
5 things CIOs need to know about privacy policy

Lauren Brousell | July 23, 2012
Technology and government policies and regulations are constantly in flux. Here are five tips to help CIOs stay in compliance and avoid getting into hot water.

1. You must revisit policies regularly.
"Criminals are getting enormously sophisticated," said Lisa Sotto, head of the global privacy and information security practice at Hunton & Williams in the U.S. "If you fix your systems based on today's vulnerability, you won't address tomorrow's." Technology and government regulations are constantly in flux, but your own policies need to remain clear, concise and transparent, and they need to match what your systems actually do. Take MySpace's recent troubles with the FTC: inconsistencies between the information it shared with third parties and the rules laid out in its own privacy policy left the company subject to independent privacy audits for the next 20 years. According to Jay Cline, president of Minnesota Privacy Consultants, it's safer and more cost-effective to blend security and compliance policies into a single, integrated framework than to maintain them separately.

2. Consumerisation could create risk.
Having a bring-your-own-device policy means data no longer resides solely behind corporate barriers, so it's "a test for how well CIOs know their company culture and where it draws the line between risk and convenience," Cline said. Sotto emphasised the importance of knowing which company documents may be under a legal hold, meaning an employee must not destroy them even if they sit in personal storage. "It's hard to control that when it's the employee's own device," she said.

3. Employee education is critical.
Cline said training is the best way to mitigate risk, but it "doesn't move the needle of employee comprehensive behavior until it becomes meaningful to specific roles in the company." Agreeing, Sotto said: "It's important to tailor your training to your organisation. Educating consumers is a difficult task, and one I would say is daunting."

4. Regulations are evolving in the U.S.
President Obama has backed the Digital Advertising Alliance process, which would allow consumers to set their own privacy preferences for online tracking. The FTC has also suggested privacy principles for companies to adopt, addressing privacy by design, simplified consumer choice and greater transparency. Sotto suggested consulting a lawyer on how to deal with new or updated government policies like Do Not Track. "Implement best practices now so you don't have to retrofit your systems later," she said.

5. ... and in Europe.
Sotto said CIOs need to keep in mind that in Europe, privacy is a fundamental right, whereas in the U.S., it's a consumer right. In the EU, "you're not allowed to transfer data to a non-adequate jurisdiction," that is, a country the European Commission has not deemed to provide an adequate level of data protection. Sotto said this forces you to ask, "When you store data in the cloud, where is that cloud?" Cline suggested taking webinars to stay updated.

Asia's privacy regimes differ from both of these models, but CIOs at regional organisations still need to track the evolving laws of each country in which they hold or process data.

