Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Building a Privacy Governance Program
October 21, 2016
Today’s Speakers
Eleanor Treharne-Jones (Moderator)
Vice President Consulting
TRUSTe
Michelle Fleury,
Senior Director, Supply Chain Operations,
Cisco
Patrick Curry,
Director, Privacy and Compliance,
McKesson
Today’s Agenda
• Welcome & Introductions
• Understanding the Role of Data in Corporate Strategy
• Building Data Protection Programs
• Steps for Rapid Deployment
• Q&A
Cisco’s Strategy
#DigitalBusiness Depends on #Data
The Business Model Canvas by @strategyzer
• Canvas blocks: Strategic Partners, Key Activities, Key Resources, Relationships, Distribution Channels, Customers
• Data shown on the canvas: Intellectual Property, Deal Prospects, Corporate Strategy, Employee Information, Trade Secrets, Brand Strategy, Support Data, Product Roadmaps, Customer Sat Ratings, Sales Records, Pricing Details, Discount Rates
180+ Years in Health Care
Healthcare Trends
• Innovation
• Global Shift in Demographics: ongoing growth in 65+ years [1]
• Chronic Diseases: diabetes worldwide, 55% increase by 2035 [2]
• Regulatory Change
• Value-Based Care: 2/3 of the market by 2020 [3]
• Rise of Consumerism
• Cost Containment
• Consolidation
Patient-centered model = Health data for millions of patients
[1] 10 Projections for the Global Population in 2050, Pew Research Center, Feb. 2, 2014.
[2] 2014 IDF Diabetes Atlas, International Diabetes Foundation.
[3] The State of Value-Based Reimbursement and the Transition from Volume to Value in 2014, McKesson Health Solutions, 2014.
Cisco’s Data Protection Program
Strategic Considerations
• Customer & Market Expectations
• Competitive Differentiation
• Risk Landscape
• Legal Obligations
Guiding Principles
• Involve the Business in the Program
• Manage Complexity and Ambiguity through Iteration
• Leverage Your Operational Strengths
Cisco’s Data Protection Program
• Awareness and Education
• Incident Response
• Data Risk and Organizational Maturity
• Identification and Classification
• Policies and Standards
• Oversight and Enforcement
• Privacy by Design & Int’l Privacy Policy
• Security by Design & Data Loss Prevention
McKesson US Pharmaceuticals Privacy Program
• Based on Federal Sentencing Guidelines/HHS OIG guidance
• GRC-based; process harnessed for privacy, IT security risk
• PHI is king: Priority to regulatory & legal obligations
• Helps coordinate multi-faceted approach
• Provides functional backdrop and process for analysis for considerations of choice, data use, consent, collection, etc.
Program Governance & Resources
Policies & Procedures
Communications
Training
Monitoring
Investigations & Response
Enforcement, Discipline & Incentives
Risk Assessment
McKesson case example: Programmatic PIA
Program Governance & Resources
Policies & Procedures
Awareness
Training
Monitoring
Investigation & Response
Enforcement
Risk Assessment
• Observation: risk of changes to data use without review
• “Follow the circle:”
– What structures need to be in place
– Who owns / manages the process
– What policies / procedures are needed
– Who needs to know what about the updates to the process
– How do we know the process is effective?
– What do we do if people don’t follow the rules?
Outcome: stable and documented process; general awareness of goals and changes; auditable framework
Steps for Rapid Deployment of a DPP
1 Form a multi-disciplinary team, including Privacy and Security
2 Inventory your data – start with high-risk categories & PII
3 Assess your organization’s data protection maturity
4 Choose a program framework and set goals
5 Collect and connect capabilities and processes
6 Identify and prioritize most significant gaps
7 Take “agile” approach to address gaps – wise to iterate
8 Get the word out – people as important as technology
Questions?
Contacts
Michelle Fleury [email protected]
Patrick Curry [email protected]
Eleanor Treharne-Jones [email protected]
Thank You!
Details of our 2016 Summer/Fall Webinar Series are now available. Register now for our next webinar on November 10, “Understanding new EU Guidance on DPIA/PIA requirements”.
See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.