Data Privacy Day 2021 was on January 28th, but if you are like most privacy-first companies, every day is data privacy day. Finding, classifying, understanding, controlling and protecting the sensitive data your company has access to is a 365-day a year undertaking.

The Spirion team is passionate about protecting the sensitive personal data of our colleagues, our customers and our communities. Sharing our knowledge of the latest data privacy issues, solutions and best practices is part of our mission.

Spirion hosted a live chat on Twitter for Data Privacy Day, where our experts answered questions about topics ranging from scaling data privacy and compliance programs to new classes of sensitive information.

We thought the questions were so good this year that we wanted to share them with you. Our experts—privacy and compliance attorney Scott Giordano and data protection product manager Aaron Stine—provided thoughtful and concise answers to all of the questions we received.

Follow @Spirion on Twitter at

Q1 How can companies turn the protection of consumer data into a competitive business advantage? #AskSpirion

By telling consumers that your products and services are superior because of the care that you take with consumer personal information. Said another way, that care is representative of how you approach everything that you do as a hospital, bank, media company, etc. —Scott

Follow @Spirion on Twitter at

Q2 What can organizations do to better scale their data privacy and compliance programs to accommodate consumers’ rights over their data – including the right to be forgotten? #AskSpirion

Scaling implies a combination of compliance strategy, processes to implement that strategy, and controls to prevent anything from falling through the cracks. One method I use is to conduct a thought experiment: what if we were to receive a million RtbF requests? How would we scale to accomplish that? —Scott

Follow @Spirion on Twitter at

Q3 How can organizations better guard against insider breaches? #AskSpirion

The key to minimizing insider breaches is to conduct an inventory of the personal information that your organization has in its possession and eliminating everything that you don’t need or is otherwise duplicative. From there, classifying that information according to sensitivity and placing controls on it such as DLP will serve to prevent it from leaving the network or cloud data store. –Scott

Follow @Spirion on Twitter at

Q4 How does a #dataprivacy tool help me de-identify sensitive data so it can be safely stored and reused for analysis, monetization use with 3rd parties?

Data privacy tools can remove elements of personal data that are unnecessary or duplicative while keeping elements that enable legitimate analysis, research, and monetization. De-identifying data in a way that keeps it usable for research is difficult. De-identified data can be combined with other sources (private/public) to re-identify the data. Be sure to consider outside sources that could impact privacy when using data for research. –Aaron

Follow @Spirion on Twitter at

Q5 More than half of all states have proposed data privacy legislation. What steps can organizations take to ensure they are building global privacy capabilities for the regulatory future? #AskSpirion

First, organizations should conduct a privacy risk assessment. It’s critical to understand just what data qualifies as personal, both on the surface and as used in practice. Second, they need to understand where it’s stored and how it’s used and who has access to it. Finally, they should review their set of controls, both administrative and technical, and determine what changes need to be made in order to mitigate any identified risks. –Aaron

Follow @Spirion on Twitter at

Q6 What measures and best practices should organizations take to ensure their data security practices are legally adequate? #AskSpirion

All (or nearly all) modern privacy laws require that organizations conduct a risk assessment in order to apply proper controls, both administrative and technical. Those organizations should review their assessments to make sure they account for changes in the kind of personal data used and how it’s being used. –Scott

Follow @Spirion on Twitter at

Q7 #CPRA seeks to protect a new class of personal information, known as “sensitive personal information.” What should #CISOs do to prepare for this new reality?

CISOs should review the list of elements included in this new class, confer with the organization’s privacy leader, and determine what, if any, new controls need to be added. –Scott

Every day is data privacy day at Spirion and we’re here to answer your questions. Tag us @Spirion on Twitter and we will respond.