Data Privacy and Information Security in a Global Company
Eric G. Hansen, CIPP/CISSP [email protected]
Jeff Johnson, CIPP/CISSP [email protected]
Today, we’ll be looking at the following:
1. Compliance on a Global Scale
2. Cooperation between Data Privacy/Protection* & Information Security
3. Role of Binding Corporate Rules
4. E-Discovery & Resolving Conflicts outside the US
5. Building a Global Environment for Data Privacy and Protection
*Data Privacy and Data Protection are treated as the same thing for this presentation.
Why the two of us are here today:
Employed by Siemens AG
Operations in 190 countries
336,000 full-time employees globally
Employees & customers in all 50 US States
Operating Businesses
Energy
Healthcare
Industry
Data Protection (DP) and Information Security (ISEC) professionals
[Chart: Siemens staff (thousands), revenue (billion EUR) and major production plants by region, each with its percentage share of the company total. Regions shown: Americas; Europe (excl. Germany); Africa, Middle East, GUS; Asia-Pacific; Germany. Approx. 1,250 majority-owned companies. Only the Germany figures are unambiguously labeled in the extracted text: 51 thousand staff (19%), EUR 10.9 billion revenue (15%), 66 major production plants (16%). The other four regions carry the figures 77/19.3/91, 3/6.8/10, 59/22.8/106 and 74/12.6/126 (staff thousands / revenue EUR billion / plants), but their region labels did not survive extraction.]
Siemens is required to comply with:
EU Data Protection Directive (95/46/EC)
Germany's BDSG (Bundesdatenschutzgesetz)
Canada's & Mexico's Data Protection Laws
All US state data breach & protection laws
HIPAA/HITECH (as Covered Entity and as Business Associate)
SOA (Sarbanes-Oxley), FISMA, FCRA, PCI DSS, etc.
Data Protection laws of all countries where we do business
1. How can we hope to achieve compliance on a global scale?
Solution: Establish a global Data Protection Org.
Executive Board Member at the top
Chief Data Protection Officer reports to the Board
Central Data Protection acting as “Coaches”
Dual Regional (Cluster) and Sector (Business) based organization
Region understands local laws/regulations
Sector understands industrial rules/regs
Appoint Data Protection Advisors within larger groups
1. Why a globally dispersed Data Protection architecture works for us:
Spreads out responsibility for data protection
“Bottom” understands local requirements/laws
“Top” understands overall impact on the Company
Together, able to comply on a global scale with often conflicting requirements
Provides flexible solutions on a global scale that are adjustable at a local level
2. How do you enable cooperation between Data Protection and Information Security?
Solution: Bring both into Data Protection Org.
Most Regional/Sector Data Protection members are part of Information Security
Central Data Protection “coaches” are attorneys
Information Security understands technical requirements to protect data
Attorneys understand the legal requirements to protect data
3. How can we protect the privacy rights of international data subjects globally?
Solution: Binding Corporate Rules (BCRs)
A BCR is an intra-corporate global privacy policy that satisfies EU standards
BCRs are enforced through Inter-Company Agreements which protect data subject rights
“Binding” means everyone, everywhere
Applies to all companies and all locations
Siemens is working with Version 1 of its BCR; Version 2 has been in development/review for 2.5 years
4. How do you resolve a conflict like e-Discovery?
(The conflict: discovery requests in US litigation can demand employee or customer data that EU and German data protection law restricts from being processed or transferred outside the EU.)
Solution: Business Conduct Guidelines (Internal)
“Behavior which Abides by the Law”: “Observance of the law and the legal system is a fundamental principle of our Company. Every employee shall obey the laws and regulations of the legal systems within which they are acting. Violations of the law must be avoided under all circumstances…”
Provides internal direction to act “locally”
Information Security provides a transparent solution for e-discovery
Includes information, guidance & support to employees, globally
5. How do you really build a global environment for the protection of data?
Solutions:
Training & Education: Data Protection Organization & all employees
Certification & Accreditation: encourage Data Protection staff to pursue CIPP, CISSP, etc.
Cooperation & Collaboration: communicate expectations and reasons
Provide guidance and governance
Actively resolve conflicts
Be transparent
In Summary:
1. Compliance on a Global Scale achieved through a global Data Protection Organization
2. Information Security is an integral part of Data Protection along with Legal
3. Binding Corporate Rules provide global protection for all data subjects
4. E-Discovery conflicts can be resolved when you tell employees to abide by local laws
5. Through training, guidance and transparency, you can build a Global Environment for Data Privacy & Protection
Thank you for attending!
Questions?
Eric G. Hansen, CIPP/CISSP
Jeff Johnson, CIPP/CISSP