Implementing Accountability – A Pragmatic Framework

Transcription

International Conference on Privacy Protection in Corporate Governance
Implementing Accountability – A Pragmatic Framework
Presented by: Karinna Neumann, MBA, CIPP/E, CIPM
Hong Kong, 11/02/14

IMPLEMENTING ACCOUNTABILITY – A Pragmatic Framework
Key Concepts
Free Framework to Implement Accountability in your Organization:
1. Baseline Your Privacy Management
2. Plan Your Privacy Management
3. Implement Your Privacy Management
KEY OBJECTIVE: Building Accountability through an Effective Privacy Program

ABOUT NYMITY
Nymity Research
- A global research company grounded in data privacy compliance research with a pragmatic approach
- Research includes the development of frameworks and methodologies
- Accountability is a cornerstone of Nymity's research
- 9 demonstrating-accountability research studies since 2009, listed in the preface of Feedback Release 2013: Nymity Data Privacy Accountability Scorecard
Nymity Solutions
- Compliance tools for the privacy office
- Nymity makes its frameworks available to the global privacy community for free

PRIVACY MANAGEMENT TOOLS
- Framework
- Compliance Mapping - Fundamentals
- Practical Guide to Building Accountability through an Effective Privacy Program

ELEMENTS OF ACCOUNTABILITY (pg. 5)
- The organization maintains an effective privacy program consisting of ongoing privacy management activities.
- An individual is answerable for the management and monitoring of the privacy management activities.
- The Privacy Office can support, with documentation, the completion of privacy management activities.
Accountability: Showing how responsibility is exercised and making this verifiable. – Article 29 Working Party

IMPLEMENTING ACCOUNTABILITY
Implementing accountability – an ongoing approach to effective privacy
(Figure: Implementing Privacy Management Activities → Implementing Accountability)

A FRAMEWORK TO IMPLEMENT ACCOUNTABILITY
Nymity's research has revealed: privacy offices in responsible organizations around the world fundamentally conduct the same activities.
Nymity Data Privacy Management Framework
- Jurisdictional and industry neutral
- Structured on 13 privacy management processes
- 150 Privacy Management Activities
- Available for free
The Framework was designed for organizations to demonstrate accountability; organizations are using it to implement accountability.

NYMITY PRIVACY MANAGEMENT ACCOUNTABILITY FRAMEWORK (pg. 39)
A Nymity Research Initiative

150 PRIVACY MANAGEMENT ACTIVITIES
Privacy Management Activities (Activities): "Ongoing activities that have a positive impact on the processing of personal data"
- Privacy Management Activities Vary Between Organizations – as do the purposes for processing personal data and the types of personal data being processed
- Organizations Select Applicable Activities
- Various Stakeholders Conduct the Activities

NYMITY PRIVACY MANAGEMENT ACCOUNTABILITY FRAMEWORK
Implementing Privacy Management Activities: 1. BASELINE → 2. PLAN → 3. IMPLEMENT → IMPLEMENTING ACCOUNTABILITY

1. BASELINE – Identify the Privacy Management Activities That Already Exist
- Privacy Office Implements the Activity (maintains the activity), OR
- Privacy Office Influences the Activity (supports functional or business units), OR
- Privacy Office Observes the Activity (independent of the privacy office)
Most organizations will find that they are already doing many of these activities.

1. BASELINE (continued)
- Use the Framework as a checklist to determine which Activities exist within the organization
- Determine the Activities applicable to your organization, jurisdiction and industry
Desired Privacy Management Activities become part of the plan.

1. BASELINE → List of Current Activities Already Implemented
Next Step: Plan privacy program (2. PLAN, then 3. IMPLEMENT)

2. PLAN – Activities to be Implemented
- Use the Framework as a checklist to determine which Activities need to be put into place
- Determine the timeline for the Activities
- Determine the sequence of the Activities

1. BASELINE → List of Current Activities Already Implemented
2. PLAN → List of Desired Activities; Desired Activities Become the Plan:
- Activities Planned for Implementation
- Sequence of Activities Required within your Organization
Next Step: Implement privacy program (3. IMPLEMENT)

3. IMPLEMENT – Put the Activities into Place
- Determine the Scope of the Activity within your organization
  - Role of the Activity within the organization
  - Role of the privacy office in managing the implementation of the Activity
- Determine the Owner of the Activity
- Determine the Business Case Justification for the Activity (as necessary, based on your organization's unique circumstances)
- Determine the Sequence of the Activity versus other Activities in your Program
- Resources
- Execute
Accountability cannot be outsourced.

IMPLEMENT EXAMPLES (pg. 20)
Columns: Privacy Management Process | Activities Owned by the Privacy Office | Activities Owned by Operational Units

1. Maintain Governance Structure
  Privacy Office: Maintain a Privacy Strategy
  Operational Units: Require employees to acknowledge and agree to adhere to the data privacy policies (Owner: Human Resources)
2. Maintain Personal Data Inventory
  Privacy Office: Maintain an inventory of key personal data holdings (what personal data is held and where)
  Operational Units: Classify personal data holdings by type (e.g. sensitive, confidential, public) (Owner: Corporate Records Management)
3. Maintain Data Privacy Policy
  Privacy Office: Maintain a data privacy policy
  Operational Units: Maintain a separate employee data privacy policy (Owner: Human Resources)
4. Embed Data Privacy Into Operations
  Privacy Office: Maintain policies/procedures for collection and use of sensitive personal data (including biometric data)
  Operational Units: Integrate data privacy into direct marketing practices (Owner: Marketing)
5. Maintain Training and Awareness Program
  Privacy Office: Maintain a core training program for all employees
  Operational Units: Integrate data privacy into other training programs, such as HR, security, call centre, retail operations training (Owner: Customer Service)

IMPLEMENT EXAMPLES (continued)
Columns: Privacy Management Process | Activities Owned by the Privacy Office | Activities Owned by Operational Units

6. Manage Information Security Risk
  Privacy Office: Maintain an acceptable use of information resources policy
  Operational Units: Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring) (Owner: Information Security)
7. Manage Third Party Risk
  Privacy Office: Maintain a vendor data privacy risk assessment process (likely performed in conjunction with Information Security)
  Operational Units: Maintain internal guidelines for contract templates that establish data privacy obligations in all contracts and agreements (Owner: Legal)
8. Maintain Notices
  Privacy Office: Maintain a data privacy notice that details the organization's personal data handling policies
  Operational Units: Provide notice by means of on-location signage, posters (Owner: Facilities/Corporate Security)
9. Maintain Procedures for Inquiries and Complaints
  Privacy Office: Maintain procedures to investigate root causes of data protection complaints
  Operational Units: Maintain procedures to address complaints (Owner: Call Centre)
Various stakeholders conduct the activities.

IMPLEMENT EXAMPLES (continued)
Columns: Privacy Management Process | Activities Owned by the Privacy Office | Activities Owned by Operational Units

10. Monitor for New Operational Practices
  Privacy Office: Maintain PIA guidelines and templates
  Operational Units: Conduct PIAs for new programs, systems, processes
11. Maintain Data Privacy Breach Management Program
  Privacy Office: Maintain a documented data privacy incident/breach response protocol
  Operational Units: Engage a forensic investigation team (Activity Owner: Legal)
12. Monitor Data Handling Practices
  Privacy Office: Maintain privacy program metrics
  Activity Owner: Information Technology
  Operational Units: Conduct audits/assessments of the privacy program outside of the privacy office (e.g. Internal Audit) (Activity Owner: Internal Audit)
13. Track External Criteria
  Privacy Office: Maintain subscription to compliance reporting service/law firm updates to stay informed on new developments
  Operational Units: Document that new requirements have been implemented (also document where a decision is made to not implement any changes, including the reason) (Activity Owner: Compliance)
Conducting activities produces documentation.


THANK YOU!
CONTACT DETAILS:
Karinna Neumann
karinna.neumann@nymity.com
1 647 260 6230 x221
Skype: inc.
