Hong Kong Accountability Benchmarking Micro-Study Nymity Accountability Workshop 10 June 2015, Office of the PCPD, Hong Kong

Copyright © 2015 by Nymity Inc. All rights reserved | WWW.NYMITY.COM

What we will do:

• Provide background on the Study and Nymity Accountability Research that supports Benchmarking

• Discuss highlights of the Study and analysis of privacy management programs in participating organizations

• Guide you through learning how to benchmark your own privacy management program

• Learn from your experience and knowledge

Interactive Workshop. Your participation:

• Interact – share your experiences and perspectives

• Gain insight on core privacy initiatives for accountable privacy management

• Ask a lot of questions

• Help shape the future of Accountability Research and Reports


The latest insights on privacy management programme and accountability benchmarking

Practical knowledge to measure and enhance your organization’s privacy management performance by learning:

• How does my privacy management program compare to others?

• In which privacy activities have most organizations invested?

• What are the privacy management program priorities for the future?

What will you leave with?

Attendees will receive:

1. A copy of the Hong Kong Accountability Benchmarking Micro-Study Report and the Workshop presentation

2. Nymity Benchmarking Worksheet Template

3. Nymity Privacy Management Program Accountability Framework

4. Hong Kong PMP Best Practice Guide

BACKGROUND


PCPD and Nymity Collaborated to Conduct the Micro-Study

The PCPD has advocated and promoted the adoption of Privacy Management Programmes (PMP) in organizations as a strategic framework for protecting personal data privacy:

• A Best Practice Guide to help organizations embrace personal data protection and implement good practices (18 February 2014)

• Key data users in Hong Kong have pledged to implement a PMP in their respective organizations


Introducing Nymity

A Data Privacy Research Company
Focus: Dedicated to global data privacy compliance research
Established: 2002
Headquarters: Toronto, Canada
Research: Inventor of several compliance methodologies and frameworks
Funding: Partially funded by government R&D grants

Solutions for the Privacy Office
Privacy Management Solutions: Nymity Attestor™, Nymity Benchmarks™, Nymity Templates™
Compliance Research Solutions: PrivaWorks®, Nymity MofoNotes®, Nymity LawTables™

Nymity is a global data privacy compliance research company specializing in accountability, risk, and compliance software solutions for the Privacy Office. Nymity’s suite of software solutions helps organizations attain, maintain, and demonstrate data privacy compliance. Nymity’s research is funded in part by government research and development grants.

Presentation Notes: Welcome to Nymity. Nymity is a research company. Through ongoing research, we develop tools for the privacy office. Founded in 2002, our tools and research are purely focused on global data privacy compliance. Based in Toronto, Canada, we have customers of all sizes located around the world in a wide range of industries and sectors. Nymity has also invented several compliance methodologies and frameworks, some of which we make available for free, as is the case with our latest book, downloadable at www.nymity.com. Nymity has also recently published a number of new whitepapers, available at www.nymity.com/whitepapers. All of our research is applied in the tools that we make available for the privacy office; data privacy compliance is what we do. Today, I would like to talk about our latest tools for the privacy office.


Nymity Privacy Management Accountability Framework™

• Nymity views privacy management as a set of ongoing organizational privacy management activities, not a checklist

• Accountability = responsible privacy management activities

• For years, Nymity has been conducting ongoing research through workshops, implementations of privacy management solutions, creation of templates, and Nymity’s traditional research, all of which is: global; jurisdiction-neutral; sector/industry-neutral

• The Framework was developed to communicate the status of the privacy program, i.e. to demonstrate accountability (13 processes, 152 “PMAs”)

Presentation Notes: The Privacy Management Accountability Framework (PMAF) was developed to communicate the status of the privacy program, in other words for “demonstrating accountability.” It is a comprehensive listing of over 150 Privacy Management Activities (PMAs) identified through Nymity's global data privacy accountability research. The PMAs are structured in 13 privacy management processes, and are jurisdiction and industry neutral.


Nymity Privacy Management Accountability Framework™

Each privacy management process contains a number of Privacy Management Activities (PMAs), each of which is supported by a Scope and a Business Case. For example:

Privacy Management Activity: Maintain job descriptions for individuals responsible for data privacy (e.g. data protection officers)

Scope: To help the organization meet its privacy mission statement and its legal obligations around appointing data protection officers, individuals responsible for privacy have clear roles and job descriptions. Roles that may be defined include: Chief Privacy Officer; Privacy Managers; Data Protection Officers (DPO); Privacy Analysts; business line privacy leaders/stewards; and incident response team members. Outside the scope of this privacy management activity is sectoral and regional salary and benefit determination.

Business Case: At many organizations, privacy is a new or still-undeveloped organizational function, but every organization is critically dependent on the work of its people to achieve privacy compliance. If an organization has not clarified its privacy roles and responsibilities, it is much less likely to succeed at other privacy compliance tasks; for example, if responsibility for privacy training and awareness has not been assigned, the probability is high that this job is not being done adequately. Defining clear roles and responsibilities in a job description is therefore an essential prerequisite for all privacy activities. The benefits of having documented role and responsibility statements include:
• Greater respect and greater resources;
• Demonstrable senior management support;
• Clarifying the privacy function and where it fits into the organizational structure;
• Development of formal communication channels with senior management that can be used to help get important projects underway;
• Proactive privacy compliance;
• Reduced cost of adequately handling privacy; and
• Legal compliance.

MEASURING ACCOUNTABILITY

Hong Kong Privacy Management Programme Benchmarking Research


Nymity Benchmarking Research: Participating Organizations

• 16 organizations: pledging organizations and members of the DPOC

– All have a “Privacy Office”

– In various stages of implementing a privacy management programme

Data as of 3 September 2014

Presentation Notes: Sixteen organizations fully completed the Study for the purpose of this targeted Micro-Study. Among them, 70% are Bureaux and Departments within the Hong Kong Special Administrative Region Government and the remaining 30% are in the financial, insurance, and utility sectors. Over half of the organizations have between 100 and 1000 employees. Almost 90% of the organizations have 5 or fewer people dedicated to privacy, with the majority stating that there are between 3 and 5 people in the privacy office.


Nymity Privacy Management Benchmarking Research

16 organizations identified the status of each of the 152 Privacy Management Activities as one of:

Implemented: resourced, developed, maintained and documented, and classified as either Core (fundamental to privacy management; mandatory) or Elective (advanced; beyond the minimum required).

Planned: in progress, or scheduled to be implemented in the next 12 months.

Desired: the privacy office could anticipate, or would wish to implement, if there were no resource constraints.

N/A: not desired, required, applicable or justified based on privacy risk and business priorities.

Research Results: Privacy Management Activity Status (chart): 97 Implemented


Topics

• Overview of Privacy Management

• Top Implemented Privacy Management Activities

• Top Desired Privacy Management Activities

• The Status of Privacy Management in Relation to the PMP Best Practice Guide

TOP IMPLEMENTED AND DESIRED ACTIVITIES

Overview of Privacy Management:


Top Implemented Activities Prioritize Compliance with the PDPO

“Implemented” activities are those that are resourced, developed, maintained, and documented.

Implemented (%) and Privacy Management Activity, with the PDPO Section / DPP or Code in parentheses:

100% Maintain a data privacy policy (DPP 5)

100% Integrate data privacy into records retention practices (DPP 2)

100% Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring) (DPP 4)

100% Provide data privacy notice at all points where personal data is collected (DPP 1; ss. 35C, 35J)

100% Maintain procedures to respond to access/correction requests (DPP 6; ss. 17A–25, 27, 28 and 29)

100% Maintain policies/procedures for collecting consent preferences (DPP 3)

100% Maintain data privacy requirements for third parties (e.g. vendors, processors, affiliates) (DPP 2, 4; s. 65)

100% Maintain procedures to restrict access to personal information (e.g. role-based access, segregation of duties) (DPP 4)

100% Maintain policies/procedures for collection and use of sensitive personal data (including biometric data) (DPP 1, 3)

100% Integrate data privacy into employee background check practices (Code of Practice on HR Management)

100% Maintain a data privacy notice for employees (processing of employee personal data) (Code of Practice on HR Management)

100% Assign accountability at a senior level (no specific PDPO reference)

Presentation Notes: Have participants guess what they think are the top 5 implemented (Jessica to record guesses on flip chart). Note that the list includes some that are not in the top 10. Start with the top 5, then narrow to 3 and to one. For reference: Maintain a documented data privacy incident/breach response protocol, 60%; Conduct PIAs for new programs, systems, processes, 45%; Maintain a Privacy by Design framework for all system and product development, 26%.


Top Implemented Activities cont.

Implemented (%) and Privacy Management Activity, with the PDPO Section / DPP or Code in parentheses:

93% Maintain a separate employee data privacy policy (Code of Practice on HR Management)

93% Maintain policies/procedures for secure destruction of personal data (DPP 4)

93% Maintain procedures to address complaints (no specific PDPO reference)

93% Allocate resources to adequately implement and support the privacy program (e.g. budget, personnel) (no specific PDPO reference)

93% Maintain procedures to execute contracts or agreements with all processors (DPP 2, 4; s. 65)

93% Maintain policies/procedures for maintaining data quality (DPP 2)

93% Maintain administrative and technical measures to encrypt personal data in transmission and at rest, including removable media (DPP 4)

93% Document guiding principles for consent (DPP 3)


Highest-Ranking “Desired” Privacy Management Activities

“Desired” activities are defined as those activities that the privacy office could anticipate or wish to implement if there were no resource constraints.

Presentation Notes: Introduce the top 5.


Top Ranked “Desired” Privacy Management Activities

The top “desired” activities that are identified as applicable to privacy management programmes span 5 key privacy management process areas within the Nymity Accountability Framework (Privacy Management Activity, % Desired):

Data Breach Privacy Management Program
• Conduct periodic testing of breach protocol and document findings and changes made: 60%

Monitor for New Operational Practices
• Metrics for PIAs: 60%
• Procedures to address issues identified during PIAs: 53%
• Privacy by Design framework for all system and product development: 40%
• PIA guidelines and templates: 40%

Presentation Notes: Low-hanging fruit; easy to do; responsible organizations. Given the ever-changing privacy legal landscape and the ongoing enactment of new or amended data protection and privacy laws around the world, it is not a surprise that activities associated with ‘staying current with new developments in the law’ are well resourced and highly prioritized. In fact, the top 3 most-implemented privacy management initiatives overall relate to tracking new compliance requirements, expectations, and best practices: 85% of organizations conduct ongoing research on developments in law; 82% maintain subscriptions to a compliance reporting service or law firm updates to stay informed on new developments; 81% attend or participate in privacy conferences, industry associations, or think-tank events. In addition to these top 3 activities, other privacy management initiatives related to ‘staying current on compliance requirements and best practices’ are also well resourced: 72% seek legal opinions regarding recent developments in law; 50% have either implemented or plan to implement a process to record and report on the tracking of new Rule Sources or amendments to Rule Sources; 73% provide ongoing education and training for those responsible for privacy.


Top Ranked “Desired” Privacy Management Activities cont. (Privacy Management Activity, % Desired)

Training and Awareness
• Internal data privacy intranet, blog, FAQ etc.: 47%
• Second-level training program: 47%
• One-time, one-off tactical training and communication around relevant topics: 40%
• Deliver a privacy newsletter or incorporate privacy into existing corporate communications: 40%

Manage Third Party Risk
• Ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment: 53%
• Review long-term contracts for new or evolving data protection risks: 47%

Procedures for Inquiries and Complaints
• Customer frequently asked questions: 53%
• Metrics for data protection complaints: 47%
• Procedures to identify root causes for data protection complaints: 40%

Presentation Notes: As we noted above, the top implemented activities focus on areas of legal compliance. In comparison, the top “desired” activities demonstrate the wish to expand privacy management beyond legal compliance and toward a more robust and comprehensive privacy management programme.


Top Implemented and Planned Activities


Benchmarking Exercise


Data as of 4 March 2015


9. Maintain Procedures for Inquiries and Complaints

Presentation Notes: Activity: Benchmark “Maintain Governance Structure”


9. Maintain Procedures for Inquiries and Complaints

Ranking of Implemented “Maintain Procedures for Inquiries and Complaints” Privacy Management Activities, Status of All Organizations (values are Implemented % / Planned % / Desired % / N/A %):

1. Maintain procedures to respond to access requests: 100 / 0 / 0 / 0

2. Maintain procedures to address complaints: 93 / 0 / 7 / 0

3. Maintain procedures to respond to requests for information: 93 / 0 / 0 / 7

4. Maintain procedures to respond to requests to update or revise personal data: 87 / 0 / 13 / 0

5. Maintain procedures to respond to requests to opt-out: 86 / 0 / 7 / 7

6. Maintain escalation procedures for serious complaints or complex access requests: 87 / 0 / 13 / 0

7. Maintain procedures to investigate root causes of data protection complaints: 60 / 0 / 40 / 0

8. Maintain metrics for data protection complaints (e.g. number, root cause): 47 / 7 / 46 / 0

9. Maintain customer Frequently Asked Questions: 33 / 0 / 54 / 13

Presentation Notes: The Nymity Accountability Framework identifies 9 privacy management activities associated with the process “Maintain Procedures for Inquiries and Complaints.” Each activity correlates to the maintenance of effective procedures for interactions with individuals. Many privacy and data protection laws around the world include legal requirements to address complaints, respond to access requests, and correct the personal data that an organization holds about an individual if it needs to be updated or revised. Some of the top implemented activities in privacy management programs within organizations relate to this area.

The Status of Privacy Management in Relation to the PMP Best Practice Guide


Highlights

Targeted organizations have made significant strides in proactively embracing privacy and data protection:

• Organizational commitment

• Data inventory

• Data privacy policy and privacy notices

• Core training activities

Additional resources are desired in order to more fully develop key areas of a comprehensive privacy management programme:

• Build-out of PIA processes and procedures, and Privacy by Design

• More training and awareness activities

• Managing third-party risk


Structure of the PMP Best Practice Guide

Part A – Baseline Fundamentals of a Privacy Management Programme

1. Organisational Commitments
   a. Buy-in from the Top
   b. Data Protection Office and/or Officer
   c. Reporting

2. Programme Controls
   a. Personal Data Inventory
   b. Policies
   c. Risk Assessment Tools
   d. Training and Education Requirements
   e. Breach Handling
   f. Data Processor Management
   g. Communication

Part B – Ongoing Assessment and Revision
   a. Develop an oversight and review plan
   b. Assess and Revise Programme Controls

The PMP Best Practice Guide suggests three management commitments, seven programme controls, and two processes to implement an accountability framework.

Presentation Notes: Have the group guess the top 3 (Jessica to keep track on flip chart); narrow to the top 1. NOTE: there are some on the list that are not in the top 10. Use Binding Corporate Rules as a Data Transfer Mechanism: 7% implemented, 7% planned. Obtain data privacy breach insurance: 35% implemented, 6% planned, 36% N/A.


PMP and Nymity Accountability Framework

The aggregated results of the Micro-Study will be discussed within each area of the PMP Best Practice Guide and compared to the actual privacy management activities identified in the Nymity Privacy Management Accountability Framework.

Presentation Notes: Introduce the top 5. Important note: the Accountability Framework includes 13 security-related activities within the privacy management process entitled “Manage Information Security Risk.” Several of these activities rank among the top most implemented activities. This was expected, as responsible organizations had been addressing personal data security long before implementing a privacy management program. We have removed these activities from our analysis in order to highlight privacy management excluding the information security program. Of the remaining activities, the top 20 implemented overall represent a diverse array of privacy management activity throughout the organization:


Part A – Baseline Fundamentals of a Privacy Management Programme. A.1 Organizational Commitment (Nymity Accountability Framework: Maintain Governance Structure)

“This first component is an internal governance structure that fosters a privacy respectful culture.” (PMP Best Practice Guide)

a) Buy-in from the Top: Top management support is key to a successful privacy management programme and essential for a privacy respectful culture.

b) Data Protection Officer/Data Protection Office: Organisations should appoint or designate someone to manage the privacy management programme.

c) Reporting: Reporting mechanisms should be established, and reflected in the organisation’s programme controls.


A.1 Organizational Commitment (Nymity Accountability Framework: Maintain Governance Structure)

Rank and Privacy Management Activity (values are Implemented % / Planned % / Desired % / N/A %):

1. Assign accountability for data privacy at a senior level: 100 / 0 / 0 / 0

2. Allocate resources to adequately implement and support the privacy program (e.g. budget, personnel): 93 / 0 / 0 / 7

3. Assign responsibility for data privacy throughout the organization: 93 / 7 / 0 / 0

4. Require employees to acknowledge and agree to adhere to the data privacy policies: 87 / 0 / 0 / 13

5. Conduct an Enterprise Privacy Risk Assessment: 80 / 7 / 13 / 0

6. Maintain a privacy strategy: 80 / 7 / 13 / 0

7. Maintain job descriptions for individuals responsible for data privacy (e.g. data protection officers): 80 / 0 / 20 / 0

8. Conduct regular communication between individuals accountable and responsible for data privacy: 80 / 0 / 20 / 0

9. Maintain a privacy program charter/mission statement: 73 / 7 / 13 / 7

Presentation Notes: The results in this area demonstrate that the participating organizations maintain high levels of organizational commitment. It is particularly notable that 100% of organizations have “buy-in from the top” (accountability for data privacy is assigned at a senior level) and almost all organizations have resources allocated to adequately implement the privacy programme.


A.1 Organizational Commitment (Nymity Accountability Framework: Maintain Governance Structure) cont.

Rank and Privacy Management Activity (values are Implemented % / Planned % / Desired % / N/A %):

10. Report, on a scheduled basis, on the status of the privacy program (e.g. board of directors, management board): 73 / 0 / 27 / 0

11. Consult with stakeholders throughout the organization on data privacy matters: 73 / 0 / 27 / 0

12. Integrate data privacy into a Code of Conduct: 73 / 0 / 13 / 13

13. Maintain a strategy to align activities with legal requirements (e.g. address conflicts, differences in standards, creating rationalized rule sets): 73 / 0 / 7 / 20

14. Integrate data privacy into ethics guidelines: 67 / 0 / 7 / 27

15. Integrate data privacy into business risk assessments/reporting: 60 / 0 / 27 / 13

16. Report periodically on the status of the privacy program to external stakeholders, as appropriate (e.g. annual reports, third parties, clients): 33 / 0 / 20 / 47

17. Appoint a representative in member states where the organization does not maintain a physical presence: 13 / 0 / 7 / 80


A. 2. Programme Controls (Maps to Several Privacy Management Processes within the Nymity Accountability Framework)

“Programme controls form the second component of a privacy management programme. These help ensure that what is mandated in the governance structure is implemented in the organisation.”

Data as of 4 March 2015


A. 2. Programme Controls (Maps to Several Privacy Management Processes within the Nymity Accountability Framework) cont.

Data as of 4 March 2015


A.2 (a) Programme Controls: Personal Data Inventory (Nymity Privacy Management Process: Maintain Personal Data Inventory)

Status of All Organizations. Rank and Privacy Management Activity (values are Implemented % / Planned % / Desired % / N/A %):

1. Maintain an inventory of key personal data holdings (what personal data is held and where): 87 / 7 / 7 / 0

2. Classify personal data holdings by type (e.g. sensitive, confidential, public): 80 / 13 / 7 / 0

3. Obtain approval for data processing (where prior approval is required): 80 / 0 / 20 (N/A figure not given on the slide)

4. Maintain flow charts for key data flows (e.g. between systems, between processes, between countries): 40 / 0 / 27 / 33


HK Organizations Compared to Global Organizations


A.2 (b) Programme Controls: Policies (Nymity Privacy Management Process: Maintain Data Privacy Policy)

Status of All Organizations. Rank and Privacy Management Activity (values are Implemented % / Planned % / Desired % / N/A %):

1. Maintain a data privacy policy: 100 / 0 / 0 / 0

2. Maintain a separate employee data privacy policy: 93 / 0 / 0 / 7

3. Document guiding principles for consent: 93 / 0 / 7 / 0

4. Document legal basis for processing personal data: 73 / 0 / 13 / 13

5. Obtain board approval for data privacy policy: 67 / 0 / 7 / 27

Presentation Notes: As noted in the previous section, activities such as creating a data privacy policy are legal compliance requirements within the PDPO. These activities are well resourced within participating organizations.


A.2 (c) Programme Controls: Risk Assessment

Status of All Organizations. Rank and Privacy Management Activity (values are Implemented % / Planned % / Desired % / N/A %):

1. Conduct a security risk assessment which considers data privacy risk: 87 / 0 / 13 / 0

2. Conduct an Enterprise Privacy Risk Assessment: 80 / 7 / 13 / 0

3. Conduct due diligence around the data privacy and security posture of potential vendors/processors: 73 / 0 / 20 / 7

4. Maintain data privacy incident/breach metrics (e.g. nature of breach, risk, root cause): 67 / 7 / 27 / 0

5. Conduct PIAs for new programs, systems, processes: 67 / 0 / 33 / 0

6. Integrate data privacy into business risk assessments/reporting: 60 / 0 / 27 / 13

7. Conduct audits/assessments of the privacy program outside of the Privacy Office (e.g. Internal Audit): 53 / 0 / 33 / 13

8. Conduct ad-hoc walk-throughs: 53 / 0 / 40 / 7

9. Conduct self-assessments managed by the Privacy Office: 47 / 7 / 47 / 0

10. Maintain a Privacy by Design framework for all system and product development: 47 / 0 / 40 / 13

11. Maintain a vendor data privacy risk assessment process: 47 / 0 / 33 / 20

12. Review long-term contracts for new or evolving data protection risks: 40 / 0 / 47 / 13

13. Conduct ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment: 33 / 0 / 53 / 13

14. Conduct assessments through use of third-party verification: 20 / 0 / 33 / 47

Presentation Notes: The PMP Best Practice Guide identifies risk assessment tools as a fundamental component of a privacy management programme. Among the privacy community, there is a great deal of interest in understanding how organizations assess privacy risk. Our ongoing research has analyzed this area, and the Nymity Accountability Framework identifies, scopes, and tracks 14 different privacy management activities across several privacy management processes (see list in the sidebar). Of the 14 privacy management activities, on average organizations have implemented 5 and plan 2. The statistics above show that the participating organizations in this Micro-Study have already dedicated significant resources to specific risk assessment activities, based on the high implementation rates in key risk areas such as “security risk assessment”, “enterprise privacy risk assessment”, “privacy due diligence of potential vendors and processors”, and “privacy incident/breach metrics”. The high rates of “desired” activities suggest that many more risk activities (such as self-assessments by the Privacy Office or maintaining Privacy by Design frameworks) would be implemented if not for resource constraints. 3 activities are prioritized for 2015.


A.2 (d) Programme Controls: Training and Education (Nymity Privacy Management Process: Maintain Training and Awareness)

Status of All Organizations. Rank and Privacy Management Activity (values are Implemented % / Planned % / Desired % / N/A %):

1. Maintain a core training program for all employees: 80 / 0 / 20 / 0

2. Conduct training for newly appointed employees upon assignment to privacy-sensitive positions: 80 / 0 / 20 / 0

3. Integrate data privacy into other training programs, such as HR, security, call centre, retail operations training: 80 / 0 / 13 / 7

4. Provide ongoing education and training for the Privacy Office (e.g. conferences, webinars, guest speakers): 80 / 0 / 20 / 0

5. Conduct regular refresher training to reflect new developments: 73 / 0 / 27 / 0

6. Measure participation in data privacy training activities (e.g. numbers of participants, scoring): 73 / 0 / 27 / 0

7. Maintain ongoing awareness material (e.g. posters and videos): 67 / 0 / 27 / 7

8. Conduct one-off, one-time tactical training and communication dealing with specific, highly relevant issues/topics: 60 / 0 / 40 / 0

9. Maintain a second-level training program reflecting job-specific content: 47 / 0 / 47 / 7

Presentation Notes: The PMP Best Practice Guide identifies training and privacy education as fundamental to a privacy management programme. The Nymity Accountability Framework identifies 17 privacy management activities to provide ongoing training and awareness to promote compliance with the data privacy policy and to mitigate operational risks. The PDPO does not require employee training or education, but it is a guiding principle within the PMP Best Practice Guide. This is an area in which it is clear that the participating organizations have gone well beyond legal requirements and are implementing best practice guidance. As noted in the previous section, several of the activities in this process area are also among the highest “desired” for implementation.

Copyright © 2015 by Nymity Inc. All rights reserved | WWW.NYMITY.COM

A. 2 (d) Programme Controls: Training and Education (Nymity Privacy Management Process: Maintain Training and Awareness)

Status of All Organizations

Rank Privacy Management Activity Implemented (%) Planned (%) Desired (%) N/A (%)

10 Maintain an internal data privacy intranet, privacy blog, or repository of privacy FAQs and information

47 0 47 7

11 Deliver a privacy newsletter, or incorporate privacy into existing corporate communications

47 0 40 13

12 Conduct data privacy training needs analysis by position/job responsibilities

40 0 53 7

13 Provide data privacy information on system logon screens 27 0 47 27

14 Require completion of data privacy training as part of performance reviews

13 0 40 47

15 Maintain certification for individuals responsible for data privacy, including continuing professional education

13 0 53 33

16 Hold an annual data privacy day/week 7 0 67 27

17 Measure comprehension of data privacy concepts using exams

0 0 33 67

Presenter
Presentation Notes
The PMP Best Practice Guide identifies training and privacy education as fundamental to a privacy management programme. The Nymity Accountability Framework identifies 17 privacy management activities to provide ongoing training and awareness to promote compliance with the data privacy policy and to mitigate operational risks. The PDPO does not require employee training or education but it is a guiding principle within the PMP Best Practice Guide. This is an area in which it is clear that the participating organizations have gone well beyond legal requirements and are implementing best practice guidance. As noted in the previous section, several of the activities in this process area are also among the highest “desired” for implementation.


Global Statistics for Employee Training

Of the 102 countries that have omnibus privacy or data protection laws in place, only 14 require employee training

Data as of 4 March 2015

Education and Training Activities in Organizations:

• 73% provide ongoing education and training for individuals responsible for privacy in the organization (e.g. conferences, webinars, and guest speakers)

• 70% maintain a core training program for all employees and 20% plan this for 2015

• 55% consider that certification for individuals responsible for data privacy, including continuing professional education, is a requirement of their privacy program

• 53% conduct training for newly appointed employees upon assignment to privacy-sensitive positions and 17% plan to offer and maintain such training this year

Awareness Activities in Organizations:

• 54% maintain an internal data privacy intranet, privacy blog, or repository of privacy FAQs and an additional 20% are planning this

• 42% maintain ongoing awareness material (e.g. posters and videos)

• 37% deliver a privacy newsletter or incorporate privacy into existing corporate communications

• 29% hold an annual data privacy day/week

Presentation Notes
It is also interesting to note that of the 102 countries that have omnibus privacy or data protection laws in place, only 14 require employee training: Australia, Belgium, Canada, Colombia, Germany, Japan, Kosovo, Mexico, Norway, Russia, Singapore, Slovakia, Spain, and South Korea. In a previous Nymity Accountability Benchmarking Study (referenced above), we noted that despite the low threshold for legal requirements, this is an area in which organizations go above and beyond compliance requirements. Not only do most organizations provide training, but there are also many implemented activities related to general privacy awareness.


A. 2 (e) Programme Controls: Breach Handling (Nymity Privacy Management Process: Maintain Data Breach Management Program)

Status of All Organizations

| Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%) |
|---|---|---|---|---|---|
| 1 | Maintain a documented data privacy incident/breach response protocol | 87 | 0 | 13 | 0 |
| 2 | Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol | 87 | 0 | 13 | 0 |
| 3 | Maintain a breach incident log to track nature/type of all breaches | 80 | 7 | 13 | 0 |
| 4 | Maintain data privacy incident/breach metrics (e.g. nature of breach, risk, root cause) | 67 | 7 | 27 | 0 |
| 5 | Maintain a record preservation protocol to protect relevant log history | 40 | 0 | 27 | 33 |
| 6 | Conduct periodic testing of breach protocol and document findings and changes made | 33 | 7 | 60 | 0 |
| 7 | Engage a breach response remediation provider | 20 | 0 | 20 | 60 |
| 8 | Engage a forensic investigation team | 20 | 0 | 20 | 60 |
| 9 | Obtain data privacy breach insurance coverage | 13 | 0 | 20 | 67 |

Presentation Notes
We note again that the PDPO does not legally require activities in this area. The high implementation rates of key privacy management activities such as documenting data privacy incident/breach response protocols demonstrate strong efforts to comply with the PMP Best Practice Guide.


A. 2 (f) Programme Controls: Data Processor Management (Nymity Privacy Management Process: Manage Third Party Risk)

Status of All Organizations

| Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%) |
|---|---|---|---|---|---|
| 1 | Maintain data privacy requirements for third parties (e.g., vendors, processors, affiliates) | 100 | 0 | 0 | 0 |
| 2 | Maintain procedures to execute contracts or agreements with all processors | 93 | 0 | 0 | 7 |
| 3 | Maintain procedures to address instances of non-compliance with contracts and agreements | 73 | 0 | 27 | 0 |
| 4 | Conduct due diligence around the data privacy and security posture of potential vendors/processors | 73 | 0 | 20 | 7 |
| 5 | Maintain a vendor data privacy risk assessment process | 47 | 0 | 33 | 20 |
| 6 | Review long-term contracts for new or evolving data protection risks | 40 | 0 | 47 | 13 |
| 7 | Conduct ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment | 33 | 0 | 53 | 13 |
| 8 | Maintain a policy governing use of cloud providers | 13 | 0 | 27 | 60 |

Presentation Notes
We note again that the PDPO does not legally require activities in this area. The high implementation rates of key privacy management activities such as documenting data privacy incident/breach response protocols demonstrate strong efforts to comply with the PMP Best Practice Guide.


A. 2 (g) Programme Controls: Communication (Nymity Privacy Management Processes: Maintain Notices and Maintain Procedures for Inquiries and Complaints)

Maintain Notices

Status of All Organizations

| Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%) |
|---|---|---|---|---|---|
| 1 | Provide data privacy notice at all points where personal data is collected | 100 | 0 | 0 | 0 |
| 2 | Maintain a data privacy notice for employees | 100 | 0 | 0 | 0 |
| 3 | Maintain a data privacy notice that details the organization’s personal data handling policies | 93 | 0 | 7 | 0 |
| 4 | Provide notice in all forms, contracts and terms | 87 | 0 | 13 | 0 |
| 5 | Provide notice by means of on-location signage, posters | 74 | 0 | 13 | 13 |
| 6 | Provide notice in marketing communications (e.g. emails, flyers, offers) | 60 | 0 | 7 | 33 |
| 7 | Maintain scripts for use by employees to explain the data privacy notice | 60 | 0 | 27 | 13 |
| 8 | Provide data privacy education to individuals (e.g. preventing identity theft) | 60 | 0 | 33 | 7 |
| 9 | Maintain a privacy Seal or Trustmark to increase customer trust | 13 | 0 | 20 | 67 |

Presentation Notes
The PMP identifies that organizations should take all practical steps to ensure employees and customers can ascertain their personal data policies and practices. The Nymity Accountability Framework identifies many procedures associated with this objective and they fall within two key areas: “maintain notices” and “maintain procedures for inquiries and complaints”. As highlighted by the status percentages below, many of these activities are among the top-implemented by participating organizations.

Maintain Notices

The following table ranks the 9 privacy management activities to “maintain notices” to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance. On average, participating organizations implement 6 of these activities.


A. 2 (g) Programme Controls: Communication cont.

Maintain Procedures for Inquiries and Complaints

Status of All Organizations

| Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%) |
|---|---|---|---|---|---|
| 1 | Maintain procedures to respond to access requests | 100 | 0 | 0 | 0 |
| 2 | Maintain procedures to address complaints | 93 | 0 | 7 | 0 |
| 3 | Maintain procedures to respond to requests for information | 93 | 0 | 0 | 7 |
| 4 | Maintain procedures to respond to requests to update or revise personal data | 87 | 0 | 13 | 0 |
| 5 | Maintain procedures to respond to requests to opt-out | 87 | 0 | 7 | 7 |
| 6 | Maintain escalation procedures for serious complaints or complex access requests | 87 | 0 | 13 | 0 |
| 7 | Maintain procedures to investigate root causes of data protection complaints | 60 | 0 | 40 | 0 |
| 8 | Maintain metrics for data protection complaints (e.g. number, root cause) | 47 | 7 | 47 | 0 |
| 9 | Maintain customer Frequently Asked Questions | 33 | 0 | 53 | 13 |

Presentation Notes
As noted in the first section of this Report, several of the top implemented activities identified in these privacy management process areas correspond to legal compliance obligations of the PDPO. However, many other privacy management activities that are benchmarked demonstrate that the targeted organizations are investing in activities that go beyond legal compliance (e.g. developing scripts for use by employees, creating escalation procedures for serious complaints, and procedures to investigate root causes of data protection complaints), thus creating a more extensive and robust privacy management programme.


Part B – Ongoing Assessment and Revision

PMP Best Practice Guide | Nymity Accountability Framework

1. Develop an Oversight and Review Plan: An oversight and review plan will help the organisation keep its privacy management programme on track and up to date.

1. Assess and Revise Programme Controls: The effectiveness of programme controls should be monitored, periodically audited, and where necessary, revised.

Presentation Notes
Part B of the PMP Best Practice Guide outlines the basic tasks involved in the maintenance of a privacy management programme to ensure ongoing effectiveness, compliance, and accountability. In order to properly protect personal data and meet legal obligations, organizations should monitor, assess, and revise their framework to ensure it remains relevant and effective. The activities described in this section compare to the activities identified within privacy management process 12 of the Nymity Accountability Framework: Monitor Data Handling Practices.


Develop an Oversight and Review Plan and Assess and Revise Programme Controls (Nymity Accountability Framework: Monitor Data Handling Practices)

Status of All Organizations

| Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%) |
|---|---|---|---|---|---|
| 1 | Conduct ad-hoc audits/assessments based on complaints/inquiries/breaches | 73 | 0 | 27 | 0 |
| 2 | Conduct audits/assessments of the privacy program outside of the Privacy Office (e.g. Internal Audit) | 53 | 0 | 33 | 13 |
| 3 | Conduct ad-hoc walk-throughs | 53 | 0 | 40 | 7 |
| 4 | Conduct self-assessments managed by the Privacy Office | 47 | 7 | 47 | 0 |
| 5 | Benchmark results of audits/assessments (e.g. comparison to previous audit, comparison to other business units) | 40 | 0 | 47 | 13 |
| 6 | Maintain privacy program metrics | 33 | 0 | 67 | 0 |
| 7 | Conduct assessments through use of third-party verification | 20 | 0 | 33 | 47 |

Presentation Notes
The Nymity Accountability Framework tracks 7 privacy management activities to verify operational practices comply with the data privacy policy and operational policies and procedures. Several privacy management activities in this process area are highly “desired” and may require additional resources to implement.

QUESTIONS, COMMENTS AND FUTURE ACCOUNTABILITY RESEARCH

Wrap-Up


What did we learn? What would you like to see in the Future?

Presentation Notes
Privacy Management Activity Analytics

• Risk Assessment Activity

• BCR Activity

• Safe Harbor Activity

• Audience/Stakeholders: Board of Directors; Data Subjects (includes both customers and employees); DPAs/Regulators; Operational Units; Privacy Community; Privacy Office; Third Parties

• Risk Mitigation Activity: All risks; Excessive Collection; Inappropriate Use; Inaccurate/Outdated Data; Lost or Stolen Data; Unauthorized Transfer; Organizational Risk (non-compliance or cost); Inability to Demonstrate Accountability

Note: Italics categories above are the CIPL risk categories. Contact Nymity for more information.

Organization Analytics

• Industry - Sector

• Organization Size

• Location

• Privacy Office

• In Safe Harbor (can’t do BCR due to BCR being approved prior to full implementation)

• Multinationals

What is missing?


For More Information

For questions about the Study, please contact Teresa Troester-Falk at [email protected]

For more information on Nymity Benchmarks, please contact [email protected].