The age of data privacy protection: Are you compliant?

Whether you like it or not, your company has to comply with the provisions of the Philippine Data Privacy Act (DPA) regarding collecting and using personal data. Don’t miss the compliance deadlines, and train your employees regarding your policies to keep data safe.

Here are five types of policies that companies must ensure they have in place and have trained employees on in the age of Data Privacy Protection:

1. Encryption policies

Most companies lack policies around data encryption and most people who are data owners are unaware of whether their data is encrypted or not. In other words, if you don’t have policies on data encryption in place, you are overdue to create the policies and see to it that they are implemented.

2. Acceptable use policies

An acceptable use policy should covers things like what applications are allowed, what web searching and social media habits are appropriate for the business, and the potential threats to brand reputation. At the ‘age of digitalization’, data breaches happen when there are no clear rules regarding the use of gadgets in the company, regarding web activities and new media usage. If you don’t have the ‘acceptable use policy’ in place, do it now.

3. Password policies

Passwords remain a common digital entry point into an organization for hackers. Even if, in the best case scenario, employees use complex passwords that are changed often and not shared, human error and carelessness can still put a business at risk. One of the easiest ways to breach a company is to put somebody on the janitorial staff and go looking at desks; People often have Post-it notes on monitors with passwords on them.

Let me repeat: as employees remain the no. 1 cause of company data breaches, it's key for security leaders to look to a common digital entry point for hackers: Passwords.

Long term, the terminology around 'password' may not disappear, but we are already seeing the shift in action with the use of biometrics and facial recognition on smartphones and other devices.

4. Email policies

IT should have an email policy in place that hardens systems and can detect spam and viruses. The kind of information that can be disclosed via email should be spelled out very clearly.

5. Data processing policies

Companies need to do data process flow mapping to see what data is being collected, how it's being processed, and who is receiving processed copies.

Employee training is paramount for ensuring these policies are enforced. Raising awareness of the threat landscape and common vulnerabilities can help counteract human error.

Security awareness and training is the cornerstone of any security program. Here are a few tips for helping all employees understand cyber risk and best practices.

a. Perform "live fire" training exercises

The best training today is "live fire" training, in which the users undergo a simulated attack specific to their job.

b. Start cyber awareness during the onboarding process

The first time employees come through the door, start building the mindset as all new hires go through security training from day one.

c. Conduct evaluations

Don't be afraid to perform evaluations of both employees and systems to find out how vulnerable your organization is to attack.

d. Communicate

Create a plan for how best to communicate cybersecurity information to all employees to get all departments on board with training and learning best practices.

e. Appoint cybersecurity culture advocates

Appoint a cybersecurity culture advocate in every department of your organization as these advocates can act as an extension of the Data Privacy Officer and keep employees trained and motivated.

f. Stress the importance of security at work and at home

Help employees understand the importance of cyber hygiene not just in the workplace, but also at home.

g. Reward employees

Reward users that find malicious emails, and share stories about how users helped thwart security issues.