Data Privacy Day is a great time to think about how your business collects, stores, manages and uses data.
Personal information about customers, vendors and/or employees may be valuable to your business – but it’s something consumers value, too.
These questions discuss the importance of safeguarding data at your organization, things to consider in protecting this information and how you can foster a culture of privacy awareness at all levels of the organization:
- Why is privacy good for business and why should businesses of all sizes be privacy aware?
Data privacy is good for businesses of all sizes because consumers value their privacy. Nearly 75 percent of Americans feel it is “extremely” or “very” important that companies have “easy-to-understand, accessible information about what personal data is collected about them, how it is used and with whom it is shared.”[1] Consumers will place more trust in a business or organization that respects their privacy. People are more likely to purchase products and services from a company they trust.
- What security measures should organizations follow to protect individuals’ personal info from unwanted access?
First off, the best way to protect data is to collect only what is absolutely necessary. You can only leak what you’ve collected. Also limit access to personal data to the members of the organization who need it. In other words, those who need the data should be allowed to access only what they need, no more.
Second, remember “If you collect it, protect it”. However, security measures are not one-size-fits-all. First, match the security needs to the organization and its capability. Then, critically examine and assess the specific risks to your organization. Finally, align operational and technical means to reduce risk.
Some simple things that can help are keeping a clean machine and educating the staff of your organization so they are Cyber Aware. STOP.THINK.CONNECT.’s Keep a Clean Machine campaign is an ongoing effort to help everyone understand the importance of protecting internet-connected devices from malware and infections – especially malware that connects your devices with botnets. You can learn more here: https://www.stopthinkconnect.org/campaigns/keep-a-clean-machine-campaign
To assist organizations’ Cyber Awareness training programs, the CSIAC has created a series of videos designed to introduce several fundamental cybersecurity concepts. This fast, free, and easy-to-watch video series describes current cybersecurity threats and protections for government, industry and academia. Learn more here: https://www.csiac.org/series/cyber-awareness-videos/
In addition to your privacy and security policies and practices, you need to do your due diligence and monitor any partners and vendors. Organizations are also responsible for how third parties use and collect personal information.
- What should organizations look out for to make sure their vendors and partners are privacy aware?
First, the organization should have a process/policy in place before selecting a vendor or partner, if possible. The policy should ensure that the vendor/partner’s data privacy and security practices align with the organization’s. The third party should have similar policies on how they collect, store, use and share personal information. If you don’t know what your third party’s policies are, ask. This may prompt them to become more privacy aware. Remember, if a vendor or partner’s data is compromised, your data could be too!
- What types of information should organizations share with individuals regarding their data use practices and privacy/security policies?
All organizations should be open and honest about how they collect, store, use and share personal information. Clearly communicate data use practices and any features or settings offered to consumers to manage their privacy. Transparency is key. It is important that every member of the organization and all of its customers understand your privacy and security policies.
- How can businesses creatively and effectively communicate how they use individuals’ info?
A common way criminals may target an organization’s customers is via phishing emails and spoofed web pages. Organizations should tell their customers what to expect from them so the customers can avoid falling for these attempts to steal their information.
- What are the best tactics for educating staff about their roles in and the importance of privacy and data security?
In order to create a culture of privacy in an organization, it is important to educate staff members about their role in privacy, security and respecting and protecting the personal information of colleagues and customers. Creating a cyber awareness campaign that is tailored to the organization is likely to have a profound effect on its success. Not all organizations are susceptible to the same threats. However, every organization’s staff members should know the threats that could impact their organization and how best to mitigate those threats.
Creating education campaigns that are fun or somehow competitive can make fostering the culture of privacy easier. Buy-in from leadership is also important. Make sure that everyone understands why this is specifically important to them and the organization as a whole. A privacy-aware culture will save an organization time, stress, and money. Highlight exactly how, and everyone will jump on board.