About Data Privacy
Whether you know it or not, data privacy is of chief concern to certain consumers and is a growing concern to the general public. Large corporations and government organizations are bearing the brunt of the scrutiny, but that does not mean small business is immune. California in particular has passed privacy laws and is actively developing privacy compliance regulations, sending a ripple of litigation eastward from there. As a service provider for applications and websites, we offer supplementary data privacy consulting services to help you mitigate risk.
It’s extremely important for businesses operating a website and collecting personal data (virtually every business) to manage their risk and cast a wide compliance net by taking consumer data privacy and information security seriously.
Tortoise and Hare Software can assist with many aspects of data protection and data privacy compliance; however, Tortoise and Hare Software is not an attorney, law firm, or provider of legal services. All services are provided on a best-efforts risk mitigation basis. Compliance efforts are made through a digital lens and not a legal lens. Ultimately you are responsible for complying with applicable privacy law. Our data privacy consulting services are no substitute for a legal consultation. Tortoise and Hare Software can refer you to a qualified data privacy attorney, or you can contact an attorney in your local area for more comprehensive compliance coverage.
The first step in a successful data privacy program is to put policies in place.
Privacy Policies, Web Accessibility Policies, and Terms of Service documents are documents that no business with a public-facing website or application should be operating without, and in some cases they may be required by applicable law.
Policies manage your risk and build trust with your prospects and customers. Get your policies in place today.
Collection and Consent Management
The next step in compliance is to control the inflow of personal data from consumers. This starts with collecting the appropriate data and managing data collection consent.
Managing consent for collection of personal data in the form of cookies or fingerprinting is quickly becoming a standard in business. We can help guide you through the estimated requirements for collecting consent based on factors such as your target customer base, the size of your company, and geography.
Tortoise and Hare Software can provide advisory services to make sure you're collecting the appropriate data, and in a manner that is transparent and safe.
Data Storage And Handling
Once you've collected personal information your business must still take appropriate steps to ensure the data is stored safely, accurately, and for no longer than is necessary for your business purpose.
Procedures must also be in place to allow data subjects to manipulate their data to maintain its accuracy, have it transferred, or have it removed.
There are both technical and procedural concerns associated with data storage and handling.
In certain cases application providers have a duty, as part of their privacy compliance plan, to secure their applications against injection attacks and other malicious parties hijacking personal information. Addressing the OWASP Top 10 demonstrates a reasonable compliance effort. Tortoise and Hare Software can help you patch your attack vectors and document compliance efforts.
For larger organizations, the burden of compliance with privacy regulations can include stringent security standards for personal data both at rest in a data store and in transit. These requirements can vary from industry to industry, and HIPAA law in the healthcare industry is a great example of this. We can assist with the more technical aspects of data privacy compliance such as data encryption and certificate configuration.
Cloud & Network
Cloud and network security is not exempt from a data privacy compliance plan and in some cases, such as HIPAA, is required. Reasonable cloud and network security measures should be taken to protect consumers' personal information, such as isolating application components (the database, application code, web services, etc.) into containers and controlling access and communication between them.
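As an added illustration of the isolation described above (this is example configuration written for this page, not Tortoise and Hare Software's own), the Docker Compose file below places the web tier, application and database in separate containers on two networks: only the web container publishes a port, and the database sits on an internal network that only the application can reach. The image name `example/app:latest` and the `DB_PASSWORD` variable are hypothetical placeholders.

```yaml
# Constructed example: three components, two networks.
# Only the web tier is reachable from outside; the database is reachable
# only from the application container over an internal network.
services:
  web:
    image: nginx:1.25            # reverse proxy; the only published port
    ports:
      - "443:443"
    networks:
      - frontend
    depends_on:
      - app

  app:
    image: example/app:latest    # hypothetical application image
    environment:
      # DB_PASSWORD is supplied from the environment or a .env file, never hard-coded
      DATABASE_URL: postgres://app:${DB_PASSWORD}@db:5432/app
    networks:
      - frontend                 # reachable by web
      - backend                  # the only way to reach db
    depends_on:
      - db

  db:
    image: postgres:16
    environment:
      POSTGRES_USER: app
      POSTGRES_DB: app
      POSTGRES_PASSWORD: ${DB_PASSWORD}
    # Weak setting to avoid: publishing the database port to the host/internet.
    # ports:
    #   - "5432:5432"
    networks:
      - backend                  # not on frontend: web cannot reach db directly
    volumes:
      - dbdata:/var/lib/postgresql/data

networks:
  frontend:
  backend:
    internal: true               # containers on this network have no route outside it

volumes:
  dbdata:
```

A quick check that the isolation holds: from inside the `web` container the name `db` does not resolve and no connection to port 5432 can be made, because Docker's built-in DNS only resolves containers that share a network with the caller.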