Copyright © 2015 by Nymity Inc. All rights reserved | WWW.NYMITY.COM
Getting to Accountability Maximizing Your Privacy Management Program
Agenda
• Introductions
• Accountability Fundamentals
• Privacy Management Status
• Privacy Management Program Strategy
• Develop a Resource-Based Plan to execute the Strategy
Workshop Takeaways
Getting to Accountability: Maximize the effectiveness of your privacy management program
Learn how to:
1. Present Your Privacy Management Status: identify the current state, including owners of activities
2. Select a Privacy Management Program Strategy
3. Develop a Plan to execute the Strategy: identify applicable privacy management activities; prioritize based on resources and articulate a business case for additional resources
Workshop Materials
Accountability Workbook and Framework
• Document the Status of Privacy Management
• Define Required Resources
• Record the Business Case for Additional Resources
• Demonstrate Accountability
Accountability Paper
• Privacy Program Strategy
• Define Components of Privacy Program Strategy
• Prioritized Program Implementation
Feedback Form
• How can we help you?
• How can we improve the workshop?
Introductions
Facilitator: TERESA TROESTER FALK, Chief Global Privacy Strategist – NYMITY, and former Associate General Counsel (Privacy), Information Services
Participants – please introduce yourself:
• Name
• Company
• Role
• Size of company
• Industry/Sector
• How many years of experience in privacy?
• Size of privacy office
• How would you characterize your program (just getting started, average, mature, other)?
Introducing Nymity
A Data Privacy Research Company
Focus: Dedicated to global data privacy compliance research
Established: 2002
Headquarters: Toronto, Canada
Research: Inventor of several compliance methodologies & frameworks
Funding: Partially funded by government R&D grants
Software Solutions for the Privacy Office
Privacy Management Solutions: Nymity Attestor™, Nymity Benchmarks™, Nymity Templates™
Compliance Research Solutions: Nymity Research™, Nymity LawTables™, Nymity MofoNotes
Nymity is a global data privacy compliance research company specializing in accountability, risk, and compliance software solutions for the Privacy Office. Nymity’s suite of software solutions helps organizations attain, maintain, and demonstrate data privacy compliance.
Module Objective
• Learn about the evolution of accountability in the context of privacy and data protection
• Understand the current global discussion on accountability, why it is important, and how it applies to you
• See how compliance can be an outcome of accountability
• Learn how Nymity helps put accountability theory, discussion and guidelines into practice
[Timeline slide: the evolution of accountability in privacy and data protection, 1980 to 2015 (years marked: 1980, 2000, 2005, 2010, 2011, 2012, 2013, 2014, 2015). Milestones shown:]
• Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
• Article 29 Data Protection Working Party Opinion 3/2010 on the Principle of Accountability
• PIPEDA Schedule 1, 4.1, Principle 1: Accountability
• U.S. Federal Trade Commission Enforcement Actions
• APEC Privacy Framework
• Canada: Getting Accountability Right With a Privacy Management Program
• OECD Revised Guidelines
• Colombia: Guide for the Implementation of Accountability in Organizations
• EU: General Data Protection Regulation
• Hong Kong: Privacy Management Programme Best Practice Guide
• Australia: Privacy Management Framework
07/09/2015 Data Privacy Asia 2015: Your Business Imperative - 25 – 27 August 2015
Asia Pacific Privacy Authorities: Accountability includes a Privacy Management Program
Requirement on data controllers to:
• Implement a privacy management program
• Demonstrate, on-demand, the privacy management program to regulators or other accountability agents
Accountability Today – Best Practice Guidelines (Canada, Hong Kong, Colombia)
Part A – Baseline Fundamentals of a Privacy Management Programme
1. Organisational Commitments
a. Buy-in from the Top
b. Data Protection Office and/or Officer
c. Reporting
2. Programme Controls
a. Personal Data Inventory
b. Policies
c. Risk Assessment Tools
d. Training and Education Requirements
e. Breach Handling
f. Data Processor Management
g. Communication
Part B – Ongoing Assessment and Revision
a. Develop an oversight and review plan
b. Assess and Revise Programme Controls
Nymity’s Research on Accountability
☑ Demonstrating Accountability
Nymity breaks down the concept of Accountability into three components:
• Responsibility: The organization maintains an effective privacy management program consisting of ongoing privacy management activities.
• Ownership: An individual is answerable for the management and monitoring of privacy management activities.
• Evidence: The Privacy Office can support, with documentation, the completion of privacy management activities.
Responsibility
The organization maintains an effective privacy management program consisting of ongoing privacy management activities.
Privacy management activities are procedures, policies, systems, measures and other mechanisms impacting the processing of personal data.
Ownership
An individual is answerable for the management and monitoring of the Privacy Management Activities.
Privacy Office Activities (privacy officer responsibilities): Privacy Management Activities that are the responsibility of the privacy office.
Operational Activities (privacy officer influences/observes): Privacy Management Activities that are the responsibility of operational units, including Marketing, HR, IT, Legal, Procurement, and Product Development.
Evidence
Documentation is a by-product of Privacy Management Activities.
Privacy Management Activity | Evidence/Documentation | Source/Role | Formal/Informal
Maintain a data privacy policy | Data Privacy Policy | Produced by privacy office | Formal
Integrate data privacy into e-mail monitoring practices | E-mail monitoring policy and procedure | Influenced by privacy office; produced by Information Technology | Formal
Measure comprehension of data privacy concepts using exams | System generated report of data privacy exam scores | Collected by privacy office; produced by Human Resources | Informal
Provide notice in all marketing communications (e.g. emails, flyers, offers) | Examples of e-mail marketing communications | Influenced by privacy office; produced by Marketing | Informal
Compliance is an Accountability Outcome
“A privacy management programme serves as a strategic framework to assist an organization in building a robust privacy infrastructure supported by an effective on-going review and monitoring process to facilitate compliance.” Privacy Management Programme: A Best Practice Guide – Hong Kong – Office of the Privacy Commissioner for Personal Data, Hong Kong http://www.pcpd.org.hk/english/publications/files/PMP_guide_e.pdf
Accountability and Compliance: The Evolving Privacy Landscape
[Diagram: shift toward Accountability, away from Compliance alone]
Compliance – Privacy Program Outcomes:
• Laws and regulations
• Enforcement actions
• Binding Corporate Rules
Accountability – Privacy Program Infrastructure:
• Responsibility
• Ownership
• Evidence
Traditional Compliance Assessment Approach
Assess compliance with each requirement individually
[Diagram: Many Regulatory Requirements mapped, one by one, to Many Privacy Programs & Activities]
Regulatory requirements shown (each with Rule 1 to Rule 5):
• Hong Kong – Personal Data (Privacy) Ordinance
• Macau – Personal Data Protection Act 8/2005
• Malaysia – Personal Data Protection Act 2010
• Singapore – Personal Data Protection Act 2012
• South Korea – Personal Information Protection Act
Privacy programs & activities shown:
• PHI Policies & Procedures
• Audit and Monitoring
• Training and Awareness
• Company Policies and Procedures
• Complaints and Investigations
• Records Management
• Information Security
• Vendor Management
• Human Resources
• Legal
Rationalized Rules/Requirements Approach
Identify common elements and address outliers
[Diagram: Many Regulatory Requirements mapped to One Rationalized Rule Set]
Regulatory requirements shown (each with Rule 1 to Rule 5):
• Hong Kong – Personal Data (Privacy) Ordinance
• Macau – Personal Data Protection Act 8/2005
• Malaysia – Personal Data Protection Act 2010
• Singapore – Personal Data Protection Act 2012
• South Korea – Personal Information Protection Act
Outliers addressed separately:
• Macau – registration requirement
• Hong Kong – direct marketing provisions
• South Korea – Breach Notification
Rationalized Rule Set: Rule A, Rule B, Rule C, Rule D, Rule E
Accountability goes above and beyond compliance
Accountability: Nymity Privacy Management Processes | Compliance: Malaysia – Personal Data Protection Act, 2010; Hong Kong – Personal Data (Privacy) Ordinance; Singapore – Personal Data Protection Act, 2012
x = Law/regulation contains compliance requirements related to the Privacy Management Process
1 Maintain Governance Structure x x
2 Maintain Personal Data Inventory
3 Maintain Data Privacy Policy x x x
4 Embed Data Privacy into Operations x x x
5 Maintain Training and Awareness Program x
6 Manage Information Security Risk x x x
7 Manage Third-Party Risk x x x
8 Maintain Notices x x x
9 Maintain Procedures for Inquiries and Complaints x x x
10 Monitor for New Operational Practices
11 Maintain a Data Privacy Breach Management Program
12 Monitor Data Handling Practices x
13 Track External Criteria
The Nymity Approach to Accountability
Accountability Based Approach: Leverage EVIDENCE of Accountability to DEMONSTRATE Compliance
[Diagram: One Accountable Privacy Program mapped to Many Regulatory Requirements, each with Rule 1 to Rule 5: Hong Kong – Personal Data (Privacy) Ordinance; Macau – Personal Data Protection Act 8/2005; Malaysia – Personal Data Protection Act 2010; Singapore – Personal Data Protection Act 2012; South Korea – Personal Information Protection Act]
• Evidence of Privacy Management Activities exists throughout the organization (within the Privacy Program as well as Operations)
• Evidence is collected in a centralized repository, structured in line with the 13 Privacy Management Processes
• Evidence of Accountability is mapped to requirements, allowing the organization to Demonstrate Compliance with laws and regulations on-demand, supported by Evidence
Initial Status – Baselining Privacy Management
1. Identify the status of privacy management activities
2. Identify and record owners
Identify Status of Privacy Management (Pg. 12)
Implemented: The activity is already in place and has sufficient resources to be maintained.
Planned: The decision has already been made, resources allocated, and action may be underway toward implementing the activity.
Desired: The activity is applicable or relevant to the privacy program, but is not currently implemented or resourced (planned).
N/A: Not applicable or relevant to the organization.
Identify Owners of Privacy Management Activities
Privacy Office Activities (privacy officer responsibilities): Privacy Management Activities that are the responsibility of the privacy office.
Operational Activities (privacy officer influences/observes): Privacy Management Activities that are the responsibility of operational units, including Marketing, HR, IT, Legal, Procurement, and Product Development.
Examples of Privacy Management Activities
Privacy Office Activities (privacy officer responsibilities), examples:
• maintain a data privacy policy
• maintain core training for all employees
• maintain a data privacy notice that details the organization’s personal data handling policies
• consult with stakeholders throughout the organization on privacy matters
Operational Activities (privacy officer influences/observes), examples:
• maintain an information security policy
• maintain technical security measures (e.g. intrusion detection, firewalls, monitoring)
• maintain data privacy requirements for third parties
• integrate data privacy into practices for monitoring employees
Workbook Exercise – Initial Status
My Experience – Maintain Training and Awareness Program
My Experience – Maintain Training and Awareness Program (cont.)
My Experience – “Maintain Notices”
Workbook Exercise – You Do It!
You will have 10 minutes to complete this exercise.
Please refer to the Accountability Workbook Instructions.
Nymity Benchmark Study research
Ranking of Implemented "Maintain Notices" Privacy Management Activities
Status of All Organizations (data as of 4 March 2015)
Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Maintain a data privacy notice that details the organization’s personal data handling policies | 79.77% | 8.99% | 7.87% | 3.37%
2 | Provide data privacy notice at all points where personal data is collected | 66.29% | 8.99% | 19.1% | 5.62%
3 | Provide notice in all forms, contracts and terms | 58.89% | 7.78% | 17.78% | 15.56%
4 | Provide notice in marketing communications (e.g. emails, flyers, offers) | 56.67% | 8.89% | 14.44% | 20%
5 | Maintain a data privacy notice for employees (processing of employee personal data) | 47.19% | 13.48% | 28.09% | 11.24%
6 | Provide data privacy education to individuals (e.g. preventing identity theft) | 42.23% | 7.78% | 36.67% | 13.33%
7 | Provide notice by means of on-location signage, posters | 38.88% | 4.44% | 14.44% | 42.22%
8 | Maintain scripts for use by employees to explain the data privacy notice | 26.67% | 7.78% | 42.22% | 23.33%
How do you compare?
Review
Getting to Accountability: Maximize the effectiveness of your privacy management program
You will be able to definitively:
1. Present Your Privacy Management Status: identify the current state, including owners of activities
2. Select a Privacy Management Program Strategy
3. Develop a Plan to execute the Strategy: identify required privacy management activities; prioritize based on resources and articulate a business case for additional resources
PRIVACY MANAGEMENT PROGRAM STRATEGIES
Privacy Management Strategies (Pg. 19)
Module objectives:
• Understand three distinct privacy management strategies
• Learn about the kinds of organizations that choose each strategy
• Select the one that best suits your organization
Privacy Management Program Strategies
Core Activities (Pg. 20)
Core activities are fundamental to the organization for privacy management; they are identified by the privacy office as being mandatory.
Core Activities Vary from One Organization to the Next
• Industry/sector
• Jurisdiction
• Size of organization
• Nature of processing
• Type of personal data
• Organizational risk appetite
Examples of Core Privacy Management Activities
Core activity related to compliance:
• Maintain a data privacy notice that details the organization’s personal data handling policies (PMP 8)
• Most laws around the world contain a transparency principle and require notice to individuals.
Core activity related to managing risk:
• Maintain a core training program for all employees (PMP 5)
• Very few laws explicitly require privacy training, but the privacy office usually deems it critical to managing the privacy risk that can arise from employees who do not understand their obligations with regard to privacy.
Elective Privacy Management Activities
Elective activities are the activities that go beyond the minimum for compliance and risk management. They are the activities the organization has elected to implement to further embed privacy throughout the organization.
Activities may be Elective (non-Core) because they are not directly tied to privacy compliance or risk, such as Hold an annual data privacy day/week (PMP 5), or because they are sophisticated, such as Maintain privacy program metrics (PMP 12).
Core vs. Elective Activities
The following table provides examples of Core and Elective activities that are typical for selected industries/sectors – Page 31
1. Managed Privacy Strategy (Pg. 19)
Seeks to achieve and maintain the level of accountability that meets but does not exceed the minimum requirements necessary to maintain privacy management activities that are fundamental to the organization and are identified by the privacy office as being mandatory.
Which organizations choose the Managed Privacy Strategy?
• Organizations with low risk related to the processing of personal data (sensitivity, complexity, volume of data)
• Organizations where processing data is not the core business but more of a support or administrative function
• Organizations with a new privacy program, where the Managed Privacy Strategy is a starting point
2. Advanced Privacy Management Strategy
• Builds on the Managed Privacy Strategy
• Goes beyond the minimum to also incorporate additional privacy management activities throughout the organization (Elective Activities)
Which Organizations Choose the Advanced Privacy Strategy?
• Organizations with a high level of privacy risk
• Organizations with a culture of compliance and a low tolerance for compliance risk
• Organizations that have had a major breach or are subject to enforcement action
• Organizations seeking to fully integrate privacy into all product and program development to manage privacy risk
• Organizations seeking to make privacy a competitive differentiator or to exceed client requirements
• Organizations preparing for binding corporate rules, APEC CBPR, or some other optional data transfer mechanism that goes beyond compliance
3. Demonstrate Accountability and Compliance Strategy
Demonstrating accountability: Being able to provide on-demand reporting on the status and/or ongoing maintenance of privacy management activities, supported by evidence.
Demonstrating compliance: Being able to contextualize evidence to rules of law.
Documentation as Evidence (Pg. 33)
The documentation to be used as evidence already exists:
• Documentation is a by-product of implemented privacy management activities.
• You don’t create evidence just for the sake of demonstrating accountability/compliance. You just identify and log the evidence that already exists.
Privacy Management Activity | Evidence/Documentation
Maintain a data privacy policy | Data Privacy Policy
Integrate data privacy into e-mail monitoring practices | E-mail monitoring policy and procedure
Measure comprehension of data privacy concepts using exams | System generated report of data privacy exam scores
Provide notice in all marketing communications (e.g. emails, flyers, offers) | Examples of e-mail marketing communications
Demonstrate Accountability using the Accountability Status Workbook
Populate the Evidence column in the Accountability Status Workbook with all available documentation to show that the activity is in place and maintained.
Workbook columns: Privacy Management Activity | Status | Owner(s) | Core (Y/N) | Resources to Implement | Resources to Maintain | Business Case | Description/Comment | Evidence
Example row:
• Privacy Management Activity: Assign accountability for data privacy at a senior level (PMP 1)
• Status: Implemented
• Owner(s): Privacy Office
• Core (Y/N): Yes
• Resources to Implement / Maintain: % FTE for Chief Privacy Officer Role
• Business Case: Ensure effectiveness of the privacy management program
• Description/Comment: The Privacy Officer is John Smith, who is at a VP level and reports through the Chief Compliance Officer
• Evidence: CPO Job Description; Org Charts; Privacy Policy
Which organizations choose this strategy? (Pg. 32)
Organizations that have a business need to justify standing ready to demonstrate accountability and/or compliance, including:
• Preparing for a regulatory investigation
• Complying with future legal requirements for demonstrating compliance, e.g. EU GDPR
• Abiding by binding corporate rules to monitor compliance and make the results available to data protection authorities on demand
• Meeting expectations of privacy and data protection regulators
• Preparing to self-certify under EU-US Safe Harbor, or preparing for a third-party audit
• Lowering the cost of independent assessment by gathering documentation and information in advance and presenting it to auditors
• Maintaining documentation for Trustmarks or accountability agents, e.g. organizations participating in the APEC Cross-Border Privacy Rules system
• Desiring a competitive differentiator, e.g. outsourcing and data processing providers
• Providing meaningful management reporting at various levels
• Demonstrating that they lead by example
Choose a Strategy
Business Case by strategy:
Managed: Compliance and Risk Management
Advanced: Protect brand reputation; Build culture of privacy; Privacy as a competitive differentiator; Further reduce privacy risk; Prepare for future compliance requirements; Regulator activity; External press coverage
Demonstrate Accountability and Compliance: BCR; Safe Harbor; GDPR; CBPR; Prepare for Inspections; Management Reporting; Audit
Review
You will be able to definitively:
1. Present Your Privacy Management Status: identify the current state, including owners of activities
2. Select a Privacy Management Program Strategy
3. Develop a Plan to execute the Strategy: identify required privacy management activities; prioritize based on resources and articulate a business case for additional resources
DEVELOP A PLAN TO EXECUTE THE STRATEGY
Module Objective
• Learn how to plan and execute your selected Strategy: select Privacy Management Activities (PMAs) and prioritize
• Learn how to build a business case for more resources
• Learn about which activities other organizations implemented first and what they are focused on now
Developing Your Plan
Select activities based on:
• Legal, compliance and regulatory obligations
• Privacy risk
• Business objectives
Prioritize activities based on your Resource Profile:
• Identify your resource profile
• Leverage existing resources
• Prioritize what can be supported
• Prioritize what can be maintained
Select based on Legal, Compliance and Regulatory Requirements (Page 16)
• Understanding expectations from privacy and data protection regulators
• Understanding the law
Select based on Risk (Page 18)
• Risk of harm to the individual data subject
• Risk of enforcement due to non-compliance or complaints
• Risk of unauthorized use of personal data
• Risk of loss to the organization
• Risk of breach due to stolen data
• Risk of misuse of personal data
• Risk of class-action lawsuit
• And others (see page 48)
Which of these is most important to the organization?
Select based on Business Objectives (Page 18)
Align the privacy management program strategy with organizational objectives such as:
• Global expansion goals
• Moving to paperless record keeping
• Mergers and acquisitions
• Competitive advantage
• Product innovation
• Cloud computing
• Others?
Common Core Privacy Management Activities (Page 23)
Workbook Exercise – Selecting Privacy Management Activities
My Experience – “Maintain Notices”
My Experience – “Maintain Training and Awareness Program”
My Experience – “Maintain Training and Awareness Program” (cont.)
Workbook Exercise – You Do It!
Determine which PMAs are Core in your workbook and identify a business case for your Core desired activities.
Identify which activities are Core and which are Elective (Pg. 20):
• Core – Fundamental to privacy management; they are identified by the privacy office as being mandatory.
• Elective – Activities that are not core, but are applicable to the organization. Elective activities go above and beyond the minimum for compliance and risk management.
Identify the Business Case (Pg. 27):
• For PMAs that are desired (resources have not been allocated), note the business case. For example, compliance with laws and regulations, managing risk, alignment with organizational objectives, or implementing best practices.
Revisit “Desired” activities: if there is no business case, the activity is N/A.
Note: Some of you may want to change your previous selections based on your new understanding of Core.
You will have 30 minutes to complete this exercise.
Review
Getting to Accountability: Maximize the effectiveness of your privacy management program
You will be able to definitively:
1. Present Your Privacy Management Status: identify the current state, including owners of activities
2. Select a Privacy Management Program Strategy
3. Develop a Plan to execute the Strategy: identify applicable privacy management activities; prioritize based on resources and articulate a business case for additional resources
Prioritize Based on Resources (Page 18)
I. Determine your resource profile
II. Leverage existing resources
III. Prioritize what can be supported
IV. Prioritize what can be maintained
Identifying Resources in Your Organization (Pg. 13)
People:
• Employees – full or partial headcount
• Buy-in or support from Executives/Senior Management
• Other departments or groups such as Internal Audit, Compliance, ERM
• Shared Services (Info Sec, IT, Legal, Procurement)
• External Consultants/Advisors/Auditors/Service Providers
Processes:
• Workflows for approval/sign-off
• Monitoring/Reviewing controls or mechanisms
• Communication/Meetings
• Training/knowledge sharing
• Escalation paths
Technology:
• File/document sharing platforms
• Collaboration tools
• Information Security/Data Protection controls
• ERP Systems
• Ticketing Systems
• E-Learning System
Tools:
• Compliance research subscriptions
• Subscription newsletter to stay informed
• Templates and samples
• Privacy management systems
• Privacy/Risk/Compliance Reporting Software
• PIA solutions
• Rationalized rules table generators
• Benchmarking solutions
II. Leverage Existing Resources (Page 18)
Rely on privacy management activities that are already partially or fully implemented.
Example:
• The Human Resources department is already maintaining policies and procedures for monitoring employees
• The privacy office has buy-in from Human Resources
• Therefore, it is relatively low effort to implement and maintain the activity Integrate data privacy into practices for monitoring employees (PMP 4), since the structure is already in place.
Copyright © 2015 by Nymity Inc. All rights reserved | WWW.NYMITY.COM
III. Prioritize What Can Be Supported
Support from the operational and business units is critical to the success of the
program; lack of it is an obstacle to success.
Example:
• “Maintain policies/procedures for secondary use of personal data” (PMP 4)
may be influenced by the privacy office but is owned by an operational unit such
as marketing
– If the privacy office tries to implement the activity without the support of
marketing, it will likely not be adopted
– Even though the activity is important to protecting data, it would not be
implemented effectively and would not be the best use of limited
resources
The privacy office should prioritize activities that are supported by key stakeholders.
Page 18
IV. Prioritize What Can Be Maintained
Accountability is an ongoing state – not a point in time status. Implement
privacy management activities that can be maintained based on the ongoing
resources available.
Example:
To implement the activity “Maintain a Data Privacy Policy” (PMP 3):
– The initial effort requires medium resources
– The policy must be socialized with key stakeholders in order to achieve buy-in
and improve the chances of adoption (ultimately it should be approved by
executive leadership)
– Publishing or issuing the policy is just the first step
• It must then be reviewed on a periodic basis
• Not keeping it up to date will result in increased privacy risk
Page 18
Workbook Exercise – Identify Resources
My Experience – “Maintain Notices”
Workbook Exercise – Identify Resources
My Experience – Maintain Training and Awareness Program
You Do It
Columns F and G: Identify the resources required to implement the privacy management activity, and the resources required to maintain it. Resources generally fall into the categories of people, processes, technology and tools, e.g. organizational support or buy-in, existing processes or technologies, privacy management tools.
(Resource categories: see the People / Processes / Technology / Tools list under “Identifying Resources in Your Organization”, Pg. 13.)
Wrap-Up
Questions, Comments and Future Accountability Research
Recap
You will be able to:
1. Present Your Privacy Management Status: identify the current state, including owners of activities
2. Present a Privacy Management Program Strategy
3. Develop a Plan to execute the Strategy: identify applicable privacy management activities; prioritize based on resources and articulate a business case for additional resources
Copyright © 2015 by Nymity Inc. All rights reserved. All text, images, logos, trademarks and information contained in this document are the intellectual property of Nymity Inc. unless otherwise indicated. Reproduction, modification, transmission, use or quotation of any content, including text, images, photographs etc., requires the prior written permission of Nymity Inc., 366 Bay Street, Suite 1200, Toronto, Ontario, Canada M5H 4B2.
Please feel free to contact us with any questions or comments concerning this workshop at [email protected].
Thank You!
Please take a moment to fill out the feedback forms.
If you wish to learn more about Nymity products or wish to receive a free Benchmark report, please fill out the Demo Request Form.