It is without doubt that the COVID-19 pandemic forced some of the most significant changes in society, business and workforce practices in the last century. With billions of consumers and workers driven online, businesses adapted and accelerated their digital strategies. As staff worked remotely and scammers capitalised on the explosion of e-commerce, so, too, were weaknesses in privacy strategies exposed.
Following this time of great change and in a rapidly growing digital economy, the review and renewal of an organisation’s privacy program is critical. So, what are some of the ways an organisation can build and refresh for a more robust and adaptable privacy program?
Step 1 – Implement a Privacy Program Review
The first step towards renewal is a thorough review of an organisation’s current position. Such audits can include a privacy:
- Risk Assessment
- Impact Assessment
- Audit/assessment and,
- Evaluation of the Number and Type of Incidents
Step 2 – Understand New Legal, Regulatory and Privacy Obligations
Regular reviews ensure that a privacy program addresses both the current and evolving landscape driven by complex legislation and regulations across the jurisdictions the business may operate in, as well as the privacy and security risks associated with new technologies and changing business practices.
Beyond privacy legislation requirements, organisations should also regularly review how they can best protect and meet growing customer expectations.
Step 3 – Resourcing Skilled Teams
Staffing effective privacy (and security) teams requires a range of skills including security, compliance and legal expertise, experience in privacy frameworks and controls, hands-on experience in a privacy role, and security and technical expertise in current and emerging technologies and applications. Most organisations in Australia are small to medium size enterprises and will not have dedicated privacy teams, which is where the security and privacy functions in an organisation often converge.
The current shortage of skilled staff present challenges for hiring managers but a range of creative solutions may help resolve this issue:
- Retrain suitable candidates from other departments within the organisation
- Offer inhouse career development opportunities to lift hands-on experience
- Sponsor professional accreditation, education and training
- Fund ongoing reskilling and training programs
Step 4 – Privacy by Design
Organisations that implement privacy by design go beyond compliance-driven privacy programs. When implementing this best practice in data privacy and compliance, organisations are more highly regarded and trusted by customers, shareholders and board of directors.
Some additional privacy and security controls that go beyond legal requirements include:
- Identity and Access Management
- Data Security
- Data Loss Prevention
- Incident Response Plan
- Policy Management
- Third-party Risk Management
- Cryptographic Protection
- Data Minimisation and Retention
- Data Quality and Integrity
- Use Limitation
Privacy is never going to be a set and forget investment for business just as security is not. New challenges will appear. Old ones will morph and evolve. Governments will implement new legislation and regulations to address new technologies and practices. Community expectations will demand more. The organisation that either has the skills and resources to adapt to the privacy challenges ahead, or that recruits appropriate and credentialed third parties as and when required, will thrive and survive.
Privacy in Practice 2022 report, sponsored by OneTrust.