident response plans
- Consumer request procedures
Creation of data security & privacy controls: In addition to the aforementioned, businesses also need to specifically review and strengthen how they manage and secure consumer data, including personal identity information.
The type of security needed varies, depending on the type, medium and sensitivity of the consumer data that the business deals in. Some typical controls used include:
- Controlling or preventing the movement of data between repositories
- Tightening data access controls and credentials
- Securing data at rest through encryption
- Preventing the sharing, printing or storage of data elsewhere
- Intermittent scanning of repositories for inappropriate data
Conduct of communications and training: Another significant milestone in operationalizing data protection regulations lies in what can be called “employee behavior change management”. It involves all efforts geared at making employees adhere to a new process.
As part of operationalizing data protection and privacy rules, employers need to implement change management through employee training, so that employees embrace and adhere to the new data privacy and protection administration. Such training can address, for instance, why data protection is suddenly important, the company’s overall responsibilities, and the roles staff have to play in the process.
In all, it can be seen that operationalizing data protection & privacy in businesses can be pretty exhaustive, but not herculean. If nothing else, perhaps the fines and sanctions that loom over businesses would be enough incentive to have a rethink.