It is often said that laws and regulations protect privacy, and that this is how privacy is protected.
However, even a correctly enforced law will not protect you effectively unless it is properly implemented by, and understood by, the people who process personal information every day. What matters is to be protected BEFORE the breach occurs, or before the sale of your personal information without your consent is closed, NOT AFTER.
As a result, in practice there is only one way to protect privacy effectively: by implementing a sound Privacy program (self-regulation).
A Privacy program has three main components and several subcomponents. The three main components are:
- ENSURING THE PERSONAL INFORMATION IS PROCESSED SAFELY AND FAIRLY
- ENSURING THE ACCESS TO YOUR PRIVACY RIGHTS
- SETTING UP THE BREACH NOTIFICATION, BREACH RESPONSE, ACCOUNTABILITY, AND RESPONSIBILITIES
The first component is one of the most important: it ensures that the controls applied to the information are effective.
- Regarding information security, organizations should use reasonable administrative, technical, and physical safeguards to protect personal information against unauthorized access, use, disclosure, modification, and destruction.
- Regarding information quality, organizations should maintain accurate, complete, and relevant personal information.
In addition to that, part of the first component is to address the life cycle of information, including collection, use and retention, and disclosure:
- Collection: Organizations should collect personal information only for the purposes identified in the notice.
- Use and retention: Organizations should limit the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent. Organizations should also retain personal information for only as long as necessary to fulfill the stated purpose.
- Disclosure: Organizations should disclose personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual.
The second component is all about the implementation of individuals' rights, that is, your rights:
- Notice. Organizations should provide notice about their privacy policies and procedures and should identify the purpose for which personal information is collected, used, retained, and disclosed.
- Choice and consent. Organizations should describe the choices available to individuals and should get implicit or explicit consent with respect to the collection, use, retention, and disclosure of personal information.
- Data subject access. Organizations should provide individuals with access to their personal information for review, update, or deletion.
The third component, concerning accountability, refers to management. Organizations should address both management and administration, and monitoring and enforcement:
- Management and administration. Organizations should define, document, communicate, and assign accountability for their privacy policies and procedures.
- Monitoring and enforcement. Organizations should monitor compliance with their privacy policies and procedures and have procedures in place to address privacy-related complaints and disputes.