BreachExchange mailing list archives

10 compliance steps to protect personal information and data


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 14 Sep 2015 18:14:29 -0600

http://www.itbusiness.ca/blog/personal-information-and-data-protection-compliance-checklist/59720

The organization-wide adoption by businesses of well-intended social
media strategies, cloud-based storage and the associated outsourcing
solutions can present data protection and privacy challenges.

Notably, with the rapid emergence and wide use by employees of mobile
devices such as smartphones and tablets, the challenges become somewhat
intensified – particularly in relation to the preservation of an
organization’s sensitive and proprietary information, as well as the
personal privacy of its employees and customers.

Adoption of an organization-supported bring your own device (BYOD) or
similar program, while an enabler for employees, can nevertheless prove
detrimental to an organization if not well considered and properly
implemented. Embraced by both the organization and its employees, the
program, while well intentioned, can have dire consequences for either or
both of them if organizational confidential and personal information are
not safeguarded.

Subject to any imposed corporate restrictions, employees may freely surf
the web while also accessing their personal emails, texts, apps and the
like. At the same time, the device will have been electronically
partitioned by IT so as to enable “controlled and authorized access” to the
organization’s often sensitive, commercial information.

Sometimes, and typically depending on the employee’s defined role within
the organization, the employee may have access to the personal information
(PI) of others. PI may inadvertently include personal information of fellow
employees as well as personal information of the respective employees of
the organization’s customers and suppliers.

In permitting such access, whether purposeful or inadvertent, there is an
absolute requirement to comply with all applicable privacy legislation.
By way of example, in Ontario, adherence to the applicable provisions of
the Personal Information Protection and Electronic Documents Act (PIPEDA)
is required.

Hence, an organizational strategy needs to embrace hard policies around the
protection of personal information, while also ensuring that the
organization’s corporate data is well protected.

It is hoped this checklist will provide some assistance, recognizing that
it is strictly a springboard and must be tailored to the particular
organization’s data protection and statutory retention obligations.

A note of caution though: the checklist is but a tool and a precursor to a
comprehensive review of the organization’s currently established data
processing practices. These need to be reviewed in association with the
organization’s legal compliance requirements under the relevant day-to-day
operational, reporting, and retention laws. Representatives from the
organization’s information management and legal department would need to be
part of this review and audit.

1. Adoption of a comprehensive personal information and data protection
compliance strategy

The organization must proactively ensure that its compliance approach
applies throughout the entire organization. This would include all data
processing activities that embrace or utilize technologies. In particular,
all employee mobile devices that provide remote access to the
organization’s standalone, cloud, and third-party managed servers.

2. “Personal information” inventory

Inventory, by way of an audit, the various categories of PI together with
their respective database, server, workstation, mobile device, cloud and
third-party location(s). Such audit should extend to both hardcopy
(specifying physical location) as well as digital format.

3. Appointment of a data protection compliance officer

Internal data compliance is critical to the well-being of the organization,
and it is therefore critical to appoint a person with overall
responsibility for enforcing and monitoring the organization’s data
protection and compliance strategy.

4. Develop and adopt a data protection policy

Your organization’s overall data protection policy will need to focus on
your organization’s overall data processing activities, both internal and
external, as well as any current, in-place, related policies, such as
any existing acceptable use or BYOD policies.

5. Compliance with regulatory registration requirements

Ascertain and comply with all required statutory registration and renewal
mandates related to personal information and data/information retention and
filing.

6. Notify affected individuals and provide the required information where
disclosure is mandated

Promptly and with clarity, notify affected individuals should there be any
statutory or other lawful requirement to disclose personal information.

7. Third-party agreements with consultants and providers

Contractual compliance obligations with respect to PI and corporate data
assets need to be included in all contracts with third-party consultants,
data services providers, as well as off-site storage facilities providers
and operators.

Ensure that strict protection and compliance requirements are included
where the data is going to be located outside of Canada.

8. Security measures to protect personal information

Develop, implement and manage technological and organizational policies
protecting against accidental, targeted, or unlawful destruction,
alteration, loss, inadvertent or unauthorized access, disclosure or
processing of any form of PI.

9. Educate staff about your compliance policies and procedures

As part of the roll-out strategy, staff will need to be educated about the
need for privacy policies and procedures and should acknowledge compliance
by way of written agreement.

10. Your compliance toolkit – time to update

Data protection and compliance constitute a rigorous and continuous
process. While tools and third-party services are available to enable and
enhance internal data controls, there is also a need to comply with
evolving statutory and legal retention requirements. There is also a need
to periodically update your organization’s compliance toolkit.