It’s the time of year when it’s typical to focus on self-betterment, so let’s not leave the organization you work for out. Nonprofit organizations hold a variety of personal information on behalf of their constituents and employees. Unfortunately, most organizations could be doing more to protect this information. The fact is that with each passing year, the number of data breaches grows, and the financial cost and reputational harm along with it. Additionally, the regulatory landscape is becoming more complex, requiring organizations to comply with an increasing number of requirements or face penalties. The good news – a significant portion of data breaches and related risks can be avoided or minimized with a bit of due care. As such, it has never been more critical to have a practical understanding of the types of personal information collected, stored and shared by your organization. A first step for any organization wishing to better understand (and minimize) its privacy risk is to conduct a privacy audit.
A privacy audit is essentially a process to identify, across the organization (and chapters), the types of personal information collected, the ways in which it is protected, and with whom such information is shared. The following risk assessment methodology is a good place to start.
• Inventory: Locate the places in the organization (and at vendors operating on its behalf) that house/store Personally Identifying Information (“PII”), identifying both electronic files/databases and physical files.
• Safeguards: Assess the safeguards in place – including the physical, administrative and technical controls – and whether they are adequate and reasonable considering the type of PII being stored (an SSN and an email address, for example, might warrant different levels of protection).
• Gaps: Determine the compliance gap – essentially the difference between what the organization should be doing and its actual practices.
• Risk Assessment: For most organizations there will be a number of gaps. As a first step, for the PII held in various locations and with various vendors, assess the risk of non-compliance, determine the impact of non-compliance and the likelihood of the risk occurring, and use this to help prioritize compliance efforts.
• Remediation: Depending upon the findings/conclusions of the previous steps, remediation should be a joint effort among various members of the organization to address and remedy any identified shortfalls/gaps.
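The five steps above map naturally onto a small inventory-and-scoring script. The following is an added example, not part of the original post: it records each PII store (electronic or physical, in-house or vendor-held), compares the safeguards present against a hypothetical baseline of expected controls, derives the gap, scores risk as impact (from the most sensitive PII category held) times likelihood (more missing controls, more likely), and ranks the stores so remediation starts where risk is highest. The sensitivity tiers, the baseline of required safeguards and the inventory itself are all constructed for illustration; a real audit takes the baseline from the applicable regulations and the organization’s own policies.

```python
from dataclasses import dataclass

# Sensitivity tier per PII category. Constructed for this example: it follows the
# post's point that an SSN and an email address warrant different levels of protection.
SENSITIVITY = {
    "ssn": "high", "bank_account": "high", "health": "high",
    "address": "medium", "dob": "medium",
    "name": "low", "email": "low",
}
TIER_RANK = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 3, "high": 5}

# Safeguards expected for each storage kind and tier. Hypothetical baseline; a real
# one comes from the applicable regulations and the organization's policies.
REQUIRED = {
    "electronic": {
        "low": {"access_control"},
        "medium": {"access_control", "retention_policy"},
        "high": {"access_control", "retention_policy", "encryption_at_rest", "mfa"},
    },
    "physical": {
        "low": {"access_control"},
        "medium": {"access_control", "retention_policy"},
        "high": {"access_control", "retention_policy", "locked_storage"},
    },
}
VENDOR_REQUIRED = {"vendor_contract"}  # expected whenever a third party holds the data


@dataclass
class DataStore:
    name: str
    kind: str             # "electronic" or "physical"
    vendor_held: bool     # True when a vendor stores the data on the org's behalf
    pii: frozenset        # PII categories present
    safeguards: frozenset # controls actually in place
    records: int          # approximate number of individuals affected


def sensitivity_tier(store):
    """Steps 1-2: a store is as sensitive as the most sensitive PII it holds."""
    return max((SENSITIVITY[p] for p in store.pii), key=TIER_RANK.__getitem__)


def required_safeguards(store):
    req = set(REQUIRED[store.kind][sensitivity_tier(store)])
    if store.vendor_held:
        req |= VENDOR_REQUIRED
    return req


def find_gaps(store):
    """Step 3: what the baseline says should be in place minus what actually is."""
    return required_safeguards(store) - store.safeguards


def risk_score(store):
    """Step 4: impact (from sensitivity) x likelihood (grows with each missing control)."""
    likelihood = min(5, 1 + len(find_gaps(store)))
    return IMPACT[sensitivity_tier(store)] * likelihood


def prioritize(stores):
    """Step 5 input: rank stores so remediation starts where risk is highest;
    ties are broken by the number of people affected."""
    ranked = sorted(stores, key=lambda s: (risk_score(s), s.records), reverse=True)
    return [{"name": s.name, "tier": sensitivity_tier(s), "score": risk_score(s),
             "gaps": sorted(find_gaps(s))} for s in ranked]


# Constructed inventory for a fictional nonprofit with one chapter and one vendor.
INVENTORY = [
    DataStore("HR personnel files", "physical", False,
              frozenset({"ssn", "name", "address", "dob"}),
              frozenset({"locked_storage"}), 40),
    DataStore("Donor database", "electronic", False,
              frozenset({"name", "email", "address", "bank_account"}),
              frozenset({"access_control", "encryption_at_rest", "retention_policy"}), 12000),
    DataStore("Newsletter platform", "electronic", True,
              frozenset({"name", "email"}),
              frozenset({"access_control"}), 30000),
    DataStore("Chapter volunteer spreadsheet", "electronic", False,
              frozenset({"name", "dob", "address"}),
              frozenset(), 300),
]

if __name__ == "__main__":
    for row in prioritize(INVENTORY):
        gaps = ", ".join(row["gaps"]) or "none"
        print(f"{row['score']:>3}  {row['tier']:<6} {row['name']:<32} gaps: {gaps}")
```

With this inventory the small physical HR file ranks first (SSNs with no access control or retention policy), ahead of the much larger donor database whose only gap is MFA; the score, not the record count, drives the order, which is the point of weighting by the sensitivity of the PII rather than by volume alone.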
The above are general guidelines. As a first step, I typically provide clients with a customized, detailed checklist that is an essential tool for our audit. Not surprisingly, most of these audits reveal a variety of gaps and poor practices, which, once addressed and remedied, reduce the likelihood of a breach and leave the organization better prepared should one occur.