This is the third and final article in a three-part series aimed at assisting companies in implementing a data privacy and security program. The first article addressed the importance of adopting such a program, how to put together a good data privacy and security team, cataloging your company’s data and devices, and understanding the data security risks your company faces. The second article discussed limiting data collection and retention practices to your business’s needs, safe disposal methods, securing the data your company collects, monitoring for potential breaches, sharing data with third parties, employee training and employees’ use of personal devices at work.
Document your company’s data privacy and security program
The best defense to a class action lawsuit sparked by a data breach is a well-articulated, well-reasoned and fully implemented data privacy and security program that outlines all policies and procedures impacting data privacy and security. When drafting the program, keep in mind its purpose: to educate regulators, rebuff plaintiffs’ attorneys and inform other third parties about the extensive efforts your company undertook to craft a robust data privacy and security program. Not only is sensitive data at risk, but so too is your company’s reputation for taking seriously its obligation to protect sensitive data. Be sure to involve legal counsel in drafting the program to ensure it complies with the patchwork of laws in the United States and any other country where your company does business. Once the program is in place, revisit it periodically to make sure it remains current in light of changes within your company and evolving data security risks.