Upload
truste
View
2.248
Download
0
Embed Size (px)
Citation preview
1 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Metrics for Success: Quantifying
the Value of the Privacy Function
December 8, 2016
2 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Today’s Speakers
Deidre Rodriguez
Director, Corporate Privacy Office
Anthem, Inc
Marcus Morissette
Global Privacy Officer
eBay
Kevin Trilli,
SVP Product,
TRUSTe
3 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Privacy Metrics and Dashboard
Kevin Trilli, SVP Product, TRUSTe
4 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
• Speaker Intros
• Metrics and Privacy Organization
• Categories and types of Metrics
• Building / establishing a Monitoring Program
• Challenges and Recommendations
Agenda
5 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Privacy Metrics
6 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Purposes and Categories of Metrics
Target Audience Audience Purpose
Privacy Officer /
Privacy Manager
Internal • Program development
• Organizational Management
Executives / BOD Internal • Communicate overall risk
posture
• Resource requests
Auditors /
Regulators
External • Demonstrate program
accountability and effectiveness
• Transparency
7 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
• Initial stage is strategy planning and development
– Requires selecting and planning a set of program activities
– Establish required set of resources
• On-going management
– Program and goal management
– Resource utilization
– Gaps / program maturity velocity
CPO/Privacy Manager:
Program Establishment, Evolution and Budgeting
8 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Example: Privacy Program Management
9 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
• Inbound inquiries to privacy team (tickets/advise/projects)
– % utilization
• Policies under management
–Reflective of external and internal laws, regs, policies shows scope
• Assets under management
– Data processing applications and systems
• Projects (risk assessments, PIAs, etc)
– #, state, aging, response time
– risk issues identified and remediated
• Incidents (breach, data release, reg inquiries)
– #, type and risk levels, remediation plan
• All are mapped to each BU to show status across enterprise
–Includes HR, IT and Marketing functional groups as needed
CPO/Privacy Manager: Operational Management
10 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Example: Risk Assessment and Remediation Metrics
11 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
• Privacy Program Overview / Budgeting
– Program to Goal (%)
– Overall Resource allocation
– Budget justification
• Risks
– Incidents
– Regulatory enquiries
– Related fines/investigations (vertical)
– Heat Map
Executive / BOD
12 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
• Derived from internal metrics/dashboard, but may need
sanitizing
• Have ready on-demand to demonstrate program
– Ideal: Technological system of record that can grow and aggregate
project/project
– Maintained for data integrity
• Basics:
– Database of data processing assets (#, classified by risk) with metadata
– Construction of key data transfers (EU, APEC)
– Consumer metrics (inquiries/disputes and resolution paths)
• Needs to accompanied by evidence/documentation
External Reporting
13 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Example: Asset Inventory characterized by risk
14 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Where to Start
15 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
• First socialize with stakeholders / execs
• Determine what matters most / scope
• Prioritize to get started
• Assess current capabilities
Starting a Monitoring Program
16 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
•Document your privacy program plan to get ready
–Will you need to develop emails or templates for use during monitoring
(announcement emails, SharePoint sites created, who will be responsible for
what)
–Determine where you will store data and who will have access
–Are there callouts/disclaimers that need to added to metrics?
–When will metrics be produced and by whom
–Stagger monitoring so that it will not create negative impact for the business
–Understand any reporting/monitoring that may be done in the business that will
have potential impact
–Write desktop procedure for how everything will happen A-Z
• Communicate across broader organization
Starting a Monitoring Program
17 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Beginning to Monitor
18 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
•Identify lead that will be responsible for monitoring a specific piece of
work
•Put everything on the calendar
–Date you will start sending requests to business
–Date you will analyze data
–Date that you will document findings
–Date you will review metrics
–Date that you will release metrics
–Date corrective action plans will be due
–Any ongoing follow up or re-monitoring to ensure issue has been adequately
addressed
•Keep leadership informed of roll out and any changes to program that
may impact them
Beginning to Monitor
19 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Continuing to Grow Monitoring
Program
20 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
•Continue to monitor risks and what matters most
•Identify plan to grow program
–What will be monitored next and why
–Doing it by risk is easiest to explain
–Continue to lobby for resources to expand program
•Continue to collect feedback on metrics
•Document all findings and do follow up on corrective action plans
–This enables you to show leadership the positive impact of your program (what
were you able to find and correct)
•Partner with Internal Audit
•Roll up data by quarter and produce annual metrics
Growing Monitoring Program
21 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Challenges and Takeaways
22 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
• How to do actual job but also measure and
document
• Control of data sources that feed metrics
• Dealing with aspects of privacy
management that don’t have easy metrics
Challenges
23 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Deidre Rodrigeuz [email protected]
Marcus Morissette [email protected]
Kevin Trilli [email protected]
Contacts
24 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Details of our 2017 Winter/Spring Webinar Series will be available shortly.
See http://www.truste.com/insightseries for all the 2016 Privacy Insight
Series and past webinar recordings.
Thank You!