Don’t Start from Scratch! Leverage Your Compliance Programme to Deliver Privacy Compliance



• Designing a flexible privacy program (Stuart Muir, Dell Inc.)

• Addressing regulatory complexity by applying existing standards (Stefan Weiss, Swiss Re)

• Discussion and your involvement

DON'T START FROM SCRATCH!

April 25, 2013, 03:30 – 04:30 PM


DESIGNING A FLEXIBLE PRIVACY PROGRAM

Stuart Muir, Global Legal & Compliance Manager, Dell Inc.

WHAT IS A COMPREHENSIVE PRIVACY PROGRAMME?

• A Structured Approach

• Demystifying Privacy Management

• Providing a Framework

• Allows for Proactive Management

• Demonstrable


Assess + Protect + Sustain + Respond

COMPLIANCE BY DESIGN (CbD)

• Based on Privacy by Design, the governance model is about organizations taking responsibility & holding themselves accountable, building protections into their products & services design work streams.

• We use this model across the compliance portfolio to provide effective governance & controls to ensure we meet these responsibilities.

• We leverage the framework to strategically ‘Move the Needle’ to the highest maturity level for each component of our programme.


THE PRIVACY TEAM

• Dale Skivington, Global Compliance & Chief Privacy Officer

• Privacy Managers: a global team aligned to meet the compliance & privacy challenges worldwide for our developing businesses

• Operational Compliance Team

• Global Marketing Data Quality, Governance & Marketing Privacy Managers

• Regional Legal DP Counsel

ACCOUNTABILITY

• Chief Privacy Officer

• Data Protection & Management Council (DPMC)

• Director, Knowledge Assurance

• Data Management Stewards: Commercial, Financial Services, Domain Solutions, Finance, HR, IT, Legal, Marketing, Services, Software, Supply Chain Ops

• Business & Function Leadership: Chief Ethics & Compliance Officer, Regional Business Leaders, Chief Information Security Officer, Chief Security Officer, Global Audit & Transformation, Legal Representation, Corporate Communications, Business Controls Mgmt.

PRIVACY MATURITY MODEL

Level 1, Ad Hoc: processes not documented; in a state of dynamic change; tending to be driven in an ad hoc, uncontrolled, or reactive manner.

Level 2, Initial: repeatable, possibly with consistent results; lacks rigorous process discipline; minimal documentation; processes executed regularly but infrequently, & difficult to standardize.

Level 3, Formal: defined & documented standard procedures; subject to some degree of improvement over time; consistency across the organization.

Level 4, Validated: steps taken to formally approve & validate the effectiveness of the processes; formal processes subject to the approval of senior management, or subject to independent assessment or audit.

Level 5, Monitored: processes monitored using formal measures & procedures; changes made to maintain effectiveness over time; may involve in-process monitoring or frequent assessment or audit.

Programme components at each level (1 Ad hoc, 2 Initial, 3 Formal, 4 Validated, 5 Monitored):

Policy: (1) none written; (2) limited distribution & understanding; (3) formal but may be inconsistent; (4) globally consistent & enforceable; (5) reviewed & updated as per business.

Governance: (1) none established; (2) discrete, informal, & limited; (3) corporate oversight & exec level; (4) management involvement at all levels; (5) scorecard reporting & rectification.

Risk Management: (1) incomplete & inconsistent; (2) risk assessment, not management; (3) risk assessment & management; (4) cross-functional, executive validation; (5) embedded component of ERM.

Procedures & Controls: (1) none written; (2) limited coverage; (3) consistent & global; (4) subject to self-assessment & audit; (5) exception reporting & resolution.

3rd Party Management: (1) no standards; (2) some standards, may be inconsistent; (3) consistent, cross-functional coordination; (4) proactive monitoring & self-assessment; (5) independent external audit.

Compliance & Monitoring: (1) none established; (2) informal & limited; (3) audit-driven, remedial actions endorsed; (4) analytics technology, cross-functional; (5) accountability-driven, extends beyond enterprise.

Incident Management: (1) ad hoc & inconsistent; (2) some consistency, little analysis; (3) root cause analysis, global standards; (4) issue tracking technology in place; (5) effectiveness & efficiency metrics.

Training & Awareness: (1) none; (2) general, infrequent, single media; (3) custom-tailored, recurring, multi-media; (4) role-specific awareness, including 3rd parties; (5) enterprise-wide awareness.

‘MOVING THE NEEDLE’ WITH GAPP

• Based on the Generally Accepted Privacy Principles (GAPP) of the AICPA/CICA

• Project delivery momentum drives PMM (privacy maturity model) maturity transparently

PRIVACY IMPACT ASSESSMENT

• Assess privacy risk: PIAs anticipate likely issues & determine solutions before a design is complete.

• They help avoid inadequate solutions that not only can prove very costly to remediate, but can have serious implications for both the customer & the company.

• An on-line questionnaire is used, embedded within our Secure Systems Development Life Cycle (SSDLC).

• Our Data Protection & Privacy Review Process works to ensure design flaws are identified & remediated during the development phases of projects where the collection, use & disclosure of personal information is planned.

METRICS & TRENDING

[Chart: rectifications per process, broken down by GAPP area (3rd Party, Access, Accuracy, Notice & Choice, Purpose Limitation, Security, Transfer); vertical axis from 0 to 12.]

IN SUMMARY

• Engage & develop a supportive organization – you are the enterprise

• Management of your programme, demonstrating commitment & accountability – consistent execution

• Getting your arms around your organization - embedding privacy & raising awareness


ADDRESSING REGULATORY COMPLEXITY

Stefan Weiss, Global Data Protection Officer, Swiss Re

What are adequate data protection safeguards?

Let's think about a risk-based approach …

Factors determining adequacy:

• Nature of the data

• Potential harm to individual

• Risk

• Current technology available

• Standards, best practices

• Costs

PROPORTIONALITY

[Figure: Data, Business Applications, Safeguards]

RISK-BASED APPROACH

Risk factors, with a short description of each:

1. Business context: inherent data protection risk to the business unit and the involved data processes; potential risk impact of strategic changes

2. People: management's awareness of data protection risks, sufficiency of resources and know-how

3. External environment: local regulations, regulatory changes and actions, fines, press coverage on other companies

4. Control environment: existence (maturity) and effectiveness of the compliance control environment

5. Issues, losses, incidents: experienced control failures, breaches, and fines by data protection authorities

RISK-ASSESSING THE BUSINESS

[Figure: a two-by-two matrix plotting regulatory attention (low to high) against strength of safeguards (low to high).]

DATA CATEGORIES

• Personal data

• Sensitive personal data

• Confidential business data

• Internal or public business data

APPLICATION CATEGORIES

• Other business applications

• Financial reporting relevant applications

• Personal data processing applications

• Sensitive personal data applications

• Confidential/restricted data processing applications

SAFEGUARDS

Approach with global standards or principles; add local, sector, or risk-specific requirements as needed.

• A global programme requires you to set up a principles-based approach

• We have used these principles because they cover about 80% in an 80/20 approach, or …

• … you can use the ISO/IEC 29100 Privacy Principles

DATA PROTECTION AND PRIVACY PRINCIPLES

• Accountability

• Purpose Specification

• Limiting Use, Disclosure and Retention

• Security Safeguards

• Individual Access

• Notice and Consent

• Collection Limitation

• Data Accuracy

• Openness

• Awareness

ISO/IEC 29100 PRINCIPLES

1. Consent and choice

2. Purpose legitimacy and specification

3. Collection limitation

4. Data minimization

5. Use, retention and disclosure limitation

6. Accuracy and quality

7. Openness, transparency and notice

8. Individual participation and access

9. Accountability

10. Information security

11. Privacy compliance

ISO/IEC 29100 CONTROL STANDARDS

• The standard lists control standards that address each principle

• These control standards can be used for your global data protection policy; they

– cover 80% of what you need to do

– ask for local specifications where needed

ESSENTIALS THAT MATTER

• Focus on the data protection risks in your business

• Use existing standards and best practices

• Apply the 80/20 approach rather than focusing only on a few detailed requirements in low risk environments

DISCUSSION: Building a comprehensive privacy programme

APPENDIX

ISO/IEC 29100:2011 – Privacy framework

The following control standards are only examples and partial quotes from the standard document.

For the complete text, please go to the ISO store and purchase the standard for your own use: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=45123


ISO/IEC 29100 CONTROL STANDARDS

Example "Consent and choice"

• providing PII principals with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice and to give consent in relation to the processing of their PII at the time of collection, first use or as soon as practicable thereafter; and

• implementing the PII principal’s preferences as expressed in their consent


ISO/IEC 29100 CONTROL STANDARDS

Example "Purpose legitimacy and specification"

• ensuring that the purpose(s) complies with applicable law and relies on a permissible legal basis;

• communicating the purpose(s) to the PII principal before the time the information is collected or used for the first time for a new purpose;

• using language for this specification which is both clear and appropriately adapted to the circumstances; and

• …


ISO/IEC 29100 CONTROL STANDARDS

Example "Collection limitation"

• limiting the collection of PII to that which is within the bounds of applicable law and strictly necessary for the specified purpose(s)


ISO/IEC 29100 CONTROL STANDARDS

Example "Data minimization"

• minimize the PII which is processed and the number of privacy stakeholders and people to whom PII is disclosed or who have access to it;

• ensure adoption of a “need-to-know” principle, i.e. one should be given access only to the PII which is necessary for the conduct of his/her official duties in the framework of the legitimate purpose of the PII processing;

• use or offer as default options, wherever possible, interactions and transactions which do not involve the identification of PII principals, reduce the observability of their behaviour and limit the linkability of the PII collected; and

• …


ISO/IEC 29100 CONTROL STANDARDS

Example "Use, retention and disclosure limitation"

• limiting the use, retention and disclosure (including transfer) of PII to that which is necessary in order to fulfil specific, explicit and legitimate purposes;

• limiting the use of PII to the purposes specified by the PII controller prior to collection, unless a different purpose is explicitly required by applicable law;

• retaining PII only as long as necessary to fulfil the stated purposes, and thereafter securely destroying or anonymizing it; and

• …
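The need-to-know rule from the "Data minimization" example and the purpose and retention limits from the "Use, retention and disclosure limitation" example are the parts of these control standards that an application can enforce mechanically rather than by policy alone. The following Python is an added illustration written for this transcript; it is not code from the presentation, from Dell or Swiss Re, or from ISO/IEC 29100. The roles, purposes, field names, retention periods and the sample customer record are all assumptions made for the example.

```python
"""Added example (not from the slides): enforcing need-to-know access,
purpose limitation and retention limits on one PII record.
Roles, purposes, field names and retention periods are assumptions."""
from datetime import date, timedelta

# Constructed sample record with fictional data.
CUSTOMER = {
    "customer_id": "C-1001",
    "name": "Ada Example",
    "email": "ada@example.com",
    "date_of_birth": "1980-05-14",
    "health_note": "wheelchair access requested",   # sensitive personal data
    "order_total": 129.90,
    "collected_on": "2013-04-25",                    # ISO date of collection
    "purpose": "order-fulfilment",                   # purpose specified at collection
}

# Assumed need-to-know matrix: (role, purpose) -> the only fields that role
# may see for that purpose. Anything not listed is withheld by default.
NEED_TO_KNOW = {
    ("billing", "order-fulfilment"): {"customer_id", "name", "email", "order_total"},
    ("support", "order-fulfilment"): {"customer_id", "name", "email"},
    ("marketing", "marketing"): {"customer_id", "email"},
}

# Assumed retention limits per purpose, in days.
RETENTION_DAYS = {"order-fulfilment": 7 * 365, "marketing": 2 * 365}

# Fields that identify or describe the principal; removed on anonymization.
IDENTIFYING_FIELDS = {"customer_id", "name", "email", "date_of_birth", "health_note"}


class AccessDenied(Exception):
    """Raised when a request fails the purpose or need-to-know check."""


def filter_for_role(record, role, purpose):
    """Return the subset of `record` that `role` needs for `purpose`.

    Two checks run before any field is released:
    1. Use limitation: the requested purpose must be the purpose the PII was
       collected for, so order data is not silently re-purposed for marketing.
    2. Need to know: only fields listed for (role, purpose) are returned, and
       a role with no entry gets nothing rather than everything.
    """
    if purpose != record["purpose"]:
        raise AccessDenied(
            f"purpose {purpose!r} differs from collection purpose {record['purpose']!r}")
    allowed = NEED_TO_KNOW.get((role, purpose))
    if allowed is None:
        raise AccessDenied(f"role {role!r} has no need to know for purpose {purpose!r}")
    return {k: v for k, v in record.items() if k in allowed}


def can_access(record, role, purpose):
    """Boolean form of filter_for_role, convenient for policy tests and audits."""
    try:
        filter_for_role(record, role, purpose)
        return True
    except AccessDenied:
        return False


def retention_expired(record, today_iso):
    """True once the record is older than the retention limit for its purpose."""
    collected = date.fromisoformat(record["collected_on"])
    limit = timedelta(days=RETENTION_DAYS[record["purpose"]])
    return date.fromisoformat(today_iso) > collected + limit


def anonymize(record):
    """Strip every identifying field, keeping only non-identifying values
    (here the order total and dates) that may be retained for statistics."""
    return {k: v for k, v in record.items() if k not in IDENTIFYING_FIELDS}


def enforce_retention(record, today_iso):
    """Return the record unchanged while within its retention period and its
    anonymized form afterwards. A real store would also securely delete the
    original row; this function only computes what is allowed to survive."""
    return anonymize(record) if retention_expired(record, today_iso) else dict(record)


if __name__ == "__main__":
    print(filter_for_role(CUSTOMER, "support", "order-fulfilment"))
    print(can_access(CUSTOMER, "marketing", "marketing"))   # False: re-purposing blocked
    print(enforce_retention(CUSTOMER, "2021-06-01"))       # anonymized: retention passed
```

The design choice worth noting is the default: a role or purpose that is not explicitly listed is denied, and the retention check is evaluated against the purpose recorded at collection time, so a later change of purpose cannot extend how long identifying data is kept.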


ISO/IEC 29100 CONTROL STANDARDS

Example "Accuracy and quality"

• ensuring that the PII processed is accurate, complete, up-to-date (unless there is a legitimate basis for keeping outdated data), adequate and relevant for the purpose of use;

• ensuring the reliability of PII collected from a source other than from the PII principal before it is processed;

• verifying, through appropriate means, the validity and correctness of the claims made by the PII principal prior to making any changes to the PII (in order to ensure that the changes are properly authorized), where it is appropriate to do so;

• establishing PII collection procedures to help ensure accuracy and quality; and

• …


ISO/IEC 29100 CONTROL STANDARDS

Example "Openness, transparency and notice"

• providing PII principals with clear and easily accessible information about the PII controller’s policies, procedures and practices with respect to the handling of PII;

• including in notices the fact that PII is being processed, the purpose for which this is done, the types of privacy stakeholders to whom the PII might be disclosed, and the identity of the PII controller including information on how to contact the PII controller;

• disclosing the choices and means offered by the PII controller to PII principals for the purposes of limiting the processing of, and for accessing, correcting and removing their information; and

• …


ISO/IEC 29100 CONTROL STANDARDS

Example "Individual participation and access"

• giving PII principals the ability to access and review their PII, provided their identity is first authenticated with an appropriate level of assurance and such access is not prohibited by applicable law;

• allowing PII principals to challenge the accuracy and completeness of the PII and have it amended, corrected or removed as appropriate and possible in the specific context; and

• …


ISO/IEC 29100 CONTROL STANDARDS

Example "Accountability"

• documenting and communicating as appropriate all privacy-related policies, procedures and practices;

• assigning to a specified individual within the organization (who might in turn delegate to others in the organization as appropriate) the task of implementing the privacy-related policies, procedures and practices;

• setting up efficient internal complaint handling and redress procedures for use by PII principals; and

• …


ISO/IEC 29100 CONTROL STANDARDS

Example "Information security"

• protecting PII under its authority with appropriate controls at the operational, functional and strategic level to ensure the integrity, confidentiality and availability of the PII, and protect it against risks such as unauthorized access, destruction, use, modification, disclosure or loss throughout the whole of its life cycle;

• choosing PII processors that provide sufficient guarantees with regard to organizational, physical and technical controls for the processing of PII and ensuring compliance with these controls;

• basing these controls on applicable legal requirements, security standards, the results of systematic security risk assessments as described in ISO 31000, and the results of a cost/benefit analysis; and

• …


ISO/IEC 29100 CONTROL STANDARDS

Example "Privacy compliance"

• verifying and demonstrating that the processing meets data protection and privacy safeguarding requirements by periodically conducting audits using internal auditors or trusted third-party auditors;

• developing and maintaining privacy risk assessments in order to evaluate whether program and service delivery initiatives involving PII processing comply with data protection and privacy requirements; and

• …