[Privacy Webinar Slides] Changing Role of the CPO in Today's Privacy Ecosystem

Page 1

Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016

Changing Role of the CPO in Today's Privacy Ecosystem

September 22, 2016

Page 2

Today’s Speakers

• Barbara Lawler, Chief Privacy Officer, Intuit
• Hilary Wandall, General Counsel & Chief Data Governance Officer, TRUSTe
• Scott Taylor, AVP Compliance & Chief Privacy Officer, Merck & Co., Inc.

Page 3

Today’s Agenda

• Welcome & Introductions
• Evolution of the Role
• Core Responsibilities
• Making it Operational
• Addressing the EU GDPR’s DPO Requirements
• Q & A

Page 4

Evolution of the Role

Page 5

How the role has developed over more than a half century

• 1970s: First Privacy Officer positions were created in Germany
• 1991: First CPO appointed in the U.S.
• 2002: International Association of Privacy Professionals (IAPP) created
• 2003: HIPAA Privacy Officer positions required in the U.S.
• 2007: EU WD 153 - Elements and Principles for BCRs - Governance
• 2011: Designated individual required by APEC Cross-Border Privacy Rules
• 2004-2014: Data Protection Officer (DPO) roles required outside the U.S. and EU, such as Canada, Colombia, Ghana, India, Israel, Korea, Mexico, Montenegro, Philippines, Russia, Singapore, South Africa, Ukraine
• 2016: U.S. Federal Agencies required to appoint a Senior Agency Official for Privacy (SAOP)
• 2018: GDPR requires appointment of mandatory DPOs with specific statutory criteria for expertise, professional qualities, responsibilities, resourcing, independence and reporting

Page 6

Core Responsibilities

Page 7

Program Goals: Compliance. Accountability. Governance.

Driven by organizational experience, culture, resources, business aspirations

Regulatory Compliance
• Privacy notices
• Consents
• Opt-outs
• Contracts
• Security program
• Breach management and notification
• Complaint and individual rights requests handling

Accountability & Stewardship (Regulatory Compliance +)
• Management ownership
• Privacy leader or team
• Comprehensive policies
• Awareness and training
• Risk assessment
• Privacy by design
• Ongoing assurance
• Continuous improvement

Strategic Data Governance (Accountability +)
• Holistic approach
• Interoperable across jurisdictions
• Data as an asset
• Integrated with other data-driven obligations, e.g.: data security, IP & trade secrets, e-discovery, records management

Page 8

According to IAPP-EY Annual Privacy Governance Report 2016

Page 9

Privacy Framework

Demonstration
• Demonstrate capacity to internal stakeholders (Management, Internal Audit, Board)
• Demonstrate capacity to external stakeholders (Trust Agents, Regulators)
• Demonstrate capacity to individual data subjects

Effective Approach
• Commitment: solid policies aligned to external criteria; management commitment; full transparency
• Implementation: mechanisms to ensure policies and commitments are put into effect with employees
• Validation: monitoring and assurance programs that validate both coverage and effectiveness of implementation

Oversight
• Identify Risks and Opportunities
• Integrated Governance

Page 10

Intuit Confidential and Proprietary

Data Stewardship in an Evolving Digital World: Is the role of the CPO changing?

What Remains the Same
• Promoting trust online (and offline)
• Global and local tensions about appropriate and ethical collection, transfer and uses of data
• Data Stewardship Principles and FIPPs-based privacy policies
• Customer first
• Product-focused
• PbD & PIA

What’s Changed
• Enabling or driving innovation
• Promoting digital trust everywhere
• Data at the center of every discussion
• Robust analytics, machine learning, A.I.
• Platforms and distributed services
• Demonstrating (and documenting) compliance

[Diagram: Products ("Privacy in products and services") extending to Ecosystems ("Data governance and privacy across product ecosystems")]

Page 11

Making it Operational

Page 12

Putting Policies and Standards into Practice

We often hear from privacy professionals who are starting up a program, or looking to take it to the next stage, that they find it difficult to translate legal opinions and the letter of laws and regulations into effective, sustainable practices within their organizations.

1. How have you addressed this challenge in your career?
2. Are there any best practices that you would recommend?
3. Do you have any insights for SMEs?

Page 13

Addressing the GDPR’s DPO Requirements

Page 14

According to IAPP-EY Annual Privacy Governance Report 2016

Page 15

Compliance and Accountability: EU GDPR DPO Role

Controllers and Processors are Required to Appoint If:
• The organization’s core activities consist of processing on a large scale of sensitive data (e.g., health, race, ethnicity, biometric, religion) or criminal data
• The organization’s core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale
• Processing is carried out by a public authority or body
• Mandated by EU country law (e.g., Germany)

DPO Competencies
• Expertise in data protection law
• Professional qualities (e.g., leadership, communications, program management, business acumen, understanding of technology, strategic thinking, influence)

Role and Responsibilities
• Governance: employee or contractor; a single appointee for a corporate group as long as readily accessible from any location of the organization
• Transparency: DPO contact details published and communicated to DPAs
• Professional responsibility: independent decisions, reports to senior management, no conflicts, protected from dismissal, duty of confidentiality
• Training and awareness of staff
• Monitoring and assurance: advice to staff on obligations and assurance of implementation, risk assessment, consultation and monitoring on DPIAs, auditing
• Complaint handling: individuals can raise concerns and exercise rights with the DPO
• Regulatory liaison: primary contact to DPAs, cooperation with DPAs on complaints, investigations, demonstration of organizational accountability, prior consultation on DPIAs and breaches
• Organizational support and resources: organizations must ensure timely and proper involvement of the DPO in all data protection-related issues, and must provide proper resources for the DPO to fulfill responsibilities and maintain expertise

Page 16

According to IAPP-EY Annual Privacy Governance Report 2016

Page 17

Questions?

Page 18

Contacts

• Hilary Wandall [email protected]
• Scott Taylor [email protected]
• Barb Lawler [email protected]

Page 19

Details of our 2016 Summer/Fall Webinar Series are now available. Register now for our next webinar on October 21, “Building a Privacy Governance Program”.

See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.

Thank You!