Following are some basic recommendations to consider when developing a privacy program:
Define Company Culture: Company culture sets the tone of an organization and is the foundation for all components of internal control and structure. Company culture includes the integrity, ethical values, and competence of the entity’s people; management philosophy; and, operating style. By better understanding the culture of an organization, one can better establish the framework within which risk to the company should be measured. It is important to unify the company culture in terms of risk tolerance as it relates to compliance and identify priorities for process improvements.
Conduct Risk Assessments: Risk assessment can be defined as the identification and analysis of risks relevant to the achievement of objectives. All organizations face a certain degree of risk from external and internal sources that must be assessed. A precondition of assessing risk is the establishment of operating objectives. This forms a basis for how risks should be managed. Departments within an organization need to agree on what standards they will use to assess risk and to identify priorities for process improvement.
Document Policies and Procedures: Pertinent information must be identified, captured, and communicated in a form that enables people to carry out their responsibilities. It is important that organizations develop, document and implement polices and procedures related to their background checking activities. Regulators are increasingly focusing on a company’s established written policies and procedures and whether or not they are actually being enforced.
Communicate and Train: Pertinent policies and procedures must be communicated and personnel trained in order to enable people to carry out their responsibilities.
Monitor and Identify Breaches: Ongoing monitoring is required to ensure internal processes are being adhered to. The scope and frequency of monitoring depends primarily on an assessment of risk and the effectiveness of ongoing monitoring procedures. Internal breaches should be reported to the appropriate operational hierarchy and prompt action should be taken to rectify any policy breach.
