Over the past several weeks I have worked with clients and students who have asked whether the Privacy Office should have responsibility for an organization’s overall information protection program. The question usually gets a resounding “Yes” as a response, without anyone asking about culture, organizational structure, or other considerations.
Privacy and Information Protection have common basic requirements
When you consider the basic steps for establishing a privacy initiative, they are congruent with those for establishing an overall information protection program. Consider some simplified, typical activities:
- Perform an information inventory;
- Identify the legal, contractual, and organizational data protection requirements;
- Define information classification standards;
- Define protection standards for each classification;
- Publish, train, and start using the standard;
- Identify the gaps and set up remediation plans.
From a high level, the steps for personal information and for other organizationally protected information are the same. So, at the very least, you should combine the efforts to set up the programs. When you consider that the practices and technologies used to protect all of this information are almost identical, it only makes sense to bring the privacy and information protection programs together.
An added benefit is the creation of a single information protection standard. This will simplify life for your organization’s employees. They will not have to worry about one standard for personal information and another for everything else collected.
Leave the information protection implementation details to the proper departments