The average person doesn't know much about corporate legal risks, with perhaps one exception: data privacy. Credit card abuse is so rampant and consumer anxiety over identity theft so great, that any suggestion of a corporate data privacy problem immediately reaches the mainstream media. It can spell real trouble for a company's reputation, and remediation is costly. And of course, data privacy problems attract unwanted attention from regulators, too.
The challenge for companies isn't just protecting consumer and employee financial data. We live in an era increasingly concerned about privacy of all kinds, and this is reflected in new privacy regulations emerging from the U.S., Europe, and beyond. The requirements are not consistent, often in tension with policies requiring transparency and disclosure on certain issues, and the effect is at times truly bewildering.
But the greatest cause for concern isn't the regulatory tangle—it's that many companies still have yet to comply with even the most basic and universal provisions of data privacy laws. For example, research by The Corporate Executive Board shows that 35 percent of major companies do not provide data protection training to their employees—in spite of the fact that such training is almost universally required.
In truth, the tangle of state, federal, and international regulations are a distraction from the main task at hand: building a data governance system within the company. Whatever the regulations require, compliance and training efforts cannot reliably take place until the company has a structure for assessing data risk, assessing changes to regulations, and communicating those risks and regulatory requirements to key players—including rank-and-file employees. Until this infrastructure is in place, the stream of regulatory updates is but an invitation to fight fires one by one.
Yet company lawyers spend more time reading and reacting to new regulations than they do building policy and practice—the infrastructure that will allow the company to respond to any new regulation in the future. The good news is that good data privacy infrastructures always have some key elements in common, and the Legal and Compliance Practice of the Corporate Executive Board has defined these key elements. The following five components of successful data privacy programs allow companies to better define and improve their approach to data privacy management.
Data Assessments: Personal data collected, stored, and used within the company should be assessed.
Inventory of Applicable Laws and Regulations: Based on the types of data collected in the company and its geographic location, an inventory of actual program, IT and physical controls, policy, training, and monitoring regulatory requirements should be conducted.
Policies and Procedures: An overarching policy containing the company's privacy principles and philosophy, as well as policies and procedures specific to individual data types (customer, employee, vendor), data retention, and data transfers, should be implemented.
Training and Awareness Programs: Online training based on fundamental privacy principles should be required of all employee. Additional targeted training should be in place for specific, high risk segments.
Ongoing Auditing and Monitoring: Companies should use program metrics to track effectiveness, and should conduct ongoing internal program and assessments and/or third-party audits if required by specific standard or regulation.
An infrastructure based on these key elements is necessary for the effective management of potential data privacy problems. By having these programs in place, companies can successfully respond to the data privacy threat.