Privacy considerations are rising in business significance, and not simply as a matter of data breach liability. First, privacy (like cybersecurity itself) is a key business driver in today’s digital world. Second, the evolution of privacy norms and requirements must be reviewed continuously and anticipated, not simply because they change over time but because they can change overnight.
Regardless of what laws apply to your particular industry, we would like to offer a new acronym to help you assess and formulate a solid approach to data privacy: the CLAUSES.
Collection. The most important aspect of all data privacy is determining and potentially restricting the types of data you collect in the first place. If your company likes metadata because it never met a data it didn’t like, think again!
Location. Consider your ability to pinpoint the location of the data you collect. First, data is easily replicated. Companies would do well to map the flow of personal (and confidential) information in its original, derivative, duplicate and shared form. Second, geographic location may matter. Certain data might be restricted from being stored in, or even accessed from, specific geopolitical boundaries.
Access. It is obvious that for data to remain private, it requires some form of access control (whether technical, physical and/or administrative) in order to restrict who sees it and to ensure they understand and abide by all accompanying data restrictions.
Use. Just because your company holds private data does not mean it has the right to use it for any purpose. Many organizations by law or policy provide specific assurances to data subjects regarding limitations on how personal data will be collected, accessed, used, shared and retained.
Security. Organizations should determine whether they hold specific kinds of personal data that are subject to additional security requirements (think banking, healthcare, credit cards and student records as examples), to include any emerging requirements for corporate employment records containing sensitive information.
Eradication. Whether voluntarily or as required, companies often are faced with the need to destroy, de-identify or correct private data either upon request or after a set period of time.
Standards. Organizations would do well to compare their privacy approach against either mandated or recognized standards and guidelines and, in this way, determine their compliance levels and risk posture. By considering the privacy CLAUSES, your company will be off to a great start.