2: Privacy Program Framework: Privacy Governance Flashcards
Privacy Governance
The components that guide a privacy function toward compliance with laws and regulations and enable it to support the organization’s broader business objectives
Organizational Privacy Vision / Mission Statement
*Lays the groundwork for the privacy program
*Should align with organization’s broader purpose and business objectives
*Refined with feedback from key stakeholders and reviewed and approved by executive leadership
*Describes the purpose and ideas in just a few sentences
Defining Privacy Program Scope: Data
Identify what personal info the org collects, uses, stores, processes
*Interviews with the functions that typically process personal data can establish the general categories and locations of PI, but are time-consuming and difficult in large orgs.
*A more robust but likely more expensive approach is to engage third parties, either consultants or a data discovery tool.
*Final state: A documented data inventory
Key questions:
*Who collects, uses and maintains personal info about individuals, customers and employees, including third parties?
*What types of PI are collected and why (purpose)?
*Who has access, internally and externally?
*When (during what process) and how is it collected?
*How long is it retained and how is it deleted?
*What security controls are in place to protect it?
Defining Privacy Program Scope: Laws and regulations
Identify in-scope privacy and data protection laws and regulations
*Understanding the data lifecycle, considering global perspectives and remaining aware of the global and local regulatory landscape
*Create policies and controls that are the highest level / most restrictive achievable to reduce risk.
Scope requirements
*Understanding the end-to-end PI data lifecycle
*Consideration of global perspective to meet legal, cultural and personal expectations
*Customizing approach from global and local perspectives
*Awareness of challenges, including translations of laws and regs, and enforcement activities and processes
*Monitoring of legal compliance factors for both local and global markets
Scope challenges
*Global programs need to be cognizant of cultural norms, differences and approaches to privacy protection
*US approach is more sectoral: by industry (GLBA, HIPAA), by category of data (HIPAA for health data, COPPA for children's data; PCI DSS covers cardholder data but is a contractual industry standard, not a law) or by state
*Different laws/regs have different obligations like breach notifications
*Determining applicability of laws is key function of privacy program
Privacy Strategy
The org’s approach to communicating and supporting the privacy program and its vision.
*Increase management’s awareness of the importance of protecting PI and financial impact of mismanagement
*May require changing mindset of the org.
*Need a sense of final destination to create a roadmap
Identify stakeholders and key partners
*One of the main challenges can be gaining consensus, up to the highest level of leadership, that privacy is a business imperative
*The first major step in building a coalition of supporters is to conduct informal one-on-one conversations with executives within the organization who have accountability for information management and/or security, risk, compliance or legal decisions.
*Start with most senior leader in your division and work up chain of mgmt.
*Provide initial visibility and gain buy-in / advice
*Will help in identifying a champion who serves as a sponsor of Privacy by understanding the importance and acting as an advocate.
*Sponsor typically has experience with the org, respect of colleagues and access to or ownership of a budget
*Frequently a risk or compliance exec.
Working with stakeholders / internal partners
Best practices:
*Be aware of how others treat and view PI
*Understand their use of data in biz context
*Assist w/building privacy reqmts. into their ongoing projects to reduce risk
*Offer to help staff meet their objectives while offering solutions to reduce risk of PI exposure
*Invite staff to be a part of a privacy advocate group to further privacy best practices
*Regular workshops to ensure common understanding: define privacy for the organization, explain risks, obligations and market expectations, embed a privacy culture and assist with implementing a privacy by design (PbD) framework
*Steering committee can ensure clear ownership of assets and responsibilities
*Keep records of discussions to log decisions, support audits and accountability reqmts., and serve as due diligence showing which functions and individuals should be held accountable for privacy compliance.
Develop and Implement a Framework
*Design a manageable approach to operationalizing the controls needed to handle and protect PI.
*Can help:
Achieve compliance w/ in-scope laws and regs
Serve as a competitive advantage by reflecting the value the org places on the protection of PI
Support biz commitment and objectives to stakeholders, customers, partners and vendors
Key Questions:
Are privacy and the organization’s privacy risks properly defined and identified in the organization?
Has the program been implemented into all key workstreams?
Has the organization assigned responsibility and accountability for managing a privacy program?
Does the organization understand any gaps in privacy management?
Does the org monitor privacy mgmt.?
Are employees properly trained / is there a privacy awareness program?
Does the org follow industry best practices for data inventories, risk assessments and PIAs?
Does the org have an incident response plan?
Does the org maintain / communicate privacy materials?
Does the org use common language to address and manage risk based on biz and org needs?
“A rationalized approach that seeks to address both sets of requirements would result in the organization establishing a standard access process that generally meets the demands of many countries, with a local process that meets specific time frame requirements for individuals in EU countries only.”
Contrasted against the strictest standard approach.
Technology and GRC tools are invaluable
“Frameworks can be broadly grouped into three categories: principles and standards; laws, regulations and programs; and privacy program management solutions”
Frameworks are essentially a benchmark for a privacy program to measure itself against.
Privacy Team Structure
Centralized: One team or one person primarily responsible for Privacy
Decentralized: Bottom up decision making
“delegating decision-making authority down to the lower levels in an organization, at a distance from and below a central authority.”
Hybrid: An individual or team is responsible for decision making, local entities fulfill and support the policies and directives
Organization Structure and RACI
Define roles and responsibilities; map out the hierarchy, its complexity and the type of structure.