Presentation 2 - International Association of Privacy Professionals

privacyassociation.org

GETTING ACCOUNTABILITY RIGHT THROUGH PRIVACY MANAGEMENT FRAMEWORKS

Getting accountability right through privacy management programs

Presented by: Robin Gould-Soil

May 10, 2012


AGENDA

1. Goal and Outcomes

2. 8 Step Process to Building a Privacy Management Framework

3. Lessons Learned

4. The End Game


PRIVACY MANAGEMENT FRAMEWORK

Goal:

• Ability to demonstrate to your company that you are compliant with privacy laws

• Ability to demonstrate to a Regulator that your company has an effective, up-to-date program in place in the event of a complaint investigation or audit

• Ensure that privacy-related obligations and risks are properly identified – Privacy by Default or Privacy by Design principles

An effective Program should:

• Identify information management practice weaknesses

• Prove good practices are working

• Demonstrate due diligence


8 STEPS TO BUILD A PRIVACY MANAGEMENT FRAMEWORK

1. Choosing the Right Person

2. Positioning Privacy properly

3. Understanding the importance of internal relations

4. Securing executive recognition and commitment

5. Assessing current privacy environment

6. Develop a privacy governance structure

7. Creation of tools and controls

8. Ongoing review and revision


CHOOSING THE RIGHT PERSON

A successful privacy leader will:

• Excel at being an effective change agent and collaborator

• See the “big picture” from an organizational perspective

• Have high energy and presence with executives

• Have excellent communication and interpersonal skills

• Show decisiveness and sound judgment

• Be a team player who respects a diversity of opinion, work styles and personalities

• Sell ideas and persuade others

• Value privacy principles

• Have the ability to understand and interpret legislation


POSITIONING PRIVACY PROPERLY

Privacy is not just a legal or compliance issue

• Understand the organization’s operations, the business model, what drives the revenue stream, and how privacy and security fit within the model.

• You need to understand the risk to the organization, as it will be different for every business.

• Position yourself and your role as a person who protects your company’s brand and doesn’t waste time and resources to get the job done. You focus on what matters to the organization.

• Embed privacy practices into existing corporate initiatives where possible

• Seek support from and involvement of management and business units across the enterprise

• Partner with other teams, groups, branches, or departments that share common interests


SECURING EXECUTIVE RECOGNITION AND COMMITMENT

• Demonstrating how it hits your bottom line and brand

• Build a privacy mission statement that aligns with your company’s goals

• Treating privacy exposures and gaps as an opportunity to enhance information protection practices and build customer trust/relationship

• Using stories or events from other companies to illustrate the good, the bad, and the ugly


ASSESSING CURRENT PRIVACY ENVIRONMENT

• Evaluate current processes, procedures and use of data; the assessment should include:

– Analysis of legal requirements

– Evaluation of existing privacy standards and practices

– Evaluation of information security practices

– Collection, use and disclosure practices

– Access practices

– Data integrity

– Data retention and destruction

– Employee knowledge and understanding

– Documented processes


PRIVACY GOVERNANCE

Include:

• Scope

• Defines reporting structure and escalation protocols

• Roles and responsibilities

• Reporting

• Change management protocols

• Ownership and Approvals

• Review process

• Timeframes

• Exception process


Controls – your tools

• Personal Information Inventory

• Policies/Procedures/Guidelines/Standards

• Risk Assessment tools

• Training and Education requirements

• Breach and incident management response

• Service Provider Management

• External Communication

• Other


ONGOING REVIEW AND REVISION

– Develop an Oversight and Review Plan

– Assess and Revise Program Controls

– Reporting and Metrics


LESSONS LEARNED

• Make Privacy a business issue and not just a compliance issue

• Align the privacy strategy with company business strategy

• Need a culture of privacy – embed privacy – rather than a silo

• Watch for emerging trends locally and globally

• Integrate training and compliance into employee job responsibilities and make it part of the annual review.

• Build relationships with all Privacy Commissioners where your business operates

• Know your position and your role – you need to be a salesperson, partner, champion, ambassador, preacher and a cop.

• Don’t try to build everything at once – Test and Learn

• Do embed privacy practices into existing corporate initiatives where possible

• Recognize that the business needs to make money, so you need to be creative in your controls, policies and standards


THE END GAME

An Effective Program will:

• Be flexible to adapt to changes in business models, technology changes, and shifts in legal and societal norms

• Make the accountability of your program operation transparent for all to see

• Provide advice, backed up by tangible, measurable results

• Integrate operations into your organization’s existing processes

• Leverage existing staff, technology and programs

• Build a strong foundation of best-in-class policies, procedures and practices that address the access, use, disclosure and disposal of business and personal information consistent with industry standards and privacy laws