- Shopping Bag ( 0 items )
Net Privacy shows executives, consultants, technology designers, and other decision makers how to ...
Net Privacy shows executives, consultants, technology designers, and other decision makers how to protect information privacy in today's competitive business arena.
This chapter provides a step-by-step approach to conducting a privacy-needs audit. It has divided the privacy-needs audit phase into 10 major steps that follow the first 10 steps of the organizing and researching process discussed in Chapter 4. The steps are illustrated in Figure 5-1.
Figure 5-1. Conducting a Privacy-Needs Audit: Phase 2 of Privacy Planning
In addition to describing the 10 steps for conducting a privacy-needs audit, this chapter covers the type of obstacles that an organization can encounter at each step. As in other chapters, these candid comments about obstacles are based on several decades of experience in working on organizational change using the task force approach to accomplish major enterprise initiatives.
The objective of the privacy-needs audit and the entire privacy-_planning process is to reduce the organization's vulnerability when it comes to privacy. No organization should have a false sense of security about how vulnerable it is to privacy problems. Many organizations read the latest story in the newspaper about privacy issues that pertain to certain types of data, then take a brief look at their own in-house treatment of that particular type of data, and prematurely conclude that they are not vulnerable. Building a complete and thorough data inventory system to begin the privacy-needs audit will help reduce tendencies to take short cuts as the company develops and implements the privacy plan.
Companies should not, however, assume that the central information technology department is aware of all the data used by departments or business units. All too often databases and information systems have sprouted up around an organization. These databases can be standalone systems that departments have created, or they can be derivatives of centralized databases that have been extracted for specific data mining or data analysis tasks.
A formal cataloging approach should be used in inventorying data and information. To move further into the planning assessment and planning process, the company needs a uniform and thorough description of all data and information. Setting up a database that is accessible by the entire privacy task force is a good way to facilitate the cataloging process. Expect the inventory process to take a considerable amount of time; it can take weeks and sometimes months to do a data inventory, depending on the size of the organization.
To find the data and information used in the enterprise, the privacy task force and the department teams need to look everywhere. For example, data may be found in the following locations:
All the obstacles basically come down to what is referred to as cultural barriers to change. This defensiveness or fortress-building response has always been encountered in organizations that are faced with new threats, shifts in marketplaces, or social pressure. For example, heavy resistance to environmental protection requirements lasted for decades and still exists in some parts of the country and in many places around the world. Resistance to equal opportunity such as gender and racial equality in the workplace is something that has yet to be completely overcome. Progress has been made on both the environmental and equal opportunity fronts, but it has taken over 30 years.
Simply stated, companies should be warned against an observed tendency on the part of departments and business units to not fully cooperate with enterprisewide initiatives. Do not establish an environment of distrust and paranoia when dealing with departments or business units. Just take an approach of thoroughness during the data inventory step. A company's best weapon in the quest for thoroughness may not be lengthy forms for each supervisor to complete, but a softer awareness-building approach in which key supervisors or technical experts are polled about how data are being used.
To help achieve thoroughness and overcome potential resistance to the data inventory process, count on taking a three-prong approach. First, as pointed out in phase one, the organization and research phase, start an awareness campaign about the importance of privacy efforts and provide employees with a mechanism for giving feedback about potential vulnerabilities. Second, start the formal inventory process as outlined in this chapter. Third, create and distribute a survey to key personnel as a separate data collection effort to get their inputs on privacy vulnerability. The company can then triangulate the three sources of information and cross-check them as it builds the data inventory.
The major obstacles in accomplishing a thorough review of laws and regulations related to information privacy requirements are time and expertise. Medical organizations have already been confronted with a variety of privacy requirements, and financial services companies have long been dealing with privacy issues. Most organizations, however, are just beginning to deal with privacy issues and probably have very few staff familiar with privacy requirements. If in-house legal counsel is not available, contracting with an outside specialist in the field of privacy law is the best course of action.
The major obstacle in assessing an organization's insurance coverage is finding the expertise to do an adequate assessment. Larger organizations often have a risk management department to evaluate risks and insurance coverage. Smaller organizations tend not to have such expertise in-house, which means that they will need an outside consultant to help with this step. Basically, coverage from insurance companies regarding privacy violations is not expected. If it is a matter of data theft, they may provide some coverage. On the other hand, if inappropriate risk taking or an employee blunder causes a privacy violation, then the insurance company is not likely to provide coverage. During this step the enterprise must determine what if any coverage its insurance policies provide.
The company is urged to take a comprehensive look at existing or past issues. This process may include a review of customer complaint forms or records in all business units and departments. If it has a Web site, the company should review any email or inquiries regarding privacy. All too often these inquiries get buried in an email box somewhere on a server and are never reviewed. If visitors to the Web site have made inquiries, these inquiries could provide insight into the perspective of the organization's Web customers or users.
The major obstacle in identifying past data privacy issues is what is referred to as institutional memory. In some cases people who have been involved in privacy incidents may have left the company. In other cases memory tends to be selective, and the task force may have difficulty assembling an objective perspective on past privacy incidents. As major incidents of the past are identified, the task force should contact the people who are no longer with the organization and attempt to get their perspectives on specific incidents. If employees involved in an incident are still with the company, the task force should talk to as many people as possible to make sure a well-rounded perspective of the incident develops. All of these efforts will help the task force develop a full understanding of what the organization faces and has faced in terms of privacy problems created within the enterprise.
These organizations should be informed that a privacy plan is being developed. This part of the privacy planning process can be very problematic; however, the enterprise must recognize that even the best privacy policies and procedures cannot protect it from encountering problems if a business partner obtains data that it misuses in a way that exposes that data to unauthorized parties.
The major obstacle is getting business partners to cooperate. If a company has long-standing relationships with the business partners, it will probably not be too difficult to foster cooperation. The most difficult scenario occurs when large numbers of channel partners are affiliates. This scenario especially applies to newer Web-based companies that use affiliate programs or to the large technology companies that have relationships with resellers, VARs (value added resellers), OEMs (original equipment manufacturers), or consultants. In these cases, collecting information on each affiliate may be impossible. The best course of action in these situations is to focus on the largest partners first. In addition, once the privacy policies are formulated, the organization can require all partners to adhere to its policies as a condition of having the business relationship.
Along with assessing the privacy policies and problems of business partners, the company should establish a process that follows news stories in which the partners are mentioned. Even if self-reporting of privacy problems is required, a business partner that gets bogged down in a privacy scandal may not place a high priority on calling to discuss the problem. Thus, a monitoring process is advisable. Any privacy-related information found through such monitoring, as well as all self-reported information from business partners, should be catalogued and analyzed by the task force....
|1||The Threat to Privacy and Corporate Vulnerability||1|
|2||The Nature of Privacy Problems||15|
|3||The Regulatory and Legislative Environment||30|
|4||Organizing to Protect Privacy||43|
|5||Conducting a Privacy-Needs Audit||55|
|6||Evaluating Technology Needs for Privacy Protection||67|
|7||Developing the Enterprise Privacy Plan||82|
|8||Implementing the Enterprise Privacy Plan||97|
|9||Managing Privacy on the Enterprise Web Site||115|
|10||Managing Privacy on Internet Supply Chains||130|
|11||Managing Privacy Efforts over the Long-Term||141|
|12||Protecting the Privacy of Enterprise Storage and Processing||152|
|13||Protecting the Privacy of Corporate Communications||173|
|14||Protecting Corporate Desktop Privacy||211|
|15||Protecting the Privacy of the Road Warrior's Laptop||246|
|16||Protecting the Privacy of Remote Access and Telecommuters||265|
|17||The Future of Privacy Management||293|
Posted April 24, 2001
This book took us through the privacy planning process step by step. There were so many things we had not thought of and the book helped us make sure we covered privacy planning from all angles.Was this review helpful? Yes NoThank you for your feedback. Report this reviewThank you, this review has been flagged.
Posted April 26, 2001
This book provides a thorough structure for the privacy planning process. The framework and step-by-step process helped me through the privacy planning process.Was this review helpful? Yes NoThank you for your feedback. Report this reviewThank you, this review has been flagged.