Privacy Program: The First Step in Protecting Your Organization from Cybersecurity Threats

Date January 23, 2023
Article Authors
Justin Krentz

Cybersecurity Essentials: Part 1

All organizations need to protect their systems and data from cyber attacks, which means that all organizations need to implement a cybersecurity program. This five-part series titled Cybersecurity Essentials will address each element of a program to ensure you are accounting for privacy concerns, compliance issues, and the policies and procedures critical to maintaining a secure organization and a culture of cybersecurity.

The first item on your cybersecurity checklist is to create and document a privacy program that will include developing an internal privacy policy, training employees on that policy, and creating an internal policy for data retention.

Internal policy

Your internal privacy policy is an employee-centric policy that addresses leadership’s expectations around the use of email and internet, systems and access. Privacy concerns extend to employee records, client or customer records and communications, and the use of mobile devices.

  • What does leadership expect from employees relative to their emails and use of the internet?
  • What are your systems and who has access to each?
  • What is your policy on the use of mobile devices, including personal mobile phones and ipads?
  • Are you bound by specific laws and regulations, such as HIPPA regulations that govern privacy as it related to healthcare patients?
  • Your privacy policy is written language, a document that can be shared with employees and new hires that clearly outlines your expectations related to privacy and the policies and guidelines you have developed to ensure your expectations are met.

    Employee training

    Once you have developed your policies and documented that they have been attested to by your employees, it is essential to conduct employee training on a regular basis, at least annually, to ensure employees not only are kept up to date, but that they understand your internal privacy policy and their ongoing obligations.

    A training program will include:

  • Reviewing your privacy stance and key aspects of your program
  • Updating employees on policy changes and new policies
  • Allowing time for questions to clarify issues and clear up misunderstandings and ensure employees understand the content
  • Data retention policy

    Data is the most important aspect or component of your privacy policy. You should develop a “retention policy” that details how long you retain different types of data. Your policy might be driven by industry regulations, for example, HIPPA regulations requiring healthcare providers to retain certain patient data for a specific period of time. Your policy will be driven by compliance requirements, but also by when data can and should be expunged. It should include protocols on how data should archived as well as how long it will be kept, and on how it should be expunged.

    Delete data when you can to:

  • Reduce the extent of potential damage you could suffer from a data breach
  • Reduce your legal exposure from expired data
  • Maintain compliance with laws and industry regulations
  • Reduce data storage costs
  • If you have questions or concerns, our Vertilocity team can evaluate your cybersecurity strategy and discuss your options with you. Call us at 412-220-5744, or email me at jkrentz@vertilocity.com.

    Speak to one of our professionals about your organizational needs

    "*" indicates required fields