A Broader Vision of Privacy

by Steve Schlarman, November 10, 2009

Steve Schlarman, IT-GRC Product Manager

Archer recently established a client Working Group for the purpose of discussing regulatory and industry requirements related to data privacy and the need for a broad vision as it pertains to privacy and enterprise governance, risk and compliance. Our recent meeting brought to mind an experience from my past that highlights the need for a comprehensive approach to data privacy.

Several years ago, I was helping a newly appointed CISO get his arms around a very complex and diverse international company’s business. Our objective was to build an understanding of the business to design a long-term information security strategy that could withstand the rigors of a large, multi-national, high-profile company. A primary goal of the CISO, and a critical part of our strategy, was to build a collaborative, multi-disciplinary approach. As part of this effort, we held interviews with many stakeholders across the company, including key executives, business unit managers and other management-level roles that would either influence the security needs or be part of the strategy.

One such discussion was held with a member of the legal counsel whose responsibilities included support for the information technology organization. We had a solid discussion on intellectual property protection, data security, and other topics relevant to data integrity and confidentiality. At one point, we brought up the issue of personal information and privacy. The response we received was this: “Based on the company’s business, very little, if any, personally identifiable information is being collected, and privacy is not an issue.”

Immediately following the meeting, the CISO and I both discussed our misgivings about the organization’s immunity to privacy issues. A quick search on the Internet revealed multiple sites associated with the company that allowed customers to register and provide information for consumer purposes, including one site that targeted children and youth participants. The ensuing investigation exposed a lack of process around marketing-related sites and the fact that many individual business units were contracting services to external parties for these “quick hit” presences on the Internet. The business units were bypassing normal information technology and legal personnel due to a lack of direction on the collection of personal information.

Many times, it’s not just the data collected through key business processes but these outlying situations that can impact a company from a privacy perspective. Organizations must broaden their privacy program to cover not just internal business functions but also third-party services where the privacy of customer data may be at risk. A comprehensive approach to data privacy protection requires collaboration among Privacy, Information Security, Enterprise Risk Management, Human Resources, Legal and Vendor Management teams to ensure a holistic view of the organization’s information assets, technologies, business processes, services and personnel.

Archer’s GRC solution suite includes the many components needed for an enterprise approach to privacy program management—from documentation and measurement through maintenance, tracking and reporting. If you’d like to learn more, I invite you to participate in Archer’s upcoming webcast on Global Privacy Program Management. This event will feature a discussion on the current privacy landscape with Dr. Larry Ponemon of the Ponemon Institute, along with a live demo of Archer’s privacy capabilities led by Senior Product Manager Steve Suther. Here are the details:

Webcast: Global Privacy Program Management
Tuesday, November 17, 2009
1-2 p.m. Central
2-3 p.m. Eastern
Register at https://archer-tech.webex.com/archer-tech/onstage/g.php?t=a&d=552042254


About Sarah Nord (Historical)

As Archer Marketing Communications Manager for RSA, The Security Division of EMC, Sarah Nord oversees the planning, development, delivery and analysis of strategic marketing programs. She also serves as senior writer and editor for RSA Archer marketing content, including web copy, press releases, data sheets, case studies and blog posts. Sarah holds a BA in Professional Writing and an MA in Writing from Missouri State University. She is also RSA Archer Certified.