1.5-1.6: Privacy Across the Org/Championing Privacy Flashcards
Privacy across the Org.
*Important that all functional groups understand how they contribute to and support the overall privacy program, as well as the privacy principles themselves
*Buy-in and a sense of ownership from key functions assist with better acceptance of privacy requirements and sharing of responsibility
*Need to take into account the culture, politics and protocols of the org to determine the best methods, style and practices for engaging each group
*Build and maintain good relationships with key stakeholders to ensure privacy is embedded across the org
*Policies and procedures should be created and enforced at a functional level and may be owned by functions other than the privacy office
*Important to align with the owners of related policies and reference those policies as applicable
*Most groups within an org should have policies, created in consultation with the privacy office, that address the appropriate use and protection of personal information specific to their functional areas
Key partners
*Learning and development: enables policies and procedures to be translated into teachable content; contextualizes privacy principles into tangible operations and processes
*Communications: assists with the creation of content that reinforces good privacy practices in line with the company's branding, objectives and tone; advises on the best methods of communication for higher engagement
*Information Security: most closely aligned with privacy; ensures that appropriate technological controls are employed and determines whether groups are aware of and comply with those controls
*IT: can enhance the effectiveness of the privacy program by adding processes and controls that support privacy principles (e.g. providing testing processes/tools that don't require the use of production data); implements privacy principles in technology development and deployment
*Internal audit: assesses whether controls are in place to protect personal info and whether people and processes abide by those controls; assists in the development of a framework to monitor policies, controls and procedures
*Procurement: ensures contracts are in place with third-party providers that process personal info and that the contractual language minimizes the org's exposure; facilitates/performs due diligence
*HR: ensures employee info is handled in accordance with privacy policies and procedures
*Ethics and Compliance: manages whistleblowing and complaints related to the handling of personal data
*Legal: keeps current on privacy regulations and requirements
*Risk: ensures data protection risks are included in the org's enterprise risk management (ERM) framework
*Data governance: develops a data governance framework that supports data privacy requirements
*Product teams: apply Privacy by Design (PbD) principles during development; perform privacy impact assessments (PIAs)
Championing Privacy
*Establish a privacy committee/council composed of stakeholders or representatives of relevant functions (privacy champions) to make strategic decisions and drive compliance through their groups
*For a global company, the governance structure may consist of reps from each geographic region and business function to ensure alignment with local laws
*Collating feedback through questionnaires can help reveal the strengths and weaknesses of the program