In addition to having a dedicated individual or team responsible for privacy matters, organizations must ensure their information security and IT staffs are knowledgeable about data privacy issues, says Trevor Hughes, CEO of the International Association of Privacy Professionals.
"Saying that an organization has a privacy professional is clearly an insufficient answer for managing the risks associated with data in today's enterprises," he says in an interview with Information Security Media Group.
"What we are seeing across the board in the marketplace is that anyone who touches data is a risk vector when it comes to privacy. And information security and IT pros touch lots of data," he notes. "So saying that an organization has a chief privacy officer or privacy professional responsible for privacy, or saying, 'hey, there's a privacy statement up on our website,' or 'we have privacy policies inside the organization' - all those things are great, but [are] insufficient answers in terms of responding to the risk associated with information privacy today."
Information security and IT professionals who have access to sensitive data need to broaden their knowledge of privacy matters, Hughes says.
"Make no mistake, having a privacy team in place [is] absolutely important. Having privacy statements, privacy policies, good privacy management [are] absolutely critical, without question. But equally as critical is having information security and IT professionals today understand the fundamentals of information privacy," he says.
In the interview, Hughes also discusses:
- Ways that information security and information technology professionals can bolster their privacy expertise;
- How "tension" between information security and privacy professionals can play out in organizations;
- Top privacy concerns related to the Internet of Things.
Hughes is an attorney specializing in e-commerce, privacy and technology law. In his role as president and CEO of the IAPP, he leads the world's largest association of privacy professionals. Hughes has testified before the U.S. Congress Commerce Committee, the U.S. Senate Commerce Committee, the U.S. Federal Trade Commission and the EU Parliament on issues of privacy and data protection, spam prevention and related technologies.