Information Governance Project
How strong is the information governance program already in place?
What to do
Implement and/or review your entity's Information Governance Framework and policies to ensure there is adequate holistic information governance reporting. This should include identifying and monitoring privacy compliance across the organisation. Be sure to consider the various areas of privacy and legal, IT and cybersecurity, and records and information siloes.
Check that your organisation's enterprise-wide information governance framework supports co-ordination and collaboration across the organisational siloes.
Promote an information and data protection culture from the top-down to minimise privacy and data breach risks. Think about training, awareness and celebrations to foster a culture of privacy.
A strong and robust information governance programme can help with the minimisation of data and information risks, while empowering the organisation to maximise data and information value.
Appoint a Privacy Officer for your organisation that will be accountable for PIPA compliance. This is an important part of "data privacy & protection by design and by default". This person can be internal or outsourced, but should be empowered to evaluate data privacy & protection policies and the implementation of those policies.
The Privacy Officer should be an advocate of data privacy and understand the value of personal information. The PO's role should be to monitor PIPA compliance, lead on the assessment of data privacy & protection risks, advise on queries about data privacy & protection, and cooperate with regulators.
Draft and sign data sharing agreements with any third parties (or other entities, suppliers, vendors, consultants, etc.) with which you share personal information belonging to your clients, employees or other stakeholders.
Third-party services may include analytics software, email services, cloud servers, etc. Many services have a standard data processing/sharing agreement available on their websites for prospective clients to review, detailing the rights and obligations of each party for the relevant compliance activities. Consider only using vendors that are reliable and can make sufficient data privacy & protection guarantees.