In devising procedures for compliance with applicable privacy- and data security-related laws and regulations, the following transaction checklist may be helpful:
- Determine the scope of the laws and regulations applicable to the company, including whether the business activities of the company require collection of information from consumers and/or fall within specialized regulated areas such as financial services or health care;
- Review the steps that should be followed in order to develop a privacy and data security compliance program;
- Designate a chief privacy officer and invest sufficient resources to staff a privacy compliance unit and procure the necessary technology to implement an effective privacy and data security program;
- Consult applicable laws and regulations to develop a definition of the nonpublic personal information that must be covered by the company’s privacy and data security compliance program;
- Conduct an assessment of the information previously collected by the company and the current and projected collection activities of the company to create an inventory of where nonpublic personal information is collected, used, stored and transferred;
- Prepare and implement privacy-related policies and procedures, including general privacy policies and notices and procedures for collection and use of nonpublic personal information;
- Establish training programs on privacy-related compliance issues for employees, contractors and other agents of the company;
- Prepare and implement security requirements for nonpublic personal information, including information security policies and procedures;
- Prepare procedures and contractual documents with respect to handling of the company’s nonpublic personal information by business partners and outside service providers;
- Prepare and implement procedures for proper and effective disposal of nonpublic personal information that is no longer needed by the company to conduct its business activities;
- Establish procedures for investigation and notification of security breaches; and
- Establish and follow procedures for regular audits of the effectiveness of the company’s privacy and data security compliance program.
The content in this post has been adapted from material that appears in Business Transactions Solutions and is presented with permission of Thomson/West. Copyright 2008 Thomson/West. For more information or to order call 1-800-762-5272.