10 Privacy Resolutions for 2013

Jan 24, 2013 8:00am


The following is a guest blog post from ISACA.

With the rise of big data come big challenges, including how to deal with increasingly challenging privacy issues. To help protect information, which has become the currency of the 21st century, here are 10 resolutions for your enterprise to adopt in 2013:

1. Assign someone to be responsible for your privacy issues. Appoint a chief privacy officer or, at minimum, designate someone as the person responsible for privacy in your organization.

2. Know what personally identifiable information your organization collects and retains about your customers and employees. Take a data inventory so you know where the information is stored.

3. Ensure that your privacy policies are clearly written and enforceable. They should address issues related to the collection, use, disclosure, retention and disposal of personally identifiable information. Do you do what your privacy policy says that you do?

4. Disclose personally identifiable information to third parties only for the reasons stated in your privacy notice. Be sure to have the implicit or explicit consent of the individual.

5. Create a privacy-friendly environment. Make sure your employees understand why it is important to protect personally identifiable information and the risk to the organization if they don’t.

6. Address all privacy-related laws and regulations that apply to your business. Even if you do not have a physical presence in a state or country, you may be subject to its privacy regulations. Know where your customers are located.

7. Train your employees to protect the privacy of personally identifiable information. Implement a privacy training program for all employees that includes information sessions, posters, emails, etc., on the importance of keeping personally identifiable information secure, both in and out of the office.

8. Provide a process for individuals to make complaints. Give customers an online form or email address for communicating their privacy problems or concerns. If problems arise, deal with them efficiently and effectively.

9. Create an incident response plan. Privacy breaches can occur despite your best attempts at prevention. Creation of an incident-response plan enables you to respond promptly.

10. Consider having a privacy audit performed by an outside trusted entity. Hire someone knowledgeable in privacy, such as someone who holds the Certified Information Systems Auditor (CISA) credential.

ISACA, a nonprofit association of more than 100,000 IT assurance, risk, security and governance professionals, offers a number of resources to help your enterprise govern and manage its information. From the COBIT 5 framework to the Privacy community in ISACA's Knowledge Center, these tools will help your enterprise ensure trust in—and gain value from—your information and systems.

I encourage you to use those tools to help you adopt—and stick to—these resolutions. Make 2013 the year of privacy in your enterprise.

Yves Le Roux, CISM, CISSP

Member, ISACA Guidance and Practices Committee