Data protection, sought in daily entity operations and in the actual delivery of services, should coexist with the responsibilities for consumer data privacy. This second piece follows the previous one, which addressed the coexistence of protection and privacy from an institutional perspective. In furtherance of that theme, this piece will touch upon the organizational aspects involved in making that coexistence between data protection and consumer privacy materialize, i.e., looking at data protection from the vantage point of ensuring privacy as a matter of entity accountability.
Organizationally, clients find themselves needing to organize their approach. For some this means a designated group, or a board, tasked with the mission of data protection. Such a group may represent sections of the organization such as legal (inside or outside counsel), accounting, contract management, and human resources. Depending on the size and scope of the entity, this group could also involve research and development, network administrators, regulatory liaisons, and auditors. A robust approach would hire outside reviewers to assess the integrity of the entity’s approach, its performance, its training, and its update compliance, including for new products and services. The group or board should keep a reasonable schedule for undertaking risk assessments and for reviewing the findings of previous reviews. It is critical to focus on mitigating factors and on the initiatives that implement them. One example of how mitigating initiatives can enhance the coexistence of data protection and consumer protection is to address laptop usage and the process of transferring data over networks from laptops. Another is encryption: encrypting such transfers will be a key aspect of an entity’s integrated process. As these mitigating processes proceed, the entity’s decision-making body, with oversight of the group’s assessment and work, will set the standard for the entity’s approach throughout the organization.
The data governance aspect that arises from this process will be crucial among the mitigation factors. The result is a cultural shift in which data privacy becomes ingrained. This cultural shift takes the form of setting schedules for frequent network backups and patch updates. Schedules for updates and installs are indispensable to any accountable cybersecurity approach. By instituting the backup process and patch updates, the chances of being able to withstand a cyber incident improve. The key understanding behind this governance or cultural change is the integration of hardware, services, and software across their life cycle. For instance, being aware of notifications for updates and acting on them in a timely manner helps maintain data privacy. This should be the norm. Also, ensuring that encryption is comprehensively applied across drives helps reduce interruptions and data loss. A greater improvement would be an automated encryption process. As a result, the client learns that no single approach is the solution for everything. A narrow focus on trying to be compliant is also not the appropriate mindset. Compliance, though important, can lead to narrow and myopic approaches when it receives too much focus.
A word about compliance is needed, however. A focus on privacy is not solely about compliance. The entity will need to embrace its codes of conduct (if any exist), assess its administrative and operational weaknesses, account for consumer expectations of privacy, and gauge its readiness. Different components of an entity will need to be cognizant of how their individual task or mission fits with the entity’s policies, technology, duties, and goals towards data privacy. The earlier an entity instills privacy concerns at the different levels of its operations, the sooner the integrity of its privacy approach can be realized. The early stages of program, product, or service development should involve privacy considerations. Even after a product or service is deployed, the entity should engage in assessments to weigh its success in achieving its privacy approach. Importantly, each assessment will be specific to the service, product, or program in question, e.g., email marketing, software deployment, a client program, etc.
From the compliance side of the issue, in the absence of comprehensive federal privacy legislation, entities seeking to be accountable need to mind both the state and federal pieces of legislation that have carved into the issue. So far, state and federal efforts have produced a series of laws that do not mesh. Many states have passed data security initiatives, but these have little to do with improving privacy protection. The focus has been on notification requirements. Notification requirements without predictable standards are meaningless for purposes of seeking data privacy. The issue of enhancing data protection and consumer privacy is not an esoteric academic or theoretical exercise. The solutions for being accountable for data privacy are hard, tangible, measurable, and valuable. Yet the notification, by itself, must be focused and be issued quickly, with an assessment of the nature of the breach and the data involved. Entities must also embrace new media, including social media and email. The purpose of notification is to promptly alert consumers to monitor their financial records, accounts, etc., so that they can make the changes necessary for their own financial, personal, medical, social media, and digital record security in the aftermath of a data breach.
As this second piece closes, one additional point is needed. In a competitive market, new services, products, programs, and apps are being delivered through varied devices and networks. Such a diverse combination of sources and means underscores the importance of having a privacy focus, or a design-for-privacy approach, in handling data. Entities across the digital market need to embrace data governance that moves toward a culture of privacy in order to be accountable; at the least, consumers are expecting it. This is all the more important in the absence of a standard baseline for data privacy across federal and state legislation. It is this change in entity mindset towards governance and accountability that is needed to realize that coexistence in institutions between data protection and consumer privacy. The following piece will touch upon data collection, its uses, and its integral role in the marketplace vis-à-vis consumer privacy and data protection.