B.C. Information and Privacy Commissioner Michael McEvoy says a customer’s trust is one of the most valuable assets a business of any size can have.
“Protecting people’s personal information is crucial to maintaining that trust,” McEvoy said. “Organizations need more than good intentions to achieve this – they need a plan.”
He said the OIPC’s PrivacyRight program offers businesses a step-by-step guide to building a comprehensive privacy management program.
So, what are the top 10 things businesses should be looking at to protect customers’ personal information?
1. Assign a privacy officer: Depending on the size of your business, this might be you, but someone must be designated to oversee how your organization handles personal information and to respond to privacy questions or complaints.
2. Know what you have: Conduct an inventory of all the personal information in your custody, why you have it, how sensitive it is and where it’s stored.
3. Assess risk: Determine whether you have adequate security safeguards in place to protect the personal information in your custody.
4. Write privacy policies that people can understand: Keep it straightforward and in plain language, not “legalese.”
5. Develop and follow a records retention schedule: Don’t hang on to personal information that no longer serves a legitimate business purpose.
6. Develop a breach management plan: Having a breach management plan in place before anything goes wrong means that if you do suffer a privacy breach, you can contain it, mitigate its worst effects and work quickly to rebuild customer trust.
7. Train and train again: Make privacy a part of your training protocol for employees. (See the OIPC’s PrivacyRight program for a host of resources suitable for this purpose.)
8. Hire someone to test your defences: Hiring someone to do penetration (“pen”) testing – simulating a cyberattack on your systems and the data they hold – is one way to see how well your defences would hold up against an actual attack.
9. Know your partners: Banks are highly regulated, and that regulation confers a level of trust, but the same isn’t always true of data storage providers. Thoroughly research anyone who will be handling your customers’ data.
10. Review and revise: Privacy threats are ever-changing, so it’s important to ensure that your privacy policies, safeguards, breach response plans and training are updated regularly.
— With thanks to the Office of the Information and Privacy Commissioner for compiling the list at the request of Glacier Media.