{"id":7316,"date":"2020-08-04T11:31:42","date_gmt":"2020-08-04T15:31:42","guid":{"rendered":"https:\/\/www.sage.com\/en-us\/blog\/?p=7316"},"modified":"2026-02-12T05:03:54","modified_gmt":"2026-02-12T10:03:54","slug":"data-protection-how-to-create-a-wisp","status":"publish","type":"post","link":"https:\/\/www.sage.com\/en-us\/blog\/data-protection-how-to-create-a-wisp\/","title":{"rendered":"Data protection: How to create a written information security policy (WISP)"},"content":{"rendered":"
\n\t
\n\t\t
\n\t\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\t\t\t\t
\n\t\t\t\t\t\t\tStrategy, Legal & Operations<\/a>\t\t\t\t\t\t<\/div>\n\t\t\t\t\n\t\t\t\t
\n\t\t\t\t\t

\n\t\t\t\t\t\tData protection: How to create a written information security policy (WISP)\t\t\t\t\t<\/h1>\n\t\t\t\t<\/div>\n\n\t\t\t\t\t\t\t\t\t

\n\t\t\t\t\t\t\t\t\t\t\t<\/p>\n\t\t\t\t\n\t\t\t\t\n\t\t\t\t\n\t\t\t<\/div>\n\n\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/div>\n\t\t

\n\t\t
\n\t\t\t
\n\t
\n\t\t
\n\t\t\t\t\t\t\t
\n\t\t\t\t\t\n\t\t
\n\t\t\t\n\t\t\t\t\"\"\t\t\t\tMike Goodwin<\/span>\n\t\t\t<\/a>\n\n\t\t\t\t\t<\/div>\n\n\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t<\/div>\n<\/div>\n\n\n\n

The implementation of the General Data Protection Regulation<\/a> (GDPR) in Europe served as a wake-up call for several U.S. states.<\/p>\n\n\n\n

While several introduced legislation, New York and California, in particular, have enacted similar although not identical statutes intended to protect the personal information of individuals: the SHIELD Act, and the California Consumer Privacy Act (CCPA),<\/p>\n\n\n\n

In both cases, the new legislation builds on existing laws in an attempt to fully modernize in our digital age. The CCPA is the more substantial<\/a> in terms of new or additional requirements, placing restrictions on business while affording new rights to individuals. In comparison, the SHIELD Act is limited to protecting personal information owned or used by businesses and individuals, and is intended to deal with data breaches.<\/p>\n\n\n\n

The value of a WISP<\/h2>\n\n\n\n

Both pieces of legislation demonstrate the vital need for a written information security policy, or WISP, within businesses across the U.S.<\/p>\n\n\n\n

It’s advisable to do this even if there is no express legal requirement for it within the state where the business is based. Should your business face litigation following a data breach, having a good-quality, consistently implemented, and followed WISP is likely to be key to constructing a defense.<\/p>\n\n\n\n

The value of a WISP is found also in its creation, because it prompts the business to assess risks in relation to consumer data and implement appropriate protective measures. It can also educate employees and others inside or outside the business about data protection measures.<\/p>\n\n\n\n

You may find creating a WISP to be a task that requires external help, and this is a route many businesses take. Data protection consultants can be found easily online, but try to find recommendations from businesses similar to your own. Often the perspective of an outsider can be invaluable in identifying data protection issues within your business.<\/p>\n\n\n\n

How to create a WISP<\/h2>\n\n\n\n

Creating a high-quality WISP is likely to involve examination of all parts of a business, because there are very few functions and employees that do not handle data in some fashion. In this regard, it’s worth remembering that legislation such as the CCPA covers not just computer data but also written data.<\/p>\n\n\n\n

Start by assigning an owner. All plans need a single point of contact; a single person owns the plan and can delegate. This needn’t necessarily be a senior member of staff. However, employees and external stakeholders need to know who it is. This person should be the key sense-checker for the WISP\u2014the person who ensures the program makes sense, and that nothing has been assumed.<\/p>\n\n\n\n

Invite input from all sources. Information should be gathered from all functions, departments, employees and other individuals. The question asked of each should simply be: What data do you handle, and how sensitive is it? Note that some departments or individuals may not actively deal with data, but may store historic data within their remit. You should ensure no department us excluded, either accidentally or deliberately.<\/p>\n\n\n\n

All sources should also identify what legislation covers their specific function or roles, or notify you if there is a need to seek legal counsel if they are unsure or simply do not know. Compliance with this should then be built into the program.<\/p>\n\n\n\n

Risk assessment should also be part of this planning and outlining stage. This can be an extensive process to undertake and is one area in particular where you might require external guidance from a data protection expert.<\/p>\n\n\n\n

You should consider your entire ecosystem\u2014internally and externally, from supplier to customer (or client). Your program may include specific plans detailing how to deal with individual suppliers or customer\/clients, especially those that present data protection challenges, such as businesses you buy\/sell data with, or those who require you to share data.<\/p>\n\n\n\n