Make the ‘culture of privacy’ a priority!

As we all know, all organisations collect data as part of their business processes. What we unfortunately also know is that some of the big tech companies around the world know more about us than we want them to know. Even worse, these big tech companies are selling our personal data, which can easily be bought by “bad” organisations that misuse our personal information.

Therefore, it cannot be reiterated enough: personal information is property that belongs to us, which companies must handle with care.

That makes privacy compliance a much more complex challenge. Companies need to think more about what’s best for the consumer as they handle personal data, as well as how to accommodate the consumer and the rights he or she might exercise under various privacy regulations.

Make a culture of privacy and security a watchword

In short, businesses need to make a “culture of privacy” a priority, in much the same way as anti-corruption activists like the Integrity Initiative and partners stressed the importance of a culture of compliance in the 2010s. A culture of privacy and security must be the watchword now.

It forces deeper changes in business processes, policies, and corporate awareness of privacy—and any time we talk about changes in policy, procedure, and corporate culture, the compliance function is crucial to that.

Now let’s get more practical.

Goals into capabilities

When you translate those goals into capabilities that the company must have to get the job done, several emerge as the most important:

1. Data Management

The regulation includes a list of specific types of information within the scope of the Data Privacy law – names, e-mail addresses, photos, audio recordings, Internet search history, biometric data, and more – plus the catch-all, “any information that can reasonably be associated” with a specific person.

The most fundamental compliance capability is simply to understand what personal data your company collects. Where does that data enter your extended enterprise? What business processes touch it? What third parties touch it? Where is the data stored?

2. Assessment and Monitoring of Third Parties

Oversight of third parties is not a new capability per se, but the Data Privacy law pushes the need for that capability to new heights. For example, it draws a distinction between “service providers” and other third parties. A service provider receives personal data from your business as part of a written contract, to execute a specific task for you: write a legal brief, host a website, run payroll, and so forth.

This means compliance functions will need to sharpen their assessment of third parties, to understand the exact business relationship and assure that it meets all the criteria for service providers.

3. Building Compliance Business Processes

Remember, the Data Privacy law gives residents certain rights to their personal data. For example,
