Many states have recently passed legislation designed to prevent exploitation of an individual's private data. Following the path forged by the Health Information Portability and Availability Act ("HIPAA"), private data has expanded from Personally Identifiable Information containing health and medical information to information that points to any specific financial or demographic data that is not explicitly publicized by the individual.
Data Privacy Compliance
The ITPMG Data Privacy Compliance offering provides a "Play Book" process that leverages its three phases to help clients develop and execute strategies for effective, sustainable data compliance risk reduction. It should be noted that Phase One is applicable to small organizations with relatively simple privacy requirements and is generally sufficient for their needs. Large and medium size organizations or those with complex data or network requirements would typically need all three phases. The "Play Book" process and key deliverables are outlined below:
Target Audience
CIO, COO, CEO, Board of Directors
Penalties for failure to secure private data range from substantial fines to criminal charges levied against senior management, officers and directors. Response to the privacy regulations includes technology deployments, process management and education. Many organizations are already doing the necessary things to be compliant, but have not benefited from an independent assessment of that fact. Others need an effective prioritized roadmap to wisely and economically strengthen the security and privacy procedures so that management can be assured that all the proper pieces are in place for full data privacy compliance.
These activities will accommodate the common requirements of the recent state laws. Obviously, to be truly compliant, senior management must be uniformly committed to the principles of data privacy, and must be informed and support each of these activities.
As a result of these state laws and regulations, organizations are now charged with implementing procedures and deploying resources that provide for protecting what has been termed private data at rest, in transit and during use. In some instances, these restrictions apply to both physical (paper) data and electronic data elements.
In many cases, these state laws are punitive in that they define and assess fines, penalties and possibly criminal charges that may be attributed to any failure to protect the data privacy of individuals or organizations. The recent filings have also been prescriptive in that they define what should be done to help protect this data privacy. These newer regulations can also specify fines, penalties and possible criminal charges that apply to organizations that do not comply even if no privacy breach occurs. This latter point is important because enforcement is not predicated on an event, but rather can be applied by virtue of an audit or review by the state or an independent authority. In some cases, that may mean an individual (either placid or disgruntled) can bring about an investigation of an organization that they believe may not comply. In short, you are being charged with "doing the right thing" regarding data privacy.
These prescriptive regulations often define very specifically what you must do. Recently passed laws expect organizations that have a business presence in their states, or that have customers, employees, contractors, or business partners who reside in their respective states, to adhere to these regulations. That means that you don't need to have a presence in the state to be subject to its laws. These specific items often include:
• A person appointed to manage the protection of data privacy
• A written information security or data privacy policy
• Training for all employees and business partners regarding the policy
• A process for reporting and correcting violations
Some states go even further in defining what you must do. Our Data Privacy Compliance offering can help you sort through these regulations and do what is necessary to comply, and therefore protect yourself from litigation or even criminal charges.
Obviously, each state law is applied differently, and as one would expect, each state has been cognizant of an organization's size and financial position in applying the regulation. That doesn't excuse any organization from complying with the law, but it does imply that the company must be at least as diligent as "common practices" would dictate.
Our experienced consultants have developed an effective, comprehensive approach to Data Privacy Compliance that will help companies craft a program that can be judged compliant using the backdrop of these common practices based on the industry and organization size.
Phase One: Compliance Assessment
Key Deliverables
• Data Security Coordinator Job Description and Credentials
• Information Security and Protection Policy Template
• Identification of most likely data privacy repositories (electronic and paper)
• Assessment of existing data security policies
• Employee Training material and education plan
These activities can be completed once the Data Security Coordinator has been appointed and with help from the IT staff and other department representatives from each area where private data may be housed or used.
Phase Two: Technology Plan and Test Exercise
Key Deliverables
• Risk assessment directed toward a reduced attack surface
• Data privacy technology requirements
• Strategic roadmap for full data privacy protection
• Capital expense and three-year operating budget for data protection
• Documented incident management and response plan
With all components (technical and procedural) in place and key individuals performing at their expected level, these tasks will help confirm the plan's operation and can serve as a significant tool in refining and improving the data protection strategy.
Phase Three: Incident Management Planning
Key Deliverables
• Results of privacy protection exercises
• Registration with selected certification resources if included in the strategy
• Drafts of marketing briefs to capitalize on a successful data protection program