For many, privacy is about managing the risk of a data breach, primarily from external hackers. Important as this exposure element is, it is just one element of a comprehensive privacy program. Private and public sector organisations have an extensive number of partnerships, both large and small, in which the partners have access to sensitive and personal data; data that is entrusted to the organisation by its customers, and data of the organisation’s employees. Given this more holistic perspective on privacy, critical questions an organisation should ask include whether each of its partners can be trusted to protect the privacy of its customers and employees, and how that trust is earned and validated.
There is also a relevant question of trust regarding the information technology (IT) equipment and applications that are used to capture, store, process, share, and ultimately delete personal data. Is each product or application that touches data designed to ensure that personal data remains private? Additionally, as IT systems share personal data, how is privacy ensured across systems; that is, is there an unbroken chain of custody? Moreover, do the answers to these questions vary if the system is virtual—only “live” for a period of time, and potentially in a data centre that is partially to fully outside the control of the data-owning organisation (e.g., private cloud versus public cloud)? Also, in the world of IT systems, how trustworthy are the external parties that have access to IT equipment, either locally or remotely, to administer, diagnose, repair, and upgrade? How is privacy ensured in those circumstances?
Continuing on the theme of IT equipment, all equipment is eventually retired. In some cases, the equipment has become technologically obsolete or is beyond repair; it has little to no residual value. In other cases, the equipment can be placed in the secondary market for resale. Regardless of disposition, personal data may be stored on that equipment. How is privacy protected when IT equipment moves from one life chapter to the next?
As these questions highlight, personal data is vulnerable to exposure and compromise, in multiple contexts, involving multiple parties. Consequently, a holistic approach to privacy is necessary and must be practised—and practised diligently. This, to say the least, is no small order; and for many companies that are entrusted with or indirectly come in contact with personal data, it represents a cultural change.
To keep reading, download the whitepaper below.