DON'T START FROM SCRATCH!
April 25, 2013
03:30 – 04:30 PM
• Designing a flexible privacy program (Stuart Muir, Dell Inc.)
• Addressing regulatory complexity by applying existing standards (Stefan Weiss, Swiss Re)
• Discussion and your involvement
WHAT IS A COMPREHENSIVE PRIVACY PROGRAMME?
• A Structured Approach
• Demystifying Privacy Management
• Providing a Framework
• Allows for Proactive Management
• Demonstrable
Assess + Protect + Sustain + Respond
COMPLIANCE BY DESIGN (CbD)
• Based on Privacy by Design, the governance model is about organizations taking responsibility & holding themselves accountable, building protections into their products & services design work streams.
• We use this model across the compliance portfolio to provide effective governance & controls to ensure we meet these responsibilities.
• We leverage the framework to strategically ‘Move the Needle’ to the highest maturity level for each component of our programme.
THE PRIVACY TEAM
• Dale Skivington, Global Compliance & Chief Privacy Officer
• Privacy Managers: global team aligned to meet the compliance & privacy challenges worldwide for our developing businesses
• Operational Compliance Team
• Global Marketing Data Quality, Governance & Marketing Privacy Managers
• Regional Legal DP Counsel
ACCOUNTABILITY
DATA PROTECTION & MANAGEMENT COUNCIL (DPMC)
• Chief Privacy Officer
• Director, Knowledge Assurance
• Data Management Stewards: Commercial, Financial Services, Domain Solutions, Finance, HR, IT, Legal, Marketing, Services, Software, Supply Chain Ops
• Business & Function Leadership: Chief Ethics & Compliance Officer, Regional Business Leaders, Chief Information Security Officer, Chief Security Officer, Global Audit & Transformation, Legal Representation, Corporate Communications, Business Controls Mgmt.
PRIVACY MATURITY MODEL
Level 1, Ad Hoc: processes not documented; in a state of dynamic change; tending to be driven in an ad hoc, uncontrolled, or reactive manner.
Level 2, Initial: repeatable, possibly with consistent results; lacks rigorous process discipline; minimal documentation; processes executed regularly but infrequently, & difficult to standardize.
Level 3, Formal: defined & documented standard procedures; subject to some degree of improvement over time; consistency across the organization.
Level 4, Validated: steps taken to formally approve & validate the effectiveness of the processes; formal processes subject to the approval of senior management, or subject to independent assessment or audit.
Level 5, Monitored: processes monitored using formal measures & procedures; changes made to maintain effectiveness over time; may involve in-process monitoring or frequent assessment or audit.
Levels: 1 Ad hoc, 2 Initial, 3 Formal, 4 Validated, 5 Monitored
Policy
  1. None written
  2. Limited distribution & understanding
  3. Formal but may be inconsistent
  4. Globally consistent & enforceable
  5. Reviewed & updated as per business
Governance
  1. None established
  2. Discrete, informal, & limited
  3. Corporate oversight & exec level
  4. Management involvement at all levels
  5. Scorecard reporting & rectification
Risk Management
  1. Incomplete & inconsistent
  2. Risk assessment, not management
  3. Risk assessment & management
  4. Cross-functional, executive validation
  5. Embedded component of ERM
Procedures & Controls
  1. None written
  2. Limited coverage
  3. Consistent & global
  4. Subject to self-assessment & audit
  5. Exception reporting & resolution
3rd Party Management
  1. No standards
  2. Some standards; may be inconsistent
  3. Consistent, cross-functional coordination
  4. Proactive monitoring & self-assessment
  5. Independent external audit
Compliance & Monitoring
  1. None established
  2. Informal & limited
  3. Audit-driven, remedial actions endorsed
  4. Analytics technology; cross-functional
  5. Accountability-driven, extends beyond enterprise
Incident Management
  1. Ad hoc & inconsistent
  2. Some consistency; little analysis
  3. Root cause analysis, global standards
  4. Issue tracking technology in place
  5. Effectiveness & efficiency metrics
Training & Awareness
  1. None
  2. General, infrequent, single media
  3. Custom-tailored, recurring, multi-media
  4. Role-specific awareness; 3rd parties
  5. Enterprise-wide awareness
‘MOVING THE NEEDLE’ with GAPP
• Based on the Globally Accepted Privacy Principles - AICPA/CICA
• Project delivery momentum drives PMM maturity transparently
PRIVACY IMPACT ASSESSMENT
• Assess privacy risk: PIAs anticipate likely issues & determine solutions before a design is complete.
• Help avoid inadequate solutions that not only can prove very costly to remediate, but can have serious implications for both the customer & the company.
• On-line questionnaire used, embedded within our Secure Systems Development Life Cycle (SSDLC).
• Our Data Protection & Privacy Review Process works to ensure design flaws are identified & remediated during the development phases of projects where the collection, use & disclosure of personal information is planned.
METRICS & TRENDING
[Chart: "Rectifications per Process", y-axis 0 to 12, one bar per GAPP area: 3rd Party, Access, Accuracy, Notice & Choice, Purpose Limitation, Security, Transfer]
IN SUMMARY
• Engage & develop a supportive organization – you are the enterprise
• Management of your programme, demonstrating commitment & accountability – consistent execution
• Getting your arms around your organization - embedding privacy & raising awareness
PROPORTIONALITY
What are adequate data protection safeguards?
Let's think about a risk-based approach …
Factors determining adequacy:
• Nature of the data
• Potential harm to individual
• Risk
• Current technology available
• Standards, best practices
• Costs
Risk factors and short descriptions:
1. Business context: inherent data protection risk to the business unit and the involved data processes; potential risk impact of strategic changes
2. People: management's awareness of data protection risks, sufficiency of resources and know-how
3. External environment: local regulations, regulatory changes and actions, fines, press coverage on other companies
4. Control environment: existence (maturity) and effectiveness of the compliance control environment
5. Issues, losses, incidents: experienced control failures, breaches, and fines by data protection authorities
RISK-ASSESSING THE BUSINESS
DATA CATEGORIES
[Matrix: regulatory attention (low to high) against strength of safeguards (low to high)]
Data categories placed on the matrix:
• Personal data
• Sensitive personal data
• Confidential business data
• Internal or public business data
APPLICATION CATEGORIES
• Other business applications
• Financial reporting relevant applications
• Personal data processing applications
• Sensitive personal data applications
• Confidential/restricted data processing applications
SAFEGUARDS
Approach with global standards or principles; add local, sector, or risk-specific requirements as needed.
• A global programme requires you to set up a principles-based approach
• We have used these principles because they cover about 80% in an 80/20 approach, or …
• … you can use the ISO/IEC 29100 Privacy Principles
DATA PROTECTION AND PRIVACY PRINCIPLES
• Accountability
• Purpose Specification
• Limiting Use, Disclosure and Retention
• Security Safeguards
• Individual Access
• Notice and Consent
• Collection Limitation
• Data Accuracy
• Openness
• Awareness
ISO/IEC 29100 PRINCIPLES
1. Consent and choice
2. Purpose legitimacy and specification
3. Collection limitation
4. Data minimization
5. Use, retention and disclosure limitation
6. Accuracy and quality
7. Openness, transparency and notice
8. Individual participation and access
9. Accountability
10. Information security
11. Privacy compliance
ISO/IEC 29100 CONTROL STANDARDS
• The standard lists control standards that address each principle
• These control standards can be used for your global data protection policy, and they
– cover 80% of what you need to do
– ask for local specifications where needed
ESSENTIALS THAT MATTER
• Focus on the data protection risks in your business
• Use existing standards and best practices
• Apply the 80/20 approach rather than focusing only on a few detailed requirements in low risk environments
APPENDIX
ISO/IEC 29100:2011 – Privacy framework
The following control standards are only examples and partial quotes from the standard document.
For the complete text, please go to the ISO store and purchase the standard for your own use: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=45123
ISO/IEC 29100 CONTROL STANDARDS
Example "Consent and choice"
• providing PII principals with clear, prominent, easily understandable, accessible and affordable mechanisms to exercise choice and to give consent in relation to the processing of their PII at the time of collection, first use or as soon as practicable thereafter; and
• implementing the PII principal’s preferences as expressed in their consent
ISO/IEC 29100 CONTROL STANDARDS
Example "Purpose legitimacy and specification"
• ensuring that the purpose(s) complies with applicable law and relies on a permissible legal basis;
• communicating the purpose(s) to the PII principal before the time the information is collected or used for the first time for a new purpose;
• using language for this specification which is both clear and appropriately adapted to the circumstances; and
• …
ISO/IEC 29100 CONTROL STANDARDS
Example "Collection limitation"
• limiting the collection of PII to that which is within the bounds of applicable law and strictly necessary for the specified purpose(s)
ISO/IEC 29100 CONTROL STANDARDS
Example "Data minimization"
• minimize the PII which is processed and the number of privacy stakeholders and people to whom PII is disclosed or who have access to it;
• ensure adoption of a “need-to-know” principle, i.e. one should be given access only to the PII which is necessary for the conduct of his/her official duties in the framework of the legitimate purpose of the PII processing;
• use or offer as default options, wherever possible, interactions and transactions which do not involve the identification of PII principals, reduce the observability of their behaviour and limit the linkability of the PII collected; and
• …
ISO/IEC 29100 CONTROL STANDARDS
Example "Use, retention and disclosure limitation"
• limiting the use, retention and disclosure (including transfer) of PII to that which is necessary in order to fulfil specific, explicit and legitimate purposes;
• limiting the use of PII to the purposes specified by the PII controller prior to collection, unless a different purpose is explicitly required by applicable law;
• retaining PII only as long as necessary to fulfil the stated purposes, and thereafter securely destroying or anonymizing it; and
• …
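The "Data minimization" and "Use, retention and disclosure limitation" controls quoted above describe checks that can be enforced in code rather than left to policy text alone. The following Python is an added example written for this page; it is not code from the presentation, from Dell or Swiss Re, or from ISO/IEC 29100. The purpose policy, the role-to-field need-to-know map, the retention periods and the sample record are all constructed for illustration. It shows collection trimmed to the fields a specified purpose needs, access refused when the requested purpose differs from the collection purpose, each role receiving only the fields its duties require, and anonymization once the purpose's retention period has elapsed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed policy: for each specified purpose, the PII fields strictly
# necessary for it and how long the PII may be retained (hypothetical values).
PURPOSE_POLICY = {
    "order_fulfilment": {"fields": {"name", "address", "email"},
                         "retention": timedelta(days=365)},
    "fraud_review": {"fields": {"name", "email", "ip_address"},
                     "retention": timedelta(days=90)},
}

# Need-to-know: which fields each role needs for its official duties.
# A role absent from this map (or mapped to an empty set) sees nothing.
ROLE_NEED_TO_KNOW = {
    "shipping_agent": {"name", "address"},
    "fraud_analyst": {"name", "email", "ip_address"},
    "marketing": set(),
}


class PolicyViolation(Exception):
    """Raised when a request would breach the purpose, access or retention policy."""


@dataclass
class PIIRecord:
    subject_id: str
    purpose: str            # purpose specified at collection time
    collected_at: datetime
    data: dict
    anonymized: bool = False


def collect(subject_id, purpose, offered, now):
    """Collection limitation: store only the fields the specified purpose needs."""
    if purpose not in PURPOSE_POLICY:
        raise PolicyViolation(f"no specified purpose: {purpose!r}")
    needed = PURPOSE_POLICY[purpose]["fields"]
    kept = {k: v for k, v in offered.items() if k in needed}
    return PIIRecord(subject_id, purpose, now, kept)


def access(record, role, purpose):
    """Use limitation plus need-to-know: the requested purpose must equal the
    collection purpose, and the role only receives the fields it needs."""
    if record.anonymized:
        raise PolicyViolation("record has been anonymized after retention expiry")
    if purpose != record.purpose:
        raise PolicyViolation(
            f"purpose {purpose!r} differs from collection purpose {record.purpose!r}")
    visible = ROLE_NEED_TO_KNOW.get(role, set())
    return {k: v for k, v in record.data.items() if k in visible}


def enforce_retention(records, now):
    """Retention limitation: anonymize every record whose purpose's retention
    period has elapsed (PII values dropped, subject id replaced). Returns how
    many records were anonymized in this pass."""
    count = 0
    for r in records:
        if r.anonymized:
            continue
        if now - r.collected_at >= PURPOSE_POLICY[r.purpose]["retention"]:
            r.data = {}
            r.subject_id = "anonymized"
            r.anonymized = True
            count += 1
    return count


def demo():
    """Constructed walk-through of one record's life cycle; returns the
    observable outcomes so they can be checked."""
    t0 = datetime(2013, 4, 25, tzinfo=timezone.utc)
    offered = {"name": "A. Example", "address": "1 Sample St",
               "email": "a@example.test", "ip_address": "192.0.2.10",
               "date_of_birth": "1970-01-01"}
    out = {}
    try:
        collect("subject-1", "analytics", offered, t0)   # purpose never specified
        out["unknown_purpose_rejected"] = False
    except PolicyViolation:
        out["unknown_purpose_rejected"] = True
    rec = collect("subject-1", "order_fulfilment", offered, t0)
    out["stored_fields"] = sorted(rec.data)               # ip_address, date_of_birth dropped
    out["shipping_view"] = access(rec, "shipping_agent", "order_fulfilment")
    out["marketing_view"] = access(rec, "marketing", "order_fulfilment")
    try:
        access(rec, "fraud_analyst", "fraud_review")      # purpose differs from collection
        out["repurpose_denied"] = False
    except PolicyViolation:
        out["repurpose_denied"] = True
    out["anonymized_early"] = enforce_retention([rec], t0 + timedelta(days=100))
    out["anonymized_late"] = enforce_retention([rec], t0 + timedelta(days=365))
    out["data_after_expiry"] = rec.data
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design keeps the purpose bound to the record at collection time, so a later request cannot widen it without an explicit, auditable change to PURPOSE_POLICY; the control text's exception for a different purpose "explicitly required by applicable law" would be modelled as such a documented policy change rather than as a bypass in the access path. Anonymization keeps the purpose and collection timestamp so that metrics such as the "rectifications per process" trending above can still be computed after the PII itself is gone.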
ISO/IEC 29100 CONTROL STANDARDS
Example "Accuracy and quality"
• ensuring that the PII processed is accurate, complete, up-to-date (unless there is a legitimate basis for keeping outdated data), adequate and relevant for the purpose of use;
• ensuring the reliability of PII collected from a source other than from the PII principal before it is processed;
• verifying, through appropriate means, the validity and correctness of the claims made by the PII principal prior to making any changes to the PII (in order to ensure that the changes are properly authorized), where it is appropriate to do so;
• establishing PII collection procedures to help ensure accuracy and quality; and
• …
ISO/IEC 29100 CONTROL STANDARDS
Example "Openness, transparency and notice"
• providing PII principals with clear and easily accessible information about the PII controller’s policies, procedures and practices with respect to the handling of PII;
• including in notices the fact that PII is being processed, the purpose for which this is done, the types of privacy stakeholders to whom the PII might be disclosed, and the identity of the PII controller including information on how to contact the PII controller;
• disclosing the choices and means offered by the PII controller to PII principals for the purposes of limiting the processing of, and for accessing, correcting and removing their information; and
• …
ISO/IEC 29100 CONTROL STANDARDS
Example "Individual participation and access"
• giving PII principals the ability to access and review their PII, provided their identity is first authenticated with an appropriate level of assurance and such access is not prohibited by applicable law;
• allowing PII principals to challenge the accuracy and completeness of the PII and have it amended, corrected or removed as appropriate and possible in the specific context; and
• …
ISO/IEC 29100 CONTROL STANDARDS
Example "Accountability"
• documenting and communicating as appropriate all privacy-related policies, procedures and practices;
• assigning to a specified individual within the organization (who might in turn delegate to others in the organization as appropriate) the task of implementing the privacy-related policies, procedures and practices;
• setting up efficient internal complaint handling and redress procedures for use by PII principals; and
• …
ISO/IEC 29100 CONTROL STANDARDS
Example "Information security"
• protecting PII under its authority with appropriate controls at the operational, functional and strategic level to ensure the integrity, confidentiality and availability of the PII, and protect it against risks such as unauthorized access, destruction, use, modification, disclosure or loss throughout the whole of its life cycle;
• choosing PII processors that provide sufficient guarantees with regard to organizational, physical and technical controls for the processing of PII and ensuring compliance with these controls;
• basing these controls on applicable legal requirements, security standards, the results of systematic security risk assessments as described in ISO 31000, and the results of a cost/benefit analysis; and
• …
ISO/IEC 29100 CONTROL STANDARDS
Example "Privacy compliance"
• verifying and demonstrating that the processing meets data protection and privacy safeguarding requirements by periodically conducting audits using internal auditors or trusted third-party auditors;
• developing and maintaining privacy risk assessments in order to evaluate whether program and service delivery initiatives involving PII processing comply with data protection and privacy requirements; and
• …