This is the second article of a six-piece series by FireEye’s Chief Privacy Officer, Shane McGee. In this series, Shane explores six fundamental steps to building an effective privacy program. While there are many critical pieces to consider, Shane chose to highlight the following:
- Give Privacy a Voice
- Follow the Data
- Communicate Clearly, Carefully and Candidly
- Become Part of the Process
- Build a Culture of Privacy
- Rinse and Repeat
Follow the Data
Chief Privacy Officers have a lot of different responsibilities. We monitor new legislation, make policy, meet with clients to explain our information practices, attend conferences to keep current on best practices, participate in working groups and speak publicly about the company’s commitment to privacy. And while that’s all important, none of it addresses what I believe should be the primary responsibility of a CPO: ensuring that your company collects, stores, uses and shares data consistent with the law, company policies and reasonable customer expectations. This, of course, requires a solid understanding of the nature of the data collected and where it resides.
When it comes to data, understanding what you have and where it sits is more difficult than most people think. In fact, it’s frequently the case that any given company will collect more data – and more types of data – than a simple inquiry would indicate. To obtain a true inventory, one must follow the data.
Following the data isn’t easy. You can ask your company’s engineers to provide you with a data map, but what you receive may not turn out to be particularly helpful. Engineers deal with technology and information architectures, and you’re much more likely to receive an architectural flow than something that presents an organized picture of the data the company collects. And if you’re lucky enough to receive a ‘real’ data map, it may be out-of-date or unintelligible to someone without engineering superpowers.
So what do you do? Conduct a friendly data deposition! Sit the engineers down and ask questions – lots and lots of questions. If you don’t understand something, concede your ignorance and ask them to explain. And while they may be more interested in telling you about the technology, your questions should be focused on the data. Although each data deposition should be tailored to fit the situation, some examples of questions to ask are:
- How is the data collected? Is it validated or sanitized?
- If collected via a web browser, are HTTP referrers stored? If so, is user data removed?
- If collected online, is the contributor’s IP or MAC address stored?
- Is the data associated with any type of unique identifier that could be used to identify a person?
- List the database fields in which the data is stored.
- Are there any narrative/text fields that can store information that wasn’t solicited?
- When data is reportedly deleted, is the record overwritten or just ‘unlinked’ or marked as deleted?
Take copious notes during the data deposition and, after you’re done, draft your own data map while it’s still fresh in your head. Send that back to the engineers and ask them to review, correct any mistakes and bless the final version.
Finally, without giving away any of the yet-to-be-disclosed secrets in our sixth article, Rinse and Repeat, make certain you keep apprised of changes. Ask your engineers to update you when something changes on the data map they blessed, and schedule regular checkpoints to catch anything that falls through the cracks. If you do all this, you’ll be better situated to accomplish your primary mission as CPO.