TRANSCRIPT
Copyright © 2015 by Nymity Inc. All rights reserved | WWW.NYMITY.COM
Getting to Accountability Maximizing your Privacy Management Program
IAPP Breakout Session: October 1, 2015
Session Description
• Stephen Bolinger, CIPM, CIPP/E, CIPP/G, CIPP/US, CPO, VP of Legal, TeleSign
• Constantine Karbaliotis, CIPM, CIPP/C, CIPP/E, CIPP/US, CIPT, VP of Privacy Office Solutions, Nymity

Whether you have a mature privacy program or are starting a new one, this session will help you first identify the existing resources available in your organization, and then leverage those resources to maximize your privacy management program. Gain insight into the underlying resource requirements for implementing privacy management activities and maintaining them, based on Nymity’s extensive research and innovation in privacy management and accountability. First, you will learn how to broaden the scope of your privacy program to include implemented privacy management activities found throughout your organization which are not typically considered part of a privacy program (for example, HR policies and procedures). You will then learn an approach to building the business case to obtain additional resources to ensure a successful privacy management program. You will also learn three strategies for defining a successful program: the managed privacy strategy, the advanced privacy strategy, and the demonstrating accountability and compliance strategy, including the detailed approach for each.

What you’ll take away:
• Free tools for assessing privacy management, reporting, building a business case, building a privacy program and demonstrating accountability
• A structured approach for maximizing privacy management in your organization to ensure ongoing compliance and ultimately accountability
• Insights into real-world examples
Agenda
• Accountability Fundamentals
• Privacy Management Status
• Privacy Management Program Strategy
• Develop a Resource-Based Plan to execute the Strategy
Introductions
CONSTANTINE KARBALIOTIS CIPM, CIPP/C, CIPP/E, CIPP/US, CIPT
Vice President of Privacy Office Solutions – NYMITY and former CPO
STEPHEN BOLINGER CIPM, CIPP/E, CIPP/G, CIPP/US
General Counsel and CPO, TeleSign
Building your program on Accountability
1. Present Your Privacy Management Status
   Identify current state, including owners of activities
2. Present a Privacy Management Program Strategy
3. Develop a Plan to execute the Strategy
   Identify applicable privacy management activities
   Prioritize based on resources and articulate a business case for additional resources
Accountability Defined
“an obligation or willingness to accept responsibility or to account for one's actions” www.merriam-webster.com/dictionary/accountability
“the obligation of an individual or organization to account for its activities, accept responsibility for them, and to disclose the results in a transparent manner” www.businessdictionary.com/definition/accountability.html
Evolution of Accountability as a Privacy and Data Protection Principle
(Slide timeline; axis labels 1980, 2000, 2005, 2010, 2011, 2012, 2013, 2014, 2015. Milestones in chronological order:)
• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
• PIPEDA Schedule 1, 4.1, Principle 1: Accountability
• APEC Privacy Framework
• Article 29 Data Protection Working Party Opinion 3/2010 on the Principle of Accountability
• U.S. Federal Trade Commission Enforcement Actions
• Canada: Getting Accountability Right With a Privacy Management Program
• EU: General Data Protection Regulation (proposed)
• OECD Revised Guidelines
• Hong Kong: Privacy Management Programme Best Practice Guide
• Colombia: Guide for the Implementation of Accountability in Organizations
• Australia: Privacy Management Framework
• EU: General Data Protection Regulation (in trilogue)
FTC – Elements of a Comprehensive Privacy Program
• FTC has stated that the Google Order is intended to “serve as a guide” to industry
Facebook Order similar
• Requirement to establish and maintain a comprehensive privacy program:
Designate an employee to be responsible for the privacy program
Identify reasonably-foreseeable, material risks
Design and implement reasonable privacy controls and procedures
Regularly test or monitor the effectiveness of the safeguards’ key controls and procedures
Manage third-party risk through due diligence and contractual obligations
Evaluate and adjust privacy program on an ongoing basis
Europe: Accountability under the EU General Data
Protection Regulation (GDPR)
• Three drafts of Regulation currently being discussed in the trilogue
• The 3 versions differ but generally include the following:
Appointment of a data protection officer (DPO)
Adoption of a privacy policy
Adoption of measures to demonstrate that an organisation’s processing of personal data complies with the Regulation
Implementation of technical and organizational methods to protect data against unauthorized or unlawful processing
Keeping records of the processing of personal data
Carrying out data protection impact assessments and implementing privacy by design
Europe: Accountability under the EU GDPR (Continued)
• Accountability becomes a compliance obligation
• Article 22.1 of the Council version of the Regulation relating to the Obligations of the controller provides that:
“Taking into account the nature, scope, context and purposes of the processing as well as the likelihood and severity of risk for the rights and freedoms of individuals, the controller shall implement appropriate measures and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation”.
IMPACT: A business established outside the EU will also be subject to the GDPR if the business:
1. Offers goods or services to EU residents; or
2. Monitors the behavior of EU residents
Nymity’s Research on Accountability
Nymity breaks down the concept of Accountability into three components:
• Responsibility: The organization maintains an effective privacy management program consisting of ongoing privacy management activities.
• Ownership: An individual is answerable for the management and monitoring of privacy management activities.
• Evidence: The Privacy Office can support, with documentation, the completion of privacy management activities
Compliance – an Outcome of Accountability
“An accountable organization must have in place appropriate policies and procedures that promote good practices which, taken as a whole, constitute a privacy management program. The outcome is a demonstrable capacity to comply, at a minimum, with applicable privacy laws.”
The Office of the Privacy Commissioner of Canada (OPC), and the Offices of the Information and Privacy Commissioners (OIPCs) of Alberta and British Columbia
https://www.priv.gc.ca/information/guide/2012/gl_acc_201204_e.pdf
Accountability and Compliance: The evolving privacy landscape
COMPLIANCE (Privacy Program Outcomes)
• Laws and regulations
• Enforcement actions
• Binding Corporate Rules
SHIFT TOWARD
ACCOUNTABILITY (Privacy Program Infrastructure)
• Responsibility
• Ownership
• Evidence
Traditional Compliance Assessment Approach: assess compliance with each requirement individually
(Slide figure: many regulatory requirements, each with its own rules, assessed one by one against many privacy programs and activities)
Many Regulatory Requirements: UK Data Protection Act (Rules 1-5), Binding Corporate Rules (Rules 1-5), EU General Data Protection Reg. (Rules 1-5), Hong Kong Ordinance (Rules 1-5), Mexico Data Protection Act (Rules 1-5)
Many Privacy Programs & Activities: PHI Policies & Procedures, Audit and Monitoring, Training and Awareness, Company Policies and Procedures, Complaints and Investigations, Records Management, Information Security, Vendor Management, Human Resources, Legal
☑ Demonstrating Accountability
Accountability Based Approach: leverage evidence of accountability to demonstrate compliance
• Evidence of Privacy Management Activities exists throughout the organization (within the Privacy Program as well as Operations)
• Evidence is collected in a centralized repository, structured in line with the 13 Privacy Management Processes
• Evidence of Accountability is mapped to requirements, allowing the organization to Demonstrate Compliance with laws and regulations on-demand, supported by Evidence
(Slide figure: One Accountable Privacy Program mapped to Many Regulatory Requirements: UK Data Protection Act, Binding Corporate Rules, EU General Data Protection Reg., Hong Kong Ordinance, Mexico Data Protection Act, each with Rules 1-5)
Accountability Goes Above and Beyond Compliance
x = Law/regulation contains compliance requirements related to the Privacy Management Process
(Table columns: Privacy Management Process | Accountability | Compliance: BCR, UK, South Korea, Mexico. Accountability covers all 13 processes; the x marks for the four compliance columns are listed per row as they appear on the slide.)
 1  Maintain Governance Structure                           x x x x
 2  Maintain Personal Data Inventory                        x x x x
 3  Maintain Data Privacy Policy                            x x x x
 4  Embed Data Privacy into Operations                      x x x x
 5  Maintain Training and Awareness Program                 x x x
 6  Manage Information Security Risk                        x x x x
 7  Manage Third-Party Risk                                 x x x x
 8  Maintain Notices                                        x x x x
 9  Maintain Procedures for Inquiries and Complaints        x x x x
10  Monitor for New Operational Practices                   x x
11  Maintain a Data Privacy Breach Management Program       x x
12  Monitor Data Handling Practices                         x x
13  Track External Criteria                                 x
Workbook Approach: Nymity Accountability Status Workbook
Nymity Privacy Management Accountability Framework™
Workbook columns: Privacy Management Processes and Activities | Status | Owner(s) | Resources to Implement | Resources to Maintain | Business Case | Core? (Y/N) | Description/Comment | Evidence

8. Maintain Notices
Maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance

• Maintain a data privacy notice that details the organisation’s personal data handling policies
  Status: Implemented | Owner: Privacy Office | Business Case: Compliance | Core: Y | Evidence: Privacy Notice
• Provide data privacy notice at all points where personal data is collected
  Status: Implemented | Owner: Business Units | Resources to Implement: Identify all forms and contracts that collect personal data | Business Case: Compliance | Core: Y | Evidence: PIA Guidelines, Templates
• Provide notice by means of on-location signage, posters
  Status: N/A
• Provide notice in marketing communications (e.g. emails, flyers, offers)
  Status: Implemented | Owner: Marketing | Business Case: Compliance | Core: Y | Evidence: Marketing Guidelines
• Provide notice in all forms, contracts and terms
  Status: Desired | Owner: Business Units | Resources to Maintain: Periodically review. Have a process for new forms. | Business Case: Compliance | Core: Y
• Maintain scripts for use by employees to provide the data privacy notice
  Status: Desired | Owner: Privacy Office | Resources to Implement: Process update from Customer Service/Call Centre Team | Business Case: Risk Management | Core: N | Evidence: Sample Language, Scripts, Call Centre Work Flow
• Maintain a data privacy notice for employees (processing of employee personal data)
  Status: N/A
• Maintain a privacy Seal or Trustmark to increase customer trust
  Status: N/A
• Provide data privacy education to individuals (e.g. preventing identity theft)
  Status: Implemented | Owner: Business Units | Business Case: Alignment with Business Objectives | Core: N | Evidence: Web Application Content
Identify Status of Privacy Management Activities
• Implemented: The activity is already in place and has sufficient resources to be maintained.
• Planned: The decision has already been made, resources allocated, and action may be underway toward implementing the activity.
• Desired: The activity is applicable or relevant to the privacy program, but is not currently implemented or resourced (planned).
• N/A: Not applicable or relevant to the organization.
Pg. 12 in Accountability Paper
Ownership for Privacy Management Activities
Privacy Office Activities: privacy management activities that are the responsibility of the privacy office.
Operational Activities: privacy management activities that are the responsibility of operational units, including Marketing, HR, IT, Legal, Procurement, Business Units, etc.

Examples, by Privacy Management Process (activity owned by the Privacy Office / activity owned by an operational unit):
• 1. Maintain Governance Structure
  Privacy Office: Maintain a Privacy Strategy
  Owner: Human Resources: Require employees to acknowledge and agree to adhere to the data privacy policies
• 3. Maintain Data Privacy Policy
  Privacy Office: Maintain a data privacy policy
  Owner: Human Resources: Maintain a separate employee data privacy policy
• 5. Maintain Training and Awareness Program
  Privacy Office: Maintain a core training program for all employees
  Owner: Customer Service: Integrate data privacy into other training programs, such as HR, security, call centre, retail operations training
• 10. Monitor for New Operational Practices
  Privacy Office: Maintain PIA guidelines and templates
  Owner: Information Technology: Conduct PIAs for new programs, systems, processes
Core and Elective Activities
• Core activities are fundamental to the organization for privacy management; they are identified by the privacy office as being mandatory
Maintain a data privacy notice that details the organization’s personal data handling policies (PMP 8)
Most laws around the world contain a transparency principle and require notice to individuals; this activity is core because it is mandatory for compliance
Maintain a core training program for all employees (PMP 5)
Very few laws explicitly require privacy training, but the privacy office usually deems it critical to managing the privacy risk that can arise from employees that do not understand their obligations with regard to privacy; this activity is core because it is fundamental for managing risk
• Elective activities are the activities that go above and beyond the minimum for compliance and risk management. They are the activities the organization has elected to implement to further embed privacy throughout the organization.
Activities may be Elective because they are not directly tied to privacy compliance or risk such as Hold an annual data privacy day/week (PMP 5), or because they are sophisticated such as Maintain privacy program metrics (PMP 12).
Pg. 20
Privacy Management Program Strategies
Which Organizations Choose a Managed Privacy Strategy?
• Low risk related to the processing of personal data (sensitivity, complexity, volume of data)
• Organizations where processing data is not the core business but more of a support or administrative function
• A new privacy program, where the Managed Privacy Strategy is a starting point

Which Organizations Choose an Advanced Privacy Strategy?
• High level of privacy risk or a culture of compliance, and a low tolerance for compliance risk
• Have had a major breach or are subject to enforcement action
• Organizations preparing for Binding Corporate Rules, APEC CBPR, or some other optional data transfer mechanism that goes beyond compliance
• Organizations wishing to fully integrate privacy into all product and program development to manage privacy risk, to make privacy a competitive differentiator, or to exceed client requirements

Which Organizations Choose to Demonstrate Accountability and Compliance?
Organizations that have a business need to stand ready to demonstrate accountability, for example:
• Abiding by Binding Corporate Rules to monitor compliance and make the results available to data protection authorities on demand
• Maintaining documentation for Trustmarks or accountability agents, e.g. organizations participating in the APEC Cross-Border Privacy Rules system
• Preparing to self-certify under US-EU Safe Harbor, or preparing for a third-party audit and/or compliance assessment
• Complying with future legal requirements for demonstrating compliance, e.g. the EU GDPR
• Meeting expectations of privacy and data protection regulators
• Lowering the cost of audit/independent assessment by gathering documentation and information in advance and presenting it to auditors
• Providing meaningful management reporting at various levels
Documentation as Evidence
• The documentation to be used as evidence already exists: documentation is a by-product of implemented privacy management activities.
• You don’t create evidence just for the sake of demonstrating accountability/ compliance. You just identify and log the evidence that already exists.
Privacy Management Activity: Evidence/Documentation
• Maintain a data privacy policy: Data Privacy Policy
• Integrate data privacy into e-mail monitoring practices: E-mail monitoring policy and procedure
• Measure comprehension of data privacy concepts using exams: System generated report of data privacy exam scores
• Provide notice in all marketing communications (e.g. emails, flyers, offers): Examples of e-mail marketing communications
Pg. 33
Planning: Selection and Prioritization of Activities which demonstrate Accountability

Compliance with Laws and Regulations
• Understanding the Law
• Understanding Expectations from Privacy and Data Protection Regulators

Privacy Risk Management
• Risk of harm to the individual data subject
• Risk of enforcement due to non-compliance or complaints
• Risk of unauthorized use of personal data
• Risk of loss to the organization
• Risk of breach due to stolen data
• Risk of misuse of personal data
• Risk of class-action lawsuit
• And others (see page 48)

Select Activities Based on Business Objectives
Align privacy management program strategy with organizational objectives such as:
• Global expansion goals
• Moving to paperless record keeping
• Mergers and acquisitions
• Competitive advantage
• Product innovation
• Cloud computing
• Others?

Prioritize Based on Resources
• Determine your resource profile
• Leverage existing resources
• Prioritize what can be supported
• Prioritize what can be maintained
Determine your Initial Resource Profile
• Low: Part-time privacy officer
• Medium: Business and organizational support
• High: True management support and a funded privacy office
Low Resources: Part-time Privacy Officer
Often there is a single individual for whom the role of privacy officer is a secondary role, for example, they are also the General Counsel, an HR manager, or a marketing professional. The organization can only provide the privacy officer with limited resources, possibly because:
• small organization
• organization that does not process a high volume of personal data
• privacy officer role is only part time
• organization with financial constraints
• unable to achieve senior management buy-in
• unable to attain resources from most of the operational and business units such as HR, IT, and marketing
• the privacy risk is perceived as low compared to other challenges or opportunities
Pg. 15
Medium Resources: Business and Organizational Support
Medium-resourced privacy offices have buy-in from the operational and business units. The organization may also have:
• a full time privacy officer
• a culture of compliance such as in a highly regulated industry
• processing of personal data is the organization’s core business
• experienced data breaches and management is worried about future breaches and the resulting media coverage or regulatory consequences
• contractual obligations to comply with privacy requirements
• a major project or restructuring underway which presents an opportunity to build privacy in from the outset
• in place or be pursuing cross border transfer mechanisms such as Binding Corporate Rules , US EU Safe Harbor, or APEC Cross Border Privacy Rules
Pg. 15
High Resources: True Management Support and a Funded Privacy Office
A highly resourced privacy office is fully staffed and may also use external consulting or legal firms. There is true management buy-in and full support from the operational and business units, possibly in an organization:
• with a low risk tolerance or a culture of compliance
• where privacy has reached the board or executive level, and resources and responsibility are allocated
• where a major breach has taken place either at the organization or with a competitor that has brought the issue of privacy to the attention of senior leadership
• that has had an enforcement action issued by a privacy or data protection regulator
• that abides by recommendations from trusted law firm or consulting firm
Pg. 15
Leverage Existing Resources
• Rely on privacy management activities that are already partially or fully implemented.
Example:
Human resources department is already maintaining policies and procedures for monitoring employees
Privacy office has buy-in from human resources
Therefore, it is relatively low effort to implement and maintain the activity Integrate data privacy into practices for monitoring employees (PMP 4) since the structure is already in place.
Pg. 18
Prioritize What is Supported
• Support from the operational and business units is critical to the success of the program - lack of it can present an obstacle to success.
• Example:
• Maintain policies/procedures for secondary use of personal data (PMP 4) may be influenced by the privacy office but owned by an operational unit such as marketing
If the privacy office tries to implement the activity without the support of marketing, it will likely not be adopted
Even though the activity is important to protecting data, it would not be implemented effectively and would not be the best use of limited resources
• The privacy office should prioritize activities that are supported by key stakeholders.
Pg. 18
Prioritize What Can Be Maintained
• Accountability is an ongoing state – not a point in time status. Implement privacy management activities that can be maintained based on the ongoing resources available.
Example:
• To implement the activity Maintain a Data Privacy Policy (PMP 3)
Initial effort requires medium resources
Policy must be socialized with key stakeholders in order to achieve buy-in and improve the chances of adoption (ultimately it should be approved by executive leadership)
Publishing or issuing the policy is just the first step
o It must then be reviewed on a periodic basis
o Not keeping it up-to-date will result in increased privacy risk
Pg. 18
Identifying Resources in Your Organization

People
• Employees – full or partial headcount
• Buy-in or support from Executives/Senior Management
• Other departments or groups such as Internal Audit, Compliance, ERM
• Shared Services (Info Sec, IT, Legal, Procurement)
• External Consultants/Advisors/Auditors/Service Providers

Processes
• Workflows for approval/sign-off
• Monitoring/reviewing controls or mechanisms
• Communication/meetings
• Training/knowledge sharing
• Escalation paths

Technology
• File/document sharing platforms
• Collaboration tools
• Information Security/Data Protection controls
• ERP systems
• Ticketing systems
• E-learning system

Tools
• Compliance research subscriptions
• Subscription newsletters to stay informed
• Templates and samples
• Privacy management systems
• Privacy/Risk/Compliance reporting software
• PIA solutions
• Rationalized rules table generators
• Benchmarking solutions
Pg. 13
Three Plans to Get Started Pg. 37
Conclusions
• Accountability yields a capacity to meet compliance and program objectives that is inherently more flexible and powerful than ‘mere’ compliance
• Accountability is determined by what the organization prioritizes and resources – not by an external standard of ‘what ought to be’
• Accountability helps the organization by ‘getting credit’ for establishing a framework to yield the right results – even where there are individual failures, it can be demonstrated they are not systemic