[Privacy Webinar Slides] Building a Privacy Governance Program

Page 1: [Privacy Webinar Slides] Building a Privacy Governance Program

Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016

Building a Privacy Governance Program

October 21, 2016

Page 2: [Privacy Webinar Slides] Building a Privacy Governance Program

Today’s Speakers

• Eleanor Treharne-Jones (Moderator), Vice President Consulting, TRUSTe

• Michelle Fleury, Senior Director, Supply Chain Operations, Cisco

• Patrick Curry, Director, Privacy and Compliance, McKesson

Page 3: [Privacy Webinar Slides] Building a Privacy Governance Program

Today’s Agenda

• Welcome & Introductions

• Understanding the Role of Data in Corporate Strategy

• Building Data Protection Programs

• Steps for Rapid Deployment

• Q&A

Page 5: [Privacy Webinar Slides] Building a Privacy Governance Program

#DigitalBusiness Depends on #Data

Cisco’s Strategy

[Figure: The Business Model Canvas by @strategyzer]

Canvas blocks: Strategic Partners, Key Activities, Key Resources, Relationships, Distribution Channels, Customers

Data types shown: Intellectual Property, Deal Prospects, Corporate Strategy, Employee Information, Trade Secrets, Brand Strategy, Support Data, Product Roadmaps, Customer Sat Ratings, Sales Records, Pricing Details, Discount Rates

Page 6: [Privacy Webinar Slides] Building a Privacy Governance Program

180+ Years in Health Care

Page 7: [Privacy Webinar Slides] Building a Privacy Governance Program

Healthcare Trends

• Innovation

• Global Shift in Demographics: ongoing growth in 65+ years¹

• Chronic Diseases: diabetes, worldwide: 55 percent increase by 2035²

• Regulatory Change

• Value-Based Care: 2/3 of the market by 2020³

• Rise of Consumerism

• Cost Containment

• Consolidation

Patient-centered model = Health data for millions of patients

¹ 10 Projections for the Global Population in 2050, Pew Research Center, Feb. 2, 2014.

² 2014 IDF Diabetes Atlas, International Diabetes Foundation.

³ The State of Value-Based Reimbursement and the Transition from Volume to Value in 2014, McKesson Health Solutions, 2014.

Page 8: [Privacy Webinar Slides] Building a Privacy Governance Program

Strategic Considerations

Cisco’s Data Protection Program

• Customer & Market Expectations

• Competitive Differentiation

• Risk Landscape

• Legal Obligations

Page 9: [Privacy Webinar Slides] Building a Privacy Governance Program

Guiding Principles

• Involve the Business in the Program

• Manage Complexity and Ambiguity through Iteration

• Leverage Your Operational Strengths

Page 10: [Privacy Webinar Slides] Building a Privacy Governance Program

Cisco’s Data Protection Program

• Awareness and Education

• Incident Response

• Data Risk and Organizational Maturity

• Identification and Classification

• Policies and Standards

• Oversight and Enforcement

• Privacy by Design & Int’l Privacy Policy

• Security by Design & Data Loss Prevention

Page 11: [Privacy Webinar Slides] Building a Privacy Governance Program

McKesson US Pharmaceuticals Privacy Program

• Based on Federal Sentencing Guidelines/HHS OIG guidance

• GRC-based; process harnessed for privacy, IT security risk

• PHI is king: Priority to regulatory & legal obligations

• Helps coordinate multi-faceted approach

• Provides functional backdrop and process for analysis for considerations of choice, data use, consent, collection, etc.

Program elements:

• Program Governance & Resources

• Policies & Procedures

• Communications

• Training

• Monitoring

• Investigations & Response

• Enforcement, Discipline & Incentives

• Risk Assessment

Page 12: [Privacy Webinar Slides] Building a Privacy Governance Program

McKesson case example: Programmatic PIA

Program elements: Program Governance & Resources; Policies & Procedures; Awareness; Training; Monitoring; Investigation & Response; Enforcement; Risk Assessment

• Observation: risk of changes to data use without review

• “Follow the circle:”

– What structures need to be in place

– Who owns / manages the process

– What policies / procedures are needed

– Who needs to know what about the updates to the process

– How do we know the process is effective?

– What do we do if people don’t follow the rules?

Outcome: stable and documented process; general awareness of goals and changes; auditable framework

Page 13: [Privacy Webinar Slides] Building a Privacy Governance Program

Steps for Rapid Deployment of a DPP

1 Form a multi-disciplinary team, including Privacy and Security

2 Inventory your data – start with high-risk categories & PII

3 Assess your organization’s data protection maturity

4 Choose a program framework and set goals

5 Collect and connect capabilities and processes

6 Identify and prioritize most significant gaps

7 Take “agile” approach to address gaps – wise to iterate

8 Get the word out – people as important as technology

Page 14: [Privacy Webinar Slides] Building a Privacy Governance Program

Questions?

Page 15: [Privacy Webinar Slides] Building a Privacy Governance Program

Contacts

• Michelle Fleury

• Patrick Curry

• Eleanor Treharne-Jones

Page 16: [Privacy Webinar Slides] Building a Privacy Governance Program

Details of our 2016 Summer/Fall Webinar Series are now available. Register now for our next webinar on November 10 “Understanding new EU Guidance on DPIA/PIA requirements”

See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.

Thank You!