Eye on Privacy: Scrutinize Your Privacy Process
If you haven’t had time to keep up with the ever-changing privacy landscape (or have had your head buried in the sand waiting for the privacy issue to go away), now is a good time to assess how your company says it protects privacy—and how it actually does.
With new legislation in recent years changing the way companies must do business, the money it’ll cost to double-check your privacy practices could be dwarfed by what you might pay in fines.
Perhaps the best way to assess your risk is to conduct an audit of your privacy practices. According to Brian Tretick, a principal at Ernst & Young and leader of the company’s privacy assurance and advisory services, securing your business’ privacy need not be excruciating, nor even a lengthy process.
First, determine what you want to get out of a privacy audit.
“One [goal] could be for management to understand risk and exposure when processing personal information,” explains Tretick. “Another could be … to demonstrate competence to other stakeholders, or directly to consumers.”
Evaluating your entire company’s privacy practices all at once is impractical. Decide on your goal, then determine the scope and level of rigor.
“Is it your customer service capabilities?” asks Tretick. “Your direct marketing? Your Web components? Your enterprise systems?”
Now that you’ve focused your efforts, decide how closely you’ll look. There are essentially three levels of rigor, according to Tretick, which can be broken down as follows:
1. Top level, which entails ensuring that there are policies in place. This is the most basic level and shows that there’s something to work with.
2. Policy assessment, which involves reviewing the policies that are in place and finding where they need improvement, or where the controls that are in place can be improved. Are they designed effectively?