Posted 26-Jun-2018

How to Stand Up a Privacy Program: Privacy in a Box

Part I of III: The Foundations of a Privacy Program

Presented by: Kerry Childe, Sr. Corporate Counsel, Privacy and Information Policy, Best Buy; Nick Holland, Fieldfisher (ITPEC Sponsor)

Co-sponsor: Health Law Committee

Three-part series

•  The Foundations of a Privacy Program
•  Key Areas to Consider
•  Maturing a Privacy Program

Today’s Topic: The basics

Program Introduction

Congratulations!

You’ve been hired to create a privacy program (or you’ve been handed another hat to wear). What do you do now?

1)  Business Case
2)  Sponsorship
3)  Models
4)  Charter
5)  Team and Roles
6)  Strategy and Plan
    –  Identify compliance drivers
    –  Cross-Organizational Resources
    –  Perform a Risk Assessment
    –  Key Policies, standards, guidelines, processes
    –  Data classification/inventory
7)  How to be a successful privacy professional
8)  Resources

Structure the Program

1. Business Case

Why privacy?

•  Are you required by regulators to have a privacy officer/policy/program?
    –  GDPR
    –  Health
    –  Children (under-13 in the US; different ages elsewhere)
    –  Mobile app development
    –  Consent decree requires it
    –  State or national requirements
•  Do you operate in a compliance-driven environment?
    –  Sarbanes-Oxley or Dodd-Frank
    –  Other industry partners have requirements or have consent decrees requiring a program/etc.
•  Current events
•  FTC UDAP

2. Sponsorship

•  Attributes of a sponsor
    –  Strong
    –  Supportive
    –  Respected
    –  Has authority
    –  Tone from the top

•  Organizational alignment
    –  Origins
    –  Relocated
    –  Mature
    –  Tone at the top

3. Models of Privacy Programs

•  Centralized v. decentralized (can also include hybrid)
•  Large v. Small
•  Required v. Voluntary
•  All-in-one v. Legal/implementation (bifurcated)
•  Real v. Paper

4. Charter

•  What’s a charter? A document that formally authorizes the existence of a project and provides an individual with the authority to apply organization resources to project activities.

•  Mission/Vision: A statement that describes the purpose and ideas in just a few sentences. It should be readable in less than 30 seconds. It explains what you do as an organization, and it is the fundamental building block for your privacy program.

•  Scope: The process required to ensure that the project includes all the work required, and only the work required, to complete the project successfully. (Project Management Body of Knowledge Guide, Fifth Ed.)

4. Charter: Mission Statement Examples

Stanford University: “The Stanford University Privacy Office works to protect the privacy of university, employee, patient, and other confidential information. Our office helps to ensure the proper use and disclosure of such information, as well as foster a culture that values privacy through awareness. The Privacy Office provides meaningful advice and guidance on privacy ‘Best Practices’ and expectations for the University community.” https://privacy.stanford.edu/about-us/mission-statement

Department of Commerce: “The Department of Commerce (DOC) is committed to safeguarding personal privacy. Individual trust in the privacy and security of PII is a foundation of trust in government and commerce in the 21st Century. As an employer, a collector of data on millions of individuals and companies, the developer of information-management standards and a federal advisor on information policy, the Department strives to be a leader in best privacy practices and privacy policy. To further this goal, the Department assigns a high priority to privacy considerations in all systems, programs, and policies.” http://www.osec.doc.gov/opog/privacy/Privacy_Office.html

5. Teams and Roles

•  Start developing a RACI matrix
•  Look for existing programs within your organization: Audit, Information Security, and HR have usually worked through this area already to some degree
•  Think about who needs to be a point of contact going forward:
    –  Procurement
    –  Contracts
    –  IT (help desk)
    –  Accounting
    –  Customer service
    –  Sales (relationship management)
    –  Marketing
    –  IT engineering/development
    –  Project managers
    –  Who drives the business?
    –  Who is out of compliance?

6. Strategy and Plan

Tactical first and strategic later

•  Think long-term, but take care of immediate and simpler tasks
•  Revenue-generating functions should be at the top of the list
•  Review the organizational goals; your program should be aligned with them
•  Also include budgetary considerations in your review
•  As your program matures, you will have to determine a framework to use (part III); when you’re starting out, your framework is likely to be “taking care of the low-hanging fruit”
•  If you’re in a regulated area, your “low-hanging fruit” is going to be compliance-based

6. Strategy and Plan: Identify compliance drivers

•  Laws, rules, and regulations
    –  Existing and upcoming
    –  Audits, decisions
•  Markets
    –  Products/services
    –  Regions
•  Customers
    –  And their customers
•  Privacy by Design/Security by Design

6. Strategy and Plan: Cross-Organizational Resources

As you’re sitting in your Ivory Privacy Tower, think about how your business performs.

•  Who do you need to align with?
•  Who can be your champion?
•  Who is willing to be your mole?
•  Is your organization matrixed or siloed?
•  What about:
    –  Records management
    –  eDiscovery

6. Strategy and Plan: Perform a Risk Assessment

•  What do your internal clients see as the biggest privacy risks?
•  What do you see as the biggest risks?
•  How big is big?
•  Are these risks that you can mitigate, or are they risks you can only manage?
•  If you can mitigate, how can you mitigate them (at a high level)?
•  How long will that take?
•  Does your company have a risk management team?
    –  You may need to educate them as well.

6. Strategy and Plan: Key policies, standards, guidelines, processes

•  Define each
•  Website privacy statement and internal privacy policy
•  Not just customers/consumers
    –  Employees, vendors, indirect customers
•  Identified current stuff as part of risk assessment
•  Formal v. Informal
    –  But informal means not consistent, predictable, or provable
•  Bounce against drivers and framework

6. Strategy and Plan: Data classification schema (and inventory later)

•  Know what data you have and why
•  Put in basic protection requirements (especially legally required)
•  The inventory can come later:
    –  What data
    –  How collected/how transmitted and stored
    –  When collected, noticed
        •  When deleted (and how)
    –  Where from/where to
        •  Location and entity
    –  Laws, rules, regulations apply to which data

7. How to be a Successful Privacy Professional

•  Be willing to learn 24/7/365, and be flexible in your learning
•  Be eager to make friends with your regulators (you are not a litigator anymore)
•  Be comfortable (or at least not wholly uncomfortable) in the grey areas – most of privacy law in the US is unformed, and most of the law everywhere but the EU is new enough that it hasn’t been challenged
•  Network with other privacy professionals
•  Ask questions – there is no such thing as a stupid question

8. Resources

Sample resources

Sites
•  ACC
•  AvePoint
•  IAPP (New DPO Blog)
•  Nymity
•  Stop Think Connect
•  Teach Privacy
•  TRUSTe

Law Firms
•  Fieldfisher
•  Baker McKenzie
•  Bird & Bird
•  Hogan Lovells
•  Hunton and Williams
•  Jones Day
•  Winston and Strawn

Social Media
•  @ACC_ITPEC
•  @darkreading
•  @EUPrivacyLawyer (Phil Lee, Fieldfisher)
•  @ftc
•  @ICONew
•  @lexology
•  @ICONews