Have you considered building a data protection training but you’re not sure where to start? You might be a bit overwhelmed with what topics to select. Data privacy, in and of itself, is a big subject. So much so that an entire day is dedicated to the topic on January 28, 2018.
Building a world-class data protection training doesn’t have to be a hurdle for your organization.
In this blog, we share directly with you our experience developing our world-class data privacy awareness and training programs. Take these topics and use them in building your own privacy awareness and training program.
What is data privacy and why is it important? How is it different from security?
Privacy and security are often used synonymously, but each term carries its own importance in the enterprise. Privacy is how data is collected, stored, transmitted and destroyed, whereas security is how data is protected from internal and external threats.
It’s important for an organization to understand privacy. Privacy matters because an organization’s most valuable asset is data. Data comes with significant risks.
Humans are often considered the biggest risk to data privacy and security.
Therefore, it’s important to communicate the importance of data privacy to your employees. You don’t want your data to be exposed to anyone and everyone to see. Employees play an important part in protecting their own data and the data within the organization.
What is the data lifecycle and the top questions to consider?
Once your employees know about the importance of data privacy and protection, it’s equally important to explain the lifecycle for data. In other words, how data is created, stored, used, shared, archived, and finally deleted.
Key Questions to Ask in the Data Lifecycle:
When building a data privacy and security awareness program, your employees should know about the following:
- How is data collected/created within the organization and personally?
- What are the legal constraints in collecting or creating the data you’re using?
- Is your data stored securely?
- Which employees need access to stored data?
- Is the data backed up in the storage and does the storage offer high-availability?
- What are the appropriate uses for various data types?
- Is everyone that uses the data bound by confidentiality or a non-disclosure agreement?
- Can you share the data? What data is approved to share?
- What are the approved methods for sharing data?
- What is the appropriate method of archiving your company’s data?
- Where are the company’s data archives located?
- What data can and should be deleted?
- When should data be deleted within the organization?
All employees should be aware of the data lifecycle stages. Today, data quickly flows through the stages of the lifecycle. Employees are the “gatekeepers” for organizational data and should feel empowered to handle your most important asset.
What is personally identifiable information and sensitive data? How are they different?
Your organization likely transmits and collects personally identifiable information (PII) and sensitive personal data. But do your employees know the difference between the two?
Your employees should know what distinguishes PII from sensitive data.
PII is any information related to an identifier for a person. These identifiers could be:
- A full name
- An identification number
- Location data (IP address)
- Online identifier (cookies)
- Other factors related to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person
Sensitive personal data is data related to the following:
- Details of racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic and biometric information
- Sex life or sexual orientation
- Health records
If your organization and its employees handle or plan to start handling this sensitive data, you need to make them aware of how these two types of datasets should be treated and protected.
What are an employee’s data privacy and protection responsibilities?
Your employees need policies to adhere to and guidelines to follow. Policies and guidelines help them understand how to handle data across the lifecycle.
Your privacy and security policies are specific requirements that employees must follow and meet to protect your data.
The most common general information security policies include:
- Acceptable Encryption Policy
- Acceptable Use Policy
- Clean Desk Policy
- Data Breach Response Policy
- Disaster Recovery Plan Policy
- Digital Signature Acceptance Policy
- Email Policy
- Ethics Policy
- Pandemic Response Policy
- Password Policy
- Security Response Plan Policy
Don’t let these policies just sit in the dark either! They should be revisited at least annually. Your staff may change, and it may be time to update them for various roles and departments within the organization. These policies and guidelines should be living, breathing documents.
What’s the importance of data backup and retention?
Your employees need to know why it’s important to back up and retain data. Again, your business data is likely your most important asset, and your employees are the gatekeepers that handle it. Systems can crash, humans can make mistakes, and disasters do happen. That’s why it’s so critical to have backups and retention in place.
Your employees should know about the proper process of backup and retention. It aligns to the data lifecycle for your company.
Make sure your employees know:
- Does your environment automatically replicate and back up data? Maybe it should.
- If not, do you have a procedure in place to create at least 3 copies of data?
- Do you store backups in 2 different types of media for redundancy?
- Lastly, do you store at least one backup in the cloud for high-availability in the event of a disaster?
What are the best practices to detect and avoid security breaches?
Here’s where your security awareness program comes into play. You should educate and inform your employees about the dangers of phishing, social engineering schemes, malware, viruses, and more.
It’s also important to train your employees on email best practices, acceptable internet use, and approved software and applications. Your employees need training on remote access, on how and when to use a Virtual Private Network (VPN), and on whether portable storage devices such as USB drives are permitted on the network.
Lastly, you may not realize it, but physical security also plays an important role in cybersecurity. Are you familiar with No-Tech Hacking, a concept put forth by Johnny Long, one of the most well-known hackers of our time?
Physical security is an important facet to protecting data privacy. Employees must be aware of all types of social engineering schemes aimed at stealing your corporate data.
How do you use encryption when sending confidential data?
Encrypting your data is one of the best ways to protect your organization against data leakage, whether from cybercriminals or employee mistakes. Encryption helps across multiple stages of the data lifecycle: in use, at rest, and in motion.
Best practice calls for encryption across each of these data paths. Even if you require employees to use a VPN at all times, a VPN typically covers only data in motion, so data still needs to be encrypted at rest and in use.
The types of business data most commonly encrypted are:
- Company Intellectual Property or Proprietary Data
- Company Financial Reports
- Personally Identifiable Information
- Research and Development Data
- Sensitive Customer Data
- Upcoming Product Launch Details
From an employee perspective, devices such as laptops, phones, tablets, and any other device used for employee storage should be encrypted. Employee email can be encrypted to protect your data and email privacy.
How do you properly dispose of data and determine when data is at its end-of-life?
At the last stage of the data lifecycle, the disposal of data becomes a top question for an organization and its employees. How and when to dispose of data will need to be covered in your data privacy and security awareness programs.
Common organizational security policies include a data retention policy, which states which documents need to be retained and for how long. Another best practice at this stage is to mark data with a destruction date so that employees clearly know when it’s an appropriate time to dispose of it.
For your security department, you may want to have a policy that follows an industry standard like NIST’s Guidelines for Media Sanitization for sanitizing and clearing the hard drives of departing employees or drives that need to be shared. Here’s a guideline to follow regarding media:
- Clearing: Overwrite the media
- Purging: Magnetic erasure of the media
- Destruction: Physical destruction of the media
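As an added example (not code from the original post), the following Python script ties the destruction-date marking above to the clearing/purging/destruction choices: it flags records whose destruction date has passed and selects a sanitization method by media type. The record inventory, retention periods and media-to-method mapping are constructed assumptions; only the method names follow NIST SP 800-88.

```python
"""Retention check: flag records past their destruction date and pick a
sanitization method (clear / purge / destroy) for the media holding them.
Added example: the inventory and retention periods below are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention periods per data class, in days. Real values come
# from the organization's retention policy and local law.
RETENTION_DAYS = {"pii": 365 * 3, "sensitive": 365, "financial": 365 * 7}

# Constructed mapping of media situation -> method from the guideline above.
SANITIZE_BY_MEDIA = {
    "hdd_reuse": "clear",        # overwrite; drive stays in service
    "hdd_leaving_org": "purge",  # magnetic erasure before it leaves custody
    "ssd_retired": "destroy",    # physical destruction
}

@dataclass
class Record:
    name: str
    data_class: str
    created: date
    media: str

def destruction_date(rec: Record) -> date:
    """Destruction date = creation date plus the class's retention period."""
    return rec.created + timedelta(days=RETENTION_DAYS[rec.data_class])

def disposal_actions(records, as_of: str):
    """Return (name, method) for each record whose destruction date is on or
    before as_of (ISO date string); records still in retention are skipped."""
    today = date.fromisoformat(as_of)
    return [(r.name, SANITIZE_BY_MEDIA[r.media])
            for r in records if destruction_date(r) <= today]

# Constructed inventory used for the stand-alone run below.
SAMPLE = [
    Record("hr_health_records_2016", "sensitive", date(2016, 6, 1), "hdd_leaving_org"),
    Record("customer_pii_2017", "pii", date(2017, 9, 1), "hdd_reuse"),
    Record("q4_2015_ledger", "financial", date(2015, 12, 31), "ssd_retired"),
]

if __name__ == "__main__":
    for name, method in disposal_actions(SAMPLE, "2018-01-28"):
        print(f"{name}: past retention, {method} the media")
```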
Surprisingly, many local state governments in the United States have legislation regarding the proper disposal of personally identifiable information and sensitive data. Companies are therefore required by law to keep sensitive customer and employee data on file for a defined period.
Overview of global data privacy law
Global data privacy regulations are widespread and are changing rapidly. Any multinational organization should give employees an overview and summary of major global data privacy laws.
A global data privacy training should encompass all aspects of breach notification, consent, erasure, data portability, and the appropriate means for sharing and transferring data.
Bottom line – make your data privacy awareness training specific to the local laws and regulations that impact the organization.
You should also provide some background to these laws and how each affects your organization with the recent changes in global data privacy regulations.
What are the consequences of not being #PrivacyAware?
Your organization can face hefty fines for non-compliance with global data privacy laws in the event of a data breach due to negligence. In addition, your employees may face civil fines and criminal prosecution in the event of data leakage or breach.
Build awareness around the penalties your organization could face given a privacy violation.
For example, under the European Union’s upcoming General Data Protection Regulation (GDPR), any business found not in compliance after May 25, 2018, can face fines of up to €20 million or 4% of adjusted gross revenue, whichever is larger.
In the United States, regulations like the Health Insurance Portability and Accountability Act (HIPAA) can assess fines from $100 to $50,000 per violation. The Gramm-Leach-Bliley Act (GLBA), aimed at financial institutions, also places fines on organizations found to be in non-compliance. An organization can be fined up to $100,000 for each violation under the GLBA.