As CIO, you may think that you know where the company has stored all the personal data of its customers. But the privacy experts interviewed for this article say that is very unlikely. “You’d be surprised how many CIOs don’t know where all the personal information resides,” says Larry Ponemon, founder and chairman of the Ponemon Institute. So a good place to start in building a sound privacy framework is to find out what personal data you have on customers and where it is stored, says Tess Kolczek, chief privacy officer at E-loan. That requires discussions with the heads of each business unit and possibly midlevel managers to find out exactly what has been squirreled away in hard-to-find files and databases. Such discussions can unearth the hidden troves of data that could create a privacy breach for the business if accessed by someone not authorized to do so.

Once you find the data, a good practice to follow is to classify it into three categories, Ponemon says: first, highly sensitive, which if accessed or abused could lead to a lawsuit or make identity theft easy (names, addresses, Social Security and credit card numbers, medical information); second, somewhat sensitive, which if released could embarrass individuals or be used to discriminate against them (life events such as anniversaries and birthdays); and third, not-so-sensitive, which cannot harm any individual (usually aggregate data). The categories will let you know what security and privacy protections you should put in place; the more sensitive the data is, the stricter the measures.

It’s also important for CIOs to know how personal information flows throughout the company and outside to third parties with whom the company has signed service contracts.
At E-loan, Kolczek says she conducts a data flow audit, a chart that shows where the data enters the system, how it flows to other parts of the company and how each group uses the information. “You don’t have to know everyone’s job intimately,” she says, “but you need to know what each group does with the information and how it transfers it out.”