Privacy Health Quiz Results
Implementing good privacy at an organization depends on many factors, but some key risk indicators are:
1) Geographic footprint
Privacy laws vary by jurisdiction.
Jurisdictions with increased privacy controls include the United States, Canada, Europe, and Brazil.
Businesses that operate online also carry increased risk, since many privacy laws "attach" to individuals who are residents of those jurisdictions and continue to apply to them even when they are outside their home country.
Understanding a business’s privacy compliance requirements starts by understanding the current and planned geographic footprint of the business, including where its operations and users are.
2) Data holdings
The more (and more sensitive) data a business holds, the greater its risk profile.
If your business collects sensitive information such as:
Financial or payment information
Precise geolocation
Information from children under 16
Health or medical information
Biometric information
Genetic information
Government-issued identifiers such as Social Security number, driver’s license number, or passport number
Demographic information such as race, religion, gender, sexual orientation, political or philosophical beliefs
Then elevated privacy and/or security control requirements may apply, such as those in:
General Data Protection Regulation (GDPR)
California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA)
Other U.S. State laws (Colorado, Utah, Virginia, etc.)
Health Insurance Portability and Accountability Act (HIPAA)
Confidentiality of Medical Information Act (CMIA)
Gramm–Leach–Bliley Act (GLBA)
Fair Credit Reporting Act (FCRA)
Payment Card Industry Data Security Standard (PCI DSS)
U.S. state biometrics laws
Children's Online Privacy Protection Act (COPPA)
3) Data practices
What you do with data also impacts your privacy risk profile.
Some common activities that impact compliance needs are:
Sharing data with third parties
Marketing products to or for children
Profiling individuals
Engaging in programmatic advertising
Certain types of marketing activities
In broad strokes, good privacy depends on two things:
1) Transparency
Transparency is a legal requirement in every jurisdiction and is fundamental to good privacy.
Transparency starts with internal conversations around what is legal, appropriate, and "on brand" for the organization in terms of data practices.
Legally, it is only permissible to collect data that is relevant to a stated purpose. But beyond mere legal compliance, organizations have different ethos and varying degrees of comfort with regard to data collection and data use.
The organization should align on data practices and principles, and communicate those practices and principles to individuals through a Privacy Policy and through other opportunistic notices, such as "just-in-time" or other pop-up notifications around data collection.
2) Internal Controls
A privacy program includes:
People (headcount, education, and training)
Process (documented policies, procedures, and standards)
Technology (tools to operationalize privacy and data protection)
that are customized to your business's risk profile, risk appetite, and resources.
People, process, and technology needs will change as the organization grows and evolves. Organizations often find their privacy needs renewed or changed by geographic expansion, new initiatives or pivots, funding diligence, sale events, or IPOs.