A privacy audit is essentially a process to identify, across the organization (and chapters), the types of personal information collected, the ways in which it is protected, and with whom such information is shared. The following risk assessment methodology is a good place to start.
•Inventory Locate the places in the organization (and vendors operating on its behalf) that house/store Personally Identifying Information (“PII”), identifying both electronic files/databases and physical files.
•Safeguards Assess the safeguards in place – including the physical, administrative and technical controls – and whether they are adequate and reasonable considering the type of PII being stored (SSN vs. email address for example might have different levels of protection).
•Gaps Determine the compliance gap – essentially the difference between that what it should be doing, and the organizations actual practices.
•Risk Assessment For most organizations there will be a number of gaps. As a first step, for the PII held in various locations and with various vendors, assess the risk of non-compliance, determine the impact of non-compliance and likelihood of risk occurrence, and use this to help prioritize compliance efforts.
•Remediation Depending upon the finding/conclusions in the previous steps, remediation should be a joint effort among various members of the organization to address and remedy any identified shortfalls/gaps.

The above are general guidelines. As a first step, I typically provide clients with a customized, detailed checklist that is an essential tool for our audit. Not surprisingly, most of these audits reveal a variety of gaps and poor practices, which once addressed and remedied, reduces the likelihood of a breach, and leaves the organization better prepared should one occur.

The post Privacy Audit – Make it Your Organization’s New Year’s Resolution! first appeared on Perlman Sandbox.