A (gentle) introduction to data privacy regulations for IO Practitioners: Four practical steps for better data privacy

In our last article in the series, we continue with our gentle introduction to data privacy regulations for IO Practitioners by addressing several practical, easy-to-implement steps you can take to ensure that you master data privacy challenges.

Step 1. Get your documentation in order

A big part of data privacy compliance is to make sure that you have the correct policies and documentation in place. This mostly relates to your business website and the information you provide users of that site. In this regard, there are three policy documents that are vital:

  • Privacy policy: This is the single most important document to have ready. There are hundreds of templates available online, and you shouldn’t have much trouble finding one that is GDPR/POPI-compliant. For more information on what a privacy policy should contain, you can visit the EU’s excellent, easy-to-understand GDPR site here {link to gdpr.org}. Fortunately, part of the shift in data privacy regulation is a move towards everyday, non-legal language, so writing your own privacy policy is a very real possibility.
  • Terms of use: This document specifies the terms you require for visitors to use your business’s website. This document will often reference your privacy policy and the next document, which is your cookie policy.
  • Cookie policy: Cookies are small pieces of information that a website stores in a visitor’s browser and reads back on later visits, so that content and other aspects of the web work as intended. For instance, cookies help a website remember your settings so you always see the content you expect to see. However, since personal information may be carried by cookies, users must consent to their use. This often involves merely alerting users to the policy’s presence on your site. As with privacy policies, cookie policy templates are easy to find online.

Step 2. Publish your policies

Once you’ve got all your documentation prepared, make sure you place them on an easily accessible, visible part of your website.

Common practice is to position policies in the footer of your site so that they are always accessible from every page of your website. It’s also useful to periodically review these policies and update them when needed.

Step 3. Put security in place

Given the severe reputational and legal penalties at play when data breaches occur, it makes sense to invest some time and resources in implementing security for your data repositories. Of course, some practitioners still rely heavily on paper files and reports, all of which should be stored in a secure, locked file storage facility.

Since most practitioners also use online systems to conduct assessments and store personal information, testing digital security becomes a priority. This includes both actual online security (e.g. ensuring that your security monitoring software is updated regularly, having a proper firewall in place, conducting penetration tests on your systems, etc.) as well as offline security awareness.

In the case of the latter, it means briefing your staff members on proper security procedures (e.g. not leaving reports or passwords lying around the office), making sure they use best-practice passwords and that passwords are not reused across systems, and creating awareness of malicious attacks such as phishing (directing people to fake sites in order to elicit passwords), identity theft and data ransoming (stealing data and then extorting companies for the return of their data).

Online security is a complex world and represents an ongoing arms-race between security experts and malicious parties who want to use (or misuse) data for their own purposes.

Being familiar with the current best practices in the field is a good investment of your time, especially if you are one of the responsible data processors in your organisation. Which brings us to the next step.

Step 4. Assign a Chief Data Officer (CDO)

Also sometimes known as a Chief Data Protection Officer, this person is, according to acts like POPI and GDPR, the main responsible party in your organisation for ensuring compliance with data privacy regulations.

In large corporates, this position will often be filled from within the executive or IT department, but in a small business, it may fall upon the IO Psychologist or business owner to take responsibility for this function.

Apart from ensuring compliance, other responsibilities of a CDO can be to ensure the correct data architecture is in place, driving the value of Big Data innovations, and aligning the business with data science best practices.

In smaller organisations, the Head of IT or Managing Director may often have to do double duty as de facto CDO, but data privacy experts agree that this role will become increasingly vital as the world of work becomes ever more focused on the uses (and abuses) of data.

Final thoughts

In this series of articles, we’ve covered not only the theory but also the practice of data privacy. IO Practitioners need not be anxious about data privacy regulations if they inform themselves about the fundamentals and follow some of the basic practices we discussed in this and other articles.

If you have questions about this article, or would like to see what else TTS can help you with, why not drop us a line at info@tts-talent.com?