Given the current privacy reform and cyber threat environment, the question we get asked a lot is – what are the privacy risks that should be assessed in our organisation and how do we prioritise these? Unfortunately this isn't always a 'one size fits all' answer but there are some basic matters you can check as to whether your organisation is considering privacy risks proactively.
- Governance, culture and training. Have appropriate and robust privacy and security governance arrangements in place including training, resources and documented policies and procedures. A 2021 report by Tessian found that 43% of employees have made mistakes that have put sensitive information at risk while working remotely. Staff should still be privacy aware while working remotely.
- ICT Security. Having robust ICT security measures in place help mitigate the risks of internal and external attacks and the damage caused by malware, computer viruses and other harmful programs.
- Access security. Reviewing who has access to what and whether this is necessary is important. Ensure your organisation has appropriate access security and monitoring controls in place to protect your organisation against internal and external risks. Personal Information should only be accessed by authorised persons.
- Implement 'privacy by design'. 'Privacy by design', is a process for embedding good privacy practices into the design specifications of technologies, business practices and infrastructures so privacy risks can be managed proactively rather than retrospectively. The best way to do this can be via a Privacy Impact Assessment (PIA) prior to implementing or altering a product or service so it addresses any privacy issues that come to light proactively rather than retrospectively.
If you're doing all these things well you'll go a long way to strengthening your organisation's defences and lessening the consequences of a cyberattack or data breach.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.