Got Privacy? New Indiana Privacy Toolkit Offers Practical, Easy-to-Use Resource for Small Business, Non-Profits & Local Government

The purpose of the Indiana Privacy Toolkit is to provide a practical, FREE-to-download resource intended to help organizations gain a better understanding of how privacy “works” and why it’s important. It is meant to be a step-by-step guide, with information tailored to the needs of a variety of small businesses and not-for-profit organizations, as well as local government.

Compiled by the Indiana Executive Council on Cybersecurity's (IECC) Privacy Working Group, the information in the Toolkit is drawn from the Group's members' knowledge and expertise in privacy and cybersecurity as leaders from the public and private sectors.

Think of it as your own in-house privacy handbook, one you can rely on to help you navigate the myriad challenges related to technology and cyber threats.

The guidance in this document is provided “as is”. Accordingly, the document does not, and is not intended to constitute compliance or legal advice. Readers should confer with their respective advisors and subject matter experts to obtain advice based on their individual circumstances.


A Bit of History

Just as it’s true that a lot of success stories begin with an intriguing bit of history, let’s take a quick look at the history of privacy and how it’s evolved, not only here in the United States, but around the world.

  • In 1890, Samuel Warren and Louis Brandeis (who later became a U.S. Supreme Court Justice) published “The Right to Privacy” in the Harvard Law Review, arguing that the law should recognize a person’s right to be let alone.
  • In 1950, the European Convention on Human Rights, signed in Rome, recognized respect for private and family life as a human right (Article 8).
  • The U.S. takes a sectoral approach to privacy law: rather than one general statute, privacy obligations are spread across sector-specific regulations.
  • Examples of those sectoral regulations are HIPAA (healthcare), FERPA (education), and COPPA (children online).
  • There are implementations of Privacy around the globe including GDPR (EU), PIPEDA (Canada), LGPD (Brazil) and PIPL (China).
  • The strictest is the GDPR in the EU, particularly around obtaining consent and transferring data out of the EU, both of which are discussed below.
  • The U.S. does not yet have an overarching federal privacy law. However, a number of individual states have enacted privacy protections; the most stringent of these is California’s CCPA/CPRA.

What You Need to Know to Get Started:


  • Step 1 - Learn the Basics of Information and Data Privacy 101

    Personal Data

    • Any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (such as an IP address) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. (This is the GDPR definition, Article 4(1).)

    Sensitive Data

    • Personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation. (This follows the GDPR’s list of special categories, Article 9(1).)

    There are several key aspects of privacy. While there are many concepts to be aware of, such as data portability, the right to have data erased, and retention limits, the two to be most concerned with are Consent and Data Transfer.

    Consent, in its simplest form, means you must ask before holding data on an individual. The request should describe what information is being collected and for what purpose.

    Data Transfer means you must know what is moving (PII), whether you have consent to move it, and whether the countries the data will move to respect privacy rights in the same manner as the sending country.

    For instance, moving data from the U.S. to the European Union is generally not a significant issue. Going the other way, from the EU to the U.S., is a very big deal: the GDPR restricts transfers out of the EU unless a recognized transfer mechanism is in place, and getting this wrong can put your organization in a challenging situation. To help with navigating some of the rules of the road around GDPR, visit: https://www.leadgenius.com/resources/the-ultimate-guide-to-gdpr-compliance-a-comprehensive-blueprint-for-revenue-and-legal-leaders.

  • Step 2 - Know What You Have; Conduct a Data Asset Inventory

    What is a data asset inventory?

    As with cybersecurity, you must know what data you hold before you can secure and protect the personal information in your organization’s care. The inventory also serves as the cornerstone of a good privacy compliance program.

    • The purpose of a data asset inventory is to create a structured inventory of an organization's data holdings, including both structured (in a database) and unstructured (on a network shared drive, email, etc.) data.
    • It typically includes details such as the name of the data asset, its description, location, storage medium, owner or custodian, data format, data source, and relevant metadata.
    • Conducting a data asset inventory also allows you to determine the purpose for collecting the personal information, understanding how it’s collected and who it is (or will be) shared with.
    • Combined, those items describe the data lifecycle, which can be mapped in a visual format for an easier understanding of how the personal data collected by an organization flows through it.

    Why is this important?

    • A well-maintained data asset inventory provides a clear understanding of an organization's data landscape, facilitates effective data governance, helps identify data dependencies, supports data management and compliance efforts, and enables better decision-making related to data initiatives, data privacy, data security, and data lifecycle management.

    Definitions

    • Data asset inventory - a record or catalog that documents and describes the data assets -- including personal information -- held by an organization. It is simply a list, spreadsheet, or database that provides information about the data elements, datasets, databases, files, or any other data resources maintained within an organization.
    • Data lifecycle – a map of personal data, usually drawn as a flow chart, that documents the path data takes as it flows through the organization. Typically, it will include:
      • Collection (source of the data),
      • Storage (where data is kept – physically/virtually and country/jurisdiction, as well as encryption status),
      • Permissions attached to the data,
      • Usage (who uses and has access to it),
      • Sharing (who the data is shared with), and
      • Destruction plans and documentation.

    Who does this?

    • The roles and individuals responsible for documenting an organization's data asset inventory will vary based on the size, sophistication, and structure of the organization.
    • Large organizations may have resources to establish a Data Governance Team that is responsible for establishing and enforcing data governance policies and procedures within the organization. They may oversee the development and maintenance of the data asset inventory as part of their broader data governance activities. Larger organizations may also have Data Stewards. They are individuals responsible for ensuring the proper management, quality, and use of specific data assets within the organization. They may contribute to the documentation process by providing detailed information about the data assets they steward.
    • Depending on the size of the organization and its regulatory requirements, there could also be a Compliance Team. These teams focus on data security, privacy, and compliance with relevant regulations. They may contribute to the data asset inventory by documenting the classification, security requirements, and regulatory implications of the data assets.
    • Most organizations, especially small businesses, will not have the resources for a governance team, data stewards, or a full-time compliance team. In that case, responsibility for documenting the data asset inventory falls on a single person or on several individuals from different teams. Typically, the inventory is created by people from the IT Department and the Business Unit / Data Owners, who collaborate to ensure the documentation is accurate.
      • Organizations that lack these resources should consider adopting policies and processes that assign operational accountability for documenting the data asset inventory.
    • Most importantly, an organization must establish clear roles and responsibilities for documenting and maintaining the data asset inventory. Who is involved matters less than making sure an owner is assigned who understands their responsibilities for that documentation.

    Example:

    Here is an example of a simple data asset inventory sheet that can be created in Sheets/Excel:
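    As an added illustration (example code written for this guide, not the toolkit’s own spreadsheet), the script below treats the inventory as a CSV export with the lifecycle fields from Step 2 and automatically flags the gaps those questions are meant to surface: sensitive data stored without encryption, personal data held with no record of consent or no retention period, and data stored in the EU/EEA that is shared with a vendor outside it (the transfer problem from Step 1). The column names and the sample rows are constructed assumptions; adapt them to your own sheet.

```python
"""Added example: automated gap check over a data asset inventory.

Example code for this guide, not the toolkit's spreadsheet. Column names
and sample rows are constructed assumptions that mirror the lifecycle
fields above; adjust them to match your own inventory sheet.
"""
import csv
import io

# EU/EEA member states (ISO 3166-1 alpha-2). Data stored here and shared with
# a vendor outside the EEA is a cross-border transfer under the GDPR.
EU_EEA = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "IS", "LI", "NO",
}

# Constructed sample inventory, as it might be exported from Sheets/Excel.
SAMPLE_INVENTORY_CSV = """\
asset,owner,personal_data,sensitive,storage_country,encrypted_at_rest,consent_recorded,shared_with,retention_days
Customer CRM,Sales Lead,yes,no,US,yes,yes,Mailchimp (US),730
Employee health forms,HR Manager,yes,yes,US,no,yes,,
EU newsletter list,Marketing,yes,no,IE,yes,no,HubSpot (US),365
Website analytics,IT,yes,no,US,yes,yes,Google (US),
Public meeting minutes,Clerk,no,no,US,no,no,Website,3650
"""


def _yes(value):
    return value.strip().lower() == "yes"


def country_of(share_target):
    """Return the country code from a 'Vendor (CC)' entry, or '' if absent."""
    target = share_target.strip()
    if "(" in target and target.endswith(")"):
        return target[target.rindex("(") + 1:-1].strip().upper()
    return ""


def check_inventory(csv_text):
    """Return {asset: [findings]} for every personal-data asset with a gap.

    The rules encode the lifecycle questions from Step 2 (storage,
    encryption status, sharing, destruction) and the consent and transfer
    points from Step 1. They are illustrative, not a legal test.
    """
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if not _yes(row["personal_data"]):
            continue  # the lifecycle checks only apply to personal data
        issues = []
        if _yes(row["sensitive"]) and not _yes(row["encrypted_at_rest"]):
            issues.append("sensitive data stored without encryption at rest")
        if not _yes(row["consent_recorded"]):
            issues.append("no record of consent for collection and use")
        if not row["retention_days"].strip():
            issues.append("no retention period or destruction plan documented")
        source = row["storage_country"].strip().upper()
        dest = country_of(row["shared_with"])
        if source in EU_EEA and dest and dest not in EU_EEA:
            issues.append(
                f"transfer {source}->{dest} leaves the EEA; a transfer mechanism is required"
            )
        if issues:
            findings[row["asset"]] = issues
    return findings


def report(csv_text):
    """Render the findings as plain text, one line per issue."""
    lines = []
    for asset, issues in sorted(check_inventory(csv_text).items()):
        for issue in issues:
            lines.append(f"{asset}: {issue}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_INVENTORY_CSV))
```

    Run against the sample rows, the check is silent for the CRM (consent, encryption and retention are all recorded) and for the public minutes (no personal data), and reports the health forms, the EU mailing list and the analytics data. Re-running it whenever the sheet changes turns the inventory from a one-time document into a living control.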

  • Step 3 - Developing a Privacy Notice and a Privacy Policy

    What is a Privacy Notice?

    Creating a privacy notice is like drafting instructions that tell people how their personal information will be used, stored, shared and protected by your website or service. It helps people understand what will happen to their information once they share it with you. Additionally, it serves as a go-to place for contact details if people have questions or concerns.

    So, do I need a Notice or Policy, or both?

    The short answer is BOTH. A Notice is the EXTERNALLY facing document, usually directed to your customers, and the Policy is the INTERNALLY facing document, directed to employees. This guide is focused on the externally facing Notice.

    • Notice and Policy Definitions:
      • What is a Notice? A privacy notice is a legal document that tells users or customers how an organization or website collects, uses, shares, and protects their personal information.
      • What is a Policy? A privacy policy is the internal document that sets out the rules employees must follow when collecting, using, sharing, and protecting personal information on the organization’s behalf.
    • Why do I need this?
      • A privacy notice is a critical tool for not only complying with legal requirements, but also and more importantly, to inform individuals about the company's data practices, therefore building trust by being transparent with customers.
        • There are several reasons why a notice is important, including:
          • Most laws, abroad and in the US, including every state law passed so far, require one.
          • Builds transparency and trust between your organization and your customers.
          • Empowers individuals to make informed decisions about sharing their information.
          • Mobile app stores require them before publishing your company app.
          • Demonstrates you take privacy and security seriously.
          • Outlines measures the company takes to protect personal information.
          • Establishes the company’s accountability and liability for handling personal information.
          • Describes data sharing with third parties.

    Creating a Privacy Notice

    While there is no "one-size-fits-all" approach to writing a privacy notice, these notices generally include several key sections, including:

    • What personal information is processed?
    • How is personal information being used?
    • Is personal information being sold or shared?
    • Is data being disclosed to third parties?
    • What are the consumer’s data protection rights, and how can they be exercised?
    • Will personal data be transferred across national borders (for example, from the EU into the United States)?
    • How is personal data being stored?
    • How is personal information kept secure?
    • Is the data of a minor being collected?
    • Contact Information

    In Indiana, the Indiana Consumer Data Protection Act (Indiana Code 24-15) mandates the contents of a privacy notice. According to this law, privacy notices should address:

    • Categories of Personal Data Processed: Outline what types of personal data the controller is managing.
    • Purpose for Processing Personal Data: Explain why the data is being collected and used.
    • Consumer Rights: Inform consumers about their rights under IC 24-15-3 and the process of appealing a controller's decision.
    • Data Sharing with Third Parties: If applicable, describe the types of data shared with third parties and list these entities.
    • Categories of Third Parties: Name the categories of third parties with whom the personal data is shared.

    Comparing these requirements, you will see notable similarities between the structure of privacy notices and the specifications laid out by Indiana law.

    LEGAL ASSISTANCE

    Whether you choose to draft your own privacy notice, or use a tool for assistance, consider consulting a legal professional or privacy expert to verify the adequacy of your privacy notice and ensure it aligns with applicable laws.

  • Step 4 - Following Rules and Regulations That Apply to Your Organization

    In Indiana, there are privacy rules and regulations that businesses and local government should be aware of (and consider discussing with your IT department). Here are some key laws and regulations:

    1. Indiana Data Breach Notification Law (Indiana Code 24-4.9): This law requires businesses that experience a breach of data containing personal information to notify affected individuals and the Attorney General’s office under certain circumstances.
    2. Indiana Consumer Data Protection Act (Indiana Code 24-15): Indiana’s comprehensive consumer privacy law, which takes effect on January 1, 2026.

    Here is a link to the Indiana data breach notification form.

    There are many privacy and cybersecurity laws and regulations that may be relevant to your business. Answering these questions should help identify other laws and regulations that may apply:

    • What type of data does the business collect and store (contact information, health, financial)?
    • Where is the business headquartered or registered?
    • Where are business customers located (local, state, federal, international)?
    • Do you transfer data across national borders? If yes, which countries are involved?
    • Do you share data with third-party vendors or service providers? If yes, which countries are these vendors based in? Do the contracts with those vendors and service providers include appropriate data protection language?
    • Do you offer goods or services to individuals located in the European Union or United Kingdom?

    Here's some additional best practices for privacy:

    • Obtain User/Customer Consent: When collecting and processing user data, obtain explicit consent where required by applicable privacy laws, including an option to opt out or to control data-use preferences.
    • Data Retention: Retain user data only for as long as necessary to fulfill the purpose for which it was collected. Regularly review and delete outdated or unnecessary data to minimize privacy risks.
    • Cookies and Tracking Technologies: Adhere to best practices and legal requirements regarding the use of cookies or similar tracking technologies on your organization's website or mobile applications. Provide clear information about the types of cookies used and obtain user consent where required.
    • Privacy Impact Assessment: Conduct a privacy impact assessment to identify and evaluate potential privacy risks associated with your data processing activities. This assessment helps ensure compliance with legal requirements and enables you to implement appropriate safeguards.
    • Data Security Measures: Implement technical and organizational measures to protect the security and confidentiality of user data. This includes measures such as encryption, access controls, regular system updates, and employee training on data protection best practices.
    • Data Subject Requests: Establish processes to handle data subject requests, such as requests for access, correction, or deletion of personal data. Respond to these requests promptly and provide a transparent process for users to exercise their privacy rights.
    • Data Breach Response: Prepare a data breach response plan that outlines the steps to be taken in the event of a data breach. This includes notifying affected individuals, authorities, and taking necessary actions to mitigate the impact of the breach.
    • Privacy Notice and Policy: Regularly update or create your public-facing Privacy Notice and internal Privacy Policy. These documents should clearly communicate your data collection practices, how user data is used, and the rights and choices available to users.
    • Vendor/Sub-processor Agreements: Review and update agreements with vendors or sub-processors to include privacy provisions. Ensure that they handle user data in compliance with applicable privacy laws and provide sufficient data protection measures.
    • Map Business Processes: Understand and map your business processes to identify where user data is collected, stored, and shared. This helps to assess privacy risks and implement appropriate safeguards.
    • Website Updates: Update your external Privacy Notice, Cookie Policy, and banners (if applicable) to reflect your current data collection and processing practices. Clearly inform users about how their data is used and provide options for managing their preferences.
    • Use Encryption, Tokenization, or Anonymization: Whenever possible, use encryption, tokenization, or anonymization to protect your data; for example, prefer services that use end-to-end encryption, especially for messaging and file sharing. Keep in mind that pseudonymized data (data that can be re-linked to a person using a key or lookup table held elsewhere) is still personal data under laws such as the GDPR; only truly anonymized data falls outside those obligations.

    By following these additional privacy practices, you can enhance your privacy measures and demonstrate a commitment to protecting user data.
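    To make the encryption/tokenization/anonymization point concrete, here is an added example (written for this guide, not the toolkit’s code). It shows why a plain, unkeyed hash of an e-mail address is not anonymization: anyone with a list of likely addresses can recompute the hash and match it. Two better options follow: a keyed pseudonym (HMAC under a secret key), which keeps records linkable for analytics but cannot be recomputed without the key, and a token vault, which replaces the value with a random token and keeps the mapping on a separate system. The sample addresses and the vault class are constructed for illustration.

```python
"""Added example: keyed pseudonymization and reversible tokenization of PII.

Example code for this guide, not from the toolkit. It shows why an unkeyed
hash of an email address is not anonymization (it is reversed by guessing),
and two alternatives: an HMAC under a secret key, and a token vault.
"""
import hashlib
import hmac
import secrets

# Constructed sample identifiers.
CUSTOMER_EMAIL = "Alice@Example.com"
COMMON_EMAILS = ["bob@example.com", "carol@example.com", "alice@example.com"]


def naive_hash(identifier):
    """Unkeyed SHA-256. Deterministic and public: anyone with a list of
    plausible identifiers can recompute it and match. Not pseudonymization."""
    return hashlib.sha256(identifier.strip().lower().encode()).hexdigest()


def keyed_pseudonym(identifier, key):
    """HMAC-SHA256 under a secret key. Stable for the same input (so records
    can still be linked for analytics) but not recomputable without the key."""
    return hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256).hexdigest()


def dictionary_attack(target, candidates):
    """Reverse an unkeyed hash by trying candidate identifiers.
    Returns the matching identifier, or None if no candidate hashes to target."""
    for candidate in candidates:
        if hmac.compare_digest(naive_hash(candidate), target):
            return candidate
    return None


class TokenVault:
    """Reversible tokenization: the dataset keeps only random tokens, the
    vault keeps the mapping. Keep the vault on a separate, tightly controlled
    system; whoever holds it can re-identify everyone."""

    def __init__(self):
        self._forward = {}
        self._reverse = {}

    def tokenize(self, value):
        value = value.strip().lower()
        if value not in self._forward:
            token = "tok_" + secrets.token_hex(8)  # random, carries no information
            self._forward[value] = token
            self._reverse[token] = value
        return self._forward[value]

    def detokenize(self, token):
        return self._reverse.get(token)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # store in a secrets manager, never beside the data
    print("unkeyed hash recovered as:",
          dictionary_attack(naive_hash(CUSTOMER_EMAIL), COMMON_EMAILS))
    print("keyed pseudonym recovered as:",
          dictionary_attack(keyed_pseudonym(CUSTOMER_EMAIL, key), COMMON_EMAILS))
    vault = TokenVault()
    token = vault.tokenize(CUSTOMER_EMAIL)
    print(token, "->", vault.detokenize(token))
```

    The security of both alternatives rests entirely on where the key or the vault lives: if either is stored next to the pseudonymized dataset, a breach of that dataset re-identifies everyone, and the data should be treated as ordinary personal data for breach-notification purposes. Keep the key in a secrets manager (and rotate it when staff with access leave), and restrict the vault to the few systems that genuinely need to reverse tokens.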

  • Step 5 - Make Headway on Cybersecurity Actions to Protect Your Data
    • Basics and definitions
      • Cybersecurity is an important aspect of protecting data privacy. It is the practice of protecting networks, devices, and data from unauthorized access or criminal use, and of ensuring the confidentiality, integrity, and availability of information.
      • NICCS acronyms and glossary
      • NIST glossary
    • Why is this important?
      • Cyberattacks continue to increase in number and sophistication, including phishing, social engineering, ransomware, malware, and brute-force attacks.
      • Organizations that suffer cybersecurity breaches may face significant costs, including reparations to each affected individual, government fines and penalties, and reputational damage.
      • Robust cybersecurity measures help organizations bolster their defenses against a cyber incident or cyberattack, whether it results in theft or loss of data.
      • New regulations and reporting requirements make cybersecurity risk oversight a challenge. Leaders need assurance from management that its cyber risk strategy will reduce the risk of attacks and limit financial and operational impacts.
    • How do data privacy, cybersecurity and physical security intersect?

    • Cybersecurity 101 resources: A "Must Read" for Your Information Technology Staff
      • The Center for Internet Security (CIS) is a nonprofit responsible for the CIS Critical Security Controls and CIS Benchmarks.
        • These are globally recognized practices for securing IT systems and data.
        • At minimum, ensure your organization continually adheres to the latest version of the CIS Controls.
        • These are prioritized and simplified best practices.
      • The Global Cyber Alliance (GCA) creates and equips communities to deliver a more trustworthy Internet for all. Check out the GCA toolkits for small business, nonprofits, elections officials and more.
      • Healthcare Cyber in a Box 2.1 provides hospitals and healthcare providers and organizations with three levels of expert guidance – basic, intermediate, and mature – covering 23 critical areas of cybersecurity. It is a FREE-to-download resource for keeping your operations secure while, at the same time, helping to protect your patients and preserve both their digital and physical well-being.
    • Key Cybersecurity Policies - Across all types of organizations, a handful of policies address the behaviors that present the highest risk. Focus on those, and on the policies every employee should read and sign, including:
      • Acceptable Use
      • Use of Removable Media
      • Cloud File Storage
      • Remote Access
    • Example of an action plan
      • Incident Planning and Management (see Step 6, Apocalypse Now)

    Learn more about Privacy Regulations

    If some of this seems a little overwhelming with where to start, another option (that is highly recommended) to consider is for the IT Team to adhere to the CIS Controls.

  • Step 6 - Apocalypse Now: Hope for the Best, Prepare for the Worst - It’s When, Not If

    At a time when cyber breaches are happening frequently to many organizations, it can be helpful to use the information available from trusted sources, such as CISA, to stay better protected.

    Organization Type           Incidents   Breaches
    Public Administration           3,273        584
    Large Businesses                  489        223
    Small Businesses                  699        381
    Healthcare Organizations          522        433

    Source: 2023 Verizon Data Breach Investigations Report. In the DBIR, an incident is a security event that compromises the integrity, confidentiality or availability of an information asset, and a breach is an incident with confirmed disclosure of data to an unauthorized party; “small” businesses are those with fewer than 1,000 employees.

    A Security Incident Could Be in Your Future

    More Than a Phase: Incident Response Plans Involve Five Critical Steps

    Phase One - Plan, Prepare and Be Ready

    • Know Your Organization and Who You’re Accountable To
      • Local government
      • Small business
      • Nonprofit
    • Know your apps, systems, data, components, and secure them
    • Identify and codify who will help in an incident before it happens
    • Author and announce incident response policies
    • Write and exercise incident response plans
    • Determine who you must communicate with
    • Train people on what to report, to whom, and how

    Phase Two - Identify and Report

    • Teammates are trained to report indications of a breach to you.
    • Report analyzed incidents and events to those who can help.
    • Inform your regulators according to their requirements.

    Phase Three - Assess and Analyze

    Determine

    • What happened and when it occurred.
    • Source and targets of attack.
    • Data, applications, systems, and components that may have been compromised.
    • Whether the attack is continuing.
    • What must be done to defend, recover, and reconstitute.

    Phase Four - Update and Recommend

    Inform the following groups, as necessary, of the findings from the Assess and Analyze phase.

    • Organizational leadership.
    • Customers—what happened, impact to them, and actions they should take.
    • Regulators

    Phase Five - Defend, Recover and Reconstitute

    Contact internal, contracted, state, and federal incident response partners to help.

    • Fail over to disaster recovery sites if possible.
    • Defend against and stop continuing attacks.
    • Develop and execute recovery and reconstitution plans.
    • Formulate communications with employees, customers, and others.
    • Collaborate with federal agencies on investigations, if necessary.

    In the Event…

    • Cyber incidents and cyberattacks never happen the way you planned for.
    • Be sure to use your incident response plan and lessons learned from exercises.
    • Be flexible!

    Guidance for Local Government:

    1. Data Protection and Privacy Laws: Local governments must comply with relevant data protection and privacy laws specific to their jurisdiction. These laws may impose obligations on government entities to protect sensitive data, implement security measures, and notify individuals in the event of a data breach.

    2. Breach Notification Requirements: Depending on the jurisdiction, local governments may be required to notify affected individuals, regulatory authorities, or other relevant stakeholders following a data breach or loss. The specific notification timelines, content, and procedures can vary, so it's important to consult the applicable laws and regulations.

    3. Record Retention and Destruction Policies: Local governments often have regulations outlining record retention and destruction requirements. It's crucial to establish appropriate policies and procedures for the retention, storage, and disposal of data to mitigate the risk of data breaches and ensure compliance with these regulations.

    4. Compliance with Industry-Specific Standards: Local governments may need to adhere to industry-specific standards or frameworks pertaining to data security and privacy. For example, in the United States, the National Institute of Standards and Technology (NIST) provides guidelines and frameworks, such as the NIST Cybersecurity Framework, which can help inform best practices for data protection and incident response.

    Small Business:

    1. General Data Protection Regulation (GDPR): If a small business operates within the European Union or handles personal data of EU residents, compliance with the GDPR is crucial. The GDPR obliges organizations to safeguard personal data, to inform the relevant supervisory authority and affected individuals in case of a data breach, and to implement appropriate security measures.

    2. California Consumer Privacy Act (CCPA): If a small business collects personal information from California residents and meets certain thresholds, you may need to comply with the CCPA. California’s separate breach notification statute requires notifying affected residents of a data breach, and the CCPA adds a private right of action against businesses whose failure to maintain reasonable security leads to a breach of certain personal information.

    3. Health Insurance Portability and Accountability Act (HIPAA): If a small business deals with protected health information (PHI) in the healthcare industry, you must comply with HIPAA regulations. HIPAA necessitates reporting data breaches to affected individuals, the U.S. Department of Health and Human Services (HHS), and in certain cases, the news media.

    4. Payment Card Industry Data Security Standard (PCI DSS): If a small business accepts credit card payments, you must comply with PCI DSS requirements. PCI DSS includes requirements for securing cardholder data and for an incident response plan that covers detecting and responding to breaches, including notifying the payment card brands and your acquiring bank; notification of affected individuals is governed by the applicable breach notification laws.

    Non-Profit Organizations:

    1. General Data Protection Regulation (GDPR): If a nonprofit operates within the European Union or handles personal data of EU citizens, compliance with the GDPR is crucial. The GDPR enforces obligations on organizations to safeguard personal data, inform relevant supervisory authorities and affected individuals in case of a data breach, and implement appropriate security measures.

    2. Data Breach Notification Laws: Nonprofits must adhere to data breach notification laws specific to their jurisdiction. These laws typically demand organizations to swiftly notify affected individuals, regulatory authorities, and sometimes even the media about data breaches. The notification requirements may differ in terms of timing, content, and the specific circumstances that trigger the obligation to notify.

    3. State or Provincial Privacy Laws: Nonprofits operating within particular states or provinces must follow specific privacy laws that outline requirements regarding data breaches or losses. These laws may include provisions for reporting breaches, informing affected individuals, and implementing security measures to protect personal information.

    4. Nonprofit-Specific Regulations: Depending on a nonprofit's mission, activities, or funding sources, there could be particular regulations or standards applicable to the organization. For instance, nonprofits in the healthcare sector might need to comply with the Health Insurance Portability and Accountability Act (HIPAA), which includes breach notification requirements for protected health information (PHI).

    Gotta Have a Plan and Take Time to Practice

    One of the best ways to measure the effectiveness of a plan, once it's developed, is to conduct an exercise (and to practice routinely) so that your business or organization achieves the best possible outcome. The following are some free-to-download examples, from trusted sources, that can help:

  • Step 7 – Start with Communication Strategy Basics for Internal and External Stakeholders

    Proactively developing a cybersecurity communication plan is a critical element to raising awareness for the need to protect sensitive data maintained by your organization. The following are some key elements to consider when developing this plan:

    • You’re on a Budget (and that’s OK) - Work closely with your executive leadership to develop a “priority” list of your most valuable assets that should be protected within your organization. These priorities will be the focus of your communication plan.
    • Who’s your audience? - When it comes to creating awareness, it’s important to deliver the right message to the people you’re trying to reach. As an example, consider:
      • Executive leadership may need to be educated on the financial and/or reputational harm that could be caused by a cybersecurity incident.
      • Middle management should be involved in the development and implementation of policies and procedures for protecting these assets.
      • Front line staff should be properly educated on these policies and procedures as well as the consequences of noncompliance.
    • Messaging is key - In addition to creating awareness materials that are brief and memorable, keep in mind that people process information in different ways. Consider the roles of your employees, their skill levels, and their preferred communication methods, and use a variety of tactics (e.g., wall posters, online training, newsletters, team meetings) as part of your awareness campaign.
    • Incident Response: Follow the policy, know who (and when) to call - Clearly communicating your incident management procedures is your best opportunity for protecting your organization while helping your employees understand how to report a cybersecurity incident, what details to report, and when to report it.
      • Your employees are your greatest asset, but they can be (and often are) the reason a cyber incident happens. Being “in the know” helps make a difference.
    • Keep it Coming - Every day we have all kinds of information coming at us, and attention spans can be very short. Regular communication is very helpful for ensuring that everyone understands this is a priority, and keeping the campaign going, in different ways, is also a great reminder.
    • Is it working? - Having a process ready to re-evaluate your communication campaigns will give you useful feedback and help answer how well people are taking it in and how well you are delivering the message. It’s OK, too, if you need to rethink your plan, including things such as the frequency and target group of your message.
    • Resources for Additional Information: