Data Privacy in a Data-Driven World

Bibliographic details
Published in: Pennsylvania CPA Journal 2019-07, Vol.90 (2), p.8-9
Main author: Fair, Eric
Format: Article
Language: eng
Description
Summary: With the introduction of data privacy laws such as the European Union's General Data Protection Regulation and the California Consumer Protection Act, organizations are being told to reduce the risk of misuse of personal data by collecting only the data required for business purposes and then deleting or anonymizing the data when it is no longer needed. Penalties for noncompliance are the greater of up to €20 million or 4 percent of the organization's global revenue. Since May 25, 2018, there have been 206,326 cases reported by supervisory authorities from 31 European Economic Area countries, with 94,622 of these related to complaints, while 64,684 were initiated by data breach notification. Here are some steps to help establish a foundation for a strong data governance and privacy program:
* Continuously assess the latest frameworks, standards, and best practices for data privacy and governance.
* Implement a strong data governance and privacy framework (see below).
* Deploy resources (technological and personnel) to identify the use of sensitive data.
* Understand the latest information related to critical vulnerabilities (i.e., US-CERT).
* Establish and continuously audit and advance the internal control framework related to data privacy.
* Educate personnel about their responsibility for data privacy and protection, and about the data life cycle (how data is collected, used, stored, disclosed, archived, and destroyed).
ISSN:0746-1062