skydiving, two thumbs up
PHOTO: Zach Marshall

Data is your most valuable asset, but depending on how you treat it, its potential can either be fully realized or it can become toxic.

According to IBM we “create 2.5 quintillion bytes of data” a day. 

Analysts project by 2025, data from connected devices will yield insights driving potential business value of as much as $11 trillion.

But studies suggest 80 percent of corporate data is dark data — meaning either meaningless or unprotected content. 

All of this is taking place at a time when the regulatory environment surrounding data breaches and privacy protection is becoming increasingly stringent, complicated and challenging to address

Growing Challenges for Data Protection Officers

New and emerging privacy regulations such as the EU General Data Protection Regulation (GDPR) will impact companies doing business around the world, creating a need for almost 28,000 new data protection officers (DPO) in Europe alone. 

How will these new DPOs manage their roles in this increasingly volatile environment? 

Automation will enable privacy officers to scale their programs to meet the challenge emerging technologies and exponential data growth pose.

Many factors go into determining an organization’s privacy program and privacy policies, including statutory and regulatory requirements, organizational best practices and market demands. But regardless of the source of the mandate, careful consideration needs to go into whether the polices created are technically enforceable.  

Creating a policy without a mechanism — automated, manual or third-party — to measure and monitor its compliance is somewhat like setting a curfew for a teenager, going away for the weekend and expecting it will be followed because you said so. 

As privacy professionals, how do we know if people will live up to our expectations? How do we know if those expectations are even reasonable?  

In order to build an effective privacy policy, we must understand the legal and statutory requirements that will shape the policy within our organizations, and also understand how these policies relate to our organizations' business practices, people and technologies. 

Your strategy should center around the data that you hold.

How to Create an Effective Automated Privacy Policy

Some simple best practices can help set your organization up with an effective, automated privacy policy:

1. Set Enforceable Policies

In the absence of education or experience, people naturally make poor privacy and security decisions with technology. Your organization’s systems need to be easy to use securely and difficult to use insecurely. This is a critical point and probably one of the single largest opportunities for privacy and security programs to be revamped. 

2. Make it Easier to do the Right Thing than the Wrong Thing

Create common sense policies, rules and IT controls that make it easier for your end users to do their jobs effectively with the systems that you want them to use. 

Don’t set up cumbersome and restrictive policies that push your employees to unsanctioned cloud options (such as Dropbox and Google Docs) to be able to effectively do their jobs. Your employees will do what they need to do to get their job done. Help them by making it simple to use the systems you can control.

3. Trust and Verify

Trust your end users to appropriately identify and classify the sensitive data they are handling and/or creating, but verify that they are doing so. 

Using a combined or layered approach to data classification can ensure that employees understand and integrate the policies, training and tools you are providing into their daily tasks.

4. Monitor, Measure and Report

That which is not measured cannot be improved. 

Don’t have a policy that sits on a shelf. Policies should be living, breathing documents that reflect and direct the flow of your business. 

Privacy and security can and should be seen as enablers of business instead of blockers to productivity. Your reporting can help you build a better security program, as well as demonstrate the return on investment for your program. 

Take Control of the Flow of Data

In order to meet these best practices, privacy officers must closely align both security and IT counterparts. For privacy officers who are fluent in the language of the law, understand the possibilities and limitations presented to the organization through technology. 

Data is like water — it is rising all around us. Technology provides the vehicles that allow privacy and security officers to create the dams that prevent us from drowning and allow us to manage the appropriate flow of data.