6/13/2013

The Global Privacy Conundrum

Presented to the SCCE Regional Compliance and Ethics Conference

San Francisco, California, 21 June 2013

Robert E. Glaser, CIPP/US
Specialist Leader, Security & Privacy Services
Deloitte & Touche LLP
Houston, Texas
[email protected]
+1 281.753.4673

Copyright © 2013 Deloitte Development LLC. All rights reserved.

Agenda

• Introduction

• What Is Privacy?

• Trends in Data Privacy

• Privacy – A Global Issue

• Privacy in the European Union

• Reform of the European Directive

• Corporate Responses

• Governance Considerations

• Operationalizing Privacy

• Final Thoughts

• Questions


What Is Privacy?

Setting the Stage: Privacy and Security

Privacy: The rights and obligations of individuals and organizations with respect to the handling of personally identifiable information, based on basic principles including notice, choice, acceptable use, and cross-border sharing of data.

Security: Safeguarding and controlling data as it moves across the data lifecycle, both within the enterprise and as it travels beyond the enterprise's technical infrastructure.

Privacy Components
• Notice and Choice
• Collection Limitation
• Use Limitation
• Data Quality
• Purpose Specification
• Openness
• Accountability
• Access to Data
• Data Safeguards
• Awareness and Training
• Compliance

Security Components
• Confidentiality
• Integrity
• Availability
• Reliability
• Authorization
• Authentication
• Access Controls

The rapid influx of data is also increasing the challenges associated with managing and protecting enterprise data assets. While security and privacy requirements may differ among jurisdictions, an effective enterprise data management program provides a framework for achieving the objectives of both.

The Privacy and Security Paradox

Privacy: Strong privacy requires protecting a user's identity and preventing unauthorized access or unintended use of personal information.

Security: Strong security requires binding a user's identity to their behavior in support of monitoring and individual accountability.


What Is Privacy? Common Terms Used

• Personal Data
• Sensitive Personal Data
• Personal Information
• Personally Identifiable Information (PII)
• Protected Health Information
• Individually Identifiable Health Information

Whose Privacy Are We Concerned About?

• Employees
• Consumers / Customers
• Physicians
• Patients / Caregivers
• Anyone your company (or vendors who work for you) can identify as an individual, and/or those about whom we know something specific

Takeaways:

• Privacy is NOT just the Health Insurance Portability and Accountability Act (HIPAA)
• The environment is changing on a near-daily basis
  – New rules, laws, and regulations around the world
  – Ever-increasing enforcement
• Privacy regulations impact many persons and roles anywhere in or associated with our companies, both domestically and abroad


Personal Data / PII

• There are ethical and regulatory obligations to protect the personal information, personally identifiable information, and protected health information (collectively "PII") that companies, as well as consultants and vendors working on a company’s behalf, collect, store, use, or transmit.

• PII: Any information in physical or electronic form that identifies an individual or could reasonably be used to identify an individual.

• Sensitive [Personal] Information: Information relating to the racial or ethnic origin, political opinion, religious belief, trade union membership, health, sexual preference or activity, or criminal convictions of the subject of the information.

• Protected Health Information: A regulatory term used to describe personal information associated with HIPAA.


Privacy and Security Legal Challenges

Privacy and security regulations are constantly evolving with inconsistent and often conflicting requirements, compelling organizations to stay abreast of emerging

regulations and trends.

Significant privacy and security regulations and requirements have been developed within the U.S. as well as internationally, governing how organizations handle, use, store and transfer personal information.

Category: US Federal
Regulations / Guidance* (examples): Fair Credit Reporting Act (FCRA), HIPAA, Children's Online Privacy Protection Act (COPPA), Safe Harbor
Enforcement body (examples): Securities and Exchange Commission; Department of Health and Human Services / Office for Civil Rights; Department of Labor; Federal Trade Commission

Category: US States
Regulations / Guidance* (examples): Massachusetts 201 CMR 17.00, Nevada NRS 597.970, State Breach Notification Laws
Enforcement body (examples): State Attorneys General; State Offices of Consumer Affairs

Category: International
Regulations / Guidance* (examples): European Union (EU) Data Protection Directive, APEC Privacy Framework, PIPEDA (Canada), PIPA (Japan)
Enforcement body (examples): International governments

Category: Industry
Regulations / Guidance* (examples): Payment Card Industry Data Security Standard, Commercial Contractual Requirements
Enforcement body (examples): Payment Card Industry; Third Party Business Partners

* Illustrative examples only, not meant to be an exhaustive list


Scope of Privacy Today

Commercial
• Direct-to-Consumer Marketing, including e-Marketing
• Health Care Professional Data / Profiling
• Brands
• Sales and Marketing, including Sales Force Automation
• Joint Ventures, Licensing and Other Partnerships
• Call Centers
• Pricing and Reimbursement
• Consumer Loyalty Programs

Research, Development and Pharmacovigilance
• Trial Practices and Data
• Secondary Use
• Subject Recruitment
• Pharmacovigilance / Safety
• Contract Research Organizations (CRO) / Service Provider Safeguards
• Medical Affairs
• Sample Repositories
• Records-Based Research

Human Resources
• Compensation
• Benefits
• Workers' Compensation
• Call Center / Employee Resource Center
• HIPAA / Health Information Technology for Economic and Clinical Health (HITECH) Act
• Vehicle, Travel, and Credit Card Reimbursements
• Recruitment
• Training

Information Technology, Compliance, Legal and Procurement
• Device Encryption and Loss Reporting
• Physical Security, Investigations and Other Areas - Litigation
• Help Desk Log
• Vendor Management / Accreditation
• Contracting / Procurement
• Breach Notification and Response
• Call Centers - Physician and Patient
• Cross-Border Data Transfer
• Records, E-Discovery, Investigations, Foreign Corrupt Practices Act, other Law / Compliance Areas
• Internal Audit, Investor Relations, Corporate Functions
• Records Management

Finance
• Payroll
• Expense Reports
• Corporate Credit Cards
• Accounts Payable


In The End... What Requires Protection?

• Name
• Drug Enforcement Administration (DEA) Number
• Date of Birth (excluding year by itself)
• Vehicle Identifiers and Serial Numbers (including license plate tags)
• Social Security Number
• Full Face Photographic Images or Comparable Images
• Signature
• Passport Information
• Biometric Identifiers (including finger and voice prints)
• Financial Data
• Account Numbers
• Driver's License Number
• Health Information
• Credit Card Information
• Health Plan Beneficiary Numbers
• Physical Characteristics
• Certificate / License Numbers
• Medical Record Numbers
• Any unique identifying numbers, characteristics, codes, or combinations that allow identification of a single individual

Trends in Data Privacy



Growth of Data

Over one trillion gigabytes of information was created and replicated as of 2010, surpassing the total from five years ago by a factor of nine. Seventy-five percent of this information was developed by individuals, while enterprises have liability for eighty percent of it.1

The evolution of data is forcing organizations to reevaluate and refocus their information management practices to better integrate and leverage data in core business processes.

1 IDC, Extracting Value from Chaos, June 2011

Data Growth

"40% projected growth in global data generated per year vs. 5% growth in global IT spending"

"$600 billion potential annual consumer surplus from using personal location data globally"

"1.5 million more data-savvy managers needed to take full advantage of big data in US"

Source: McKinsey Global Institute, Big data: The next frontier for innovation, competition, and productivity.

Consumerization

"On an aggregate, 56% of companies say yes to consumerization and allow employees to use their personal devices for work-related activities."

"31% of the mobile devices connecting to the corporate network are owned by the employees: 66% are laptops, 25% smartphones and 9% are tablets."

Source: Trend Micro Consumerization Report 2011

Globalization

"By 2014 emerging markets will have overtaken developed economies in terms of share of global GDP."

"70% of economic growth over the next decade will come from emerging markets, with China and India accounting for 40% of that growth."

"Globalization has changed us into a company that searches the world, not just to sell or to source, but to find intellectual capital - the world's best talents and greatest ideas." (Jack Welch)

Source: World Economic Outlook Database, International Monetary Fund; Jack Welch quote


Privacy Related Regulatory Factors (a partial list)

International
• Data Privacy Laws (e.g., EU, Switzerland, Singapore, Canada, Japan, Mexico, Australia)
• Sensitive Personal Data
• Cross-Border Data Transfers
• Notice, Choice, and Consent
• Safe Harbor
• Internet Protocol (IP) Addresses
• Binding Corporate Rules

US Federal
• HIPAA
• FCRA
• CAN-SPAM Act
• National Do-Not-Call Registry
• Gramm-Leach-Bliley
• COPPA
• Junk Fax Protection Act
• Unfair / Deceptive Trade
• Red Flags Rule
• Telemarketing Sales Rule
• Telephone Consumer Protection Act

US State
• SSN / EIN / TIN Protection
• Medical Marketing
• Data Security / Encryption
• Consumer Protection
• Driver License
• Employee ID Number
• Voice
• Vehicle Identifiers / Serial Numbers
• Medical Privacy (including Record #)
• Marketing to Children
• Data Transmission
• Video Privacy
• Prescriber Data Restriction
• Bank Account
• Photographic Images
• Signature
• Physical Characteristics
• Marketing Opt In / Opt Out
• Children's Information
• Portable Device
• Unfair / Deceptive Trade
• DEA Number Restriction
• Credit Card / PIN Number
• Video Images
• Certificate / License Numbers
• DNA / Biobanking
• Other Unique Identifying Numbers, Characteristics, Codes, or Combinations

Contractual
• American Medical Association Physician Masterfile
• Employee Notice / Consent
• Data Breach Notification
• Ethical Data Collection / Use
• Vendor Certification
• Data Ownership / Data Use
• Indemnification
• Payment Card Industry
• Informed Consent
• Data Security
• Right of Audit


Data Centric Business Trends Affecting Privacy and Security

As more information is developed and collected by organizations, several trends have evolved regarding data centricity which have a significant impact on privacy and security capabilities.

Data Centric Business Trends, and the consequence of each:

1. Increase in data value derived from the collection of meaningful customer data. Storage of valuable data leads to increased threats on the enterprise.

2. Brand globalization is requiring personal information to bridge national boundaries. Transfer of personal information across national boundaries compounds privacy and security regulatory hurdles.

3. Consumer demand for a personalized experience in real time has led to greater demands for openness. Openness of personal information requires more granular control to confirm only appropriate information is shared.


Resulting Business Impacts and Constraints

[Chart: Personal Information Access and Usage (Low to High) against Time (15 Years Ago, 10 Years Ago, 5 Years Ago, Today, 5 Years Out), showing the Increasing Scope of Privacy against Regulatory/Contractual Limits]


Cyber and Breach Response Challenges

The profile of cyber attacks and resulting breaches has evolved from simple "capture the flag" pranks to establishing a sustained presence: a persistent threat against enterprise systems for monetary gain or competitive advantage. With more pervasive and successful breaches comes a corresponding rise in security and privacy laws and regulations. Notification of stakeholders when a privacy breach occurs is becoming a global regulatory requirement.

• Data breaches cost $214 per compromised record 1
• Data breaches averaged $7.2 million per data breach 1
• According to the Verizon 2011 Data Breach Investigations Report, ~56% of breaches occurred within Retail and Hospitality, 35% within Financial Services, and 9% within all others 2
• 46 out of 50 states have varying breach notification regulations with varying levels of enforcement 1

The prevalence and public nature of privacy breaches within the industry requires organizations to evaluate their capabilities to identify and respond to a breach.

[Chart: Compromised data types by number and percent of breaches and percent of records. Source: Verizon 2011 Data Breach Investigations Report]

1 Ponemon, Cost of a Data Breach 2011
2 Verizon 2011 Data Breach Investigations Report

Privacy – A Global Issue



Global Regulatory Landscape – Some Key Challenges

• Global regulatory landscape is becoming increasingly complex

• Privacy laws now exist in 89 countries worldwide

• Emerging jurisdictions: DIFC, Mexico, Russia, and Ukraine

• No global harmonization - different requirements across different jurisdictions, meaning international data transfers become an increasingly complex issue

• EU requirements are generally more restrictive (in particular: Germany, France, and Spain)


Global Regulatory Landscape

Australia: Australian Federal Privacy Act 1988 (as amended), Spam Act 2003

California: California Online Privacy Protection Act 2003; Security Breach Notice (Civil Code 1798, formerly SB 1386)

European Union: EU Data Protection Directive 95/46/EC (with the Safe Harbor framework for transfers to the US), Data Retention Directive (2006), EU Privacy and Electronic Communications Directive, as implemented by 27 different Member State data protection laws

South Africa: Electronic Communications and Transactions Act

US Federal: HIPAA, GLBA, COPPA, CAN-SPAM, Do Not Call, Safe Harbor Principles, FCRA

Hong Kong: Personal Data (Privacy) Ordinance

Canada: PIPEDA, Privacy Act, and Provincial Privacy Laws

Japan: Personal Information Protection Act (PIPA), effective April 1, 2005; Law for Protection of Computer-Processed Data held by Administrative Organs 1988

Argentina: Personal Data Protection Law 2000, Confidentiality of Information Law

South Korea: Act on Promotion of Information and Communications Network Utilization and Data Protection 2000

Taiwan: Computer-Processed Personal Data Protection Law

New Zealand: Privacy Act 1993, Privacy Amendment Acts 1993 & 1994

India: Legislative proposals under discussion; Information Technology Act 2000

Philippines: Data Privacy Law proposed by ITECC; right of privacy in civil law

Chile: Law for the Protection of Private Life, Act on Protection of Personal Data 1998

Switzerland: Federal Data Protection Act 1992

Russia: Federal Law of July 27, 2006, No. 152-FZ on Personal Data

Dubai (DIFC): Data Protection Law 2007


Regional Differences

U.S.

• Once personal data is provided, the organization becomes the data owner.

• Except for sector-specific privacy legislation, the organization can determine the use of that data.

EU

• The individual retains rights around his/her personal data.

• Organizations are “custodians,” responsible for protecting personal data and using it only in accordance with the law.

APEC

• Accountability: organizations must design privacy protections to prevent harm to individuals.

• Organizations are accountable and obligated to exercise due diligence.

Privacy in the European Union


Privacy in the EU

• EU Data Protection Directive 1995:

• Establishes baseline principles of data protection

• Is technologically neutral

• Affords individuals certain rights in protecting their personal data

• Creates civil and criminal penalties for serious breaches (UK)

Source: http://ec.europa.eu/justice/data-protection/index_en.htm


Privacy in the EU

• Privacy and Electronic Communications EC Directive (Amendment) Regulations 2009

• Covers use of electronic messaging to communicate with customers

• Establishes opt-in requirements for electronic marketing

• Covers use of “cookies” and other “tracking technology”

Source: http://ec.europa.eu/justice/data-protection/index_en.htm


The Role of the European Regulators

• Enforce legislation and promote good practice

• Provide guidance to individuals and organizations

• Process and investigate complaints from individuals

• Take appropriate action when the law is broken – holding companies accountable; all member states have the power to fine but to varying degrees

• The Article 29 Working Party
  – Made up of representatives from the data protection authority of each EU member state, the European Data Protection Supervisor, and the European Commission
  – Roles: provides expert advice, produces best practices documents, sets policy


EU Data Protection – General Themes

• Fair and lawful collection

• Specify purposes

• Adequacy and relevance

• No excessive collection!

• Accuracy and completeness

• Retention

• Individual’s rights (right to access, rectify, block and erase)

• Security (organization and technical measures)

• Limitations on transfer outside of European Economic Area (EEA)


e-Privacy Directive

Key requirements

• Provides additional marketing rules

• Main focus: email, telephone, fax, and short message service (SMS)

• Establishes opt-in rules for some forms of e-marketing

• Amended in 2009 to cover:

• Use of “cookies” and other tracking technologies used by businesses; consent required for use and full disclosure of types of technologies used

• Breach notification for telecoms sector

• Gives the UK Information Commissioner's Office (ICO) the power to fine up to £500,000 ($778,600) for breaches


e-Privacy Directive

New ‘cookie’ requirements

• Requires consent before cookies can be placed on users’ devices

• Requirements enforced by the Information Commissioner’s Office (ICO) as of May 26, 2012

• Concerning how to achieve compliance:

• Consent required prior to dropping cookies?

• Implied consent will suffice?

• Browser-level preferences to be used?

• What cookies are exempt?
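As an added illustration (not from the presentation, the ICO, or any regulator's guidance), the following is an opt-in consent gate of the kind the amended Directive calls for: non-essential cookies are placed only after an explicit, recorded choice, strictly necessary cookies are exempt, and withdrawing consent also removes cookies already placed under that category. The category names, the `cookie_consent` cookie, the in-memory store standing in for `document.cookie`, and the decision to accept only explicit consent are assumptions of this example; the slide leaves open whether implied consent or browser-level preferences would suffice.

```javascript
// Added example, not code from the presentation. Opt-in cookie gate: a cookie is
// only written if it is strictly necessary or its category has recorded consent.
// Category names, the consent cookie name and the exemption rule are assumptions.

const STRICTLY_NECESSARY = "strictly_necessary";   // exempt: needed to deliver the service
const OPTIONAL_CATEGORIES = Object.freeze(["analytics", "marketing"]);
const CONSENT_COOKIE = "cookie_consent";            // stores the choices; itself strictly necessary

// Minimal store so the example runs outside a browser (constructed stand-in for
// document.cookie; a real page would wrap document.cookie behind these methods).
function createMemoryStore() {
  const jar = new Map();
  return {
    get: (name) => (jar.has(name) ? jar.get(name) : null),
    set: (name, value) => { jar.set(name, value); },
    remove: (name) => { jar.delete(name); },
    names: () => Array.from(jar.keys()),
  };
}

class ConsentGate {
  constructor(store) {
    this.store = store;
    this.placed = new Map();          // cookie name -> category, so withdrawal can clean up
    this.consent = this.loadConsent();
  }

  // Absent or malformed stored choice means no consent: explicit opt-in, not implied.
  loadConsent() {
    const consent = {};
    for (const c of OPTIONAL_CATEGORIES) consent[c] = false;
    const raw = this.store.get(CONSENT_COOKIE);
    if (raw) {
      try {
        const parsed = JSON.parse(raw);
        for (const c of OPTIONAL_CATEGORIES) consent[c] = parsed[c] === true;
      } catch (e) {
        // malformed value: keep everything at false
      }
    }
    return consent;
  }

  // Record the banner choices; unknown categories are ignored. Anything already
  // placed under a category that is now refused is removed immediately.
  recordConsent(choices) {
    for (const c of OPTIONAL_CATEGORIES) this.consent[c] = choices[c] === true;
    this.store.set(CONSENT_COOKIE, JSON.stringify(this.consent));
    for (const [name, category] of this.placed) {
      if (category !== STRICTLY_NECESSARY && !this.consent[category]) {
        this.store.remove(name);
        this.placed.delete(name);
      }
    }
  }

  // Returns true if the cookie was placed, false if consent for its category is missing.
  setCookie(name, value, category) {
    const allowed = category === STRICTLY_NECESSARY || this.consent[category] === true;
    if (!allowed) return false;
    this.store.set(name, value);
    this.placed.set(name, category);
    return true;
  }
}

// Walk through the flow on a fresh store (constructed sample, not captured from a site).
function demo() {
  const store = createMemoryStore();
  const gate = new ConsentGate(store);
  const before = {                                   // first visit, no choice recorded yet
    session: gate.setCookie("sessionid", "abc123", STRICTLY_NECESSARY),
    analytics: gate.setCookie("_ga", "GA1.2", "analytics"),
  };
  gate.recordConsent({ analytics: true, marketing: false });
  const after = {                                    // after the user opted in to analytics only
    analytics: gate.setCookie("_ga", "GA1.2", "analytics"),
    marketing: gate.setCookie("ad_id", "xyz", "marketing"),
  };
  gate.recordConsent({ analytics: false, marketing: false }); // user withdraws consent
  return { before, after, remaining: store.names().sort() };
}

console.log(JSON.stringify(demo()));
```

The point a reviewer would check is the last step: withdrawal is only meaningful if cookies already written under the refused category are removed, which is why the gate tracks what it placed rather than trusting the browser to forget.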


Reform of the European Directive

A Few Highlights of the "Proposed" General EU Data Protection Regulation


Legislative Background

• Current EU legal Framework:

• Directive 95/46/EC and transposition in legislation in each EU Member State

• Harmonized framework, with significant differences in implementation

• Proposed EU legal Framework:

• General Data Protection Regulation

• Direct applicability in all EU Member States

• National Data Protection (DP) laws will be replaced

• Legislative Status:

• The Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament provided amendments

• Current Goal: political agreement in 2013 (likely end of 2013); entry into force: 2 years after adoption

Source: European Commission Press Release (Jan. 28, 2013), http://europa.eu/rapid/press-release_IP-13-57_en.htm


Applicability of the Regulation

• Now also applicable to data controllers outside the EU whose processing is aimed at:

• The offering of (paid or free) goods or services to data subjects in EU; or

• The monitoring of data subjects.

• Direct obligations and liability of processors inserted in several sections.

• New concept: “data producers” (e.g., hardware and software producers):

• Some clauses are also applicable to them; such as the privacy principles (privacy by design and minimizing data collection).


Internal Privacy Organization

• Appointment of a data protection officer (DPO):

• Required:

– For public authorities, and for enterprises processing personal data of more than 500 persons per year;

– Regular and systematic monitoring or profiling; or

– Sensitive personal data processing.

• Minimal qualification and position requirements

• Set of minimal tasks, including Single Point of Contact (SPOC) for Data Protection Authorities (DPA)

• Privacy by Design to be integrated in all processes and organization (e.g., personal data must be processed in a way that effectively allows the data subject to exercise his or her rights).

• Privacy Impact assessments (PIA) required if there are specific risks (list included)

• Independent internal or external audits, “if proportionate.”


Interaction with the Data Protection Authorities

• DPA notifications/registrations abolished and replaced by:

• The duty to keep such information internally and have it available for the DPA.

• DPA prior authorization or prior consultation required if:

• “List to be published by DPAs”

• The privacy impact assessment indicates a "high risk."

• For international companies, the DPA of the ‘main establishment’ shall act as a single contact point and shall lead the coordination with other DPAs.

• Increased cooperation between DPAs and creation of the European Data Protection Board (replacing the current Article 29 Working Party (WP)).


Security

• Appropriate technical and organizational measures and procedures required

• Information Security Risk Assessments required

• Data Breach Notification:

• To DPA

– Within 24 hours, unless “reasonable justification”

– Minimal content (standard forms to be developed)

• To Data Subject

– If there is an adverse effect (examples included);

– “without undue delay”

• Keep internal documentation

• The supervisory authority will keep a public register of the types of breaches notified (apparently not on a named basis)

• Commission may impose specific security requirements


Enforcement

• Increased DPA powers:

• Power to order compliance (up to banning processing)

• Full investigative powers

• Any person who has suffered damage, including non-pecuniary loss, has the right to receive compensation from the controller or the processor.

• Power to impose administrative sanctions

• Maximum fine is 1 million EUR or 2% of annual worldwide turnover.

• Class action suits enabled.

• Increased cooperation between DPAs.


Notice to Data Subjects

• Stricter Requirements

• Legal requirement to have it in an intelligible form, using clear and plain language, adapted to the data subject

• Much more information to be included:

– The categories of personal data processed;

– The right to lodge a complaint to DPA;

– Data recipients (not categories!);

– International data transfers;

– Joint data controllers and their roles & responsibilities;

– Information on profiling;

– The right and mechanisms to avoid/oppose the processing;

– Information on legal grounds for processing.

• The current wording implies layered notices and standardized icons


Right to be Forgotten

• Right to obtain erasure and no further transfer, if:

• Data is no longer necessary for the collection purpose

• Consent withdrawn, no legal basis, consent duration expired

• Objection of data subject (only in some cases such as direct marketing, processing based on “legitimate interest,” …)

• Processing does not comply with the Regulation

• Several mediating provisions.

• Note: Reference to “data provided before adulthood” is removed.

Corporate Responses



Corporate Response to Privacy and Security Challenges

Critical privacy and security challenges require a corporate response involving collaboration across the organization. Cohesive responses enable organizations to minimize risks associated with breaches and navigate the complex regulatory environment.

Implement privacy and security governance, risk and compliance structures involving:
• Senior management sponsorship
• Centralization of risk
• Programmatic response

Implement a variety of data protection technology solutions including:
• Data Loss Prevention
• Digital Rights Management
• Encryption / Obfuscation

Expand from contractual remedies to proactive program management focusing on risk to information assets.

Implement internal and external assurance programs to verify program and process compliance with policies and regulations:
• Transition from SAS 70 to SOC 1 and 2

Organizations should implement a multi-layered approach, driven from the top down, to mitigate the risks associated with privacy and security challenges.


Initial Scope

The recommended approach helps a company to begin demonstrating progress against the longer term privacy and data protection roadmap:

Recommended Approach / First steps in the roadmap (the original slide plots these against business value):

• Vision

• Requirements Baseline: Identify and rationalize requirements to develop a baseline set of requirements

• Data Inventory & Mapping: Identify a representative data inventory and data lifecycle, associated processes, and technical requirements

• Gap Analysis: Determine the gap between identified requirements and the current state, and recommend remediation

• Policies, Procedures, Controls: Design policies, procedures, and controls that align with business objectives and strategies

• Governance: Optimize the privacy office; assign ownership; define roles, responsibilities, and reporting

• Implementation: Roll out programmatic, process, and technology remediation

• Continuous Improvement: Monitor the program and identify opportunities to make ongoing improvements

Broadened Scope: Further initiatives including additional sectors


Early Design of Privacy

• Firm up a governance model

• Establish or assign single point accountability within the governance structure

• Responsibility of both privacy and governance

• Bandwidth / demand vs. capacity

• Executive oversight and executive accountability

• Identification of the focus area(s):

• Requirement rationalization

• Development of policies / rollout of training

• Cross border data transfer mechanisms

• Prioritization of global regions

• Organizational accountabilities / audit, monitoring, investigation(s)


Privacy Operationalization (Early Establishment)

• Single point accountability

• Global network of privacy contacts

• Divisional or by Country

• Formal governance structure leading to senior leadership

• Leadership appointed – level that can make decisions

• Privacy Training

• Governance Council

• High-risk-area employees first

• Stratify the remainder

• Inventory and standardization of privacy notices across the enterprise

• Validation of Privacy Promises

• Re-Opt[in] for any material changes to privacy policy(ies)

• Social Media Policy / Training / Monitoring


Privacy Operationalization (Early Establishment)

• Privacy by Design

• Formalize incorporation of privacy into new system or operational initiatives

• Written Information Security Program that encompasses privacy

• Data Retention / Records Management

• Data Classification

• Contracts “Privacy Playbook”

• Vendor Certification / Accreditation

• A go-forward scenario

• Device Management

• Inventory and recovery on exit, etc.

• Privacy Incident Response Plan

• Appropriate notification in case of loss or theft


Privacy Operationalization (Early Establishment)

• Selective Privacy Audits

• A protective measure for companies, ensuring they are complying with their own promises

• HIPAA Privacy and HIPAA Security Programs

• U.S. requirement – complex but necessary

• Data Inventory / Data Mapping

• Either global strategy or by area or by system

• Map data flows against selected regulatory requirements

• Data rationalization [necessity] from the perspective of collection and access when collected


Privacy Operationalization (Early Establishment)

• Compliance with the US-EU / US-Switzerland requirements for cross-border data transfer

• Model Contracts

• Safe Harbor Framework for cross-border data transfer

• Employee rights / monitoring / notifications / works councils

• Evaluation of the new “proposed” EU Data Protection Regulation and potential exposure or impact from the proposed new terms

• E-Discovery and Privacy’s involvement with discovery processes potentially affecting personal data

• Encryption of Portable Devices
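The "Data Inventory / Data Mapping" step on the previous slide (map data flows against selected regulatory requirements, then rationalize for necessity) and the cross-border transfer items above are where a gap analysis becomes mechanical once the inventory exists. The following Python script is an added example, not code from the deck: it runs a handful of requirement rules over a constructed inventory and emits the gap list that remediation would work from. The country set, the transfer mechanisms (including the assumption that Safe Harbor only covers importers in the US), the retention limits and the inventory rows are all constructed assumptions for the example, not legal guidance.

```python
"""Added example: rule checks over a data inventory, producing a gap list.
Example code, not part of the original deck; all reference data below is
a constructed assumption for illustration, not a legal reference."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed origin jurisdictions whose exports need a transfer mechanism
# (EU members plus Switzerland, matching the US-EU / US-Swiss frameworks above).
EU_SWISS = {"AT", "BE", "CH", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "PL", "SE"}
TRANSFER_MECHANISMS = {"safe_harbor", "model_contracts", "bcr"}
US_ONLY_MECHANISMS = {"safe_harbor"}   # assumption: Safe Harbor covers US importers only
SENSITIVE = {"health", "financial"}     # categories that must be encrypted at rest
MAX_RETENTION_DAYS = {"employee": 3650, "customer": 1825, "health": 3650, "financial": 2555}

Gap = Tuple[str, str, str]  # (system, rule id, finding)


@dataclass
class DataFlow:
    system: str
    category: str
    origin: str             # country code where the data is collected
    destination: str        # country code where it is stored or processed
    mechanism: Optional[str]
    encrypted: bool
    purpose: str            # documented business purpose (necessity)
    retention_days: int


def check_flow(f: DataFlow) -> List[Gap]:
    """Apply the requirement rules to one inventory row."""
    gaps: List[Gap] = []
    # Cross-border: leaving an EU/Swiss jurisdiction needs a recognised mechanism,
    # and a US-only mechanism does not help when the importer is elsewhere.
    if f.origin in EU_SWISS and f.destination not in EU_SWISS:
        if f.mechanism not in TRANSFER_MECHANISMS:
            gaps.append((f.system, "XBORDER", f"{f.origin}->{f.destination} has no transfer mechanism"))
        elif f.mechanism in US_ONLY_MECHANISMS and f.destination != "US":
            gaps.append((f.system, "XBORDER", f"{f.mechanism} does not cover transfers to {f.destination}"))
    # Data-centric control: sensitive categories stored unencrypted are a gap.
    if f.category in SENSITIVE and not f.encrypted:
        gaps.append((f.system, "ENCRYPT", f"{f.category} data stored without encryption"))
    # Data rationalisation: collection without a stated purpose fails necessity.
    if not f.purpose.strip():
        gaps.append((f.system, "NECESSITY", "no documented purpose for collection"))
    # Records management: retention beyond the category limit.
    limit = MAX_RETENTION_DAYS.get(f.category)
    if limit is not None and f.retention_days > limit:
        gaps.append((f.system, "RETENTION", f"retains {f.retention_days}d, policy max {limit}d"))
    return gaps


def gap_analysis(flows: List[DataFlow]) -> List[Gap]:
    """Current state versus requirements: one finding per rule per system."""
    return [g for f in flows for g in check_flow(f)]


def summarize(gaps: List[Gap]) -> dict:
    """Count findings per rule, a simple programmatic metric for a dashboard."""
    counts: dict = {}
    for _, rule, _ in gaps:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


# Constructed inventory rows (not real systems or data).
INVENTORY = [
    DataFlow("HR-Payroll", "employee", "DE", "US", "safe_harbor", True, "payroll", 2555),
    DataFlow("CRM", "customer", "FR", "IN", None, True, "support", 365),
    DataFlow("ClinicApp", "health", "NL", "US", "model_contracts", False, "care", 3650),
    DataFlow("MktgList", "customer", "US", "US", None, True, "", 730),
    DataFlow("FieldLaptops", "customer", "IE", "BR", "safe_harbor", True, "sales", 5000),
]

if __name__ == "__main__":
    for system, rule, finding in gap_analysis(INVENTORY):
        print(f"{system:13} {rule:9} {finding}")
    print(summarize(gap_analysis(INVENTORY)))
```

Each rule corresponds to an item on these slides (cross-border mechanism, encryption of sensitive data, necessity of collection, retention), so adding a requirement to the baseline means adding a rule here, and the per-rule counts feed the remediation metrics that the governance section asks for.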

Governance Considerations



Key Components of Privacy Governance

With ever-growing emphasis on privacy and data protection, the role and the responsibility of a privacy office goes beyond merely monitoring compliance.

Privacy Office functions (from the original graphic): Privacy Governance (Strategy and Organization), Privacy Requirements, Legal Compliance, Complaint Resolution, Audit and Monitoring, Policy Development, Training and Awareness

Some Key Components

Privacy Requirements:

− Manages the integration of privacy requirements (e.g., privacy of sensitive data shared with third parties) into all projects, initiatives, and campaigns

Policy Development:

− Ensures that the privacy program keeps pace with privacy legislation by continually defining and implementing policies and procedures that accurately reflect the privacy practices of the company

Legal Compliance:

− Interprets the implications that new and changing regulatory requirements have on privacy management practices, and provides guidance as needed

Complaint Resolution:

− Serves as the primary contact point for customer and employee related privacy complaints and issues escalated by business divisions and affiliates. It also co-ordinates incident response efforts in an event of a privacy breach

Training and Awareness:

− Works closely with all business divisions and functional teams to create and deliver privacy-related training programs and workshops that specifically address each team’s PII handling

Audit and Monitoring:

− Coordinates the performance of regular/annual privacy audits and manages ongoing compliance monitoring system and metrics development


Some Key Insights

Through our experience working with multiple clients across various industries and geographies, we have identified the following as some of the key attributes of an effective privacy governance model.

Organization Structure

Dedicated structure: The privacy office is part of the executive management team and provides top-down governance throughout the business units

Cross-functional structure: The privacy office reports to executive management and has representation from various business units, which work together to provide collaborative governance. This structure has a corporate presence but is supported heavily in geographies and businesses through part-time staff and/or privacy liaisons

Privacy Function and Information Technology (IT)

The privacy function is separate from but complementary to information security

The privacy function is elevated above information security depending on the privacy risk posture of the organization

The privacy office within IT is empowered to work directly with the IT operations head and compliance leader to ensure the effectiveness of privacy and data protection controls

The privacy office within IT has easy access to the privacy liaisons within the business units

Reporting

The privacy function within IT can have different reporting relationships based on the governance structure:

Centralized structure: Works closely with the corporate privacy office and follows its lead in implementing IT controls, data protection solutions, and ensuring compliance

Distributed structure: Reports to the corporate privacy office but runs an autonomous program

Hybrid structure: Has representation from corporate as well as businesses across the geographies


Measuring effectiveness of Privacy Governance

In order to measure the effectiveness of Privacy Governance, various metrics may be used.

Metrics provide views into the effectiveness, efficiency, and success of Privacy Governance and present opportunities for ongoing adjustments.

Sample Metrics

Programmatic Metrics measure the progress of various structural components of Privacy Governance:

− Remediation of privacy controls across regions and businesses

− Implementation of privacy operational processes

− Assignment of privacy liaisons

− Communication to leadership

− Publishing privacy policy, guidelines and templates

Operational Metrics measure the performance of various operational components of Privacy Governance:

− Response activities implemented

− Notification and communication activities

− Remediation activities

− Recommendations provided to executive leadership

− Response times

Compliance Metrics measure the compliance activities of the Privacy Governance:

− Self assessment and internal audit findings

− Remediation activities

− Number of contracts with privacy requirements

− Types of contracts with privacy requirements

− Contractual requirements addressing privacy

Sample Dashboards (charts in the original slide): Number of communications from the Privacy Office, by month (Jan through Dec); Percentage of Contracts with Privacy Requirements, rising from 10% to 40% over the period shown

Final Thoughts



Final Thoughts

• Privacy is really about “data protection” and “doing the right thing”

• Emphasis should be placed on:

• Strategy

• Operations

• Technology

• Methodologies should be consistent

• Risk Centric – focuses on the type of risk / organizational risk tolerance

• Data Centric – focuses on the criticality of the data

• Process Oriented – manage the processes and not just the data

• Global Orientation

• Cultural Divisions

• Regulatory Divisions

• Operating Divisions

• One Additional Consideration

• Not everything is important; the attributes of the data are what matter. Govern and protect what is really important.

Questions



This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.