Risk management and compliance monitoring: October’s PrivacyRight tools
Any organization that collects, uses, or discloses personal information faces privacy risks. What separates organizations that deal effectively with these risks from those that are adversely impacted by privacy breaches is a proactive approach to privacy protection that emphasizes planning.
The ninth and final webinar in our PrivacyRight series focuses on Risk Management and Compliance Monitoring, two crucial aspects of an effective privacy management program.
The Personal Information Protection Act (PIPA) requires organizations to make reasonable security arrangements to protect the personal information in their custody or under their control. In other words, if you collect and process individuals’ personal information, or if another organization does so on your behalf, you remain legally responsible for protecting that data.
A risk management approach to protecting personal information means identifying and evaluating privacy risks and working to monitor, minimize, avoid, or otherwise mitigate them. Organizations can then meet their PIPA obligations in a way that is scalable and proportionate to the specific threats they may face.
Privacy impact assessments (PIAs) are a valuable tool toward this end. The latest webinar helps to demystify the process of writing a PIA and provides organizations with a clear understanding of whether current or proposed initiatives meet the legal requirements and obligations in PIPA for the collection, use, or disclosure of personal information.
PIAs do not need to be complex; however, they must be thorough to be effective. The time taken to prepare a PIA can pay dividends for an organization when tallied against the potential financial and reputational damage of a privacy breach.
The entire PrivacyRight series has emphasized the importance of organizations making privacy a priority – both as a legal necessity and to build and maintain trust with individuals. These efforts need to be revisited periodically to ensure that as threats to privacy evolve, protections do as well. This is where compliance monitoring and internal or external audit activities are crucial. These could be regularly scheduled privacy and security audits at large organizations, or simply checklists at smaller organizations, to keep on top of privacy threats and of staff compliance with the organization’s privacy policies and procedures.
This month's featured guidance document, Securing personal information: a self-assessment tool for organizations, offers detailed questions organizations should consider when assessing current or planned activities involving personal information.