What Are You Doing to Mitigate Privacy Breaches?

Many laws and requirements affect businesses today, and the topic of privacy is receiving extra attention from auditors and regulators. However, it is not just about laws and compliance. There are many motivators driving businesses to be more responsible with a consumer’s personal data, such as:

  • Enhance the company brand
  • Meet regulatory compliance obligations
  • Enable global operations and entry into new markets
  • Reduce the risk of data breach
  • Increase revenues from cross-selling and direct marketing
  • Comply with GDPR
  • Provide a competitive differentiator
  • Increase the value and quality of data
  • Reduce the risk of employee and consumer lawsuits
  • Be a good corporate citizen
  • Earn customer and consumer trust

Consumer trust is a big motivator. Fines and fees from regulators are usually clearly defined and have a finite value. Consumer trust, however, is broad and its loss can have much more severe repercussions. Loss of consumer trust can be fatal to an organization: it is hard to obtain and even harder to regain once lost. Because of this, many organizations are motivated to maintain a mature privacy program so they do not lose consumer trust. A few ways organizations can mature a privacy program:

Data minimization

Employees must understand data minimization and be able to put it into operation. Using internal identifiers, for example, instead of government identification numbers such as Social Security numbers, reduces the risk if the data is lost. Truncating, masking or scrambling information is another way to lower risk.

Privacy leads

Appoint privacy leads in the major business units responsible for handling and processing personal information. Privacy leads should be mid- or senior-level managers with sufficient authority and oversight of the controls within their area. Privacy leads can act as the privacy program’s advocates, ensuring that controls are kept current and that privacy incidents are escalated.

Implement change control

A privacy impact assessment, or another change control process, must be implemented to ensure that each change meets an acceptable level of risk and that its impacts on other processes are considered. Control changes must also be documented in a central repository for future auditing.

Know the “why”: over-collection of data

Companies have privacy policies and notices explaining how information is collected and used. However, the details of the privacy policy and notice may quickly be forgotten by employees, who face many other daily demands. Over-collection of data may result not only in a privacy incident but also in potential legal action by federal and state entities, or civil suits, for failure to keep a company’s promise to its customers.

In conclusion, mitigating risk is an ongoing process and requires the privacy office to establish a network of champions. Privacy program managers are accountable for the safekeeping and responsible use of personal information. They should be ready to demonstrate compliance with applicable data privacy laws, reduce risk, build trust and confidence in the brand, and enhance the organization’s competitive and reputational advantages. This starts with a mature privacy program.