2: Privacy Program Framework: Privacy Governance Flashcards
Components of “Privacy Governance” (5)
- create org privacy vision and mission statement
- define the scope of the privacy program
- select appropriate privacy framework
- develop the organizational privacy strategy
- structure the privacy team
What does a Privacy Vision and Mission Statement do?
- lays the groundwork for the rest of the privacy program.
- the vision should align with the organization’s broader purpose and objectives
Privacy Program Scope
- organizational legal and regulatory compliance obligations
1. identify the PI collected & processed
2. identify the privacy and data protection laws and regulations
Things to consider about PI collected and processed
- who collects, uses and discloses/maintains PI?
- what type of PI
- reasons for collection
- data storage
- transferred to whom
- access
- when is the data collected
- storage/retention
- security protocols to protect
What if data is cross-jurisdictional?
use the most restrictive regulations
Scope challenges
Consider:
- domestic laws
- state/regional laws
- industry specific
- global differences and approaches
US vs EU Privacy Protection approaches
US - limited sectoral approach, laws apply to specific industry sectors or categories of data, or to specific states
EU - more comprehensive approach that applies to all personal data, regardless of sector or location
Protection Models (4)
- Sectoral laws/state specific (US)
- Comprehensive laws (EU)
- Co-regulatory model (AUS)
- Self-regulated model (US, Japan, Singapore)
Sectoral/State specific laws
Laws that specifically address a particular industry sector, or apply to residents of a specific state
US
Comprehensive laws
Apply to the collection, use and disclosure of PI in public and private sectors with an official oversight agency (to review concerns and provide guidance to businesses and individuals)
EU, CAN, UK
Co-regulatory Model
Similar to comprehensive model, industry develops enforcement standards that are overseen by privacy agency
AUS
Self-regulated Model
Companies use a code of practice from an industry body, e.g. OPA, TrustArc, WebTrust, PCI DSS (some states have adopted such codes as law)
US, Japan, Singapore
Privacy Program Scope requires:
- end to end of data lifecycle
- considerations to meet legal, cultural, and personal expectations
- customize approach from global and local perspective
- aware of privacy challenges, incl laws/regs and enforcement activities and processes
- monitoring for compliance
Developing a Privacy Strategy
Needs organizational support both to implement the strategy and to establish accountability; every individual contributes.
Identify stakeholders and internal partnerships.
Privacy Strategy - challenges
gaining consensus from organization management; look for privacy sponsors / champions for support.
Privacy Champions
A privacy champion at the executive level acts as an advocate and sponsor to further foster privacy as a core organization concept.
- keep champions informed so they can advocate and privacy becomes embedded
Best Practices for Internal Partnerships?
- how do others treat and view PI?
- use of data in their business context
- build privacy requirements into their ongoing projects to help reduce risk
- offer to help meet objectives with solutions to reduce risk
- invite staff to a privacy advocate group
Stakeholder Privacy Workshop
Conduct a privacy workshop for stakeholders to level the privacy playing field by defining privacy for the organization, explaining the market expectations, answering questions, and reducing confusion.
Program Ownership
- ensure clear ownership of assets and responsibilities
- record using agendas, minutes and actions (also helps with audits and accountability requirements)
Develop and Implement Framework
manageable approach to operationalizing the controls to protect and handle PI
- reach compliance
- competitive advantage, engendering trust
- support business commitment and objectives
Frameworks - Definition
the various processes, templates, tools, laws and standards to guide in privacy program management.
Framework includes:
- are risks defined and identified?
- program implemented in all workstreams?
- assigned responsibility and accountability for privacy program management
- gaps?
- monitored?
- employees trained? awareness program?
- follow industry best practice for data inventories, risk assessments, PIAs?
- incident response plan?
- communicate privacy-related matters and update material
- use common language to address and manage cybersecurity risk
Frameworks - 2 categories
1. Principles and Standards
2. Laws, Regulations, and Programs
Principles and Standards
- Fair Information Practices
- Organization for Economic Co-operation and Development (OECD), basis of EU DPD and GDPR
- GAPP
- CSA Privacy Code (base of PIPEDA)
- APEC
- ETSI
- NIST agnostic to technologies, sectors, laws or jurisdictions
Fair Information Practices include:
- rights of individuals (notice, choice and consent, data subject rights)
- controls on information (info sec, info quality)
- information life cycle (collection, use and retention, disclosure, destruction)
- management (management and administration, monitoring, enforcement)
NIST
Privacy Framework - 3 key parts
Suitable for organizations of all sizes
Agnostic to technology/sector/law
How does the NIST framework help manage privacy risk?
- embedding privacy when designing and deploying systems, products and services
- communicating about privacy practices
- encouraging cross-organization workforce collaboration
3 parts to NIST framework
- core set of privacy protection activities
- profiles core activities based on risk appetite, future state, resources, etc.
- tiers - the level of operational maturity achievable, assessed against the profile using key criteria
PbD - definition
ensure every stage of development takes privacy into account
affirms the Fair Information Practices but goes beyond them to aim for the highest standard
PbD - principles
- proactive > reactive
- privacy as default
- embedded in design
- full functionality
- end to end security
- visibility and transparency
- respect for user privacy (user centric)
Examples of Laws, Regulations and Programs
- Canada
- EU
- EU-US
- BCR
- HIPAA
- DPA
CA: PIPEDA well developed, generic privacy principles
EU: GDPR, framework for data protection, increased obligations and national laws
EU-US Privacy Shield, cross border data protection, replaced Safe Harbour Framework, invalidated by Schrems II
BCR Binding Corporate Rules - legally binding internal corporate privacy rules within a corporate group
HIPAA - national standards for electronic healthcare transactions. Patients must opt in before their information can be shared
DPA - local data protection authorities - France’s CNIL provide guidance on legal frameworks
Rationalizing Requirements for a framework
- most data privacy legislation = the obligations on regulated entities
- data protection regs usually include: notice, choice, consent, purpose limitations, limits on retaining data, individual rights to access, correction and deletion of data, and the obligation to safeguard data (all generally covered by privacy frameworks).
- need to also address 'outliers' that fall outside of those obligations, i.e. when the local law exceeds the national law, or industry/data-specific requirements.
- look at the strictest standard when seeking a solution.
Technology for governance, risk and compliance
- usually selected in order to demonstrate compliance
- include data mapping, assessment management modules, supplier due diligence, and incident response tools and DSAR (data subject access requests)
GRC Tools
- integrating governance, management and assurance of performance, risk and compliance activities.
used to:
- create and distribute policies and controls, map to regs and internal compliance
- assess if controls are in place and working
- ease risk assessments and mitigation
Privacy Team Structure: Governance Models
- consider global/regional implications or needs
- will need executive leadership support for successful implementation
- Should:
  - involve senior leadership
  - involve stakeholders
  - develop internal partnerships
  - provide flexibility
  - leverage communication
  - leverage collaboration
3 models: centralized | local (decentralized) | hybrid
Governance model - centralized
uses a single channel function, planning and decision-making by one group
typically a CPO, chief privacy officer
+ use same resources throughout org (efficient)
- those furthest from the issue are addressing it
Governance model - local
decentralized
delegate decision making authority down to the lower levels of an org
- likely to run with less-rigid policies and wider spans of control
- flat structure
- if correct controls are in place, there is a bottom to top flow of info; creating a well informed base
+ those closest to the issue are addressing it
- inefficient, each manager/layer has to create own practices
Governance model - hybrid
combo of centralized and local
- main department for privacy-related affairs, and the local entities fulfill the directives issued
+ dictate core values and have the employees implement those that fit/reach goals
Org Model - CPO
Chief Privacy Officer
corporate leader, develop and operationalize privacy strategy and program
common with large, global orgs
Org Model - Privacy director/manager
mid level position that reports to CPO
assists with implementation of strategy/program
Org Model - Privacy Analyst
entry level
more tactical privacy program tasks
Org Model - Business line privacy leaders
senior management
large multinational corps, number of business lines, brands or siloed regions
Org Model - Privacy/legal counsels
legal resource within the privacy team, or within legal but working on privacy-related matters (3rd party due diligence, negotiating DPAs, breaches and incidents, regular notifications and complaints)
Org Model - first responders
i.e. incident response team members
Org Model - DPO
Data Protection Officer
for companies subject to GDPR
not a full time role
Org Model - Privacy Engineer
technical implementation of privacy requirements into product design and leading implementation of PbD principles in the org
Org Model - Privacy Technologist
technology professionals who play a role in protecting privacy in or within technology.
audit, risk and compliance managers, data professionals, data architects, data scientists
these roles are not necessarily within the privacy office
Organizational Structure Considerations
- hierarchy of command - authority establishes trail of responsibility
- role definition - clearly defined to create expectations and performance
- evaluation of outcomes
- alteration of org structure - flexibility to change to meet demands
- significance - complex for large orgs, flat for small orgs
- types of structures - product, functional, etc.
- customers - consider needs
- benefits - to org, customers, stakeholders
The DPO Role - required when?
Article 37 of GDPR
- designate an individual to be responsible for monitoring an org's privacy compliance
- by public authorities or bodies
- where ‘core’ activities require ‘regular and systematic monitoring of data subjects on a large scale’
- where ‘core’ activities consist of processing ‘special’ categories of data, or data relating to criminal convictions/offences on a large scale
DPO - reporting structure and independence
required to report to the highest management level of the controller or processor
DPO - qualifications and responsibilities
“expert knowledge of data protection law and practices”
Privacy Awareness vs Training
Training programs are formal.
Awareness is a less formal, ongoing effort, designed to remind staff of privacy lessons they have already learned.