Major corporations with multiple divisions face significant challenges with mapping their data landscape for privacy compliance purposes. Every new project, every new application, even new clients alter the data map. How can orgs stay on top of all that? And how about automating Data Subject Access Requests (DSARs)?
To share data privacy best practices, a recent episode of The Virtual CISO Podcast features Rosemary Martorana, CPO at Corning. The show’s host is John Verry, Pivot Point Security CISO and Managing Partner.
Every business is different
Corning is a major multinational corporation with about 61,000 employees in 150 locations across 30 countries, whose products and services span five market access platforms. You can imagine what that means for Corning’s data flows.
“Yes, we do leverage assessment automation tools and data mapping tools to help us understand, manage, and process where our [personal] data is at any given point in time,” explains Rosemary. “And we’ve worked very closely with our information security team to understand some of the information flows as well.”
But as a B2B company, Corning doesn’t currently receive large numbers of DSARs. Thus, they focus primarily on diagramming their data flows, and tackle DSARs in a largely manual fashion.
“Make sure you understand what your company does and where you really can best apply those technologies before you open that checkbook,” advises Rosemary.
Transparency pays off
Businesses that are transparent and upfront about their privacy policies can help reduce the number of DSARs they receive, because people don’t feel they need to protect their data from misuse.
Secondarily, some DSARs come from individuals with suspect motives. These include opportunistic “potential plaintiffs” seeking to harass or even blackmail orgs with non-compliant privacy policies. A few bogus DSARs, ironically, come from privacy software marketers posing as customers to get a foot in the door. A transparent and mature privacy program eliminates these illicit DSARs as well.
It’s also important to be transparent with employees and new hires about privacy.
“As soon as new employees come into Corning, they understand what our data privacy practices are on day one,” Rosemary states. “They know how Corning will manage their data throughout its lifecycle as an employee with our corporation. Similarly, we provide that transparency to all of our customers, vendors, and suppliers upfront, too.”
The benefit of this transparency, in Rosemary’s view, is that it helps people understand what Corning is doing with their information and why having certain data is important to Corning. This reduces the number of DSARs. Regular ongoing communication, especially about changes to how personal data is managed, is also important.