TRANSCRIPT
6/13/2013
The Global Privacy Conundrum
Presented to the SCCE Regional Compliance and Ethics Conference
San Francisco, California, 21 June 2013
Robert E. Glaser, CIPP/US, Specialist Leader
Security & Privacy Services
Deloitte & Touche LLP
Houston, Texas
[email protected]
+1 281.753.4673
Copyright © 2013 Deloitte Development LLC. All rights reserved.
Agenda
• Introduction
• What Is Privacy?
• Trends in Data Privacy
• Privacy – A Global Issue
• Privacy in the European Union
• Reform of the European Directive
• Corporate Responses
• Governance Considerations
• Operationalizing Privacy
• Final Thoughts
• Questions
What Is Privacy?
Setting the Stage: Privacy and Security

Privacy: The rights and obligations of individuals and organizations with respect to the handling of personally identifiable information, based on basic principles including notice, choice, acceptable use, and cross-border sharing of data.

Security: Safeguarding and controlling data as it moves across the data lifecycle, both within the enterprise and as it travels beyond the enterprise’s technical infrastructure.

Privacy Components: Notice and Choice; Collection Limitation; Use Limitation; Data Quality; Purpose Specification; Openness; Accountability; Access to Data; Data Safeguards; Awareness and Training; Compliance

Security Components: Confidentiality; Integrity; Availability; Reliability; Authorization; Authentication; Access Controls

The rapid influx of data is also increasing the challenges associated with managing and protecting enterprise data assets. While security and privacy requirements may differ among jurisdictions, an effective enterprise data management program provides a framework for achieving the objectives of both.

The Privacy and Security Paradox
• Privacy: Strong privacy requires protecting a user’s identity and preventing unauthorized access to, or unintended use of, personal information.
• Security: Strong security requires binding a user’s identity to their behavior in support of monitoring and individual accountability.
What is Privacy? Common Terms Used
• Personal Data
• Sensitive Personal Data
• Personal Information
• Personally Identifiable Information (PII)
• Protected Health Information
• Individually Identifiable Health Information

Whose Privacy Are We Concerned About?
• Employees
• Consumers / Customers
• Physicians
• Patients / Caregivers
• Anyone your company (or vendors who work for you) can identify as an individual, and/or those about whom we know something specific

Takeaways:
• Privacy is NOT just the Health Insurance Portability and Accountability Act (HIPAA)
• The environment is changing on a near-daily basis
‒ New rules, laws, and regulations around the world
‒ Ever-increasing enforcement
• Privacy regulations impact many persons and roles anywhere in or associated with our companies, both domestically and abroad
Personal Data / PII
• There are ethical and regulatory obligations to protect the personal information, personally identifiable information, and protected health information (collectively "PII") that companies, as well as consultants and vendors working on a company’s behalf, collect, store, use, or transmit.
• PII: Any information in physical or electronic form that identifies an individual or could reasonably be used to identify an individual.
• Sensitive [Personal] Information: Information relating to the racial or ethnic origin, political opinion, religious belief, trade union membership, health, sexual preference or activity, or criminal convictions of the subject of the information.
• Protected Health Information: A regulatory term for the personal health information covered by HIPAA.
Privacy and Security Legal Challenges
Privacy and security regulations are constantly evolving, with inconsistent and often conflicting requirements, compelling organizations to stay abreast of emerging regulations and trends.
Significant privacy and security regulations and requirements have been developed within the U.S. as well as internationally, governing how organizations handle, use, store and transfer personal information.

Regulations / guidance and enforcement bodies (illustrative examples only, not an exhaustive list):
US Federal
‒ Regulations / Guidance: Fair Credit Reporting Act (FCRA); HIPAA; Children's Online Privacy Protection Act (COPPA); Safe Harbor
‒ Enforcement Bodies: Securities and Exchange Commission; Department of Health and Human Services / Office for Civil Rights; Department of Labor; Federal Trade Commission
US States
‒ Regulations / Guidance: Massachusetts 201 CMR 17.00; Nevada NRS 597.970; state breach notification laws
‒ Enforcement Bodies: State Attorneys General; state Offices of Consumer Affairs
International
‒ Regulations / Guidance: European Union (EU) Data Protection Directive; APEC Privacy Framework; PIPEDA (Canada); PIPA (Japan)
‒ Enforcement Bodies: International governments
Industry
‒ Regulations / Guidance: Payment Card Industry Data Security Standard (PCI DSS); commercial contractual requirements
‒ Enforcement Bodies: Payment Card Industry; third-party business partners
Scope of Privacy Today
Commercial
• Direct-to-Consumer Marketing, including e-Marketing
• Health Care Professional Data / Profiling
• Brands
• Sales and Marketing, including Sales Force Automation
• Joint Ventures, Licensing and Other Partnerships
• Call Centers
• Pricing and Reimbursement
• Consumer Loyalty Programs
Research, Development and Pharmacovigilance
• Trial Practices and Data
• Secondary Use
• Subject Recruitment
• Pharmacovigilance / Safety
• Contract Research Organizations (CRO) / Service Provider Safeguards
• Medical Affairs
• Sample Repositories
• Records-Based Research
Human Resources
• Compensation
• Benefits
• Workers’ Compensation
• Call Center / Employee Resource Center
• HIPAA / Health Information Technology for Economic and Clinical Health (HITECH) Act
• Vehicle, Travel, and Credit Card Reimbursements
• Recruitment
• Training
Information Technology, Compliance, Legal and Procurement
• Device Encryption and Loss Reporting
• Physical Security, Investigations and Other Areas - Litigation
• Help Desk Log
• Vendor Management / Accreditation
• Contracting / Procurement
• Breach Notification and Response
• Call Centers – Physician and Patient
• Cross-Border Data Transfer
• Records, E-Discovery, Investigations, Foreign Corrupt Practices Act, Other Law / Compliance Areas
• Internal Audit, Investor Relations, Corporate Functions
• Records Management
Finance
• Payroll
• Expense Reports
• Corporate Credit Cards
• Accounts Payable
In The End… What Requires Protection?
• Name
• Drug Enforcement Administration (DEA) Number
• Date of Birth (excluding year by itself)
• Vehicle Identifiers and Serial Numbers (including license plate tags)
• Social Security Number
• Full Face Photographic Images or Comparable Images
• Signature
• Passport Information
• Biometric Identifiers (including finger and voice prints)
• Financial Data
• Account Numbers
• Drivers License Number
• Health Information
• Credit Card Information
• Health Plan Beneficiary Numbers
• Physical Characteristics
• Certificate / License Numbers
• Medical Record Numbers
• Any unique identifying numbers, characteristics, codes, or combinations that allow identification of a single individual
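Two of the identifiers in the list above, Social Security Numbers and payment card numbers, are what a Data Loss Prevention scan most often has to find in free text, and naive digit-pattern matching produces a flood of false positives (order numbers, dates, form numbers). The following is an added example, not code from the deck or from Deloitte, showing how a scanner tightens the match with structural checks: the Luhn checksum for card numbers and the never-issued SSN ranges. All function names (luhnValid, ssnValid, panValid, scanText) and the sample records are this example’s own; the records are constructed test data.

```javascript
// Added example, not from the original deck: a minimal DLP-style scanner that flags two of
// the identifiers listed above (Social Security Numbers and payment card numbers) in free text.
// All names (luhnValid, ssnValid, panValid, scanText, SAMPLE_RECORDS) are this example's own,
// and the sample records are constructed test data, not real records.

// Luhn checksum: the standard check-digit scheme for payment card numbers. It rejects most
// random 13-19 digit runs (order numbers, ticket IDs) that merely look like a card number.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (d < 0 || d > 9) return false;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return digits.length > 0 && sum % 10 === 0;
}

// SSN structure check (AAA-GG-SSSS): area 000, 666 and 900-999, group 00 and serial 0000
// are never issued, so rejecting them removes obvious false positives such as form numbers.
function ssnValid(candidate) {
  const m = /^(\d{3})-(\d{2})-(\d{4})$/.exec(candidate);
  if (!m) return false;
  const area = Number(m[1]);
  return area !== 0 && area !== 666 && area < 900 && m[2] !== '00' && m[3] !== '0000';
}

// Card number: 13-19 digits, optionally separated by spaces or dashes, that pass Luhn.
function panValid(candidate) {
  const digits = candidate.replace(/[ -]/g, '');
  return digits.length >= 13 && digits.length <= 19 && luhnValid(digits);
}

const DETECTORS = [
  { type: 'SSN', pattern: /\b\d{3}-\d{2}-\d{4}\b/g, validate: ssnValid },
  { type: 'PAN', pattern: /\b(?:\d[ -]?){13,19}\b/g, validate: panValid },
];

// Never log the full value: keep only the last four digits, as a breach report would.
function mask(candidate) {
  const digits = candidate.replace(/\D/g, '');
  return '*'.repeat(digits.length - 4) + digits.slice(-4);
}

// Returns findings as { type, masked, offset }, sorted by position in the text.
function scanText(text) {
  const findings = [];
  for (const { type, pattern, validate } of DETECTORS) {
    for (const m of text.matchAll(pattern)) {
      const candidate = m[0].trim();
      if (validate(candidate)) {
        findings.push({ type, masked: mask(candidate), offset: m.index });
      }
    }
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Constructed sample: two true positives and two look-alikes the validators should drop.
const SAMPLE_RECORDS = [
  'Patient ref 4471, SSN 219-09-9999, visit 2013-05-10',
  'Order paid with card 4111 1111 1111 1111 exp 06/15',
  'Ticket 4111 1111 1111 1112 is a typo, not a card number',
  'Form number 000-12-3456 is not an SSN',
];

for (const f of scanText(SAMPLE_RECORDS.join('\n'))) {
  console.log(`${f.type} at offset ${f.offset}: ${f.masked}`);
}
```

Run against the constructed records, the scanner reports exactly two findings, the SSN and the Luhn-valid card number, and drops the typo’d card number and the 000-area form number. Real DLP products add many more detectors (the DEA number, medical record number and account number formats above are organization-specific), but the pattern-plus-validator structure is the same; the masking step matters because the scanner’s own log is otherwise a new store of PII.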
Trends in Data Privacy
Growth of Data
Over one trillion gigabytes of information was created and replicated as of 2010, surpassing the total from five years ago by a factor of nine. Seventy-five percent of this information was created by individuals, while enterprises have liability for eighty percent of it.¹
The evolution of data is forcing organizations to reevaluate and refocus their information management practices to better integrate and leverage data in core business processes.
¹ IDC, Extracting Value from Chaos, June 2011

Data Growth
“40% projected growth in global data generated per year vs. 5% growth in global IT spending”
“$600 billion potential annual consumer surplus from using personal location data globally”
“1.5 million more data-savvy managers needed to take full advantage of big data in US”
Source: McKinsey Global Institute – Big data: The next frontier for innovation, competition, and productivity.

Consumerization
“On an aggregate, 56% of companies say yes to consumerization and allow employees to use their personal devices for work-related activities.”
“31% of the mobile devices connecting to the corporate network are owned by the employees: 66% are laptops, 25% smartphones and 9% are tablets.”
Source: Trend Micro Consumerization Report 2011

Globalization
“By 2014 emerging markets will have overtaken developed economies in terms of share of global GDP.”
“70% of economic growth over the next decade will come from emerging markets, with China and India accounting for 40% of that growth.”
Source: World Economic Outlook Database, International Monetary Fund
“Globalization has changed us into a company that searches the world, not just to sell or to source, but to find intellectual capital - the world's best talents and greatest ideas.” (Jack Welch)
Privacy Related Regulatory Factors (a partial list)
International
• Data Privacy Laws (e.g., EU, Switzerland, Singapore, Canada, Japan, Mexico, Australia)
• Sensitive Personal Data
• Cross-Border Data Transfers
• Notice, Choice, and Consent
• Safe Harbor
• Internet Protocol (IP) Addresses
• Binding Corporate Rules
US Federal
• HIPAA
• FCRA
• CAN-SPAM Act
• National Do-Not-Call Registry
• Gramm-Leach-Bliley
• COPPA
• Junk Fax Protection Act
• Unfair / Deceptive Trade
• Red Flags Rule
• Telemarketing Sales Rule
• Telephone Consumer Protection Act
US State
• SSN / EIN / TIN Protection
• Medical Marketing
• Data Security / Encryption
• Consumer Protection
• Driver License
• Employee ID Number
• Voice
• Vehicle Identifiers / Serial Numbers
• Medical Privacy (Including Record #)
• Marketing to Children
• Data Transmission
• Video Privacy
• Prescriber Data Restriction
• Bank Account
• Photographic Images
• Signature
• Physical Characteristics
• Marketing Opt In / Opt Out
• Children’s Information
• Portable Device
• Unfair / Deceptive Trade
• DEA Number Restriction
• Credit Card / PIN Number
• Video Images
• Certificate / License Numbers
• DNA / Biobanking
• Other Unique Identifying Numbers, Characteristics, Codes, or Combinations
Contractual
• American Medical Association Physician Masterfile
• Employee Notice / Consent
• Data Breach Notification
• Ethical Data Collection / Use
• Vendor Certification
• Data Ownership / Data Use
• Indemnification
• Payment Card Industry
• Informed Consent
• Data Security
• Right of Audit
Data Centric Business Trends Affecting Privacy and Security
As more information is developed and collected by organizations, several trends have evolved regarding data centricity which have a significant impact on privacy and security capabilities.

Data Centric Business Trends, each paired with its privacy and security consequence:
1. Increase in data value derived from the collection of meaningful customer data. Storage of valuable data leads to increased threats against the enterprise.
2. Brand globalization is requiring personal information to bridge national boundaries. Transfer of personal information across national boundaries compounds privacy and security regulatory hurdles.
3. Consumer demand for a personalized experience in real time has led to greater demands for openness. Openness of personal information requires more granular control to confirm only appropriate information is shared.
Resulting Business Impacts and Constraints
[Chart: personal information access and usage (low to high) plotted over time, from 15 years ago through 10 years ago, 5 years ago and today to 5 years out; the increasing scope of privacy rises over time and is capped by regulatory/contractual limits.]
Cyber and Breach Response Challenges
The profile of cyber attacks and resulting breaches has evolved from simple “capture the flag” pranks to establishing a sustained, persistent presence on enterprise systems for monetary gain or competitive advantage. With more pervasive and successful breaches comes a corresponding rise in security and privacy laws and regulations. Notification of stakeholders when a privacy breach occurs is becoming a global regulatory requirement.
• Data breaches cost $214 per compromised record¹
• Data breaches averaged $7.2 million per incident¹
• According to the Verizon 2011 Data Breach Investigations Report, ~56% of breaches occurred within Retail and Hospitality, 35% within Financial Services, and 9% in all other industries²
• 46 out of 50 states have breach notification regulations, with varying requirements and varying levels of enforcement¹
The prevalence and public nature of privacy breaches within the industry requires organizations to evaluate their capabilities to identify and respond to a breach.
[Chart: compromised data types by number and percent of breaches and percent of records. Source: Verizon 2011 Data Breach Investigations Report]
¹ Ponemon, Cost of a Data Breach 2011   ² Verizon 2011 Data Breach Investigations Report
Privacy – A Global Issue
Global Regulatory Landscape – Some Key Challenges
• Global regulatory landscape is becoming increasingly complex
• Privacy laws now exist in 89 countries worldwide
• Emerging jurisdictions: DIFC, Mexico, Russia, and Ukraine
• No global harmonization - different requirements across different jurisdictions, meaning international data transfers become an increasingly complex issue
• EU requirements are generally more restrictive (in particular: Germany, France, and Spain)
Global Regulatory Landscape
• Australia: Federal Privacy Act 1988 (as amended); Spam Act 2003
• California: California Online Privacy Protection Act 2003; Security Breach Notice (Civil Code 1798, formerly SB 1386)
• European Union: Data Protection Directive 95/46/EC; US-EU Safe Harbor Framework; Data Retention Directive (2006); Privacy and Electronic Communications (e-Privacy) Directive, as implemented by 27 different Member State data protection laws
• South Africa: Electronic Communications and Transactions Act
• US Federal: HIPAA, GLBA, COPPA, CAN-SPAM, Do Not Call, Safe Harbor Principles, FCRA
• Hong Kong: Personal Data (Privacy) Ordinance
• Canada: PIPEDA; Privacy Act; provincial privacy laws
• Japan: Personal Information Protection Act (PIPA), effective April 1, 2005; Law for Protection of Computer Processed Data held by Administrative Organs 1988
• Argentina: Personal Data Protection Law 2000; Confidentiality of Information Law
• South Korea: Act on Promotion of Information and Communications Network Utilization and Data Protection 2000
• Taiwan: Computer-Processed Personal Data Protection Law
• New Zealand: Privacy Act 1993; Privacy Amendment Acts 1993 & 1994
• India: Legislative proposals under discussion; Information Technology Act 2000
• Philippines: Data Privacy Law proposed by ITECC; right of privacy in civil law
• Chile: Law for the Protection of Private Life; Act on Protection of Personal Data 1998
• Switzerland: Federal Data Protection Act 1992
• Russia: Federal Law No. 152-FZ of 27 July 2006 on Personal Data
• Dubai: Data Protection Act 2007
Regional Differences
U.S.
• Once personal data is provided, the organization becomes the data owner.
• Except for sector-specific privacy legislation, the organization can determine the use of that data.
EU
• The individual retains rights around his/her personal data.
• Organizations are “custodians,” responsible for protecting personal data and using it only in accordance with the law.
APEC
• Accountability: organizations must design privacy protections to prevent harm to individuals.
• Organizations are accountable and obligated to exercise due diligence.
Privacy in the European Union
Privacy in the EU
• EU Data Protection Directive 1995:
• Establishes baseline principles of data protection
• Is technologically neutral
• Affords individuals certain rights in protecting their personal data
• Creates civil and criminal penalties for serious breaches (UK)
Source: http://ec.europa.eu/justice/data-protection/index_en.htm
Privacy in the EU
• Privacy and Electronic Communications EC Directive (Amendment) Regulations 2009
• Covers use of electronic messaging to communicate with customers
• Establishes opt-in requirements for electronic marketing
• Covers use of “cookies” and other “tracking technology”
Source: http://ec.europa.eu/justice/data-protection/index_en.htm
The Role of the European Regulators
• Enforce legislation and promote good practice
• Provide guidance to individuals and organizations
• Process and investigate complaints from individuals
• Take appropriate action when the law is broken, holding companies accountable; all member states have the power to fine, but to varying degrees
• The Article 29 Working Party
• Made up of:
– Representatives from the data protection authority of each EU member state
– The European Data Protection Supervisor
– The European Commission
• Roles:
– Provides expert advice
– Produces best practices documents
– Sets policy
EU Data Protection – General Themes
• Fair and lawful collection
• Specify purposes
• Adequacy and relevance
• No excessive collection!
• Accuracy and completeness
• Retention
• Individual’s rights (right to access, rectify, block and erase)
• Security (organization and technical measures)
• Limitations on transfer outside of European Economic Area (EEA)
e-Privacy Directive
Key requirements
• Provides additional marketing rules
• Main focus: email, telephone, fax, and short message service (SMS)
• Establishes opt-in rules for some forms of e-marketing
• Amended in 2009 to cover:
– Use of “cookies” and other tracking technologies used by businesses; consent required for use, and full disclosure of the types of technologies used
– Breach notification for the telecoms sector
• Gives regulators fining power for breaches (in the UK, the Information Commissioner’s Office can fine up to £500,000, about $778,600)
e-Privacy Directive
New ‘cookie’ requirements
• Requires consent before cookies can be placed on users’ devices
• Requirements enforced by the Information Commissioner’s Office (ICO) as of May 26, 2012
• Open questions on how to achieve compliance:
– Is consent required before dropping cookies?
– Will implied consent suffice?
– Can browser-level preferences be used?
– Which cookies are exempt?
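Whichever answer an organization settles on for the open questions above, the mechanism on the site has to do three things: place exempt (strictly necessary) cookies unconditionally, hold back everything else until a consent record exists, and treat an old consent record as no consent once the notice changes materially. The following is an added example, not code from the deck or from Deloitte, of that gating logic as it would run on a server before emitting Set-Cookie headers. The cookie inventory, the category names, POLICY_VERSION and the function names (consentIsCurrent, needsReconsent, mayPlaceCookie, cookiesToSet) are this example’s assumptions; only the strictly-necessary exemption comes from the Directive.

```javascript
// Added example, not from the original deck: gating cookie placement on a recorded consent
// decision. The cookie inventory, category names and POLICY_VERSION are this example's own
// assumptions; only the "strictly necessary" exemption is taken from the e-Privacy Directive.

// Bump this whenever the cookie/privacy notice changes materially: earlier consent records
// then stop counting and the visitor has to opt in again.
const POLICY_VERSION = 3;

// Every cookie the site sets, with the category the notice discloses it under. Cookies that
// are not in the inventory are never set, which forces new cookies through the notice first.
const COOKIE_INVENTORY = {
  session_id:  { category: 'strictly-necessary' },  // exempt: needed to deliver the service
  csrf_token:  { category: 'strictly-necessary' },  // exempt: security of the service itself
  ga_tracking: { category: 'analytics' },           // needs consent
  ad_profile:  { category: 'advertising' },         // needs consent
};

const EXEMPT_CATEGORIES = new Set(['strictly-necessary']);

// A consent record is usable only if it was given against the current notice and lists
// the categories the visitor opted into. Missing or stale records count as no consent.
function consentIsCurrent(consent) {
  return Boolean(consent)
    && consent.policyVersion === POLICY_VERSION
    && Array.isArray(consent.categories);
}

// True when the consent banner must be shown again: no record, or a record for an old notice.
function needsReconsent(consent) {
  return !consentIsCurrent(consent);
}

function allowedCategories(consent) {
  const allowed = new Set(EXEMPT_CATEGORIES);
  if (consentIsCurrent(consent)) {
    for (const c of consent.categories) allowed.add(c);
  }
  return allowed;
}

// Decision point: may this named cookie be placed under this consent record?
function mayPlaceCookie(name, consent) {
  const entry = COOKIE_INVENTORY[name];
  if (!entry) return false;  // unknown cookie: deny by default
  return allowedCategories(consent).has(entry.category);
}

// Filters [name, value] pairs down to the ones that may be set and renders Set-Cookie
// header values for them; cookies without a basis are silently dropped, not deferred.
function cookiesToSet(requested, consent) {
  return requested
    .filter(([name]) => mayPlaceCookie(name, consent))
    .map(([name, value]) => `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`);
}

// Constructed scenarios: a first visit, a current opt-in to analytics only, and a consent
// record that predates the current notice.
const REQUESTED = [
  ['session_id', 'abc123'],
  ['csrf_token', 'tok456'],
  ['ga_tracking', 'GA1.2.3'],
  ['ad_profile', 'seg=42'],
];
const NO_CONSENT = null;
const ANALYTICS_ONLY = { policyVersion: 3, categories: ['analytics'] };
const STALE_CONSENT = { policyVersion: 2, categories: ['analytics', 'advertising'] };

const SCENARIOS = [['first visit', NO_CONSENT], ['analytics opt-in', ANALYTICS_ONLY], ['stale consent', STALE_CONSENT]];
for (const [label, consent] of SCENARIOS) {
  console.log(label, '-> reconsent needed:', needsReconsent(consent), cookiesToSet(REQUESTED, consent));
}
```

On a first visit only the two strictly-necessary cookies are emitted; with a current analytics opt-in the analytics cookie is added but the advertising cookie still is not; and the stale record, although it once covered both categories, falls back to the exempt set and flags that re-consent is needed. This models explicit, category-level consent; a site relying on implied consent or browser preferences would change only consentIsCurrent, and the deny-by-default inventory would still keep undisclosed cookies off the device.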
Reform of the European Directive
A Few Highlights of the “Proposed” General EU Data Protection Regulation
Legislative Background
• Current EU legal Framework:
• Directive 95/46/EC and transposition in legislation in each EU Member State
• Harmonized framework, with significant differences in implementation
• Proposed EU legal Framework:
• General Data Protection Regulation
• Direct applicability in all EU Member States
• National Data Protection (DP) laws will be replaced
• Legislative Status:
• The Committee on Civil Liberties, Justice and Home Affairs (LIBE) of the European Parliament provided amendments
• Current Goal: political agreement in 2013 (likely end of 2013); entry into force: 2 years after adoption
Source: European Commission Press Release (Jan. 28, 2013), http://europa.eu/rapid/press-release_IP-13-57_en.htm
Applicability of the Regulation
• Now also applicable to data controllers outside the EU aimed at:
• The offering of (paid or free) goods or services to data subjects in EU; or
• The monitoring of data subjects.
• Direct obligations and liability of processors inserted in several sections.
• New concept: “data producers” (e.g., hardware and software producers):
• Some clauses are also applicable to them; such as the privacy principles (privacy by design and minimizing data collection).
Internal Privacy Organization
• Appointment of a data protection officer (DPO):
• Required for:
– Public authorities, and enterprises processing personal data of more than 500 persons per year;
– Regular and systematic monitoring or profiling; or
– Sensitive personal data processing.
• Minimal qualification and position requirements
• Set of minimal tasks, including acting as Single Point of Contact (SPOC) for Data Protection Authorities (DPAs)
• Privacy by Design to be integrated in all processes and across the organization (e.g., personal data must be processed in a way that effectively allows the data subject to exercise his or her rights).
• Privacy Impact Assessments (PIAs) required if there are specific risks (list included)
• Independent internal or external audits, “if proportionate.”
Interaction with the Data Protection Authorities
• DPA notifications/registrations abolished and replaced by:
– The duty to keep such information internally and have it available for the DPA.
• DPA prior authorization or prior consultation required if:
– The processing is on a “list to be published by DPAs”; or
– A privacy impact assessment indicates a “high risk.”
• For international companies, the DPA of the ‘main establishment’ shall act as a single contact point and shall lead the coordination with other DPAs.
• Increased cooperation between DPAs and creation of the European Data Protection Board (replacing the current Article 29 Working Party).
Security
• Appropriate technical and organizational measures and procedures required
• Information security risk assessments required
• Data Breach Notification:
• To the DPA
– Within 24 hours, unless there is “reasonable justification” for the delay
– Minimal content (standard forms to be developed)
• To the data subject
– If there is an adverse effect (examples included);
– “without undue delay”
• Keep internal documentation
• The supervisory authority will keep a public register of the types of breaches notified (presumably not on a named basis)
• Commission may impose specific security requirements
Enforcement
• Increased DPA powers:
– Power to order compliance (up to banning processing)
– Full investigative powers
– Power to impose administrative sanctions
• Any person who has suffered damage, including non-pecuniary loss, has the right to receive compensation from the controller or the processor.
• Maximum fine is 1 million EUR or 2% of annual worldwide turnover.
• Class action suits enabled.
• Increased cooperation between DPAs.
Notice to Data Subjects
• Stricter requirements
• Legal requirement to have it in an intelligible form, using clear and plain language, adapted to the data subject
• Much more information to be included:
– The categories of personal data processed;
– The right to lodge a complaint with the DPA;
– Data recipients (not categories!);
– International data transfers;
– Joint data controllers and their roles & responsibilities;
– Information on profiling;
– The right and mechanisms to avoid/oppose the processing;
– Information on the legal grounds for processing.
• The current wording implies layered notices and standardized icons
Right to be Forgotten
• Right to obtain erasure and no further transfer, if:
• Data is no longer necessary for the collection purpose
• Consent withdrawn, no legal basis, consent duration expired
• Objection of data subject (only in some cases such as direct marketing, processing based on “legitimate interest,” …)
• Processing does not comply with the Regulation
• Several mediating provisions.
• Note: Reference to “data provided before adulthood” is removed.
Corporate Responses
Corporate Response to Privacy and Security Challenges
Critical privacy and security challenges require a corporate response involving collaboration across the organization. Cohesive responses enable organizations to minimize risks associated with breaches and navigate the complex regulatory environment.
• Implement privacy and security governance, risk and compliance structures involving:
– Senior management sponsorship
– Centralization of risk
– Programmatic response
• Implement a variety of data protection technology solutions, including:
– Data Loss Prevention
– Digital Rights Management
– Encryption / Obfuscation
• Expand from contractual remedies to proactive program management focusing on risk to information assets
• Implement internal and external assurance programs to verify program and process compliance with policies and regulations
– Transition from SAS 70 to SOC 1 and SOC 2
Organizations should implement a multi-layered approach, driven from the top down, to mitigate the risks associated with privacy and security challenges.
Initial Scope
The recommended approach helps a company to begin demonstrating progress against the longer-term privacy and data protection roadmap.
Recommended approach (first steps in the roadmap, in order of increasing business value):
• Vision
• Requirements Baseline: Identify and rationalize requirements to develop a baseline set of requirements
• Data Inventory & Mapping: Identify a representative data inventory and data lifecycle, associated processes, and technical requirements
• Gap Analysis: Determine the gap between identified requirements and the current state, and recommend remediation
• Policies, Procedures, Controls: Design policies, procedures, and controls that align with business objectives and strategies
• Governance: Optimize the privacy office; assign ownership; define roles, responsibilities, and reporting
• Implementation: Roll out programmatic, process, and technology remediation
• Continuous Improvement: Monitor the program and identify opportunities to make ongoing improvements
Broadened Scope: further initiatives, including additional sectors
Early Design of Privacy
• Firm up a governance model
• Establish or assign single point accountability within the governance structure
• Responsibility of both privacy and governance
• Bandwidth / demand vs. capacity
• Executive oversight and executive accountability
• Identification of the focus area(s):
• Requirement rationalization
• Development of policies / rollout of training
• Cross border data transfer mechanisms
• Prioritization of global regions
• Organizational accountabilities / audit, monitoring, investigation(s)
Privacy Operationalization (Early Establishment)
• Single point accountability
• Global network of privacy contacts
– Divisional or by country
• Formal governance structure leading to senior leadership
– Leadership appointed at a level that can make decisions
• Privacy training
– Governance Council
– High-risk area employees
– Stratify the remainder
• Inventory and standardization of privacy notices across the enterprise
• Validation of privacy promises
• Re-opt[-in] for any material changes to privacy policy(ies)
• Social media policy / training / monitoring
Privacy Operationalization (Early Establishment)
• Privacy by Design
– Formalize incorporation of privacy into new system or operational initiatives
• Written Information Security Program that encompasses privacy
• Data Retention / Records Management
• Data Classification
• Contracts “Privacy Playbook”
– Vendor certification / accreditation
– A go-forward scenario
• Device Management
– Inventory and recovery on exit, etc.
• Privacy Incident Response Plan
– Appropriate notification in case of loss or theft
Privacy Operationalization (Early Establishment)
• Selective privacy audits
– A protective measure for companies, ensuring they are complying with their own promises
• HIPAA Privacy and HIPAA Security programs
– U.S. requirement; complex but necessary
• Data Inventory / Data Mapping
– Either a global strategy, or by area, or by system
– Map data flows against selected regulatory requirements
– Data rationalization [necessity] from the perspective of collection, and of access once collected
Privacy Operationalization (Early Establishment)
• Compliance with the US-EU / US-Switzerland requirements for cross-border data transfer
– Model Contracts
– Safe Harbor Framework for cross-border data transfer
• Employee rights / monitoring / notifications / works councils
• Evaluation of the new “proposed” EU Data Protection Regulation and the potential exposure or impact of its new terms
• E-Discovery, and Privacy’s involvement with discovery processes potentially affecting personal data
• Encryption of portable devices
Governance Considerations
Key Components of Privacy Governance
With ever-growing emphasis on privacy and data protection, the role and responsibility of a privacy office goes beyond merely monitoring compliance.
Privacy Office components: Privacy Governance (Strategy and Organization); Privacy Requirements; Legal Compliance; Complaint Resolution; Audit and Monitoring; Policy Development; Training and Awareness

Some Key Components
Privacy Requirements:
− Manages the integration of privacy requirements (e.g., privacy of sensitive data shared with third parties) into all projects, initiatives, and campaigns
Policy Development:
− Ensures that the privacy program is commensurate with privacy legislation by continually defining and implementing policies and procedures that accurately reflect the privacy practices of the company
Legal Compliance:
− Interprets the implications that new and changing regulatory requirements have on privacy management practices, and provides guidance as needed
Complaint Resolution:
− Serves as the primary contact point for customer and employee privacy complaints and issues escalated by business divisions and affiliates; also coordinates incident response efforts in the event of a privacy breach
Training and Awareness:
− Works closely with all business divisions and functional teams to create and deliver privacy-related training programs and workshops that specifically address each team’s PII handling
Audit and Monitoring:
− Coordinates the performance of regular/annual privacy audits and manages ongoing compliance monitoring and metrics development
Some Key Insights
Through our experience working with multiple clients across various industries and geographies, we have identified the following as some of the key attributes of an effective privacy governance model.
Organization Structure
• Dedicated structure: The privacy office is part of the executive management team and provides top-down governance throughout the business units
• Cross-functional structure: The privacy office reports to executive management and has representation from various business units, which work together to provide collaborative governance. This structure has a corporate presence but is supported heavily in geographies and businesses through part-time and/or privacy liaisons
Privacy Function and Information Technology (IT)
• The privacy function is separate from, but complementary to, information security
• The privacy function is elevated above information security depending on the privacy risk posture of the organization
• The privacy office within IT is empowered to work directly with the IT operations head and compliance leader to ensure the effectiveness of privacy and data protection controls
• The privacy office within IT has easy access to the privacy liaisons within the business units
Reporting
The privacy function within IT can have different reporting relationships based on the governance structure:
• Centralized structure: Works closely with the corporate privacy office and follows its lead in implementing IT controls and data protection solutions and in ensuring compliance
• Distributed structure: Reports to the corporate privacy office but runs an autonomous program
• Hybrid structure: Has representation from corporate as well as from businesses across the geographies
Measuring Effectiveness of Privacy Governance

To measure the effectiveness of privacy governance, various metrics may be used.
Metrics provide views into the effectiveness, efficiency, and success of privacy governance and present opportunities for ongoing adjustment.

Sample Metrics
Programmatic Metrics measure the progress of various structural components of Privacy Governance:
− Remediation of privacy controls across regions and businesses
− Implementation of privacy operational processes
− Assignment of privacy liaisons
− Communication to leadership
− Publishing privacy policy, guidelines and templates
Operational Metrics measure the performance of various operational components of Privacy Governance:
− Response activities implemented
− Notification and communication activities
− Remediation activities
− Recommendations provided to executive leadership
− Response times
Compliance Metrics measure the compliance activities of the Privacy Governance:
− Self assessment and internal audit findings
− Remediation activities
− Number of contracts with privacy requirements
− Types of contracts with privacy requirements
− Contractual requirements addressing privacy
Sample Dashboards (chart placeholders): monthly count of communications from the Privacy Office, Jan through Dec; percentage of contracts with privacy requirements, shown as a trend (10%, 15%, 35%, 40%).
Final Thoughts
• Privacy is really about “data protection” and “doing the right thing”
• Emphasis should be placed on:
• Strategy
• Operations
• Technology
• Methodologies should be consistent
• Risk Centric – focuses on the type of risk / organizational risk tolerance
• Data Centric – focuses on the criticality of the data
• Process Oriented – manage the processes and not just the data
• Global Orientation
• Cultural Divisions
• Regulatory Divisions
• Operating Divisions
• One Additional Consideration
• Not everything is important; specific data attributes are. Govern and protect what is really important.
Questions
This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor.
Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.