Over the past several weeks I have worked with clients and students who have asked whether the Privacy Office should have responsibility for an organization's overall information protection program. My answer is a resounding "Yes", and I give it without first asking about culture, organizational structure, or other considerations.

Privacy and Information Protection have common basic requirements

When you consider the basic steps for establishing a privacy initiative, they are congruent with those for establishing an overall information protection program. Consider some simplified, typical activities:

  1. Perform an information inventory;
  2. Identify the legal, contractual, and organizational data protection requirements;
  3. Define information classification standards;
  4. Define protection standards for each classification;
  5. Publish, train, and start using the standard;
  6. Identify the gaps and set up remediation plans.

From a high level, the steps for personal information and for other organizationally protected information are the same, so at a minimum you should combine the efforts to set up the programs. When you consider that the practices and technologies used to protect all of this information are almost identical, it only makes sense to bring the privacy and information protection programs together.

An added benefit is the creation of a single information protection standard. This will simplify life for your organization's employees. They will not have to worry about one standard for personal information and another for everything else collected.

Leave the information protection implementation details to the proper departments

You may wonder, "what about the specifics of protecting information?" Move these details into standards, procedures, and guidelines that support the overall information protection and privacy policy. There are several benefits to this approach:

  1. Supporting documents may be created and maintained by the appropriate departments, such as IT, Security, or Human Resources. Involving individual departments in the formation of your program makes it easier to get their buy-in.
  2. As business, technology, regulatory, and environmental conditions change, your organization will only need to modify the affected supporting documents, not the policy itself.
  3. Policy changes usually require executive approval, but supporting documents are usually approved through a less intensive process.

Combine Privacy and Information Protection Governance

An added benefit is simplified oversight. By creating a joint Privacy and Information Management Steering Committee you will, at a minimum, bring labor savings to your organization.

By combining the oversight committees for information protection and for the use of personal information, you eliminate one committee. This means one less meeting for your executive members and removes the need to synchronize the two teams' activities. It also gives the staff supporting these committees back the time they previously spent preparing the same information for two presentations.