By Rajesh Ganesan, Vice President, ManageEngine
With data breach penalties skyrocketing,
many corporations have finally made data privacy a priority, and rightly so.
However, it’s important to remember that privacy does not rest solely on the
shoulders of an organization’s DPO or CISO; in fact, it shouldn’t even fall
solely on the privacy team. After all, the privacy team is typically a small
percentage of the overall organization. Ultimately, data privacy is the
responsibility of every single employee, and this is where the personal privacy
pledge comes in. Essentially, this is a pledge that everyone takes, whereby
they promise to work alongside their co-workers to make data privacy a priority
in their lives.
The best way to avoid hefty fines and keep your
organization secure is to make every single employee feel responsible for data
privacy. At a minimum, everyone should use 2FA, as well as varied, complex
passwords; personal computers should never be left unlocked and unattended at
workstations, and employees should be cognizant of social engineering attacks,
not only while they’re at work but also during non-work hours. A personal
privacy pledge is a promise to do all of these things, and more. It’s an “all hands on deck,” “no man left behind” type of effort.
## Stress education
The first element in the equation is to bring all of your
employees to the same education level. At our organization, it is a huge red
flag if any employee, consultant, or contractor doesn’t know what a “data
processor” or “data controller” does. In fact, we mandate that
teams take periodic quizzes. From the results of these quizzes, we then assign
each team their own “data privacy score,” which is then shared
internally, much like law schools do with students’ test scores. By no
means is this an attempt to shame teams who know less about privacy than other
teams; on the contrary, it’s a way to stress how vital it is that all employees
are on the same page. Although we expect our employees to stay up to date on
data privacy legislation, such as the GDPR and CPRA, we stress privacy
principles rather than laws.
## Emphasize principles
There will always be new privacy laws coming down the
pike. As long as you have the fundamental privacy principles covered, your
organization will only have to make minor changes to account for these new
laws. For example, it’s important that your employees constantly think about data minimization. They should only collect customers’ data that they
absolutely need, and this data should be kept for the shortest amount of time
possible. On the R&D side of things, designers and developers should
consider privacy by design, which is
the notion that it’s important to consider all products’ potential privacy
repercussions from the products’ inception. The personal privacy pledge ensures
that employees keep principles like these top of mind.
## Stay vigilant
This pandemic has reminded us just how important it is to
keep our eyes and ears open. We saw an incredible 6,000 increase in phishing attacks
over the last year, as bad actors rushed to capitalize on workers’ apprehension
and general lack of data privacy knowledge. Again, it’s important that
employees remain vigilant outside of traditional 9-5 work hours as well. As we
work remotely and increasingly use personal devices to access corporate data at
home, it’s vital that we always stay alert. Software solutions equipped with
user behavior analytics can help to identify any anomalous, and perhaps
nefarious, activity on the corporate network. Unusual activity on the network
could very well be the result of a successful phishing attack. The personal
privacy pledge emphasizes how vital it is to be cognizant of these types of
attacks.
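The paragraph above says that user behavior analytics can surface the unusual network activity that follows a successful phish. The following is an added illustration of that idea, not code from the author or from any ManageEngine product: a small baseline-and-deviation check over constructed login events. It learns each user's usual login hours from a history window, then flags later successes that come from an unknown network, fall outside those hours, or follow a burst of failed attempts. The log format, user names, IP ranges and thresholds are all assumptions made for the example.

```python
"""Toy user-behaviour-analytics check over constructed login events.

Builds a per-user baseline from a history window (usual login hours), then
flags later successful logins that break it: a login from a network the
organisation does not recognise, a login far outside the user's usual hours,
or a success that follows a burst of failures (a shape often left behind
after credentials are phished). All log lines, names and networks below are
constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample logs, one event per line:
# "<ISO timestamp> <user> <source IP> <success|failure>"
BASELINE_LOG = """\
2021-03-01T08:55:00 alice 10.20.0.14 success
2021-03-01T09:10:00 bob 10.20.0.31 success
2021-03-02T08:40:00 alice 10.20.0.14 success
2021-03-02T09:05:00 bob 10.20.0.31 success
2021-03-03T09:02:00 alice 10.20.0.15 success
2021-03-03T18:30:00 bob 10.20.0.31 success
2021-03-04T08:50:00 alice 10.20.0.14 success
2021-03-04T09:15:00 bob 10.20.0.31 success
""".splitlines()

RECENT_LOG = """\
2021-03-05T08:58:00 alice 10.20.0.14 success
2021-03-05T03:12:00 alice 198.51.100.7 failure
2021-03-05T03:12:30 alice 198.51.100.7 failure
2021-03-05T03:13:00 alice 198.51.100.7 failure
2021-03-05T03:13:40 alice 198.51.100.7 success
2021-03-05T09:08:00 bob 10.20.0.31 success
""".splitlines()

# Networks the organisation treats as known (assumed for the example).
KNOWN_NETWORKS = [ip_network("10.20.0.0/16")]
HOUR_TOLERANCE = 2   # hours either side of the user's observed window
FAILURE_BURST = 3    # consecutive failures before a success that count as a burst


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, ip, result = parts
        try:
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "ip": ip_address(ip), "result": result})
        except ValueError:
            continue
    return events


def build_baseline(events):
    """Per user, the earliest and latest hour of day at which they logged in."""
    baseline = {}
    for e in events:
        if e["result"] != "success":
            continue
        b = baseline.setdefault(e["user"], {"min_hour": 24, "max_hour": -1})
        b["min_hour"] = min(b["min_hour"], e["ts"].hour)
        b["max_hour"] = max(b["max_hour"], e["ts"].hour)
    return baseline


def detect(baseline, events):
    """Return (user, timestamp, reason) for each successful login that breaks the baseline."""
    findings = []
    failures = defaultdict(int)  # consecutive failures seen per user
    for e in sorted(events, key=lambda x: x["ts"]):
        user, ts = e["user"], e["ts"].isoformat()
        if e["result"] != "success":
            failures[user] += 1
            continue
        b = baseline.get(user)
        if b is None:
            findings.append((user, ts, "no baseline for user"))
        else:
            if not any(e["ip"] in net for net in KNOWN_NETWORKS):
                findings.append((user, ts, "login from unknown network"))
            hour = e["ts"].hour
            if hour < b["min_hour"] - HOUR_TOLERANCE or hour > b["max_hour"] + HOUR_TOLERANCE:
                findings.append((user, ts, "login outside usual hours"))
        if failures[user] >= FAILURE_BURST:
            findings.append((user, ts, "success after failure burst"))
        failures[user] = 0  # a success resets the burst counter
    return findings


def run():
    """Build the baseline from the history window and check the recent window."""
    return detect(build_baseline(parse(BASELINE_LOG)), parse(RECENT_LOG))


if __name__ == "__main__":
    for user, ts, reason in run():
        print(f"{ts} {user}: {reason}")
```

Run as a script it reports only the 03:13 login by alice, which trips all three checks at once; her normal 08:58 login and bob's activity stay quiet. A real deployment would replace the fixed hour window with per-user distributions and feed findings into the incident response queue rather than printing them, but the shape of the check, a learned baseline and a small set of explainable deviations, is the same.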
It is worth emphasizing that the personal privacy pledge
isn’t an effort to control your employees’ behavior; in fact, the pledge is
effective because it empowers the
individual employee. Over time, through education, awareness, and a focus on
principles, data privacy considerations become second nature for all employees.
Although the personal privacy pledge may seem daunting at first, because it begins with a steadfast
commitment to privacy, it quickly becomes a relatively effortless endeavor.
So, have your employees take the pledge; this time next year, you’ll be happy
you did.
## ABOUT THE AUTHOR
Rajesh Ganesan is the Vice President of Product at ManageEngine, a division of Zoho
Corporation. He has over 20 years’ experience in building enterprise IT
products around security, access management, and service management. He spends
as much time as possible interacting with thousands of customers around the
world and is passionate about solving IT problems with a simple, yet effective,
approach. He has built many successful products at ManageEngine, focusing on
delivering enterprise IT management solutions as SaaS.