As CIO, you may think that you know where the company has stored all the personal data of its customers. But the privacy experts interviewed for this article say that is very unlikely. “You’d be surprised how many CIOs don’t know where all the personal information resides,” says Larry Ponemon, founder and chairman of the Ponemon Institute.
So a good place to start in building a sound privacy framework is to find out what personal data you have on customers and where it is stored, says Tess Kolczek, chief privacy officer at E-loan. That requires discussions with the heads of each business unit and possibly midlevel managers to find out exactly what has been squirreled away in hard-to-find files and databases. Such discussions can unearth the hidden troves of data that could create a privacy breach for the business if accessed by someone not authorized to do so.
Once you find the data, a good practice to follow is to classify it into three categories, Ponemon says: first, highly sensitive, which if accessed or abused could lead to a lawsuit or make it easy for identity theft (names, addresses, Social Security and credit card numbers, medical information); second, somewhat sensitive, which if released could embarrass individuals or be used to discriminate against them (life events such as anniversaries and birthdays); and third, not-so-sensitive, which cannot harm any individual (usually aggregate data). The categories will let you know what security and privacy protections you should put in place; the more sensitive the data is, the stricter the measures.
It’s also important for CIOs to know how personal information flows throughout the company and outside to third parties with whom the company has signed service contracts. At E-loan, Kolczek says she conducts a data flow audit, a chart that shows where the data enters the system, how it flows to other parts of the company and how each group uses the information. “You don’t have to know everyone’s job intimately,” she says, “but you need to know what each group does with the information and how it transfers it out.”