Creating private data regulations for employees
Tue, 20th Oct 2020

Data breaches are at an all-time high. Even as more cases are reported, employees remain the weakest link in the data protection chain.

Data privacy should be a top priority for every organisation, irrespective of its size or service line. In any organisation, the HR department plays a vital role in training and managing the workforce. Likewise, the department should be involved in data privacy training and the formulation of data privacy regulations.

Whether employees are hired on a part-time or full-time basis, everyone must know about data privacy regulations. Everyone needs to be responsible for keeping the organisation's data secure.

Here is a guide to where organisations should start if they are considering creating private data regulations for employees.

Train employees in data privacy

Although employees are the weakest link in the cybersecurity chain, they can also be the first line of defence against breaches.

Creating private data regulations for them will go a long way in ensuring that they play an active role in securing the data environment. However, it's helpful to start by training them about data privacy and what it entails.

They should be aware of the data privacy laws and regulations that apply to businesses in their industry and the enforcement actions that non-compliant businesses face. Communicate the significance of data privacy to them since they play a crucial role in protecting their data as well as the organisation's data.

Have a personally identifiable information privacy policy in place

Every organisation collects, stores, and transmits sensitive personal data and personally identifiable information (PII). Even so, few employees can tell the difference between the two.

With such knowledge lacking, it will undoubtedly be challenging to create and enforce data regulations for employees. This highlights why they should be able to distinguish PII from sensitive personal data.

PII comprises information that can be used to identify an individual. This includes:

  • Full names
  • Location data (including IP address)
  • An identification number
  • Online identifiers such as cookies
  • Any other factor that relates to the economic, genetic, social, or physical identity of an individual

On the other hand, sensitive personal data is related to:

  • An individual's political opinions
  • Details of his/her ethnic or racial origin
  • Religious beliefs
  • Biometric information
  • Health records
  • Payment card data

If your organisation handles either of the two sets of data, employees should know how they can protect the data from getting into the wrong hands. It all starts with creating private data regulations for them to follow.

Create awareness about emerging changes in data privacy laws

Every year, new data privacy laws emerge. Similarly, changes are regularly made to existing regulations to bring them up to speed with trends in the information security sphere.

It will be challenging to create data privacy regulations for employees if they are not apprised of emerging laws. The organisation should stay informed about the ever-changing regulations so that the regulatory landscape does not shift under its feet.

Implement data privacy best practices

Even though the regulatory landscape is fluid, organisations must observe and implement data privacy best practices. Some of the best practices to employ to create private data regulations at an organisation include:

Looking at private data holistically

Breaches can emerge from any part of the data environment. Consequently, organisations should consider data privacy as a company-wide undertaking rather than something confined to the IT department.

Mapping data

Data can only be secured if there is a clear picture of where it's stored, who has it, and how it's transmitted.

Vetting vendors

Ensure that vendors who collect and process PII on the organisation's behalf have implemented adequate data privacy and security measures.

Reviewing your regulations and practices regularly

Organisations can only keep up with advances in the data privacy industry if they know where they stand as far as their internal data privacy practices are concerned. Undertaking regular reviews of regulations will help pinpoint security gaps that ought to be addressed.

Establish incident reporting structures

Most organisations don't have incident reporting policies in place. As a result, employees tend to ignore reportable privacy incidents that end up causing costly breaches. Therefore, it's best to establish incident reporting structures and policies so that employees know what to do in case reportable incidents occur.

For instance, employees should know who to report to if they find sensitive information lying in full public view near a printer. If there's a chain of command in place, such incidents will be reported to the relevant individuals and addressed immediately before they lead to severe incidents.

With the increasing number of breaches, the significance of robust cybersecurity policies and measures cannot be overstated. Organisations need to formulate their own in-house data privacy regulations to prevent breaches and protect their standing in the industry.