IBM Global Privacy Assessment
1. IBM’s Global Privacy Assessment (GPA) - background
2. Considerations in designing the latest version of the GPA
3. The structure of GPA self assessment – 5 stage process
4. Designing & developing the GPA
5. Making it mandatory
6. What went well / further evolution
5 stage self-assessment
Visual progress / status
Creating a global privacy impact assessment process in Barclays
1. Why develop a single, global approach to privacy impact assessment?
2. The process of development - recognising different business requirements and jurisdictional differences
3. The risk assessment process
4. Next steps – automation and fully global rollout
Barclays – screening questions
Barclays – the assessment
LexisNexis – two different approaches
• Risk Solutions: PIA for new product
• Legal: online compliance questions
LexisNexis Risk Solutions small-scale local PIA process
What are the risks? (table columns)
Privacy issue | Individual risk | Corporate risk | Compliance risk (DPA)

What are the solutions? (table columns)
Risk | Solution(s) | Risk eliminated, reduced or accepted | Evaluation: is the final impact on individuals after implementing each solution a justified, compliant and proportionate response to the aims of the project?
LexisNexis Risk Solutions small-scale local PIA process
Sign off and record the outcomes (table columns)
Risk | Approved solution | Approved by

Integrate outcomes into action plan (table columns)
Action point | Date for completion and progress | Responsibility
LexisNexis Legal online compliance questions
Links and resources
• ICO PIA guidance: https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf
• NIST privacy harms: http://www.nist.gov/itl/csd/privacy-engineering-workshop-september-15-16-2014.cfm