As a company’s managing director or chief executive officer, you do not want to make the front page of any newspaper because your company experienced a data breach. You want, therefore, to ensure that your company has a data privacy monitoring scheme to detect, avoid or manage potential privacy breaches. Stakeholders who think a one-time data privacy audit is all their company needs, and who never pay attention to ongoing data privacy monitoring, often end up with privacy incidents or breaches.
Ongoing monitoring of existing data privacy activities helps an organisation verify that it is doing what it says it is doing with personal data, and that the procedures actually in place match every detail of its written policies.
There are different types of monitoring. The first on the list is compliance monitoring. This type focuses on the collection, use, and retention of the personal information your organisation holds. It ensures that the necessary policies and controls are in place to comply with the Nigerian Data Protection Regulation (NDPR) and, if your company processes the personal data of people in the European Union, with the EU General Data Protection Regulation (GDPR) as well.
Compliance monitoring comes in four common approaches, namely self-monitoring, audit management, security/system management and risk management. These four approaches aim essentially at detecting and correcting violations, supporting enforcement actions within the organisation and evaluating compliance progress frequently.
Your company must keep abreast of laws, regulations and requirements relating to data privacy. These regulations keep changing as technology evolves. You therefore have to keep your ears open to these developments so that your company can track the changes and update its policies accordingly. It is advisable to assign clear roles and responsibilities for owning such tasks.
Another type of monitoring is internal and environmental monitoring, which focuses on vulnerabilities, including physical concerns such as building access and visitor activities. Do you have personnel who monitor these activities within your organisation? If not, you need to factor this into your monitoring scheme. This type of monitoring also addresses insider threats, such as sabotaging, modifying or stealing information for personal gain, as well as cybersecurity threats to your information technology assets.
Stakeholders often ask what the best forms of monitoring are. There is no single answer; the forms below complement one another, and a sound scheme combines several of them.
The first form to consider, for ease of monitoring, is automated tooling. If your company has the budget, you should invest in active scanning tools for network and storage, which identify risks to personal information and monitor for compliance with internal policies and procedures. A good scan may, for example, find files containing personal data stored incorrectly on a network share that is publicly accessible, thus identifying a potential privacy breach before an outsider does. Bear in mind that such tools read the very personal data they are looking for, so their own access and output must be protected, and that they produce false positives until their detection rules are tuned to the data your organisation actually holds. Before you purchase these tools, it is advisable to seek the advice of a privacy professional or your chief privacy officer.
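To make the storage-scanning idea concrete, here is a small scanner added as an illustration; it is not code from the original column or from any vendor’s product. It walks a directory tree, flags files that contain personal-data patterns (an e-mail address and a Nigerian mobile number are used as the only two patterns, an assumption kept deliberately small), and rates a hit as exposed when the file sits under a “public” or “shared” directory or is readable by every user on the system. The sample files it creates are constructed for the demonstration and contain no real records.

```python
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# Illustrative personal-data patterns (assumption: two patterns are enough to
# show the idea; a real scanner carries many more, tuned to the data the
# organisation actually holds, and is reviewed for false positives).
PII_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # Nigerian mobile numbers: 0 or +234, then 70/80/81/90/91..., 11 digits total
    "ng_phone": re.compile(r"(?<!\d)(?:\+234|0)[789][01]\d{8}(?!\d)"),
}

# Directory names treated as "publicly accessible" locations (assumption).
PUBLIC_DIR_NAMES = {"public", "shared", "www", "htdocs"}


@dataclass(frozen=True)
class Finding:
    path: str               # file that contains personal data
    pii_types: tuple        # names of the patterns that matched, sorted
    world_readable: bool    # POSIX mode grants read access to "other"
    public_location: bool   # file lives under a public/shared directory


def detect_pii(text: str) -> tuple:
    """Return the sorted names of the PII patterns found in text."""
    return tuple(sorted(name for name, rx in PII_PATTERNS.items() if rx.search(text)))


def scan_file(path: str, max_bytes: int = 1_000_000) -> tuple:
    """Read up to max_bytes of a file as text and report the PII types found."""
    with open(path, "rb") as fh:
        text = fh.read(max_bytes).decode("utf-8", errors="ignore")
    return detect_pii(text)


def is_world_readable(path: str) -> bool:
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def scan_tree(root: str) -> list:
    """Walk root and return a Finding for every file holding personal data."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dirs = {p.lower() for p in os.path.relpath(dirpath, root).split(os.sep)}
        public = bool(rel_dirs & PUBLIC_DIR_NAMES)
        for name in filenames:
            path = os.path.join(dirpath, name)
            pii = scan_file(path)
            if pii:
                findings.append(Finding(path, pii, is_world_readable(path), public))
    return findings


def high_risk(findings: list) -> list:
    """Personal data that is exposed: in a public location or readable by anyone."""
    return [f for f in findings if f.public_location or f.world_readable]


def relative_paths(findings: list, root: str) -> list:
    """Sorted root-relative paths of the findings, with '/' separators."""
    return sorted(os.path.relpath(f.path, root).replace(os.sep, "/") for f in findings)


def build_sample_tree() -> str:
    """Create a constructed directory tree (sample data, not real records)."""
    root = tempfile.mkdtemp(prefix="privscan_")
    samples = {
        # customer export left in a public share: the classic misplaced file
        ("public", "customers.csv"): "name,email,phone\nAda,ada@example.com,08031234567\n",
        # payroll data kept where it belongs, readable only by its owner
        ("hr", "payroll.txt"): "Staff ID 44, mobile +2348031234567, grade 7\n",
        # ordinary document without personal data
        ("notes", "readme.txt"): "Quarterly planning notes. No customer details here.\n",
    }
    modes = {("public", "customers.csv"): 0o644, ("hr", "payroll.txt"): 0o600}
    for (sub, name), body in samples.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        path = os.path.join(root, sub, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, modes.get((sub, name), 0o600))
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for f in high_risk(scan_tree(root)):
        print(f"EXPOSED {os.path.relpath(f.path, root)}: {', '.join(f.pii_types)}"
              f" (world_readable={f.world_readable}, public_location={f.public_location})")
```

Run as a script it reports only the customer export in the public share; the payroll file still contains a phone number and is listed by `scan_tree`, but it is neither public nor world-readable, so it does not appear in the exposed list. That split between "contains personal data" and "personal data that is exposed" is what keeps a scanner’s report actionable rather than a list of every file in the business.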
For monitoring to be robust, there needs to be auditing, which includes internal and external reviews of people, processes, technology and other aspects of the business. You should determine how often these audits take place within your organisation and, just as importantly, ensure that they do not disrupt your business.
You must also gauge the type of complaints you are receiving. A complaint-monitoring process tracks, reports, documents and resolves complaints from customers, consumers, patients, employees, suppliers and others. Tracking the types and origins of complaints often provides early indicators of areas within the business that need improvement.
What about your controls? Are they built to spot processes that veer away from the agreed data protection principles? Relying on an established set of privacy controls at the operational and programme level, this type of monitoring assesses the design and effectiveness of your controls. Some companies use governance, risk and compliance (GRC) tools to automate their control checks, which helps them run the checks on a schedule and track remediation activity.
Lastly, you must ensure that your human resources department consistently protects employees’ personal information across HR processes. Your company is required to protect employees’ personal data just as it protects customers’ data. As such, investigations into compliance with security and privacy practices should be of particular interest to your human resources team.
Without ongoing monitoring, your company’s data protection framework may collapse. A wise stakeholder will embed a monitoring scheme into the business functions and ensure that monitoring is continuous, scaled to the size of the organisation.
Frontpage February 7, 2020