The Issue –
Companies that collect personal information are under increasing scrutiny by both consumers and governments in the United States and internationally. According to the Privacy Journal’s Compilation of State and Federal Privacy Laws, there are more than 700 state and federal laws on privacy and surveillance, including two major pieces of federal legislation – the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA). Forty-five states currently have laws requiring businesses to notify individuals of any data security breach involving personal information. The European Union (EU) established a Data Protection Directive that requires each EU member country to enact laws prohibiting the transfer of personal information to non-EU countries that do not adequately protect privacy. With this large number of laws, determining which privacy and data protection laws apply to your business, and actually complying with them, can seem like a complex and overwhelming task.
Most businesses would like to comply with privacy laws, but efficiency is key in business today. A cumbersome privacy compliance process that diminishes the profitability of your company won’t work, but a multi-million dollar lawsuit over your privacy practices is not an option either. As a start, a verification or “audit” is a practical solution for determining the scope, quality and integrity of your company’s current privacy practices.
Like your other business systems, privacy practices and policies need strategy, planning and process to be efficient. Planning for and executing an audit includes each of these steps. Ultimately, a completed third party or external audit of your privacy practices can engender trust with consumers and be a competitive differentiator for your company.
But how do you begin to implement a privacy compliance system and prepare for an audit? Reviewing the American Institute of Certified Public Accountants’ (AICPA) and Canadian Institute of Chartered Accountants’ (CICA) Generally Accepted Privacy Principles (GAPP) is a great first step. GAPP’s privacy framework, principles and criteria assist organizations in the design and implementation of sound privacy practices and policies. GAPP was also designed to guide CPAs when auditing an organization’s privacy practices.