Discuss the implications of the lack of controls over the available data and its use by commercial organizations.
An organization’s private data can be considered a corporate asset, and its value can be positive or negative based on the control exercised over it. Well-controlled and appropriately used data can enhance an organization’s worth, providing additional value to its customers. Disclosed personal data becomes a liability, reducing customer confidence and increasing the risk of legal and regulatory activity. Management may be reluctant to assign monetary values to privacy until it is lost. A corporate classification program for privacy-protected data will assist in prioritizing the data. Assigning a sensitivity level — such as proprietary, confidential, or public — to data assists in evaluating the appropriateness of the controls over the technology and business processes that handle it.

The auditor can ask the following questions:
• What are the regulatory penalties for mishandling privacy-protected data? What legal recourse would the impacted individuals have?
• How has data ownership been assigned, and have appropriate controls been established in handling the data?
• Has the data been classified? Are the levels of classification appropriate for ensuring adequate privacy controls?
• How widely would a privacy breach be disclosed? Who would need to be notified? How will they be notified?
• How costly would it be to remediate various types of unauthorized privacy disclosures?
• How would a privacy breach impact customer, citizen (in case of a public entity), or investor confidence? How much would it cost to recover trust and confidence?