We often hear of AUPs (Acceptable Usage Policies) in the domain of internet service providers, but seldom stop to think about them in our own work environments. The truth is, AUPs are vitally important to your Data Privacy Strategy, as they can and should define where and how data is stored within the organisation. Normally, when an AUP is implemented, it leans towards regulating time spent on Facebook or similar, but it can also be used as a management tool for internal data handling.
Part and parcel of GDPR, POPIA and many other data privacy laws is the requirement that reasonable measures are taken to secure data. In order to do this, you need to know where the data is, what the data is, and how it got there. Instead of just hoping that data ends up in a single location, an AUP defines for your teams (and indeed your data subjects) how data should be handled internally when it enters your process streams.
Have a Single Location
A single location for particular types of data allows you to easily manage how it is stored, be it a shared folder on an encrypted Network Attached Storage (NAS) device or an online service. Looking after data in one place that is defined and regulated is a lot easier than trying to manage data in unknown locations on staff equipment like laptops, mobile phones, or, heaven forbid, external storage. Part of an individual’s right to be forgotten (GDPR), or the fact that your data subjects should be allowed to participate (POPIA), rests on knowing where the data is so that you can update or remove it with certainty.
Knowing What You Collect
Another part of the legislation is taking only the data that is necessary. If you only need a name, surname, and contact number, you need to avoid collecting things like address, email details and anything else; this is part of your process limitation in accordance with the law. Having a defined process for collecting and storing data affords you the opportunity to evaluate your and your staff’s collection of data against your privacy responsibilities.
Enforcing the Process
And this is where your AUP comes in. As part of policy, you need to ensure your teams know where and how data should be stored in the organisation. You don’t need to define every location in your AUP, but it does need to state that where a single designated location exists, it is to be used rather than storage on any other medium. You can work out the nitty-gritty detail in process documentation; however, your policy should be your “safety blanket” for staff education and onboarding.
If you feel you need a hand with the policies and processes detailed in this article, please reach out for a meeting. Data Privacy and business process management can be daunting given the level of attention needed in addition to your already busy day, so why not outsource to a network of trusted advisors such as those partnered with Ross G Saunders.