Learn more here, and get your free data privacy toolkit
This year, the National Cybersecurity Alliance has made a landmark decision to extend annual Data Privacy Day. For the first time, it is now Data Privacy Week, scheduled for January 24-28, 2022. The move recognizes the growing importance of data privacy by encouraging businesses to protect customer data and individuals to manage their personal information.
Become a Champion of Data Privacy Week and receive a free toolkit full of useful materials to help you promote privacy within your organization. Champions include companies and organizations of all sizes, as well as hospitals and healthcare providers, schools and school districts, colleges and universities, nonprofits, and government organizations.
There is also a Champion program for individuals—because we each play a role in protecting our own personally identifiable information (PII).
Importance for Businesses
Nearly 80% of adults are concerned about how companies actually use their personal information, according to a recent study by the Pew Research Center. The National Cybersecurity Alliance recommends several actions organizations can take to reassure customers, clients, patients, and other stakeholders that their personal information is respected and protected. These actions include:
- Conduct a data privacy assessment.
- Adopt and implement a privacy framework.
- Educate and train your employees.
Action: Conduct a Data Privacy Assessment
The National Cybersecurity Alliance recommends that all organizations, even smaller businesses, conduct a data privacy assessment. This should include a review of procedures for the collection, processing, use, storage, transfer, and destruction of sensitive data.
Every organization should know exactly which privacy laws and regulations apply to them, and what actions must be taken as a result. Regulations range from global, such as the European General Data Protection Regulation (GDPR), to federal regulations including HIPAA, GLBA, PCI DSS, Sarbanes-Oxley, CMMC and others, to the California Consumer Privacy Act and a growing body of similar state laws.
In addition to adhering to applicable privacy regulations, the NCA advises organizations to follow reasonable security measures to safeguard individuals’ personal information from inappropriate and unauthorized access, and to make sure it is only collected for relevant and legitimate purposes.
Any organization who engages third-party vendors, partners, or other stakeholders to provide services is additionally responsible for how those third parties collect and use individuals’ information. Your data privacy assessment should encompass their data procedures and systems as well as your own.
Like security risk assessments, data privacy assessments require a baseline assessment to be followed by periodic reassessments.
Action: Adopt a Privacy Framework
Adopting an appropriate data privacy framework is fundamental to managing risk and creating a culture of data privacy within your organization. There are several privacy frameworks available to suit most organizations.
The NIST Privacy Framework, developed by the National Institute of Standards and Technology (NIST), follows the structure of the Cybersecurity Framework to enable organizations to easily use both. Like the Cybersecurity Framework, the Privacy Framework has three parts: Core, Profiles, and Implementation Tiers. Each component reinforces privacy risk management through business and mission drivers, organizational roles and responsibilities, and privacy protection activities.
ISO/IEC 27701 is the data privacy extension of the globally recognized security framework, ISO 27001. ISO/IEC 27701 guides the management of risks related to Personally Identifiable Information (PII) and provides a framework for managing data privacy. ISO 27701 also aids organizations in complying with the European Union’s General Data Protection Regulation (GDPR) and other data privacy requirements.
Numerous other frameworks are available and should be reviewed before you decide which is most appropriate for your organization.
Action: Train Your Employees
The National Cybersecurity Alliance also recommends creating a culture of privacy in your organization through employee training. Training begins with sharing your privacy policy and procedures. An excellent technique is to engage employees by asking them how privacy and data security apply to the work they do each day. Awareness is central to creating your culture of privacy.
New employees should be oriented in your organization’s privacy culture during onboarding, and of course privacy and cybersecurity awareness training should be refreshed and repeated periodically for all employees.
Finally, try to create an environment in which everyone feels they have an important role to play in keeping data private—because they do. And because we all learn differently, offering a mix of online training, classroom training, interactive webinars, and other training formats provides something for everyone.
Act Now to Become a Data Privacy Champion
The Data Privacy Champion program is your first step in preparing for Data Privacy Week 2022. It’s easy to become a Data Privacy Champion, and no financial support is required.
Becoming a Champion gives you access to a suite of tools and materials that will help you promote data privacy throughout your organization, and among your third-party vendors, all year long. Join 24By7Security today in advocating for data privacy—and watch this blog for additional information!