TAC The Advisory Council Enabling IT Transformation
Data Privacy Compliance Services
Many states have recently passed legislation designed to prevent exploitation of an individual's private data. Following the path forged by the Health Insurance Portability and Accountability Act (HIPAA), the definition of private data has been expanded from personally identifiable information containing health and medical information to any information that points to specific financial or demographic data that the individual has not explicitly made public.

As a result of these state laws and regulations, organizations are now charged with implementing procedures and deploying resources that provide for protecting what has been termed private data at rest, in transit and in use. In some instances, these restrictions apply to both physical (paper) data and electronic data elements.

In many cases, these state laws are punitive in that they define and assess fines, penalties and possibly criminal charges that may be attributed to any failure to protect the data privacy of individuals or organizations. The recent legislation has also been prescriptive in that it defines what should be done to help protect this data privacy. These newer regulations can also specify fines, penalties and possible criminal charges that can apply to organizations that do not comply even if no privacy breach occurs. This latter point is important because enforcement is not predicated on an event, but rather can be applied by virtue of an audit or review by the state or an independent authority. In some cases, that may mean an individual (either placid or disgruntled) can bring about an investigation of an organization that they believe may not comply. In short, you are being charged with “doing the right thing” regarding data privacy.

These prescriptive regulations often define very specifically what you must do. Recently passed laws expect organizations that have a business presence in their states, or that have customers, employees, contractors, or business partners who reside in their respective states, to adhere to these regulations. That means that you don’t need to have a presence in the state to be subject to its laws. These specific items often include:

  • Appointment of a person to manage the protection of data privacy
  • A written information security or data privacy policy
  • Training for all employees and business partners regarding the policy
  • A process for reporting and correcting violations

Some states go even further in defining what you must do. Our Data Privacy Compliance offering can help you sort through these regulations and do what is necessary to comply, and therefore protect yourself from litigation or even criminal charges.

Obviously, each state law is applied differently, and as one would expect, each state has been cognizant of an organization’s size and financial position in applying the regulation. That doesn’t excuse any organization from complying with the law, but it does imply that the company must be at least as diligent as “common practices” would dictate.

Our experienced consultants have developed an effective, comprehensive approach to Data Privacy Compliance that will help companies craft a program that can be judged compliant using the backdrop of these common practices based on the industry and organization size.

Description

TAC’s Data Privacy Compliance offering provides a “play book” process that leverages its three phases to help clients develop and execute strategies for effective, sustainable data compliance risk reduction. It should be noted that Phase One is applicable to small organizations with relatively simple privacy requirements and is generally sufficient for their needs. Large and medium-size organizations, or those with complex data or network requirements, would typically need all three phases. The “play book” process and key deliverables are outlined below:

Phase One: Compliance Assessment

These activities will accommodate the common requirements of the recent state laws. Obviously, to be truly compliant, senior management must be uniformly committed to the principles of data privacy, and must be informed and support each of these activities.

Key Deliverables:

  • Data Security Coordinator Job Description and Credentials
  • Information Security and Protection Policy Template
  • Identification of most likely private data repositories (electronic and paper)
  • Assessment of existing data security policies
  • Employee training material and education plan

Phase Two: Technology Plan and Test Exercise

These activities can be completed once the Data Security Coordinator has been appointed and with help from the IT staff and other department representatives from each area where private data may be housed or used.

Key Deliverables:

  • Risk assessment directed toward reduced attack surface
  • Data privacy technology requirements
  • Strategic roadmap for full data privacy protection
  • Capital expense and three-year operating budget for data protection
  • Documented incident management and response plan

Phase Three: Incident Management Planning

With all components (technical and procedural) in place, and key individuals performing at their expected level, these tasks will help confirm the plan’s operation, and can serve as a significant tool in refining and improving the data protection strategy.

Key Deliverables:

  • Results of privacy protection exercises
  • Registration with selected certification resources (if included in the strategy)
  • Drafts of marketing briefs to capitalize on successful data protection program

Target Audience

CIO, COO, CEO, Board of Directors

Penalties for failure to secure private data range from substantial fines to criminal charges levied against senior management, officers and directors. Responses to privacy regulations include technology deployments, process management and education. Many organizations are already doing the necessary things to be compliant, but have not benefited from an independent assessment of that fact. Others need an effective prioritized roadmap to wisely and economically strengthen their security and privacy procedures, so that management can be assured that all the proper pieces are in place for full data privacy compliance.

©2002–2012 The Advisory Council Inc. All rights reserved.