Dana Louise Simberkoff, JD, CIPP/US, Chief Compliance and Risk Officer, AvePoint
I recently attended a speaking session on the importance of developing a classification schema for your data, presented by a privacy attorney and a Chief Privacy Officer. They described in detail how to build a classification schema that would properly identify Personally Identifiable Information (PII), secure sensitive information, regulated content, and other types of company-specific sensitive data – such as financial information, contracts, and intellectual property. Toward the end of the session, an audience member raised his hand and asked, “How do you make sure that the documents are actually tagged with the schema?”
Unfortunately–but not surprisingly–there was no real assurance that tagging would be correct or completed at all. Therein lies the problem! There are many factors that go into the determination of an organization’s privacy program and policies–including statutory and regulatory requirements, company or organizational best practices, and market demands. But regardless of the mandate source, all organizations should carefully consider whether the policies they are building are technically enforceable.
Creating a policy without any mechanism (automated, manual, or third-party) to measure and monitor compliance of the policy is somewhat like setting a curfew for a teenager and then going away for the weekend. How do we know as privacy professionals if people will live up to expectations? How do we know if those expectations are even reasonable?
1) Set enforceable policies: In the absence of education or experience, people will naturally make poor privacy and security decisions with technology. This means that systems need to be easy to use securely. This is a critical point and probably one of the single largest opportunities for privacy and security programs to be revamped.
2) Make it easier for your end users to do the right thing: Create simple policies, rules, and IT controls and make it easier for your end users to do their jobs effectively with the systems and controls that you want them to use. Don’t set up policies that are so cumbersome and restrictive that your employees are pushed to private cloud options – including Dropbox, Box, and Google for Work – to be able to effectively do their job. At the end of the day, your employees will do what they need to do to get their job done. Meet them halfway: make the systems you can control just as easy to use.
3) Trust and Verify: Trust your end users to appropriately identify and classify sensitive data they are handling and/or creating, but verify that they are doing so. Use a layered approach to data classification to ensure that the policies, training, and tools are being properly understood and integrated into the day-to-day tasks of your workforce.
4) Measure, Report, and Monitor: That which is not measured cannot be improved. Don’t have a policy that sits on a shelf – policies should be living, breathing documents that reflect and direct the flow of your business. Privacy and security should not be seen as blockers to productivity but rather as enablers of the business. Your reporting can help you build a better security program, as well as help you demonstrate the Return On Investment (ROI) for your program.
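What “trust and verify” (point 3) and “measure, report, and monitor” (point 4) look like when the policy is made technically enforceable, as an added illustration that is not code from the article or from AvePoint: users assign a classification tag themselves, and an automated check scans each document for content that requires a higher level than the tag claims, then rolls the results into the coverage and mismatch numbers a privacy program would report. The four-level schema, the detector patterns, and the sample documents are all constructed for this example; a real program would use its own schema and far more careful detectors.

```python
"""Verify user-assigned classification tags against document content.

Added example (not from the article). The schema, detectors and sample
documents below are constructed; treat every pattern as a starting point.
"""
import re
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed classification schema, ordered from least to most sensitive.
LEVELS = ["public", "internal", "confidential", "restricted"]


def luhn_ok(number: str) -> bool:
    """Luhn check so that arbitrary 16-digit runs are not reported as cards."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# (detector name, pattern, optional validator, minimum level the content requires)
DETECTORS: list[tuple[str, re.Pattern, Optional[Callable[[str], bool]], str]] = [
    ("us_ssn", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), None, "restricted"),
    ("payment_card", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), luhn_ok, "restricted"),
    ("email_address", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), None, "internal"),
    ("contract_language", re.compile(r"\bnon-disclosure agreement\b", re.I), None, "confidential"),
]


@dataclass
class Finding:
    doc_id: str
    issue: str              # "untagged" or "under_classified"
    assigned: Optional[str]
    required: str
    reasons: list[str]      # detector names that fired


def required_level(text: str) -> tuple[str, list[str]]:
    """Highest level any detector demands for this text, plus which ones fired."""
    level, reasons = "public", []
    for name, pattern, validator, min_level in DETECTORS:
        hits = [m.group(0) for m in pattern.finditer(text)]
        if validator is not None:
            hits = [h for h in hits if validator(h)]
        if hits:
            reasons.append(name)
            if LEVELS.index(min_level) > LEVELS.index(level):
                level = min_level
    return level, reasons


def verify(docs: list[dict]) -> list[Finding]:
    """Trust the user's tag, but flag missing tags and tags weaker than the content."""
    findings = []
    for doc in docs:
        required, reasons = required_level(doc["text"])
        tag = doc.get("tag")
        if tag not in LEVELS:
            findings.append(Finding(doc["id"], "untagged", tag, required, reasons))
        elif LEVELS.index(tag) < LEVELS.index(required):
            findings.append(Finding(doc["id"], "under_classified", tag, required, reasons))
        # Over-classification is allowed: it costs convenience, not confidentiality.
    return findings


def report(docs: list[dict]) -> dict:
    """The numbers a privacy officer would track: tagging coverage and mismatches."""
    findings = verify(docs)
    total = len(docs)
    untagged = sum(1 for f in findings if f.issue == "untagged")
    return {
        "documents": total,
        "tagged": total - untagged,
        "coverage_pct": round(100.0 * (total - untagged) / total, 1) if total else 0.0,
        "under_classified": sum(1 for f in findings if f.issue == "under_classified"),
        "findings": findings,
    }


# Constructed sample documents with user-assigned tags (None = never tagged).
SAMPLE_DOCS = [
    {"id": "memo-001", "tag": "internal", "text": "Cafeteria hours change next week."},
    {"id": "hr-002", "tag": "internal", "text": "New hire SSN 123-45-6789, start date Monday."},
    {"id": "sales-003", "tag": None, "text": "Card on file 4111 1111 1111 1111 for renewal."},
    {"id": "legal-004", "tag": "confidential", "text": "NON-DISCLOSURE AGREEMENT between Acme and Initech."},
    {"id": "pr-005", "tag": "public", "text": "Contact press@example.com for interviews."},
]

if __name__ == "__main__":
    summary = report(SAMPLE_DOCS)
    print({k: v for k, v in summary.items() if k != "findings"})
    for f in summary["findings"]:
        print(f"{f.doc_id}: {f.issue} (tagged {f.assigned}, needs {f.required}; {', '.join(f.reasons) or 'no detector'})")
```

Run as-is, the report shows 80% tagging coverage and two under-classified documents, which is exactly the answer the audience member at the session was asking for: the schema is only as good as the check that confirms it was applied. The same numbers, tracked over time, are the measurement point 4 calls for and the evidence of ROI the program needs.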
Privacy officers must closely align not only with their security counterparts, but also with their IT counterparts. For privacy officers fluent in the language of the law, it is important to understand the limitations and possibilities available to their company through technology.