Monitoring a privacy programme
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of the Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
March 14, 2022
Monitoring is key in every data privacy framework. Continual observation of the programme is pivotal to a company’s privacy programme. Business function leaders and every stakeholder within the company must test some of the workings of what has been implemented. Yet many stakeholders fail to monitor what has been created and leave new processes to “rot”.
Privacy depends on a lot of components within the business—information security, human resources, marketing, customer success, customer relations etc.—and therefore needs consistent monitoring. What areas, therefore, need monitoring?
Sometimes, many stakeholders would argue that only business areas with “high risk” processes should be monitored. However, I would argue that that’s a flawed way of looking at privacy monitoring because monitoring is much more than monitoring business processes alone. It also entails monitoring staff and how they handle, behave and work with information in their possession. Privacy professionals, however, in a bid to prioritise workflow, would first focus on business processes.
Business process monitoring consists of collecting the metrics created by business processes, examining those metrics, transforming them into key risk and key performance indicators, and reporting these indicators to management. This helps the privacy professional determine what needs to be monitored and what needs to be improved. Each business process must be measured so that management knows how many events of each type—expected and unexpected—occur in any given period.
It is much more than a numbers game. For example, a human resources department keeps experiencing errors where its staff send out pay information and home addresses of employees to third-party companies. This has happened three times. The human resources department needs to retrace its steps, carry out a root cause analysis and figure out why these errors keep recurring. More importantly, there needs to be a check on staff training and on what needs to be done to stop these errors from recurring.
The logging of privacy- and security-related events and the proactive monitoring of these logs are considered essential in privacy practice. These activities help an organisation detect an array of activities, from misbehaviour by an employee to an active attack by a cybercriminal.
In my experience, this event monitoring also feeds into building a new strategy companies can employ in the treatment of privacy risks. Monitoring activities related to data access can help any organisation identify improper uses of personal information. This kind of monitoring has historically been practised by highly regulated organisations; however, more organisations are now implementing it and getting results from it.
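As an added illustration of the two monitoring ideas above (turning repeated incidents into a key risk indicator, and checking data-access events for improper use), here is a small example that is not part of the original column. It runs over constructed key=value log lines; the data-ownership map, the event names and the three-repeat threshold taken from the HR example are assumptions for illustration.

```python
from collections import Counter

# Constructed sample log lines (not from the article): one privacy-relevant
# event per line, in a simple key=value format a monitoring pipeline might emit.
SAMPLE_LOG = """\
2022-03-01T09:12 dept=hr actor=hr.alice event=disclosure_to_third_party data=payroll
2022-03-02T11:40 dept=hr actor=hr.bob event=data_access data=payroll
2022-03-03T14:05 dept=marketing actor=mk.carol event=data_access data=payroll
2022-03-04T10:30 dept=hr actor=hr.dan event=disclosure_to_third_party data=home_address
2022-03-07T16:22 dept=hr actor=hr.alice event=disclosure_to_third_party data=payroll
2022-03-08T08:15 dept=customer_success actor=cs.eve event=data_access data=customer_profile
"""

# Assumed for illustration: which department owns each category of personal data.
DATA_OWNER = {"payroll": "hr", "home_address": "hr", "customer_profile": "customer_success"}

# The article's HR example: the same error recurring three times warrants root cause analysis.
REPEAT_THRESHOLD = 3


def parse_log(text):
    """Parse key=value log lines into event dicts; lines missing required fields are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        event = {"ts": parts[0]}
        for token in parts[1:]:
            if "=" in token:
                key, value = token.split("=", 1)
                event[key] = value
        if all(k in event for k in ("dept", "actor", "event", "data")):
            events.append(event)
    return events


def disclosure_kri(events, threshold=REPEAT_THRESHOLD):
    """Key risk indicator: third-party disclosures per department, flagged once the
    count reaches the threshold that should trigger a root cause analysis."""
    counts = Counter(e["dept"] for e in events if e["event"] == "disclosure_to_third_party")
    return {dept: {"count": n, "root_cause_needed": n >= threshold} for dept, n in counts.items()}


def improper_access(events, owners=DATA_OWNER):
    """Flag access to a personal-data category by an actor outside the owning department."""
    return [(e["ts"], e["actor"], e["data"]) for e in events
            if e["event"] == "data_access" and owners.get(e["data"]) not in (None, e["dept"])]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print(disclosure_kri(evts))   # {'hr': {'count': 3, 'root_cause_needed': True}}
    print(improper_access(evts))  # [('2022-03-03T14:05', 'mk.carol', 'payroll')]
```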
Companies can either employ the services of an external auditor to carry out this monitoring or set monitoring standards within their organisation to ensure that controls and procedures are working to meet their privacy goals. It is key in any privacy strategy to create a monitoring scheme, because this helps the company detect privacy risks, ensures that the treatment of these risks is prioritised, and pushes the privacy agenda forward in a positive way.