5 Ways to Build a Culture of Data Privacy in Your Organization

January 28th marks Data Privacy Day, which, for us here at Coretek, means that we spend the week reiterating the value of building privacy considerations into all that we do for ourselves and our customers.

What is Data Privacy Day?

Data Privacy Day began in Canada and the United States in January 2008 as an extension of Data Protection Day in Europe, commemorating the signing of the first legally binding international treaty regarding privacy and data protection. 

Why is Data Privacy Day Important?

Data Privacy Day serves as an essential reminder to ensure that we safeguard personal information, both in our professional and personal lives. Unfortunately, data privacy is often overlooked until our personal data becomes a target of compromise, or worse, has already been compromised. Below we detail five tips to enhance data privacy at your organization and start your journey to building and maintaining a culture of privacy awareness.

5 Steps to Enhance Data Privacy at Your Organization

1. Understand Your Business

Data privacy is important, but what does it mean for your business to maintain a culture of privacy? You must know all the areas where data privacy needs to be considered and which data privacy regulations apply to your organization.

We recommend conducting an assessment to determine the avenues used for data collection within your organization. Ask the following key questions to gain a better understanding of how the organization is collecting and protecting data:

  • Do you directly collect private information from consumers?
  • Do you design or build applications that collect private information from consumers?
  • Do you provide services to other businesses that might allow you access to the private information they process?
  • Are you transparent in your privacy practices?
  • Do you respect employee and consumer privacy?

Although these are not the only questions that an organization should ask itself, they will allow you to understand your business better. Once you know how your business intersects with data privacy, you can determine where your gaps in privacy are and what you need to put in place to mature your privacy practices. If you need help in this process, you can reach out to partners with experience in data privacy for business.


2. Obtain Executive Buy-In

The next step in building a culture of privacy is to get executive leadership to buy into it. If business decision-makers are not informed about why privacy considerations and regulations (HIPAA, GDPR, etc.) are relevant to the business and the services it provides to its customers, it will not be easy to establish a privacy-focused culture.

When executive leadership values privacy at the organizational level, they help instill a culture of privacy awareness from the top down, which is more likely to succeed.

3. Design a Robust Training Program that Works for Your Organization

Developing a plan for how your organization will cover the many components of privacy training is crucial. It is essential to understand that Privacy Awareness is different from Security Awareness, although the two intersect in many ways. The key difference is that Privacy Awareness Training focuses on the importance of the data that needs to be protected and on the requirements your company may be subject to (HIPAA, GDPR, etc.), so that privacy protections and access rights are taken into consideration. Security Awareness Training, by contrast, spans a broad range of topics relating to confidentiality, integrity, and availability (the CIA Triad), physical and logical access, social engineering tactics, detecting malware, and so on. All of these factor into securing the data that your organization is responsible for, but they may not teach your employees how to handle personal data.

It is valuable to understand whether your organization processes Personally Identifiable Information (PII) or Protected Health Information (PHI), either on its own behalf or for customers, and whether your company will receive requests from consumers to access the data held about them. By creating privacy awareness training that covers a breadth of topics, such as recognizing Data Subject Access Requests (DSARs), you can chip away at the knowledge gaps and begin to mature your privacy practice.

In general, training your organization on privacy can be a challenge. A training method that works well for one business area may not work well for others. We recommend deploying a multi-faceted approach to training:

  • Train on your policies.
  • Train with easy-to-digest PowerPoints, presentations, and town hall meetings.
  • Strategically place eye-catching training posters around the office (breakroom, game room, gym, office supply area, etc.).
  • Use interactive training videos and modules.
  • Provide positive reinforcement and feedback for those who complete training.

While determining which training approach works best for your business, keep in mind that your program can be refined over time and continuously improved as needed. Encourage feedback from your employees to gain better insight into the most effective training.

4. Create a Culture of Privacy Awareness and Champions to Support It

Once you understand how your business intersects with privacy, have the buy-in of your executive leadership team, and a training program designed, your organization is officially on the way to building a culture of privacy awareness and champions—but what is a ‘privacy champion’? A privacy champion is not necessarily a designated role; instead, it’s a mindset that your employees develop over time that allows them to identify potential privacy concerns or areas for improvement to existing privacy practices.

How do I know if our organization is ‘privacy aware’ or if we have individuals that might be ‘privacy champions’?

Finding out might be easier than you think! Ask yourself:

  • Do our employees know what to do if they have a privacy concern?
  • Do our employees know who to contact if they have a privacy concern?
  • Do our employees come to us with ideas relating to enhancing privacy practices?

If the answer to these is “yes,” congratulations, you have established a robust culture of privacy awareness! If the answer is “no,” determine where the gaps are and the best path forward for addressing them.

5. Build Privacy-by-Design

Ensure privacy is at the forefront of discussions, project plans, and implementations by considering the seven principles of Privacy-by-Design:

  • Proactive, not reactive; preventative, not remedial
  • Privacy as the default setting
  • Privacy embedded into design
  • Full functionality: positive-sum, not zero-sum
  • End-to-end security: full lifecycle protection
  • Visibility and transparency
  • Respect for user privacy: keep it user-centric

When an organization incorporates these seven principles of Privacy-by-Design, employees and customers can be assured that the privacy of their data is taken seriously.
