Fri, December 28, 2007 — CIO — In the waning days of the 20th century, privacy was more a marketing hook than an obligation, focused on customer preference and features to help companies earn a competitive edge. Privacy today is a concept more closely associated with the potential for abuse and the very real threat of inappropriate access or exposure, identity theft and fraud—with the responsibility resting squarely on the shoulders of any organization handling personal information for consumers, customers, employees or business partners.

The privacy landscape, particularly relative to IT, is becoming increasingly complex, shaped not just by the tenets of good business but by the demands of a regulatory environment with newly stringent standards. Faced with a plethora of national privacy and data protection laws, labor laws, and trade union and works council agreements, organizations are in a constant exercise to protect the information they hold and the privacy of their workforce. Also weighing in are C-suite leaders and stakeholders who expect more from their IT function than securing personal information. In fact, meeting privacy standards has become inextricably linked with meeting strategic business initiatives as IT professionals find themselves in more demand and with more on their plates.

As all eyes begin to focus on IT, these are some of the areas that deserve close scrutiny and may warrant immediate action.

Information Is Power: Keeping Data Classification up to Date

While many organizations have data classification policies in place, they may fall short if they're outdated, overly broad and limited to high-level categories, or inaccurate in designating risk thresholds among specific data elements. Along with addressing records management requirements, IT can raise issues and develop solutions related to accurate and complete data classification, privacy, information security and intellectual property protection across all systems, databases and repositories. IT reviews must be conducted periodically to ensure that data classification policies are keeping pace with relevant privacy regulations and risks.

Less Is More: Minimizing the Use of Personal Information

Responsive organizations are exploring opportunities to eliminate, truncate, redact or obfuscate personal information, particularly in three primary situations—data transfer, including storage and communication of personal information via portable devices; specific data elements, such as Social Security and credit card numbers and how they're used; and disclosure to third parties, with requirements for transparency regarding use, access and exposure.

Data warehouses can maintain terabytes and petabytes of personal information about customers and employees. Similar amounts are written to disk or tape, pushed to laptop computers and transmitted through e-mail systems to handheld devices. Loss or theft of such equipment and media is the foremost trigger for security breach notification—one that can be avoided if leading safeguards become common practice.