Privacy is key concern for customer's, people's and employee's confidence. Privacy governance enables companies to expand their business scope across various geographies in compliance with geographical privacy regimes. Having a strong privacy safeguards deployment also enables adoption of various technologies including cloud technology for business expansion. There are multiple channels like web, social media , instant messaging , partner networks through which organizations are trying to understand customer’s purchasing habits and present the related service and product to them. In this process companies are collecting lot of customer personally identifiable (PII) data without understanding the implication of incorrect use of this data and having loose protection controls. Organizations needs to follow the basic privacy principle while dealing with privacy data. Largely accepted privacy principles are from Organization for Economic Cooperation and Development (OECD). So, let us understand what exactly is meant by privacy and governing privacy principles.
What is Privacy?
The definition of privacy varies depending on social and cultural issues, stakeholder interests, and application context.
Popular privacy definitions include “the right to be let alone” by Justice Louis D Brandeis, focusing on freedom from intrusion, and “the right to informational self-determination”, allowing individuals to control, edit, manage, and delete information about themselves and decide when, how and to what extent that information is communicated to others.
It recommends that following OECD Privacy Principles should be followed while designing their privacy governance initiative
- Collection Limitation
- Data Quality
- Purpose Specification
- Use Limitation
- Security Safeguards
- Individual Participation
The rigor of privacy deployment depends on privacy requirements and cultural expectations. Following are the use cases where privacy governance needs to be considered
- If you are dealing with customer/employee personally identifiable information (PII), medical information.
- Rapid change of technologies like use of cloud , social media , mobile computing
- Performing data analytics and planning to consider secondary use of personal information.
- Planning to outsource your business function to third party or partners and sharing personal data with them for processing
Privacy governance function should be taken up by dedicated senior management person like privacy officer or privacy protection manager. Privacy committee should be established comprising of representative from senior management, business units, HR, Legal, IT, third party management. Privacy committee should closely interact with organization IT security organization.
Privacy Governance Approach
- Privacy requirement gathering and planning to consider business requirements, applicable privacy regulations, PII data flow through various IT systems like web, CRM, HR system, e-mail, messaging , backup systems, social media .
- Definition of Roles and responsibilities of privacy officers and privacy committee
- Review exiting security, HR policies and enhance or create new policy to meet privacy requirements.
- Conduct Privacy Impact analysis (PIA) your IT applications when new application is created or application is changed due to some business requirements or IT function is outsourced
- Privacy training to employees and stakeholder including third parties
- Define privacy safeguarded and security controls , make decisions on privacy enhancing technologies like DLP, Data Masking, Encryption technologies
- Keep monitoring industry- and country-specific regulations developments
- Keep monitoring privacy governance initiative
Success of privacy program depends thoroughly upon understanding privacy domain, requirements, required privacy compliances and designing the privacy program based on well-known privacy principles and customizing these further as per the geo graphical or industry specific requirements. Success also depends upon selection and deployment of appropriate policy and procedures and deployment appropriate privacy technology and then monitoring it.
Authored by Satish Kulkarni