Last updated on January 8, 2023
If your organization suffered a serious privacy breach today, how much personal information would it lose?
Would your losses be minimal? Or would they mirror an organization like TJX that encountered one of the largest privacy breaches reported to date simply because they retained personal information for too long and lacked adequate safeguards to protect it?
The longer an organization retains personal information, the greater the liability it incurs.
Knowledge is Power
In today’s information age, knowledge is power. The ability for organizations to collect massive amounts of personal information provides them with a competitive edge, enabling them to make better management decisions, understand their products, services, and customers, and deliver better results.
Companies like Google have showed the world that with enough information, computing power, and brain power, you can deliver results that leave your competitors gasping miles behind for second place.
Learning from TJX’s Privacy Breach
One of the worst reported privacy breaches reported to date belongs to TJX, an off-price retailer with outlets in Canada, the U.S., and Europe. When TJX’s systems were compromised, thieves got away with 45.6 million debit and credit card numbers over a period of more than 18 months.
Despite the fact that TJX lacked adequate safeguards to protect its personal information, the impact of the breach could have been minimized if TJX retained personal information for no longer than necessary to fulfill its purposes.
Personal Information is a Liability
How much liability does your organization needlessly carry?
The more personal information your company collects, the longer it retains it, the effectiveness of its safeguards, and the training your employees receive all indicate your organization’s level of liability with personal information.
Many organizations foolishly believe that their chances of a privacy breach are low. As the amount of personal information your organization retains grows, so does its attractiveness to thieves. If the Pentagon can be infiltrated by hackers, how much more easier should your systems be?
You may employ world-class data security, but an absent-minded, ill-trained, or dishonest employee can make hundreds of thousands of dollars spent on data security seem negligible. A privacy breach has the opportunity to cripple your organization’s image, insomuch that it may never recover from the loss of business or goodwill.
Your Organization’s Privacy Responsibilities
Retaining personal information forever is not an option for organizations in Canada or the United Kingdom.
Canada’s PIPEDA principles and the UK’s eight principles under the Data Protection Act both limit the retention of personal information that your organization collects.
Anonymizing or scrubbing personal information from your databases is often more useful than deleting entire records. With clever database manipulation, your organization can scrub personal information from all its records yet still retain non-identifiable information in such a way that it is useful for statistical analysis.
One of the key responsibilities of your organization’s privacy officer should be to prevent and mitigate the potential losses of a privacy breach. Limiting your organization’s retention of personal information is a critical step.
How to Minimize Your Organziation’s Liability
The key to minimizing your organization’s liability with personal information is to think privacy first.
Think Privacy First
Whenever your organization conducts a new activity where the collection, use, or disclosure of personal information is involved, your organization’s privacy officer should be consulted.
Don’t have one? Every organization that places any value on its personal information should hire a privacy officer.
Thinking privacy-first will save your organization money.
Many organizations deploy products and services whereby personal information is collected, analyzed, and stored for statistical analysis, only to find out later that their organization must comply with privacy legislation that gives individuals the right to request personal information and imposes the obligation to delete personal information after it is no longer needed for its original purposes.
This is known as thinking of privacy later and ends up costing your organization far more in time and money. Think privacy first by designing your business processes with privacy legislation constraints in mind.
Be First to Comment