Tips for Auditing Your Company’s Data Privacy and Security Protocols
Imagine that you’ve built an extensive customer base and rabid brand loyalty among customers who chose your company for its innovative products and exceptional customer service. Your sophisticated CRM system allows you to capture and leverage customer data to ensure customers stay informed of new products and product enhancements aligned with their past interests. Unfortunately, over time, security risks emerged but went undetected as your security team grew complacent.
Then a massive security breach occurs. Tens of millions of customer records are compromised, exposing sensitive personal and financial information. The fallout is significant: enormous regulatory fines, customer lawsuits, a media firestorm, and resulting damage to your company’s reputation.
This is the type of calamity companies of all sizes and shapes can face if data privacy and security protocols aren’t well established and regularly reviewed.
Situations like this are far too frequent these days, and the consequences are real, not hypothetical. That’s what makes data privacy and security protocols so important.
“It is vitally important for companies to pay attention to security and privacy as it relates to customer data that they collect,” says Peter Berk, a senior attorney with Clark Hill, a law firm with locations across the United States, Ireland, and Mexico. “There are numerous legal requirements surrounding the collection, use, and protection of that data, and failure to follow those requirements can result in liability. Additionally, failures in security and privacy can result in a significant negative public relations impact.”
Lisa Loftis, principal of the global customer intelligence team at SAS, agrees. It really comes down to three factors, she says: frequency, cost, and compliance.
“The frequency of breaches and data security incidents is constant and far reaching,” she says. “I get multiple news items in my inbox every day from the periodicals and trade journals that I follow about security breaches.”
Data from Statista backs that up, revealing 3,205 data compromises affecting 353 million individuals in the United States alone in 2023.
Cost is also a consideration, Loftis says, noting that the cost of data security breaches can be massive. She points to research from IBM indicating that the average data breach costs about $4.5 million.
And that doesn’t include the cost of reputational damage, she points out. A recent brand study by Deloitte, for example, found that 62 percent of consumers say that data security is one of the most important factors in determining which companies to patronize. SAS’ own research, Loftis adds, found that 53 percent of consumers don’t think companies do a good job of informing them how their data will be used.
The third factor—compliance—is also an area that has expanded over the years. “Laws have basically exploded,” Loftis says, noting that companies need to be aware of and compliant with more than just the European Union’s General Data Protection Regulation (GDPR). The United Nations’ Trade and Development Agency says that 71 percent of countries around the world have data protection and privacy legislation on the books and 9 percent more have legislation that is still pending.
For these three reasons—the frequency, cost, and need to remain compliant with a myriad of laws and regulations—companies must have strong protocols in place to minimize risk, Loftis concludes.
WHAT PROTOCOLS SHOULD INCLUDE
“Companies should develop protocols, policies, and procedures with respect to what data they collect, how they collect it, how it is used, and how it is secured,” Berk says.
The protocols, he says, “should address the collection of data and how employees and others interact with the data.”
In addition, “the protocols should include technology elements to further support privacy and security goals,” Berk adds.
Key considerations, he says further, should include “defining which data the company collects and for what purpose, how the data is input into the system, how the data is stored, how the data is used, and who has access to what data.”
Loftis notes that the focus has shifted from the mid-2000s, when data quality was a primary focus, to security. Today, effective data governance should encompass policies, practices, and accountability measures related to data privacy and security, she says. This should include the following:
- Clearly defined decision rights and accountabilities for information-related processes.
- Policies indicating who can take which actions, with which information, and under which circumstances.
- Established policies, requirements, and controls related to data privacy and security.
- Defined roles and responsibilities for performing data stewardship and managing changes to data practices.
- Mechanisms for auditing, testing, and ensuring compliance with data policies and protocols.
- Processes for communicating and educating stakeholders, employees, and customers about data practices.
In addition, Loftis says, it’s important to have a comprehensive understanding of the privacy and security policies of other vendors that are represented in your technology ecosystem.
Loftis recommends that such a framework be formalized within the organization, with a dedicated data governance program that is overseen by high-level stakeholders and sponsors who have the authority and influence to enforce these practices across the organization. Importantly, she stresses, data governance, privacy, and security should not be ad hoc or siloed efforts.
Every company is different, Loftis acknowledges, but she says, “When we look at the protocols, they fall into two major areas—collection, retention, and use; and protection.” The collection, retention, and use area has historically been challenging for organizations because these rules have tended to be “very unpopular, because people don’t like to have to follow any kind of data policies.” Still, they must be in place. And companies must take steps to ensure that their data privacy and security protocols are working.
HOW TO KNOW IF PROTOCOLS ARE WORKING
Audits and tabletop exercises can help verify if protocols are working effectively, Berk says. “Having key personnel involved in data security and privacy walk through a hypothetical security or privacy issue with outside consultants can better prepare them for when the real situation occurs and can also identify in real time gaps in policies or in employee understanding of their roles and policy requirements.”
This can be a good way to test employees’ knowledge and understanding to determine areas where additional training and education might be necessary, he explains.
Loftis recommends regular audits to ensure that data privacy and security protocols are effectively implemented and working as intended. Such audits serve three purposes: to ensure compliance with external regulations, including the GDPR, the laws of some U.S. states (California, Colorado, and Virginia among them), and industry-specific standards like the Health Insurance Portability and Accountability Act (HIPAA); to identify gaps in existing privacy and security practices; and to establish a baseline against which to grade protocols and track improvements over time. These audits might include the following:
- Security diagnostics to assess compliance with defined regulations.
- Vulnerability assessments to probe for weaknesses.
- Penetration testing by external experts.
Mike Meyer, senior vice president of information security and corporate technology at Salesloft, stresses that it is important to involve relevant stakeholders, including IT, legal, security, and privacy teams, in the process.
“A lot of companies are creating AI councils, which I think is a great move,” he says, noting that a body like this “could talk about how AI can be deployed in a responsible way: How do we ensure that there’s the right level of human intervention between an AI outcome and a customer; how do we make sure that the AI we’re using doesn’t result in bias; and how do we make sure that we’re driving the outcomes we want.”
In addition to internal staff, it’s also important to seek third-party input, Berk says. “While internal IT can and should regularly audit systems and technology for patches and updates, full audits on all protocols should be conducted on a regular basis by outside vendors, including technology and legal vendors, that can bring an objective view to the task.”
The process might look different for different organizations, he says, depending on the size of the business, its maturity, and the resources and capacity it has available. But there are some other common considerations that organizations should keep in mind to help ensure the integrity of their data privacy and security protocols.
Frameworks like the National Institute of Standards and Technology’s Cybersecurity Framework (NIST CSF) or ISO 27001 can be a great foundation for this work, Meyer says. A good starting point, he says, is a CRM audit of sales and marketing tech.
A tech stack audit is designed to review security and privacy controls for all of the programs and apps being used. That includes a review of the third parties that have access to customer data, Meyer says. You need to understand “which tools your sales and marketing teams have, how often they use them, and what data is in each of those systems,” he adds.
In addition, Meyer says, it’s important to know the types of transactions that take place within those systems and which kind of data or personal information is shared. For instance, will there be email communications or call recordings?
The bottom line, according to Meyer, is this: “You have to know your third parties. You have to know how they’re configured and who the owners are for those systems. You have to maintain compliance obligations. And you have to understand the data flows across all of these systems.” Then, he says, “you have to develop those findings and present them to the folks that can help you make the investments you need.”
COMMUNICATION—BEFORE, DURING, AND AFTER
Alistair Grange, a director within the government team at global consulting firm Baringa, also has years of experience from Deloitte’s cyber team conducting external regulatory assurance. He has often been struck by how frequently organizations “set up their internal audit process in an adversarial manner.” That, he says, led security and privacy teams “to feel like someone was trying to ‘catch them’ and expose gaps in the way they were performing,” which often led teams to hide potential problems.
Instead, Grange says, “to run a successful internal audit, good stakeholder engagement is a crucial first step.” It’s important, he adds, to emphasize to security and privacy teams that the process is designed to find issues so they can be remediated—not to evaluate their performance or point fingers. Then, he says, “an even more important second step” is to follow through on that commitment.
Communication, of course, must also extend beyond IT and security teams.
“Results of audits and, more importantly, any recommended changes should be communicated to key stakeholders, including IT, HR, and key C-suite personnel so that changes can be adopted and implemented,” Berk advises. “If an audit determines that there are vulnerabilities or gaps in the company’s protocols, those should be addressed as soon as possible.”
Importantly, he adds: “If an audit reveals a vulnerability and the company decides not to address that vulnerability, it can create legal liability in the future and can also impact insurance coverage and cost.”
Remon Elsayea, an IT consultant and president of TechTrone IT Services, says his company provides detailed reports that outline both data security findings and the steps taken to address any vulnerabilities discovered. The process, he says, “includes a practical timeline and appoints specific responsibilities to ensure accountability.”
Addressing discovered issues proactively is paramount, Elsayea says. “We implement improvements immediately and schedule follow-ups to ensure the measures are effective.”
In addition, to maintain a vigilant approach to potential risks, Elsayea says, “regular training sessions for employees on new security protocols are essential.”
The process has to be ongoing, Berk agrees. “Laws, technology, and threat actors continue to change and evolve,” he notes. “Threat actors are now using AI to assist them in identifying new strategies, creating more convincing communications, and even improving their malware code.”
Regular audits and reviews of your protocols, especially with aid from outside legal and technology experts, can help ensure both legal compliance and protection from threat actors. In addition, Berk says, “insurers may require or offer incentives for conducting audits and implementing recommended changes.”
“These efforts aim to create a robust culture of security within the organization, which is crucial, as even the best technical safeguards can be compromised through human error,” Elsayea says. “By fostering an environment where data protection is a shared responsibility, we increase overall resilience against data breaches.”
Linda Pophal is a freelance business journalist and content marketer who writes for various business and trade publications. Pophal does content marketing for Fortune 500 companies, small businesses, and individuals on a wide range of subjects, from human resource management and employee relations to marketing, technology, healthcare industry trends, and more.