With fast-paced changes in the digital ecosystem and varied responses of governments in our global economy, cybersecurity planning is more important — and more complex ― than ever. However strong your defenses, criminals are always probing for weaknesses in large and small businesses alike.
A robust cybersecurity plan helps you prepare to handle these evolving threats. It outlines the procedures that protect your organization against risks, threats, and vulnerabilities. It should also address how you handle user data. If your business collects or processes consumer data of any kind, these two policies are must-haves for your cybersecurity plan.
Think of this as your documented standards for how you communicate your data collection process with your customers and empower them to exercise their rights to control how their personal information is used. These legal rights vary from place to place, so this is where things can get a little murky. Research may be the last thing you want to do, but it’s best not to skip it. A little due diligence beats the potential consequences of ignoring these relatively new laws.
Generally speaking, the EU’s General Data Protection Regulation (GDPR) standards are the most strict, but Bloomberg Law’s new data privacy law comparison is a great way to get familiar with relevant U.S. and EU laws (without giving yourself an aneurysm). It’s in plain language and their charts make the information easy to parse and compare. This is something your customers will also appreciate in your company policies.
Just like you, your customers care about their data and shouldn’t need a law degree to know how and why their data is being collected and shared. There are many great examples of privacy policies that do this well, and resources like Workable’s GDPR privacy policy template for creating your own framework.
Get advice from a legal professional to ensure your information is both accurate and clear. Aim to communicate at a high school reading level. These usability and web accessibility tips from Yale can help. You can apply them to your other web content as well.
To protect your business and reinforce trust with your customers, proactive transparency goes a long way. According to the International Association of Privacy Professionals (IAPP) Privacy and Consumer Trust Report, “Globally, only 29% of consumers said it is easy for them to understand how well a company protects their personal data.”
In addition to being readable and easy to locate, your policies should make it easy to identify:
What types of information you collect
Who processes consumer information
How and with whom you share information
How long you keep consumer data
What your incident response plan is
The GDPR and California Consumer Privacy Act (CCPA) both require that businesses respond to “right of access” requests from consumers, employees, and third parties. With that in mind, putting your company’s contact information in a prominent place on your website is a good place to start. Include your documented process for responding to these requests in your privacy policy.
According to expert tips published in Compliance Week, establishing how you’ll verify the identity of the person requesting their data, data mapping, and adjusting your workflows are key to preparing for data subject access requests (DSARs).
Think of this as your internal standard operating procedures (SOPs) for handling data. Like your outward-facing communication, it should make your standards and processes clear to your team.
Set your business up for success with practices that reinforce security-conscious practices with your team. Try implementing the following to boost your organization’s resilience to potential cyberattacks:
Two-factor authentication for logins
Requiring routine password updates
Regular software updates
Proactive cybersecurity training to keep your team on the same page
Periodic review and updating of security SOPs
Consider a professional software audit to pinpoint weak points in the code you rely on before integrating new software with aging or outdated systems.
To build trust with your customers — and avoid information request headaches — don’t collect data that isn’t relevant to providing what your organization offers.
Decide how long you’ll retain that data, and don’t keep it any longer than necessary.
According to an IAPP article’s guidelines for a GDPR-compliant retention policy, “records of processing activities encourage you to group data by type of individuals, data categories and relevant purposes, and it is prudent to relate retention times to such processing activities.”
If you use cookies for analytics, taking an opt-in approach aligns with stricter GDPR guidelines. CCPA and other state laws only require that consumers are able to opt out of data collection. In either case, a prominent cookie banner that asks a user to make a conscious decision about their data helps you avoid accidental violations.