By Rajesh Ganesan.
Contrary to popular belief, data privacy is not solely the responsibility of corporations. Sure, corporations are on the hook should there be a breach and an organization is found to be in violation of data privacy laws; however, everyone plays a part.
It is not possible to outsource the responsibility of privacy to one sole executive — a DPO (Data Protection Officer) or CISO (Chief Information Security Officer) — or even to one privacy team. From an org-chart standpoint, privacy teams are always a small percentage of every organization. That is why it’s vital that organizations take an “all hands on deck” approach, in which every single employee, contractor, and consultant is held responsible both for their online behavior while at work and for the duty to safeguard confidential company data.
International Data Privacy Day, which took place a few weeks ago, serves as a concrete reminder for organizations to reevaluate their stance on data privacy, and it’s crucial that they hold employees accountable for their online behavior in and outside of the office. One way of doing this is to create a “personal privacy pledge” of sorts — essentially, a simple pledge whereby every employee promises to work alongside their employer to make data privacy a priority in their lives, in and outside of their standard 9-5 workday.
At our organization, we teach all of our employees and contractors about data privacy principles and legislation from day one. Moreover, we hold them accountable. We do this by mandating training courses, hosting periodic quizzes, and assigning every team a data privacy score, which is then shared internally — much like students’ scores are shared in law school. This isn’t to shame employees who are unaware of data privacy principles. It’s to empower them. We expect all of our employees to stay up to date on legislation as well, as we believe that their access to classified or personal company data is a privilege, not a right. They should know the basics about GDPR and the new CPRA; that said, we encourage our employees to focus on principles rather than laws.
Focus on Principles
New laws will always pop up. However, by focusing on the principles within the laws, everyone can ensure that the organization is prepared when these laws arrive. For sales and marketing folks, we emphasize the principle of data minimization: only collect the customer data you absolutely need, and keep it for the bare minimum amount of time. Essentially, if you can’t answer the question, “Why do I need this data?” you shouldn’t be collecting it. For R&D folks, we stress privacy by design. From inception, designers and developers should be thinking about the privacy repercussions their products could create down the line.
Keep Your Eyes Open
So many data breaches are the result of human error, such as falling for a convincing social engineering attack or a phishing email. During the pandemic, we’ve witnessed a whopping 6,000 percent increase in phishing attacks, as bad actors have capitalized on people’s uneasiness and general lack of privacy awareness. Part of the personal privacy pledge mandates that we are all actively thinking about the potential for these types of attacks and doing the best we can to prevent them.
Put Things in Writing
It’s been a couple of years since the GDPR was put into practice, and at this point in time, our employees get excited about privacy audits. Not only do they know what their individual teams’ respective privacy scores are, but they also know they have the requisite privacy policies written down to show any auditors. Additionally, our employees who manage customer data keep their data inventories on hand as well, should there be a subject access request or a visit from an auditor.
It may seem overly simple, but this personal privacy pledge works so well because it empowers the individual. Over time — through education, documentation, awareness, audits, and a focus on principles — data privacy considerations become effortless. By taking the data privacy pledge, privacy protection eventually becomes second nature, as we consider privacy implications from the moment we wake up to the moment we go back to sleep.