Hong Kong Accountability Benchmarking Micro-Study Nymity Accountability Workshop 10 June 2015, Office of the PCPD, Hong Kong
Copyright © 2015 by Nymity Inc. All rights reserved | WWW.NYMITY.COM
What we will do:
• Provide background on the Study and Nymity Accountability Research that supports Benchmarking
• Discuss highlights of the Study and analysis of privacy management programs in participating organizations
• Guide you through learning how to benchmark your own privacy management program
• Learn from your experience and knowledge
Interactive Workshop
Your participation:
• Interact – share your experiences and perspectives
• Gain insight on core privacy initiatives for accountable privacy management
• Ask a lot of questions
• Help shape the future of Accountability Research and Reports
The latest insights on privacy management programme and accountability benchmarking
Practical knowledge to measure and enhance your organization’s privacy management performance by learning:
• How does my privacy management program compare to others?
• In which privacy activities have most organizations invested?
• What are the privacy management program priorities for the future?
What will you leave with?
Attendees will receive:
1. A copy of the Hong Kong Accountability Benchmarking Micro-Study Report and Workshop presentation
2. Nymity Benchmarking Worksheet Template
3. Nymity Privacy Management Program Accountability Framework
4. Hong Kong PMP Best Practice Guide
PCPD and Nymity Collaborated to Conduct Micro-Study
The PCPD has advocated and promoted the adoption of Privacy Management Programmes (PMP) in organizations as a strategic framework to protect personal data privacy
• A Best Practice Guide to facilitate organizations to embrace personal data protection and implement good practices (18 February 2014)
• Key data users in Hong Kong have pledged to implement PMP in their respective organizations
Introducing Nymity
A Data Privacy Research Company
Focus: Dedicated to global data privacy compliance research
Established: 2002
Headquarters: Toronto, Canada
Research: Inventor of several compliance methodologies & frameworks
Funding: Partially funded by government R&D grants
Solutions for the Privacy Office
Privacy Management Solutions: Nymity Attestor™, Nymity Benchmarks™, Nymity Templates™
Compliance Research Solutions: PrivaWorks®, Nymity MofoNotes®, Nymity LawTables™
Nymity is a global data privacy compliance research company specializing in accountability, risk, and compliance software solutions for the Privacy Office. Nymity’s suite of software solutions helps organizations attain, maintain, and demonstrate data privacy compliance. Nymity’s research is funded in part by government research & development grants.
Nymity Privacy Management Accountability Framework™
• Nymity views privacy management as a set of ongoing organizational privacy management activities – not a checklist
• Accountability = responsible privacy management activities
• For years, Nymity has been conducting ongoing research through workshops, implementations of privacy management solutions, creation of templates, and Nymity’s traditional research, all of which is global, jurisdiction-neutral and sector/industry-neutral
• Framework was developed to communicate the status of the privacy program, i.e. demonstrate accountability (13 processes, 152 “PMAs”)
Nymity Privacy Management Accountability Framework™
Each privacy management process contains a number of Privacy Management Activities (PMAs), each of which is supported by a Scope and Business Case. For example, the PMA “Maintain job descriptions for individuals responsible for data privacy (e.g. data protection officers)”:
BACKGROUND
Business Case: At many organizations, privacy is a new or still-undeveloped organizational function, but all organizations are critically dependent on the work of their people to achieve privacy compliance. If an organization has not clarified its privacy roles and responsibilities, it is much less likely to be successful with other tasks related to privacy compliance; e.g., if the responsibility for privacy training and awareness has not yet been assigned, the probability is high that this job is not being done adequately. Therefore, defining clear roles and responsibilities in a job description is an essential prerequisite for all privacy activities. The benefits of having specific documented role and responsibility statements include:
• Greater respect and greater resources;
• Demonstrable senior management support;
• Clarifying the privacy function and where it fits into the organizational structure;
• Development of formal communication channels with senior management that can be used to help get important projects underway;
• Proactive privacy compliance;
• Reducing costs to adequately handle privacy; and
• Legal compliance.
Scope: To help the organization meet its privacy mission statement and legal obligations around appointing data protection officers, individuals responsible for privacy have clear roles and job descriptions. Roles that may be defined include:
• Chief Privacy Officer;
• Privacy Managers;
• Data Protection Officers (DPO);
• Privacy Analysts;
• Business line privacy leaders/stewards; and
• Incident response team members.
Outside the scope of this privacy management activity is sectoral and regional salary and benefit determination.
Nymity Benchmarking Research: Participating Organizations
• 16 organizations – Pledging organizations and members of the DPOC
– All have a “Privacy Office”
– In various stages of implementing a privacy management programme
Data as of 3 September 2014
Nymity Privacy Management Benchmarking Research
16 organizations identified the status of each of the 152 Privacy Management Activities as one of:
Implemented: implemented, and either Core (fundamental to privacy management, mandatory) or Elective (advanced, beyond the minimum required).
Planned: in progress, or scheduled to be implemented in the next 12 months.
Desired: the privacy office could anticipate or wish to implement if there were no resource constraints.
N/A: not desired, required, applicable or justified based on privacy risk and business priorities.
Research Results: Privacy Management Activity Status (chart)
97 Implemented
Topics
Overview of Privacy Management
Top Implemented Privacy Management Activities
Top Desired Privacy Management Activities
The Status of Privacy Management in Relation to the PMP Best Practice
Top Implemented Activities Prioritize Compliance with PDPO
“Implemented” activities are those that are resourced, developed, maintained, and documented.
Implemented (%) | Privacy Management Activity | PDPO Section / DPP or Code
100% | Maintain a data privacy policy | DPP 5
100% | Integrate data privacy into records retention practices | DPP 2
100% | Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring) | DPP 4
100% | Provide data privacy notice at all points where personal data is collected | DPP 1; ss. 35C, 35J
100% | Maintain procedures to respond to access/correction requests | DPP 6; ss. 17A–25, 27, 28 and 29
100% | Maintain policies/procedures for collecting consent preferences | DPP 3
100% | Maintain data privacy requirements for third parties (e.g., vendors, processors, affiliates) | DPP 2, 4; s. 65
100% | Maintain procedures to restrict access to personal information (e.g. role-based access, segregation of duties) | DPP 4
100% | Maintain policies/procedures for collection and use of sensitive personal data (including biometric data) | DPP 1, 3
100% | Integrate data privacy into employee background check practices | Code of Practice on HR Management
100% | Maintain a data privacy notice for employees (processing of employee personal data) | Code of Practice on HR Management
100% | Assign accountability at a senior level | –
Top Implemented Activities cont.
Implemented (%) | Privacy Management Activity | PDPO Section / DPP or Code
93% | Maintain a separate employee data privacy policy | Code of Practice on HR Management
93% | Maintain policies/procedures for secure destruction of personal data | DPP 4
93% | Maintain procedures to address complaints | –
93% | Allocate resources to adequately implement and support the privacy program (e.g. budget, personnel) | –
93% | Maintain procedures to execute contracts or agreements with all processors | DPP 2, 4; s. 65
93% | Maintain policies/procedures for maintaining data quality | DPP 2
93% | Maintain administrative and technical measures to encrypt personal data in transmission and at rest, including removable media | DPP 4
93% | Document guiding principles for consent | DPP 3
Highest-Ranking “Desired” Privacy Management Activities
“Desired” activities are defined as those activities that the privacy office could anticipate or wish to implement if there were no resource constraints.
Top Ranked “Desired” Privacy Management Activities
The top “desired” activities that are identified as applicable to privacy management programmes span 5 key privacy management process areas within the Nymity Accountability Framework:
Privacy Management Activity | % Desired
Data Breach Privacy Management Program
Conduct periodic testing of breach protocol and document findings and changes made | 60
Monitor for New Operational Practices
Metrics for PIAs | 60
Procedures to address issues identified during PIAs | 53
Privacy by Design framework for all system and product development | 40
PIA guidelines and templates | 40
Top Ranked “Desired” Privacy Management Activities cont.
Privacy Management Activity | % Desired
Training and Awareness
Internal data privacy intranet, blog, FAQ etc. | 47
Second-level training program | 47
One-time, one-off tactical training and communication around relevant topics | 40
Deliver a privacy newsletter or incorporate privacy into existing corporate communications | 40
Manage Third Party Risk
Ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment | 53
Review long-term contracts for new or evolving data protection risks | 47
Procedures for Inquiries and Complaints
Customer frequently asked questions | 53
Metrics for data protection complaints | 47
Procedures to identify root causes for data protection complaints | 40
Top Implemented and Planned Activities
9. Maintain Procedures for Inquiries and Complaints
Ranking of Implemented “Maintain Procedures for Inquiries and Complaints” Privacy Management Activities
Status of All Organizations
Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Maintain procedures to respond to access requests | 100 | 0 | 0 | 0
2 | Maintain procedures to address complaints | 93 | 0 | 7 | 0
3 | Maintain procedures to respond to requests for information | 93 | 0 | 0 | 7
4 | Maintain procedures to respond to requests to update or revise personal data | 87 | 0 | 13 | 0
5 | Maintain procedures to respond to requests to opt-out | 86 | 0 | 7 | 7
6 | Maintain escalation procedures for serious complaints or complex access requests | 87 | 0 | 13 | 0
7 | Maintain procedures to investigate root causes of data protection complaints | 60 | 0 | 40 | 0
8 | Maintain metrics for data protection complaints (e.g. number, root cause) | 47 | 7 | 46 | 0
9 | Maintain customer Frequently Asked Questions | 33 | 0 | 54 | 13
Highlights
Targeted organizations have made significant strides in proactively embracing privacy and data protection:
• Organizational commitment
• Data inventory
• Data privacy policy and privacy notices
• Core training activities
Additional resources are desired in order to more fully develop key areas of a comprehensive privacy management programme:
• Build-out of PIA processes and procedures and PbD
• More training and awareness activities
• Managing third-party risk
Structure of the PMP Best Practice Guide
Part A – Baseline Fundamentals of a Privacy Management Programme
1. Organisational Commitments
   a. Buy-in from the Top
   b. Data Protection Office and/or Officer
   c. Reporting
2. Programme Controls
   a. Personal Data Inventory
   b. Policies
   c. Risk Assessment Tools
   d. Training and Education Requirements
   e. Breach Handling
   f. Data Processor Management
   g. Communication
Part B – Ongoing Assessment and Revision
   a. Develop an Oversight and Review Plan
   b. Assess and Revise Programme Controls
The PMP Best Practice Guide suggests three management commitments, seven programme controls, and two processes to implement an accountability framework.
PMP and Nymity Accountability Framework
The aggregated results of the Micro-Study will be discussed within each area of the PMP Best Practice Guide and compared to the actual privacy management activities identified in the Nymity Privacy Management Accountability Framework.
Part A – Baseline Fundamentals of a Privacy Management Programme
A.1 Organizational Commitment (Nymity Accountability Framework: Maintain Governance Structure)
PMP Best Practice Guide: “This first component is an internal governance structure that fosters a privacy respectful culture.”
a) Buy-in from the Top: Top management support is key to a successful privacy management programme and essential for a privacy respectful culture.
b) Data Protection Officer/Data Protection Office: Organisations should appoint or designate someone to manage the privacy management programme.
c) Reporting: Reporting mechanisms should be established, and reflected in the organisation’s programme controls.
A.1 Organizational Commitment (Nymity Accountability Framework: Maintain Governance Structure)
Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Assign accountability for data privacy at a senior level | 100 | 0 | 0 | 0
2 | Allocate resources to adequately implement and support the privacy program (e.g. budget, personnel) | 93 | 0 | 0 | 7
3 | Assign responsibility for data privacy throughout the organization | 93 | 7 | 0 | 0
4 | Require employees to acknowledge and agree to adhere to the data privacy policies | 87 | 0 | 0 | 13
5 | Conduct an Enterprise Privacy Risk Assessment | 80 | 7 | 13 | 0
6 | Maintain a privacy strategy | 80 | 7 | 13 | 0
7 | Maintain job descriptions for individuals responsible for data privacy (e.g. data protection officers) | 80 | 0 | 20 | 0
8 | Conduct regular communication between individuals accountable and responsible for data privacy | 80 | 0 | 20 | 0
9 | Maintain a privacy program charter/mission statement | 73 | 7 | 13 | 7
A.1 Organizational Commitment (Nymity Accountability Framework: Maintain Governance Structure) cont.
Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
10 | Report, on a scheduled basis, on the status of the privacy program (e.g. board of directors, management board) | 73 | 0 | 27 | 0
11 | Consult with stakeholders throughout the organization on data privacy matters | 73 | 0 | 27 | 0
12 | Integrate data privacy into a Code of Conduct | 73 | 0 | 13 | 13
13 | Maintain a strategy to align activities with legal requirements (e.g. address conflicts, differences in standards, creating rationalized rule sets) | 73 | 0 | 7 | 20
14 | Integrate data privacy into ethics guidelines | 67 | 0 | 7 | 27
15 | Integrate data privacy into business risk assessments/reporting | 60 | 0 | 27 | 13
16 | Report periodically on the status of the privacy program to external stakeholders, as appropriate (e.g. annual reports, third-parties, clients) | 33 | 0 | 20 | 47
17 | Appoint a representative in member states where the organization does not maintain a physical presence | 13 | 0 | 7 | 80
A.2 Programme Controls (Maps to Several Privacy Management Processes within the Nymity Accountability Framework)
“Programme controls form the second component of a privacy management programme. These help ensure that what is mandated in the governance structure is implemented in the organisation.”
Data as of 4 March 2015
A.2 (a) Programme Controls: Personal Data Inventory (Nymity Privacy Management Process: Maintain Personal Data Inventory)
Status of All Organizations
Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Maintain an inventory of key personal data holdings (what personal data is held and where) | 87 | 7 | 7 | 0
2 | Classify personal data holdings by type (e.g. sensitive, confidential, public) | 80 | 13 | 7 | 0
3 | Obtain approval for data processing (where prior approval is required) | 80 | 0 | 20 | –
4 | Maintain flow charts for key data flows (e.g. between systems, between processes, between countries) | 40 | 0 | 27 | 33
HK Organizations Compared to Global Organizations
A.2 (b) Programme Controls: Policies (Nymity Privacy Management Process: Maintain Data Privacy Policy)
Status of All Organizations
Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Maintain a data privacy policy | 100 | 0 | 0 | 0
2 | Maintain a separate employee data privacy policy | 93 | 0 | 0 | 7
3 | Document guiding principles for consent | 93 | 0 | 7 | 0
4 | Document legal basis for processing personal data | 73 | 0 | 13 | 13
5 | Obtain board approval for data privacy policy | 67 | 0 | 7 | 27
A.2 (c) Programme Controls: Risk Assessment
Status of All Organizations
Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Conduct a security risk assessment which considers data privacy risk | 87 | 0 | 13 | 0
2 | Conduct an Enterprise Privacy Risk Assessment | 80 | 7 | 13 | 0
3 | Conduct due diligence around the data privacy and security posture of potential vendors/processors | 73 | 0 | 20 | 7
4 | Maintain data privacy incident/breach metrics (e.g. nature of breach, risk, root cause) | 67 | 7 | 27 | 0
5 | Conduct PIAs for new programs, systems, processes | 67 | 0 | 33 | 0
6 | Integrate data privacy into business risk assessments/reporting | 60 | 0 | 27 | 13
7 | Conduct audits/assessments of the privacy program outside of the Privacy Office (e.g. Internal Audit) | 53 | 0 | 33 | 13
8 | Conduct ad-hoc walk-throughs | 53 | 0 | 40 | 7
9 | Conduct self-assessments managed by the Privacy Office | 47 | 7 | 47 | 0
10 | Maintain a Privacy by Design framework for all system and product development | 47 | 0 | 40 | 13
11 | Maintain a vendor data privacy risk assessment process | 47 | 0 | 33 | 20
12 | Review long-term contracts for new or evolving data protection risks | 40 | 0 | 47 | 13
13 | Conduct ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment | 33 | 0 | 53 | 13
14 | Conduct assessments through use of third-party verification | 20 | 0 | 33 | 47
A.2 (d) Programme Controls: Training and Education (Nymity Privacy Management Process: Maintain Training and Awareness)
Status of All Organizations
Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Maintain a core training program for all employees | 80 | 0 | 20 | 0
2 | Conduct training for newly appointed employees upon assignment to privacy-sensitive positions | 80 | 0 | 20 | 0
3 | Integrate data privacy into other training programs, such as HR, security, call centre, retail operations training | 80 | 0 | 13 | 7
4 | Provide ongoing education and training for the Privacy Office (e.g. conferences, webinars, guest speakers) | 80 | 0 | 20 | 0
5 | Conduct regular refresher training to reflect new developments | 73 | 0 | 27 | 0
6 | Measure participation in data privacy training activities (e.g. numbers of participants, scoring) | 73 | 0 | 27 | 0
7 | Maintain ongoing awareness material (e.g. posters and videos) | 67 | 0 | 27 | 7
8 | Conduct one-off, one-time tactical training and communication dealing with specific, highly-relevant issues/topics | 60 | 0 | 40 | 0
9 | Maintain a second level training program reflecting job specific content | 47 | 0 | 47 | 7
A.2 (d) Programme Controls: Training and Education (Nymity Privacy Management Process: Maintain Training and Awareness) cont.
Status of All Organizations
Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
10 | Maintain an internal data privacy intranet, privacy blog, or repository of privacy FAQs and information | 47 | 0 | 47 | 7
11 | Deliver a privacy newsletter, or incorporate privacy into existing corporate communications | 47 | 0 | 40 | 13
12 | Conduct data privacy training needs analysis by position/job responsibilities | 40 | 0 | 53 | 7
13 | Provide data privacy information on system logon screens | 27 | 0 | 47 | 27
14 | Require completion of data privacy training as part of performance reviews | 13 | 0 | 40 | 47
15 | Maintain certification for individuals responsible for data privacy, including continuing professional education | 13 | 0 | 53 | 33
16 | Hold an annual data privacy day/week | 7 | 0 | 67 | 27
17 | Measure comprehension of data privacy concepts using exams | 0 | 0 | 33 | 67
Global Statistics for Employee Training
Of the 102 countries that have omnibus privacy or data protection laws in place, only 14 require employee training
Data as of 4 March 2015
Education, Training and Awareness Activities in Organizations:
• 73% provide ongoing education and training for individuals responsible for privacy in the organization (e.g. conferences, webinars, and guest speakers)
• 70% maintain a core training program for all employees and 20% plan this for 2015
• 55% consider that certification for individuals responsible for data privacy, including continuing professional education, is a requirement of their privacy program
• 53% conduct training for newly appointed employees upon assignment to privacy-sensitive positions and 17% plan to offer and maintain such training this year
• 54% maintain an internal data privacy intranet, privacy blog, or repository of privacy FAQs and an additional 20% are planning this
• 42% maintain ongoing awareness material (e.g. posters and videos)
• 37% deliver a privacy newsletter or incorporate privacy into existing corporate communications
• 29% hold an annual data privacy day/week
A.2 (e) Programme Controls: Breach Handling (Nymity Privacy Management Process: Maintain Data Breach Management Program)
Status of All Organizations
Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Maintain a documented data privacy incident/breach response protocol | 87 | 0 | 13 | 0
2 | Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol | 87 | 0 | 13 | 0
3 | Maintain a breach incident log to track nature/type of all breaches | 80 | 7 | 13 | 0
4 | Maintain data privacy incident/breach metrics (e.g. nature of breach, risk, root cause) | 67 | 7 | 27 | 0
5 | Maintain a record preservation protocol to protect relevant log history | 40 | 0 | 27 | 33
6 | Conduct periodic testing of breach protocol and document findings and changes made | 33 | 7 | 60 | 0
7 | Engage a breach response remediation provider | 20 | 0 | 20 | 60
8 | Engage a forensic investigation team | 20 | 0 | 20 | 60
9 | Obtain data privacy breach insurance coverage | 13 | 0 | 20 | 67
A.2 (f) Programme Controls: Data Processor Management (Nymity Privacy Management Process: Manage Third Party Risk)
Status of All Organizations
Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Maintain data privacy requirements for third parties (e.g., vendors, processors, affiliates) | 100 | 0 | 0 | 0
2 | Maintain procedures to execute contracts or agreements with all processors | 93 | 0 | 0 | 7
3 | Maintain procedures to address instances of non-compliance with contracts and agreements | 73 | 0 | 27 | 0
4 | Conduct due diligence around the data privacy and security posture of potential vendors/processors | 73 | 0 | 20 | 7
5 | Maintain a vendor data privacy risk assessment process | 47 | 0 | 33 | 20
6 | Review long-term contracts for new or evolving data protection risks | 40 | 0 | 47 | 13
7 | Conduct ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment | 33 | 0 | 53 | 13
8 | Maintain a policy governing use of cloud providers | 13 | 0 | 27 | 60
A.2 (g) Programme Controls: Communication (Nymity Privacy Management Processes: Maintain Notices and Maintain Procedures for Inquiries and Complaints)
Maintain Notices
Status of All Organizations
Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Provide data privacy notice at all points where personal data is collected | 100 | 0 | 0 | 0
2 | Maintain a data privacy notice for employees | 100 | 0 | 0 | 0
3 | Maintain a data privacy notice that details the organization’s personal data handling policies | 93 | 0 | 7 | 0
4 | Provide notice in all forms, contracts and terms | 87 | 0 | 13 | 0
5 | Provide notice by means of on-location signage, posters | 74 | 0 | 13 | 13
6 | Provide notice in marketing communications (e.g. emails, flyers, offers) | 60 | 0 | 7 | 33
7 | Maintain scripts for use by employees to explain the data privacy notice | 60 | 0 | 27 | 13
8 | Provide data privacy education to individuals (e.g. preventing identity theft) | 60 | 0 | 33 | 7
9 | Maintain a privacy Seal or Trustmark to increase customer trust | 13 | 0 | 20 | 67
A.2 (g) Programme Controls: Communication cont.
Maintain Procedures for Inquiries and Complaints
Status of All Organizations
Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Maintain procedures to respond to access requests | 100 | 0 | 0 | 0
2 | Maintain procedures to address complaints | 93 | 0 | 7 | 0
3 | Maintain procedures to respond to requests for information | 93 | 0 | 0 | 7
4 | Maintain procedures to respond to requests to update or revise personal data | 87 | 0 | 13 | 0
5 | Maintain procedures to respond to requests to opt-out | 87 | 0 | 7 | 7
6 | Maintain escalation procedures for serious complaints or complex access requests | 87 | 0 | 13 | 0
7 | Maintain procedures to investigate root causes of data protection complaints | 60 | 0 | 40 | 0
8 | Maintain metrics for data protection complaints (e.g. number, root cause) | 47 | 7 | 47 | 0
9 | Maintain customer Frequently Asked Questions | 33 | 0 | 53 | 13
Part B – Ongoing Assessment and Revision
PMP Best Practice Guide:
1. Develop an Oversight and Review Plan: An oversight and review plan will help the organisation keep its privacy management programme on track and up to date.
2. Assess and Revise Programme Controls: The effectiveness of programme controls should be monitored, periodically audited, and where necessary, revised.
Develop an Oversight and Review Plan and Assess and Revise Programme Controls (Nymity Accountability Framework: Monitor Data Handling Practices)
Status of All Organizations
Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Conduct ad-hoc audits/assessments based on complaints/inquiries/breaches | 73 | 0 | 27 | 0
2 | Conduct audits/assessments of the privacy program outside of the Privacy Office (e.g. Internal Audit) | 53 | 0 | 33 | 13
3 | Conduct ad-hoc walk-throughs | 53 | 0 | 40 | 7
4 | Conduct self-assessments managed by the Privacy Office | 47 | 7 | 47 | 0
5 | Benchmark results of audits/assessments (e.g. comparison to previous audit, comparison to other business units) | 40 | 0 | 47 | 13
6 | Maintain privacy program metrics | 33 | 0 | 67 | 0
7 | Conduct assessments through use of third-party verification | 20 | 0 | 33 | 47
What did we learn? What would you like to see in the Future?
For More Information
For questions about the Study, please contact Teresa Troester-Falk at [email protected]
For more information on Nymity Benchmarks
please contact [email protected].