THEY DID WHAT?

Top Privacy Mistakes To Watch

Out For (and How To Avoid Them)
Chris Pahl, CIPP/C, CIPP/E, CIPP/G, CIPP/US, CIPM, CIPT, FIP,
Southern California Edison

International Association of Privacy Professionals

 Employees are required to remember seemingly countless privacy regulations and policies, which
requires privacy programs to monitor and reinforce positive behaviors all the time. Still, when a
privacy incident is reported the privacy office, it’s easy to become dismayed at how the mistake
could have possibly occurred.

Many incidents occur even as employees believe they are doing the right thing, but are instead
burdening the company with unnecessary risk. In my experience, these are the top mistakes
employees make, absent proper awareness and training.

TOP MISTAKES
4. Multi-tasking

1. Being overly helpful Most employees are busy, and they may have
multiple system windows open. However, with
Employees are focused on meeting the needs more system windows comes an increase in
of their internal and external clients. However, the likelihood of a privacy incident. Employees
being overly helpful may result in an employee may enter information in the incorrect screen,
providing unnecessary information to complete resulting in the incorrect transmission of data.
a task, which increases the risk of a privacy
incident. For example, without proper guidance, 5. Over-collection of data
a well-intended employee may provide more
personal information than required. If that Companies have privacy policies and notices
information is provided to unauthorized explaining how information is collected and
individuals, it may result in mandatory breach used. However, remembering the details of
notifications. the privacy policy and notice may quickly be
forgotten by employees, as there are many other
2. Unsecured transmission daily demands. Over-collection of data may not
only result in a privacy incident but potential
Employees are in a rush and may transmit legal action by federal and state entities, or civil
data without using proper encryption or data suits, for failure to follow a company’s promise to
protection steps. This misstep occurs when its customers.
technology is too difficult to use, the recipient
cannot read encrypted transmissions, or the
employee was not properly trained.
Mitigating risk is an ongoing
process and requires the privacy
3. Sending files to the incorrect recipient office to establish a network
of champions.
This may be the most common, and difficult,
issue to tackle at a company. Many of today’s
email clients store past email addresses. 6. Inconsistent business processes
However, this can increase the chances of a
mistake as employees may use the incorrect, Most companies must respond rapidly to
auto-filled email address and fail to double-check business needs but forget to notify the privacy
the recipient’s name. It is only after the email is office regarding potential required changes
sent, or when the recipient notifies the sender to the privacy policy, notice and documented
of the incorrect transmission, that the error is controls. As stated above, inconsistent processes,
discovered. not supported by the documented privacy policy

International Association of Privacy Professionals

 or notice, may result in legal or civil actions. champions, within each business unit, may be
Additionally, unvetted business controls may an effective way to gain employee support and
lead to unacceptable risk or potential negative feedback.
impacts to downstream processes.
3. Privacy leads

WHAT TO DO Appoint privacy leads in major business units,

responsible for handling and processing personal
Of course, mistakes will happen. It’s part of doing information. Privacy leads should be a mid- or
business. However, these risks can be mitigated senior-level manager, with sufficient authority
by taking the following steps. and oversight of controls within their area.
Privacy leads can be the privacy program’s
advocates to ensure controls are kept current
1. Train and privacy incidents are elevated.

Training must be targeted and ongoing. Rolling 4. Data minimization

out a one-time, web-based training may be an
effective way to reach out to many employees Employees must understand data minimization
at once, but it must be followed up with and be able to place it in operation. Using
targeted training. These training sessions should internal identifiers, for example, instead of
address common issues within that business government identification numbers like Social
unit. If possible, conduct a knowledge check Security numbers, reduces risk if the data is lost.
three to six months after the training to gauge Truncating, masking or scrambling information
understanding. is another way to lower risk.

2. Make technology easy 5. Implement change control

Employees are overburdened with performance A privacy impact assessment, or other change
quotas and many times will develop a work- control process, must be implemented to ensure
around for cumbersome processes. Ensure it meets an acceptable level of risk and impacts
technology is easy to use for both the employee to other processes are considered. Control
and recipient. Job aids or other helpful wikis can changes must also be documented in a central
assist a user with common issues. Technology repository for future auditing.

Mitigating risk is an ongoing process and requires the privacy office to establish a network of
champions. The privacy office must be active in the field to build relationships and understand
business challenges, which can be used to develop job aids or other training material. When a
privacy incident happens, the privacy office must evaluate the breakdown, assess potential control
weaknesses, and conduct a trend analysis to prevent future occurrences.

Improving privacy controls is an ongoing journey. One that is more effective when the journey is
taken as a group, rather than alone.

FOR MORE PRIVACY

AWARENESS IDEAS
visit the Employee Awareness and
Education page in the IAPP Resource Center.

International Association of Privacy Professionals