Getting to Accountability: Maximizing your Privacy Management Program

IAPP Breakout Session: October 1, 2015

Copyright © 2015 by Nymity Inc. All rights reserved | WWW.NYMITY.COM

Maximizing your Privacy Management Program · A structured approach for maximizing privacy management in your organization to ensure ongoing compliance and ultimately accountability



Page 2: Session Description

• Stephen Bolinger, CIPM, CIPP/E, CIPP/G, CIPP/US, CPO, VP of Legal, TeleSign

• Constantine Karbaliotis, CIPM, CIPP/C, CIPP/E, CIPP/US, CIPT, VP of Privacy Office Solutions, Nymity

Whether you have a mature privacy program or are starting a new one, this session will help you first identify the existing resources available in your organization, and then leverage those resources to maximize your privacy management program. Gain insight into the underlying resource requirements for implementing privacy management activities and maintaining them, based on Nymity’s extensive research and innovation in privacy management and accountability.

First, you will learn how to broaden the scope of your privacy program to include implemented privacy management activities found throughout your organization which are not typically considered part of a privacy program (for example, HR policies and procedures). You will then learn an approach to building the business case to obtain additional resources to ensure a successful privacy management program. You will also learn three strategies for defining a successful program: the managed privacy strategy, the advanced privacy strategy, and the demonstrating accountability and compliance strategy, including the detailed approach for each.

What you’ll take away:

• Free tools for assessing privacy management, reporting, building a business case, building a privacy program and demonstrating accountability

• A structured approach for maximizing privacy management in your organization to ensure ongoing compliance and ultimately accountability

• Insights into real-world examples

Page 3: Agenda

• Accountability Fundamentals

• Privacy Management Status

• Privacy Management Program Strategy

• Develop a Resource-Based Plan to execute the Strategy

Page 4: Introductions

CONSTANTINE KARBALIOTIS CIPM, CIPP/C, CIPP/E, CIPP/US, CIPT

Vice President of Privacy Office Solutions – NYMITY and former CPO

STEPHEN BOLINGER CIPM, CIPP/E, CIPP/G, CIPP/US

General Counsel and CPO, TeleSign

Page 5: Building your program on Accountability

1. Present Your Privacy Management Status

o Identify current state including owners of activities

2. Present a Privacy Management Program Strategy

3. Develop a Plan to execute the Strategy

o Identify applicable privacy management activities

o Prioritize based on resources and articulate a business case for additional resources

Page 6: Accountability Defined

“an obligation or willingness to accept responsibility or to account for one's actions”
www.merriam-webster.com/dictionary/accountability

“the obligation of an individual or organization to account for its activities, accept responsibility for them, and to disclose the results in a transparent manner”
www.businessdictionary.com/definition/accountability.html

Page 7: Evolution of Accountability as a Privacy and Data Protection Principle

Timeline of milestones shown on the slide (1980, 2000, 2005, 2010, 2011, 2012, 2013, 2014, 2015):

• Guidelines on the Protection of Privacy and Transborder Flows of Personal Data

• Article 29 Data Protection Working Party Opinion 3/2010 on the Principle of Accountability

• PIPEDA Schedule 1 4.1 Principle 1: Accountability

• U.S. Federal Trade Commission Enforcement Actions

• APEC Privacy Framework

• Canada: Getting Accountability Right With a Privacy Management Program

• OECD Revised Guidelines

• Colombia: Guide for the Implementation of Accountability in Organizations

• EU: General Data Protection Regulation

• Hong Kong: Privacy Management Programme Best Practice Guide

• Australia: Privacy Management Framework

• EU: General Data Protection Regulation

Page 8: FTC – Elements of a Comprehensive Privacy Program

• FTC has stated that the Google Order is intended to “serve as a guide” to industry; the Facebook Order is similar

• Requirement to establish and maintain a comprehensive privacy program:

o Designate an employee to be responsible for the privacy program

o Identify reasonably-foreseeable, material risks

o Design and implement reasonable privacy controls and procedures

o Regularly test or monitor the effectiveness of the safeguards’ key controls and procedures

o Manage third-party risk through due diligence and contractual obligations

o Evaluate and adjust privacy program on an ongoing basis

Page 9: Europe: Accountability under the EU General Data Protection Regulation (GDPR)

• Three drafts of Regulation currently being discussed in the trilogue

• The 3 versions differ but generally include the following:

o Appointment of a data protection officer (DPO)

o Adoption of a privacy policy

o Adoption of measures to demonstrate that an organisation’s processing of personal data complies with the Regulation

o Implementation of technical and organizational methods to protect data against unauthorized or unlawful processing

o Keeping records of the processing of personal data

o Carrying out data protection impact assessments and implementing privacy by design

Page 10: Europe: Accountability under the EU GDPR (Continued)

• Accountability becomes a compliance obligation

• Article 22.1 of the Council version of the Regulation relating to the Obligations of the controller provides that:

“Taking into account the nature, scope, context and purposes of the processing as well as the likelihood and severity of risk for the rights and freedoms of individuals, the controller shall implement appropriate measures and be able to demonstrate that the processing of personal data is performed in compliance with this Regulation”.

IMPACT: A business established outside the EU will also be subject to the GDPR if the business:

1. Offers goods or services to EU residents; or

2. Monitors the behavior of EU residents

Page 11: Nymity’s Research on Accountability

Nymity breaks down the concept of Accountability into three components:

• Responsibility: The organization maintains an effective privacy management program consisting of ongoing privacy management activities.

• Ownership: An individual is answerable for the management and monitoring of privacy management activities.

• Evidence: The Privacy Office can support, with documentation, the completion of privacy management activities.

Page 12: Compliance – an Outcome of Accountability

“An accountable organization must have in place appropriate policies and procedures that promote good practices which, taken as a whole, constitute a privacy management program. The outcome is a demonstrable capacity to comply, at a minimum, with applicable privacy laws.”

The Office of the Privacy Commissioner of Canada (OPC), and the Offices of the Information and Privacy Commissioners (OIPCs) of Alberta and British Columbia

https://www.priv.gc.ca/information/guide/2012/gl_acc_201204_e.pdf

Page 13: Accountability and Compliance: The evolving privacy landscape

Shift from Compliance toward Accountability:

• Compliance (Privacy Program Outcomes): Laws and regulations; Enforcement actions; Binding Corporate Rules

• Accountability (Privacy Program Infrastructure): Responsibility; Ownership; Evidence

Page 14: Traditional Compliance Assessment Approach: Assess compliance with each requirement individually

Many Regulatory Requirements, each with its own Rules 1 to 5:

• UK Data Protection Act

• Binding Corporate Rules

• EU General Data Protection Reg.

• Hong Kong Ordinance

• Mexico Data Protection Act

Many Privacy Programs & Activities:

• PHI Policies & Procedures

• Audit and Monitoring

• Training and Awareness

• Company Policies and Procedures

• Complaints and Investigations

• Records Management

• Information Security

• Vendor Management

• Human Resources

• Legal

Page 15: ☑ Demonstrating Accountability

Page 16: Accountability Based Approach: Leverage evidence of accountability to demonstrate compliance

• Evidence of Privacy Management Activities exists throughout the organization (within the Privacy Program as well as Operations)

• Evidence is collected in a centralized repository, structured in line with the 13 Privacy Management Processes

• Evidence of Accountability is mapped to requirements, allowing the organization to Demonstrate Compliance with laws and regulations on-demand, supported by Evidence

One Accountable Privacy Program mapped to Many Regulatory Requirements, each with its own Rules 1 to 5:

• UK Data Protection Act

• Binding Corporate Rules

• EU General Data Protection Reg.

• Hong Kong Ordinance

• Mexico Data Protection Act

Page 17: Accountability Goes Above and Beyond Compliance

x = Law/regulation contains compliance requirements related to the Privacy Management Process

| Accountability: Privacy Management Processes | Compliance: BCR, UK, South Korea, Mexico (x marks as shown on the slide) |
| --- | --- |
| 1 Maintain Governance Structure | X X X X |
| 2 Maintain Personal Data Inventory | X X X X |
| 3 Maintain Data Privacy Policy | X X X X |
| 4 Embed Data Privacy into Operations | X X X X |
| 5 Maintain Training and Awareness Program | X X X |
| 6 Manage Information Security Risk | X X X X |
| 7 Manage Third-Party Risk | X X X X |
| 8 Maintain Notices | X X X X |
| 9 Maintain Procedures for Inquiries and Complaints | X X X X |
| 10 Monitor for New Operational Practices | X X |
| 11 Maintain a Data Privacy Breach Management Program | X X |
| 12 Monitor Data Handling Practices | X X |
| 13 Track External Criteria | X |


Page 19: Workbook Approach: Nymity Accountability Status Workbook

Nymity Privacy Management Accountability Framework™

Workbook columns: Privacy Management Processes and Activities | Status | Owner(s) | Resources to Implement | Resources to Maintain | Business Case | Core? (Y/N) | Description/Comment | Evidence

8. Maintain Notices: Maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance

| Activity | Status | Owner(s) | Resources / Comment | Business Case | Core? (Y/N) |
| --- | --- | --- | --- | --- | --- |
| Maintain a data privacy notice that details the organisation’s personal data handling policies | Implemented | Privacy Office | | Compliance | Y |
| Provide data privacy notice at all points where personal data is collected | Implemented | Business Units | Identify all forms and contracts that collect personal data | Compliance | Y |
| Provide notice by means of on-location signage, posters | N/A | | | | |
| Provide notice in marketing communications (e.g. emails, flyers, offers) | Implemented | Marketing | | Compliance | Y |
| Provide notice in all forms, contracts and terms | Desired | Business Units | Periodically review. Have a process for new forms. | Compliance | Y |
| Maintain scripts for use by employees to provide the data privacy notice | Desired | Privacy Office | Process update from Customer Service/Call Centre Team | Risk Management | N |
| Maintain a data privacy notice for employees (processing of employee personal data) | N/A | | | | |
| Maintain a privacy Seal or Trustmark to increase customer trust | N/A | | | | |
| Provide data privacy education to individuals (e.g. preventing identity theft) | Implemented | Business Units | | Alignment with Business Objectives | N |

Evidence column entries for this process: Privacy Notice; PIA Guidelines, Templates; Marketing Guidelines; Sample Language; Scripts; Call Centre Work Flow; Web Application Content

Page 20: Identify Status of Privacy Management Activities

• Implemented: The activity is already in place and has sufficient resources to be maintained.

• Planned: The decision has already been made, resources allocated, and action may be underway toward implementing the activity.

• Desired: The activity is applicable or relevant to the privacy program, but is not currently implemented or resourced (planned).

• N/A: Not applicable or relevant to the organization.

Pg. 12 in Accountability Paper

Page 21: Ownership for Privacy Management Activities

| Privacy Management Process | Activities Owned by the Privacy Office – Examples | Activities Owned by Operational Units – Examples |
| --- | --- | --- |
| 1. Maintain Governance Structure | Maintain a Privacy Strategy | Owner: Human Resources. Require employees to acknowledge and agree to adhere to the data privacy policies |
| 3. Maintain Data Privacy Policy | Maintain a data privacy policy | Owner: Human Resources. Maintain a separate employee data privacy policy |
| 5. Maintain Training and Awareness Program | Maintain a core training program for all employees | Owner: Customer Service. Integrate data privacy into other training programs, such as HR, security, call centre, retail operations training |
| 10. Monitor for New Operational Practices | Maintain PIA guidelines and templates | Owner: Information Technology. Conduct PIAs for new programs, systems, processes |

• Privacy Office Activities: Privacy management activities that are the responsibility of the privacy office.

• Operational Activities: Privacy management activities that are the responsibility of operational units, including Marketing, HR, IT, Legal, Procurement, Business Units, etc.

Page 22: Core and Elective Activities

• Core activities are fundamental to the organization for privacy management; they are identified by the privacy office as being mandatory

o Maintain a data privacy notice that details the organization’s personal data handling policies (PMP8): Most laws around the world contain a transparency principle and require notice to individuals; this activity is core because it is mandatory for compliance

o Maintain a core training program for all employees (PMP5): Very few laws explicitly require privacy training, but the privacy office usually deems it critical to managing the privacy risk that can arise from employees that do not understand their obligations with regard to privacy; this activity is core because it is fundamental for managing risk

• Elective activities are the activities that go above and beyond the minimum for compliance and risk management. They are the activities the organization has elected to implement to further embed privacy throughout the organization.

o Activities may be Elective because they are not directly tied to privacy compliance or risk, such as Hold an annual data privacy day/week (PMP 5), or because they are sophisticated, such as Maintain privacy program metrics (PMP 12).

Pg. 20

Page 23: Privacy Management Program Strategies

Page 24: Which Organizations Choose Which Strategy?

Which Organizations Choose a Managed Privacy Strategy?

• Low risk related to the processing of personal data (sensitivity, complexity, volume of data)

• Organizations where processing data is not the core business but more of a support or administrative function

• A new privacy program, where the Managed Privacy Strategy is a starting point

Which Organizations Choose an Advanced Privacy Strategy?

• High level of privacy risk or a culture of compliance, and a low tolerance for compliance risk

• Have had a major breach or are subject to enforcement action

• Organizations preparing for binding corporate rules, APEC CBPR, or some other optional data transfer mechanism that goes beyond compliance

• Organizations wishing to fully integrate privacy into all product and program development to manage privacy risk, or to make privacy a competitive differentiator, or to exceed client requirements

Which Organizations Choose to Demonstrate Accountability and Compliance?

Organizations that have a business need to justify the need to stand ready to demonstrate accountability:

• Abiding by the binding corporate rules to monitor compliance and make the results available to data protection authorities on demand

• Maintaining documentation for Trustmarks or accountability agents, e.g., organizations participating in the APEC Cross-Border Privacy Rules system

• Preparing to self-certify under US-EU Safe Harbor, or preparing for a third party auditability and/or compliance

• Complying with future legal requirements for demonstrating compliance, e.g. EU GDPR

• Meeting expectations of privacy and data protection regulators

• Lowering the cost of audit/independent assessment by gathering documentation and information in advance and presenting it to auditors

• Providing meaningful management reporting at various levels

Page 25: Documentation as Evidence

• The documentation to be used as evidence already exists: documentation is a by-product of implemented privacy management activities.

• You don’t create evidence just for the sake of demonstrating accountability/compliance. You just identify and log the evidence that already exists.

| Privacy Management Activities | Evidence/Documentation |
| --- | --- |
| Maintain a data privacy policy | Data Privacy Policy |
| Integrate data privacy into e-mail monitoring practices | E-mail monitoring policy and procedure |
| Measure comprehension of data privacy concepts using exams | System generated report of data privacy exam scores |
| Provide notice in all marketing communications (e.g. emails, flyers, offers) | Examples of e-mail marketing communications |

Pg. 33

Page 26: Planning: Selection and Prioritization of Activities which demonstrate Accountability

Select Activities Based on:

Compliance with Laws and Regulations

• Understanding the Law

• Understanding Expectations from Privacy and Data Protection Regulators

Privacy Risk Management

• Risk of harm to the individual data subject

• Risk of enforcement due to non-compliance or complaints

• Risk of unauthorized use of personal data

• Risk of loss to the organization

• Risk of breach due to stolen data

• Risk of misuse of personal data

• Risk of class-action lawsuit

• And others (see page 48)

Business Objectives

Align privacy management program strategy with organizational objectives such as:

• Global expansion goals

• Moving to paperless record keeping

• Mergers and acquisitions

• Competitive advantage

• Product innovation

• Cloud computing

• Others?

Prioritize Based on Resources

• Determine your resource profile

• Leverage existing resources

• Prioritize what can be supported

• Prioritize what can be maintained

Page 27: Determine your Initial Resource Profile

• Low: Part-time privacy officer

• Medium: Business and organizational support

• High: True management support and a funded privacy office

Page 28: Low Resources: Part-time Privacy Officer

Often there is a single individual for whom the role of privacy officer is a secondary role, for example, they are also the General Counsel, an HR manager, or a marketing professional. The organization can only provide the privacy officer with limited resources, possibly because:

• small organization

• organization that does not process a high volume of personal data

• privacy officer role is only part time

• organization with financial constraints

• unable to achieve senior management buy-in

• unable to attain resources from most of the operational and business units such as HR, IT, and marketing

• the privacy risk is perceived as low compared to other challenges or opportunities

Pg. 15

Page 29: Medium Resources: Business and Organizational Support

Medium resourced privacy offices have buy-in from the operational and business units. The organization may also have:

• a full time privacy officer

• a culture of compliance such as in a highly regulated industry

• processing of personal data is the organization’s core business

• experienced data breaches and management is worried about future breaches and the resulting media coverage or regulatory consequences

• contractual obligations to comply with privacy requirements

• a major project or restructuring underway which presents an opportunity to build privacy in from the outset

• in place or be pursuing cross border transfer mechanisms such as Binding Corporate Rules, US-EU Safe Harbor, or APEC Cross Border Privacy Rules

Pg. 15

Page 30: High Resources: True Management Support and a Funded Privacy Office

A highly resourced privacy office is a fully staffed privacy office and may also use external consulting or legal firms. There is true management buy-in and full support from the operational and business units, possibly in an organization:

• with a low risk tolerance or a culture of compliance

• where privacy has reached the board or executive level, and resources and responsibility are allocated

• where a major breach has taken place either at the organization or with a competitor that has brought the issue of privacy to the attention of senior leadership

• that has had an enforcement action issued by a privacy or data protection regulator

• that abides by recommendations from trusted law firm or consulting firm

Pg. 15

Page 31: Leverage Existing Resources

• Rely on privacy management activities that are already partially or fully implemented.

Example:

Human resources department is already maintaining policies and procedures for monitoring employees

Privacy office has buy-in from human resources

Therefore, it is relatively low effort to implement and maintain the activity Integrate data privacy into practices for monitoring employees (PMP 4) since the structure is already in place.

Page 18

Page 32: Prioritize What is Supported

• Support from the operational and business units is critical to the success of the program - lack of it can present an obstacle to success.

• Example:

• Maintain policies/procedures for secondary use of personal data (PMP 4) may be influenced by the privacy office but owned by an operational unit such as marketing

If the privacy office tries to implement the activity without the support of marketing, it will likely not be adopted

Even though the activity is important to protecting data, it would not be implemented effectively and would not be the best use of limited resources

• The privacy office should prioritize activities that are supported by key stakeholders.

Page 18

Page 33: Prioritize What Can Be Maintained

• Accountability is an ongoing state – not a point in time status. Implement privacy management activities that can be maintained based on the ongoing resources available.

Example:

• To implement the activity Maintain a Data Privacy Policy (PMP 3)

Initial effort requires medium resources

Policy must be socialized with key stakeholders in order to achieve buy-in and improve the chances of adoption (ultimately it should be approved by executive leadership)

Publishing or issuing the policy is just the first step

o It must then be reviewed on a periodic basis

o Not keeping it up-to-date will result in increased privacy risk

Page 18

Page 34: Identifying Resources in Your Organization

People

• Employees – full or partial headcount

• Buy in or support from Executives/Senior Management

• Other departments or groups such as Internal Audit, Compliance, ERM

• Shared Services (Info Sec, IT, Legal, Procurement)

• External Consultants/Advisors/Auditors/Service Providers

Processes

• Workflows for approval/sign-off

• Monitoring/Reviewing controls or mechanisms

• Communication/Meetings

• Training/knowledge sharing

• Escalation paths

Technology

• File/document sharing platforms

• Collaboration tools

• Information Security/Data Protection controls

• ERP Systems

• Ticketing Systems

• E-Learning System

Tools

• Compliance research subscriptions

• Subscription newsletter to stay informed

• Templates and samples

• Privacy management systems

• Privacy/Risk/Compliance Reporting Software

• PIA solutions

• Rationalized rules table generators

• Benchmarking solutions

Pg. 13

Page 35: Three Plans to Get Started (Pg. 37)

Page 36: Conclusions

• Accountability yields a capacity to meet compliance and program objectives that is inherently more flexible and powerful than ‘mere’ compliance

• Accountability is determined by what the organization prioritizes and resources – not by an external standard of ‘what ought to be’

• Accountability helps the organization by ‘getting credit’ for establishing a framework to yield the right results – even where there are individual failures, it can be demonstrated they are not systemic