Vision, Strategy and Leadership – Effective Data Management needs these and more
What am I doing here blogging on Effective Data Management? In the interest of full disclosure, I’m an Information Risk and Compliance Management Professional and do not claim to be an expert on most areas normally classified under the Data Management umbrella. As a matter of fact, Data Security, Privacy and Records Management are the only areas of Data Management that I would be comfortable speaking about with any authority.
Data Management as defined in this Wiki link encompasses several areas and that is exactly what leads to my point – that you cannot have effective data management unless you have a strong leader with a clear vision and strategy driving the Data Management Program. After all, the nine Data Management areas are typically run by different departments or functions within an organization and speaking from my experience, you would be hard-pressed to find a great deal of co-ordination between them.
For instance, Data Security is typically directed by the Information Security function, which may sometimes be responsible for Data Privacy as well unless there is a dedicated Privacy function. On the other hand, Records Management may be handled by a Records Manager who in turn could be reporting to any number of different functions including Legal, depending on the organization. The other technology-intensive Data Management areas could often be handled as disjointed initiatives by different departments within IT. In fact, many organizations may not even be addressing some of these areas formally.
Regardless of who and how many functions are responsible for the different facets of Data Management, there is surely a dire need for a consensus realization that data is an asset and should be treated as such. What could make the “consensus” part challenging is that different Data Management areas realize the “asset value” of data for different reasons and therefore may have different handling needs for the same piece of data. For example, a Records Manager is usually focused on identifying the records as per a defined taxonomy and maintaining them according to specific retention requirements. At the same time, there could be part of the data that may be sensitive in nature (for different reasons) which will be the focus of Information Security and Privacy areas. Unless the Records Manager can work closely with the Information Security and Privacy teams (and vice versa) it is hard to achieve any effective data management just between those three functions. The magnitude of the Data Management problem can only grow multi-fold when you involve the other Data Management areas.
So, back to the title of this post… Effective Data Management clearly requires extraordinary vision and strategy coupled with exemplary leadership in order to execute on the vision and strategy.
I’m eager to read and hear how the marketplace is handling this challenge.
Categories: Information Risk Tags:
Privacy Statements, Notices, Policies …
How often do we care to read the privacy statements we receive from any number of sources these days? I must say I’m not a regular either if you ask me as a consumer. As a Privacy Professional, however, I am always interested (and sometimes fascinated) in reading them.
Take the following extract of the Web Privacy Statement of a very prominent institution, for example:
“Thanks for visiting the XXXXXXX website and reviewing our privacy policy! Our privacy policy is plain and simple. We collect NO personal information like names or addresses when you visit our website. If you choose to provide that information to us it is only used to fulfill your request for information. We do collect some technical information when you visit to make your visit seamless. The section below explains how we handle and collect technical information when you visit our website…”
This is actually a website that lets you e-file in addition to providing a whole lot of information on their services. As part of e-filing, however, they do collect all kinds of personal information including Date of Birth, Social Security Number, Credit Card Information etc. In this particular case, I suspect they forgot to update their Web Privacy Statement when they introduced the e-filing feature.
Consider another example (and certainly a better one) of a Web Privacy Statement. This one is from Amazon.com.
I am sure you can see the difference and what a good privacy statement or notice should look like.
Privacy Policies, Statements or Notices are often the face of an organization’s Privacy Program. If a privacy policy is lacking details, it is highly likely that the organization hasn’t gotten its act together on privacy and data protection. A good privacy policy must address most if not all of the privacy principles to a reasonable level of detail.
Finally, as consumers, it is always a good practice to take a good read through the privacy statements we receive from time to time via mail or while registering on the Internet for any number of reasons. Given where we are with growing incidents of data breaches, theft and losses, one would be better advised to be safe than sorry.
Categories: Privacy Tags:
