Inside Internal Controls

News and discussion on implementing risk management

When a privacy policy is not enough!

Image: Stuart Miles

Does your organization have an IT risk management program in place that draws upon various stakeholders to identify and prioritize privacy risks and related mitigations? Does your IT risk management program maintain appropriate records and provisions for access to information and privacy? And, have you implemented a privacy policy, only to find out that during internal audits there was a lack of compliance?

The Ontario Information and Privacy Commissioner is calling on organizations to make privacy part of their corporate culture. Dr. Ann Cavoukian says it is not enough for organizations to have a privacy policy in place – they must take steps on an ongoing basis to make sure it is reflected in every aspect of their operations.

She has released a new how-to guide on putting privacy policies into practice. The guide, entitled A Policy is Not Enough: It Must be Reflected in Concrete Practices, provides a 7-step action plan for effectively executing an appropriate privacy policy and embedding it in the concrete practices of an organization.

When applying these 7 steps to your IT risk management program, it may be a good idea to move step 5 up to become step 1. Doing so helps ensure your privacy expert is engaged as early as possible in your IT risk management program. With your privacy expert engaged from the start, they can collaborate with you on developing and implementing action plans that ensure the privacy policy is complete and actually applied within your IT risk management program.

Of course, focusing on the title of the guide for a second, it may also be a good idea to proactively engage your chief audit executive as early as possible in your IT risk management program. Doing so could mean better internal audit reports in the future (e.g., reports that go wider or deeper, are more risk-centric, and at minimum do not simply point to a lack of adherence to policy).

What may be best about the guide is that it recognizes that implementing a policy effectively requires embedding it in the culture, so that it becomes part of the mindset for overall quality. In this way the policy becomes better ingrained, understood, used and complied with.

Also, regardless of the order of the steps in the above-noted guide, try replacing the word “privacy” with the word “risk” and you may get some good ideas for improving adherence to your risk management policy and the related IT risk management program. The following questions may help you to see this.

  • Do you have a central “go to” person for IT risk management related queries within the organization?
  • Do you have a risk management policy that reflects the IT risk management needs and risks of the organization?
  • How often do you conduct effective IT risk management impact assessments and how effective is your organization at identifying, logging and managing IT risks?
  • Have you linked each requirement within your risk policy to a concrete, actionable item—IT operational processes, controls and procedures, translating each policy item into a specific practice that must be executed?
  • What do you do to demonstrate how each practice item will actually be implemented? Have you developed and conducted IT risk management education and awareness training programs to ensure all employees in IT, using IT services, or working on IT projects understand the required policies and procedures as well as the obligations they impose? Can new employees quickly access the education, training and awareness programs and demonstrations (e.g., are they online and replayable at any time, is there a test to measure understanding, and is there a link or button learners can push to engage an expert in a related dialogue)?
  • Does your organization verify both employee and organizational execution of the risk policy and operational processes and procedures (including with regard to IT risk management), and does your organization proactively prepare for a potential IT risk to materialize by establishing related protocols to effectively manage the risk?
  • Are your IT risks being managed consistently across your various projects?
  • Are IT risks really getting the attention they should? Are risks logged early in a project, then insufficiently mitigated and largely forgotten?
  • Is your organization happy with IT operational and project outcomes?
  • Has your organization established sufficient documented policies (including for IT), and are they enough?
  • Are policies current with best practices? Are any policies missing? Are policies sufficiently complied with?

Based on your answers, it may be time to ask ‘What is your organization doing when your privacy policy is not enough?’

Ron Richard
Quality Management Specialist

Ron Richard

Quality, Information Technology and Enterprise Risk Management specialist at Ron Richard Consulting
Ron Richard, Quality, Information Technology and Enterprise Risk Management specialist, has held positions at almost every level of an organization and has acquired more than 30 years of relevant experience, including related work done at the College of the North Atlantic. Ron is the author of Inherent Quality Simplicity and of the Inside Internal Control newsletter's Modern Quality Management series.