6 Steps Toward Ensuring Data Privacy

U.S. companies and other organizations that handle lots of employee and customer data (isn't that just about everyone?) need to view privacy as a formal practice, to the point where it can become a competitive differentiator, according to one of the nation's leading privacy executives.

Rob Preston, VP & Editor in Chief, information

November 11, 2008

Speaking Monday evening at the Society for Information Management's SIMposium in Orlando, Fla., Dr. Kenneth Washington, who was named Lockheed Martin's first "chief privacy leader" in May, laid out a six-step process for U.S. organizations to consider in ensuring data privacy in this age of hyper-connectivity and ever-more-sophisticated information security threats:

• Conduct a privacy assessment or audit. Know what information your organization is gathering, where it's kept, who has access to it, why you're gathering certain types of information, and what you're doing with it all.

• Pick an accountable person to oversee privacy. That responsibility doesn't have to fall to a chief privacy officer -- in this day and age, few companies have the budget for yet another c-suite czar. Opinions differ on whether that person should live in IT, HR, legal, compliance, or some combination. Washington previously served as CTO of Lockheed Martin Enterprise Information Systems and also chaired the company's IT Architecture Council. And he has a Ph.D. in nuclear engineering -- probably not a prerequisite for the privacy job.

• Create a comprehensive privacy program that includes governance policies and procedures, as well as employee education and training and a plan to regularly communicate policies, to customers as well as employees. That program should also include a breach response plan -- few episodes are as embarrassing as a company scrambling to get its act together on the fly.

• Use a risk-based approach to privacy, stressing prevention (see comprehensive program above).

• Anticipate changes to the legal and regulatory landscape -- though good luck with that one. Washington noted that 43 states now have distinct information privacy laws, and laws vary country by country. Then there are the industry regs (Gramm-Leach-Bliley, HIPAA, etc.) and the content-specific one (Can-Spam).

• Apply successes "to create differentiated value." In other words, all else being equal, customers value companies that respect their privacy more than companies that don't. So do potential employees -- especially the younger generation.

Washington concedes that "complete privacy is out of the question. Now it's a matter of degree." But he exhorts companies to start drawing some lines.

About the Author

Rob Preston

VP & Editor in Chief, information

Rob Preston currently serves as VP and editor in chief of information, where he oversees the editorial content and direction of its various website, digital magazine, Webcast, live and virtual event, and other products. Rob has 25 years of experience in high-tech publishing and media, during which time he has been a senior-level editor at CommunicationsWeek, CommunicationsWeek International, InternetWeek, and Network Computing. Rob has a B.A. in journalism from St. Bonaventure University and an M.A. in economics from Binghamton University.
