Twenty-four hours to reflect on whether your organisation is in the right place with its processes and policies. That is what Data Protection Day should represent for organisations that rely on the use of personal information. 28th January is also a good moment to be thankful that the new Regulation didn't impose a strict 24-hour obligation to notify data breaches but instead requires an (only slightly) more practical 72-hour window: notification to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Three days is not long, and it only works if you already know what data you hold and who touches it.
So here are four things to consider to help join in with the purpose of the day:
1. Check your staff are onside
The actions of employees, both accidental and deliberate, rank highly as both a threat and a blind spot in most organisations' data governance. It is always hard to believe that a colleague might steal or sell crucial personal information on customers, right up to the moment when it happens. As a first step, it is vital to know exactly who has access to which data, for what purpose and in what circumstances. That map is what allows controls and monitoring to be put in place which can spot when an individual has exceeded their authority or access rights, for example by reaching into a data set their role does not justify, or by pulling far more records than their job ever requires. Wrap training and a governance culture around that and you will be in a better place. But if you don't have that map of data users, start drawing it today.
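As an added illustration of the kind of monitoring the paragraph above describes (this is example code written for this page, not anything from the original article), the script below holds a small map of who is authorised to use which personal-data set and for what purpose, inverts it to answer "who can touch this data?", and then runs constructed access-log lines against it. Every user, dataset, log format and threshold here is an assumption made up for the example.

```python
"""Added example (not from the original article): a minimal data-access map
and a checker that flags accesses falling outside an individual's authorised
scope. Every user, dataset and log line here is constructed for illustration."""
import re
from dataclasses import dataclass

# Constructed access map: for each user, the personal-data sets they are
# authorised to use and the purpose that justifies it.
ACCESS_MAP = {
    "alice": {"crm_customers": "account management"},
    "bob": {"crm_customers": "customer support", "payroll": "HR administration"},
    "carol": {"marketing_list": "campaign management"},
}

# Constructed log lines in a hypothetical "key=value" access-log format.
SAMPLE_LOG = """\
2024-01-28T09:01:00Z user=alice dataset=crm_customers action=read rows=3
2024-01-28T09:05:12Z user=alice dataset=payroll action=read rows=1
2024-01-28T09:07:45Z user=bob dataset=crm_customers action=export rows=48000
2024-01-28T09:10:02Z user=dave dataset=marketing_list action=read rows=10
2024-01-28T09:12:30Z user=carol dataset=marketing_list action=export rows=200
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) dataset=(?P<dataset>\S+) "
    r"action=(?P<action>\S+) rows=(?P<rows>\d+)$"
)


@dataclass(frozen=True)
class Finding:
    ts: str
    user: str
    dataset: str
    reason: str


def users_with_access(access_map, dataset):
    """Invert the map: who can touch this dataset, and why? This is the
    'who has access and in what circumstances' view the article asks for."""
    return {user: purposes[dataset] for user, purposes in access_map.items()
            if dataset in purposes}


def parse_line(line):
    """Return the parsed event as a dict, or None if the line does not match."""
    m = LOG_LINE.match(line.strip())
    if m is None:
        return None
    event = m.groupdict()
    event["rows"] = int(event["rows"])
    return event


def check_access(log_lines, access_map, bulk_threshold=1000):
    """Flag accesses that exceed the access map. Three cases are reported:
    an unknown user, a dataset the user is not authorised for, and a bulk
    export that is authorised in principle but large enough to deserve review.
    The bulk threshold is an assumed value; tune it to the data set."""
    findings = []
    for line in log_lines:
        if not line.strip():
            continue
        event = parse_line(line)
        if event is None:
            # Unparseable lines are findings too: silent drops hide gaps in coverage.
            findings.append(Finding("-", "-", "-", "unparseable log line"))
            continue
        user, dataset = event["user"], event["dataset"]
        allowed = access_map.get(user)
        if allowed is None:
            findings.append(Finding(event["ts"], user, dataset, "user not in access map"))
        elif dataset not in allowed:
            findings.append(Finding(event["ts"], user, dataset, "dataset not authorised for user"))
        elif event["action"] == "export" and event["rows"] >= bulk_threshold:
            findings.append(Finding(event["ts"], user, dataset,
                                    f"bulk export of {event['rows']} rows"))
    return findings


if __name__ == "__main__":
    print("crm_customers users:", users_with_access(ACCESS_MAP, "crm_customers"))
    for f in check_access(SAMPLE_LOG.splitlines(), ACCESS_MAP):
        print(f.ts, f.user, f.dataset, "->", f.reason)
```

Run against the constructed log it reports three things: alice reading payroll (outside her map), bob exporting 48,000 customer rows (authorised data set, but a volume worth a second look), and dave, who is not in the map at all. The point is not the script but the map: without an agreed record of who should have access and why, there is nothing to compare the logs against.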
2. Check your contractors mirror what you do
It is easy to assume that business partners, vendors and contractors have adopted the same approach to data protection as your organisation. But is it written into their contract and actively audited? Did the deal get struck on the basis of the third party's own terms and conditions, which may well differ from yours, especially if they are offshore? Under the new Regulation a written contract with each processor is mandatory, not optional, and it has to set out what they may do with the data. Not knowing what rules these vital components of the extended organisation are playing to creates a risk that can be significantly reduced, starting with a review of their contracts.
3. Check in with your customers
Your brand values may be about transparency, fairness and straight dealing, but is that how your customers experience it when being asked to provide their data? It is very easy for downstream touchpoints to adopt an approach that is inconsistent with those values, such as a digital marketing agency including a request for date of birth in a web form when it is not necessary for the purpose. Complaints and drop-off points can be a good source of insight into where such demands are excessive. A few hours acting like a prospect and going through your own registration or enquiry process can also be highly illuminating.
4. Check your business model
Two essential principles of the new Regulation are privacy by design and data minimisation. In this respect, it runs directly counter to the big data trend where organisations capture and collate as much information as possible. Does your business really need all of the data it is currently capturing, and does the way it gets integrated create a new risk of exposure or loss? Is the current big data approach sustainable if blended sources have to be managed to the requirements of the Regulation? If you don't know where the minimal data threshold is for what you do, today is a good opportunity to think about the options.
Fingers crossed you discover you are in the right place on all four of these and that next year’s Data Protection Day will find you able to deliver a positive message, not worry about finding yourself in the headlines.