Privacy Program Management: A Framework for Success [webinar slides]
Posted on 11-Apr-2017
Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
Privacy Program Management: A Framework for Success
March 23, 2017
Today’s Speaker
Hilary Wandall
General Counsel
Chief Data Governance Officer
TRUSTe
Today’s Agenda
• Welcome & Introductions
• Policy and Regulatory Origins and Developments
• Choosing a Model
• Framework for Core Program Elements
• 3Ds: Design, Document & Demonstrate
• Q&A
Policy and Regulatory Origins and Developments
Policy and Regulatory Origins
• OECD Privacy Guidelines – 1980
– Accountability Principle
• PIPEDA (Canada) – 2000
– Accountability Principle
• APEC Privacy Framework – 2005
– Accountability Principle
• CIPL Accountability Project – 2008
• APEC CBPRs – 2011
• Canada Privacy Management Program – 2012
• Revised OECD Privacy Guidelines – 2013
– Privacy Management Programme
• EU GDPR – 2016
OECD Privacy Guidelines 2013
• New Part III – Implementing Accountability
– Establish a Privacy Management Programme
o Implements requirements of the Guidelines
o Tailored based on structure, scale, sensitivity and volume of the operations (“risk factors”)
o Safeguards implemented based on privacy risk assessment
o Integrated with organizational governance and oversight mechanisms
o Inquiry and incident response mechanisms
o Update based on monitoring and periodic assessment
– Demonstrate the programme to regulators and others responsible for enforcement
EU GDPR – Example Provisions
• Article 5.2
– Controllers are responsible for demonstrating compliance with the principles of:
o Lawfulness, fairness and transparency
o Purpose limitation
o Data minimization
o Accuracy
o Storage limitation
o Integrity and confidentiality
• Article 24
– Controllers are responsible for implementing organizational and technical measures to ensure and demonstrate that processing is compliant, such as policies and procedures, codes of conduct, or certification
• Article 39 – Tasks of the DPO
– Advice, monitoring compliance, awareness, training, audits
Choose a Model
• Consider organizational structure
– Where are you headquartered?
– Centralized versus distributed
– Is central coordination possible and effective?
– How do other organizational governance functions operate?
• Consider functional alignment and coordination
– Which organizational area is best suited to support sustainable success of the program?
– Is there a strong executive champion?
– What levels of cross-functional coordination are needed – strategic vs. tactical?
• Consider legal requirements, ethical obligations and risk
– Legal drivers, culture toward ethical and CSR considerations
– Organizational risk tolerance
Aligning Organizational Governance & Oversight
[Diagram: Privacy at the center, surrounded by the governance functions it must align with: Legal, Regulatory, Government Affairs, Compliance, Ethics, CSR, IT, Data & Records Mgmt., Business Analytics, Risk Mgmt.]
Aligning Organizational Governance & Oversight
• Elements of an Effective Ethics and Compliance Program
– Establish Policies, Procedures and Controls
– Exercise Effective Compliance & Ethics Oversight
– Exercise Due Diligence (third party risk)
– Communicate and Educate Employees
– Monitor and Audit for Effectiveness
– Ensure Consistent Rewards and Sanctions
– Incident Response and Prevention
Framework for Core Program Elements
Build Your Program – 6 Essential Elements
Build: Establish, maintain and evolve an integrated privacy and data governance program aligned with other data management and information risk functions such as security, IP, trade secret protection and e-discovery.
• Integrated Governance – Identify stakeholders. Establish program leadership and governance. Define program mission, vision and goals.
• Risk Assessment – Identify, assess and classify data-related strategic, operational, legal compliance and financial risks.
• Resource Allocation – Establish budgets. Define roles and responsibilities. Assign competent personnel.
• Policies & Standards – Develop policies, procedures and guidelines to define and deploy effective and sustainable governance and controls for managing data-related risks.
• Processes – Establish, manage, measure and continually improve processes for PIAs, vendor assessments, incident management and breach notification, complaint handling and individual rights management.
• Awareness & Training – Communicate expectations. Provide general & contextual training.
Learn and Evolve Over Time
Demonstrate Your Program – 2 Core Standards
• Monitoring & Assurance – Evaluate and audit effectiveness of controls and risk mitigation initiatives.
• Reporting & Certification – Demonstrate the value and effectiveness of your program and controls to customers, employees, management, the board of directors, regulators and the public.
Demonstrate: Demonstrate program and practices compliance, maturity, responsibility and value to organizational leadership, regulators, customers and other stakeholders through monitoring, assurance, reporting and certification.
Learn and Evolve Over Time
3Ds: Design, Document, Demonstrate
Tools to Build and Demonstrate Your Program
Supported by the TRUSTe Data Privacy Management Platform
Privacy & Data Governance Program Assessment
[Five screenshot slides of the assessment tool; no further text on the slides]
Questions?
Contact:
Hilary Wandall
hilary@truste.com
Register now for the next webinar in our 2017 Winter/Spring Webinar Series on April 13, 2017, “Swiss-US Privacy Shield Rollout: What to Expect”
• https://info.truste.com/swiss-us-privacy-shield-rollout-webinar.html
See http://www.truste.com/insightseries for the 2017 Privacy Insight Series and past webinar recordings.
Thank You!
Register now for the next webinar in our 2017 Winter/Spring Webinar Series on April 27, 2017, “ROI of Privacy: Building a Case for Investment”
• https://info.truste.com/roi-of-privacy-webinar.html
See http://www.truste.com/insightseries for the 2017 Privacy Insight Series and past webinar recordings.
Thank You!