These are the 5 questions board members and C-level execs should ask about data privacy and data management
An executive team that prioritizes data security and data privacy can set the tone throughout an organization by instilling a culture of good data governance and security. A key part of this is being knowledgeable leaders who ask the right questions. While not an exhaustive list of questions, here are some of the top questions they should be asking.
What sensitive data do we hold and how are we protecting it?
Asking what is being captured and stored, and what needs to be protected is an important first step. To secure data, you need data inventory tools that can identify sensitive high-risk data at scale. The organization needs to know all the data being kept – even dark data. Learn more about how RecordPoint can help gain enterprise-wide visibility of all your data assets with a continuous data inventory process.
Are our records management, privacy and IT security teams working together?
Information management, security and privacy teams acting independently of one another is still all too common. Historically, data privacy and protection were very much about safeguarding who had access to data and making sure it was protected against unauthorized access. Information governance, on the other hand, was more about managing information and improving its quality, and was considered a separate exercise. By working with records managers and privacy officers, IT security teams can be armed with the information they need to build processes that protect information instead of simply storing it.
Are we adhering to privacy laws and minimizing data stored?
Existing laws mandate that organizations may keep data only for as long as it is needed for the purpose for which it was collected. Article 5(1)(c) of the General Data Protection Regulation (GDPR) defines data minimization by stating that personal data shall be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.”
Many organizations collect massive amounts of data thinking that it’s helpful to hold a lot of data on their customers, but this can be very problematic in the event of a breach. Marketing is one function that is often guilty of data hoarding, saving every piece of data because it might be useful in the future.
One only needs to look at the daily news of data breaches to see the risks associated with data hoarding and data graveyards. The cost of these breaches can be astronomical for companies, both in financial terms and in the loss of their customers’ trust. The recent Okta YouGov State of Digital Trust Report found that over 75% of customers won't use services or purchase products from organizations they don’t trust with their data. What’s more, 47% permanently stop using an organization’s services following a data breach or misuse of data.
What are our notification obligations to regulatory authorities?
In the United States, federal-level breach notification obligations apply to certain sectors (e.g., healthcare, financial institutions, and telecommunications). At the state level, each of the 50 states and Puerto Rico now has a breach notification obligation. Federal rules require notification to the appropriate federal regulators if the applicable thresholds are met. For example, HIPAA's Breach Notification Rule requires covered entities to notify the US Department of Health and Human Services (HHS) of certain unauthorized uses or disclosures of protected health information ("PHI").
In Australia, under the Notifiable Data Breaches (NDB) scheme, any organization or agency within the scope of the Privacy Act must notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach is likely to result in serious harm to an individual whose personal information is involved.
Are we prepared to handle right-to-be-forgotten requests?
In the event of a data breach, your organization might find itself overwhelmed with Data Subject Access Requests (DSARs) and right-to-be-forgotten requests. When your customers are notified of a data breach, they’re on high alert and often want to know all the data you hold on them. If these information requests are still handled manually, does your organization have the financial resources and workforce to handle them? For organizations with manual processes, according to Gartner, processing a DSAR costs an average of US$1400, and it typically takes more than two weeks to respond.
Responding to these requests can play a big part in re-establishing trust after a breach, so you need to have processes in place. The team at RecordPoint are working on some exciting innovations to help streamline your Data Subject Access Request (DSAR) processes, so please reach out to learn more.
Company directors need to assess data security just as they would any other risk, making informed decisions based on an understanding of what data they hold and the regulatory requirements to which they must adhere. By asking these questions, they will have the knowledge to act confidently and set the tone for their entire organization.