January 28th is Data Privacy Day and I’ve been thinking a lot recently about how Data Privacy applies to businesses.
It started with a quote from the Sony chief executive Michael Lynton about how there was “no playbook” on how to respond to the recent massive hacking of Sony information from every department of the company.
And, if you’ll pardon the language, that is absolute crap. One security consultant has suggested that Lynton’s comments might have been an attempt at damage control after several lawsuits from employees and former employees have been launched. They should have been better prepared.
Data Privacy Playbook for Business
There is a data privacy playbook for business. Most of the tools are free and readily available.
If you own a B.C. business and you only deal with B.C. customers, your business is governed by the Office of the Information and Privacy Commissioner of British Columbia and the PIPA law. If your business deals with clients all over Canada, you fall under the federal law, PIPEDA. The two laws are very similar. If you do everything you should be doing to protect your business data under PIPA, you will be safe under PIPEDA (check with your lawyer for the finer details; checking with a lawyer is part of the data privacy playbook).
The privacy commissioner's office in B.C. has posted a ton of checklists, assessment tools and other useful material on its web site.
But I will break this down for you in some simple steps.
- Audit the information you store: what do you store, how and where do you store it, and how long do you keep it?
- Check with your lawyer that what you found in step one complies with provincial law, federal law and the laws of any other countries you operate in.
- Create a training program for your employees on the privacy rules/laws that you must follow. Designate a privacy officer in the company.
- Have the privacy officer educate, and obtain compliance from, your subcontractors, vendors and any other third parties who might have access to your company information.
- Audit your technology for adequate security. You need an IT consultant who knows about the data laws and IT security.
- Create a data breach disaster recovery plan. Get a PR specialist to help you craft how you notify customers and suppliers of a breach.
- Review your privacy plan every three years.
Go through all these steps and you can say you’re smarter than the CEO of Sony.