As a result, we have data standards ranging from 'let the developer do it all', through to 'perhaps we should have a tick box on this form?', through to 'all personally identifiable information must receive at least one opt-in, be captured over SSL and stored in a location the minimum number of people have access to'.
The latter is obviously where I'm moving to, but there are many challenges in achieving this.
1. Agree a goal
Currently I'm planning to meet with our data compliance people and work out what company-wide standards we meet or aim to meet. This will set the minimum standards all sites must reach.
2. Differentiate the requirements
Not all data is equal. If you're capturing an email address on a 'contact us' form, your requirements are far looser than for a long form of personal information for an extended user profile, for instance. I need to be able to produce an easy-to-understand set of guidelines so that business analysts can input their data capture requirements at one end, and get a list of coding and data security standards out the other.
3. Sell this!
In the agency world where I work (dammit!) one can't simply improve standards in a way that can increase analysis, development and operational cost without recovering this cost from the client in some way. As such, once policies and processes are established, they need to be packaged into a '$companyname secure data practices' document that the sales people can use to justify the expense to their clients.
I thought PPUK might be interested to know this and the fact that advertising companies still are trying to steal all your personal information, but are trying to do it in a responsible fashion.
