Privacy Program Management: A Framework for Success [Webinar Slides]
1 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017 v © TRUSTe Inc., 2017 Privacy Program Management: A Framework for Success March 23, 2017

Upload: truste

Post on 11-Apr-2017


TRANSCRIPT

Page 1: Privacy Program Management: A Framework for Success [Webinar Slides]

Privacy Program Management: A Framework for Success

March 23, 2017

Page 2

Today’s Speaker: Hilary Wandall, General Counsel and Chief Data Governance Officer, TRUSTe

Page 3

Today’s Agenda

• Welcome & Introductions

• Policy and Regulatory Origins and Developments

• Choosing a Model

• Framework for Core Program Elements

• 3Ds: Design, Document & Demonstrate

• Q&A

Page 4

Policy and Regulatory Origins and Developments

Page 5

Policy and Regulatory Origins

• OECD Privacy Guidelines – 1980

– Accountability Principle

• PIPEDA (Canada) – 2000

– Accountability Principle

• APEC Privacy Framework – 2005

– Accountability Principle

• CIPL Accountability Project – 2008

• APEC CBPRs – 2011

• Canada Privacy Management Program – 2012

• Revised OECD Privacy Guidelines – 2013

– Privacy Management Programme

• EU GDPR – 2016

Page 6

OECD Privacy Guidelines 2013

• New Part III – Implementing Accountability

– Establish a Privacy Management Programme

o Implements requirements of the Guidelines

o Tailored based on structure, scale, sensitivity and volume of the operations (“risk factors”)

o Safeguards implemented based on privacy risk assessment

o Integrated with organizational governance and oversight mechanisms

o Inquiry and incident response mechanisms

o Update based on monitoring and periodic assessment

– Demonstrate the programme to regulators and others responsible for enforcement

Page 7

EU GDPR – Example Provisions

• Article 5.2

– Controllers are responsible for demonstrating compliance with the principles of:

o Lawfulness, fairness and transparency

o Purpose limitation

o Data minimization

o Accuracy

o Storage limitation

o Integrity and confidentiality

• Article 24

– Controllers are responsible for implementing organizational and technical measures to ensure and demonstrate that processing is compliant, such as policies and procedures, codes of conduct, or certification

• Article 39 – Tasks of the DPO

– Advice, monitoring compliance, awareness, training, audits

Page 8

Choose a Model

Page 9

Choose a Model

• Consider organizational structure

– Where are you headquartered?

– Centralized versus distributed

– Is central coordination possible and effective?

– How do other organizational governance functions operate?

• Consider functional alignment and coordination

– Which organizational area is best suited to support sustainable success of the program?

– Is there a strong executive champion?

– What levels of cross-functional coordination are needed – strategic vs. tactical?

• Consider legal requirements, ethical obligations and risk

– Legal drivers, culture toward ethical and CSR considerations

– Organizational risk tolerance

Page 10

Aligning Organizational Governance & Oversight

[Diagram of organizational functions to align: Legal, Regulatory, Government Affairs, Compliance, Ethics, CSR, IT, Data & Records Mgmt., Business Analytics, Risk Mgmt., Privacy]

Page 11

Aligning Organizational Governance & Oversight

• Elements of an Effective Ethics and Compliance Program

– Establish Policies, Procedures and Controls

– Exercise Effective Compliance & Ethics Oversight

– Exercise Due Diligence (third party risk)

– Communicate and Educate Employees

– Monitor and Audit for Effectiveness

– Ensure Consistent Rewards and Sanctions

– Incident Response and Prevention

Page 12

Framework for Core Program Elements

Page 13

Build Your Program – 6 Essential Elements

Build: Establish, maintain and evolve an integrated privacy and data governance program aligned with other data management and information risk functions such as security, IP, trade secret protection and e-discovery.

• Integrated Governance – Identify stakeholders. Establish program leadership and governance. Define program mission, vision and goals.

• Risk Assessment – Identify, assess and classify data-related strategic, operational, legal compliance and financial risks.

• Resource Allocation – Establish budgets. Define roles and responsibilities. Assign competent personnel.

• Policies & Standards – Develop policies, procedures and guidelines to define and deploy effective and sustainable governance and controls for managing data-related risks.

• Processes – Establish, manage, measure and continually improve processes for PIAs, vendor assessments, incident management and breach notification, complaint handling and individual rights management.

• Awareness & Training – Communicate expectations. Provide general & contextual training.

Learn and Evolve Over Time

Page 14

Demonstrate Your Program – 2 Core Standards

Demonstrate: Demonstrate program and practices compliance, maturity, responsibility and value to organizational leadership, regulators, customers and other stakeholders through monitoring, assurance, reporting and certification.

• Monitoring & Assurance – Evaluate and audit effectiveness of controls and risk mitigation initiatives.

• Reporting & Certification – Demonstrate the value and effectiveness of your program and controls to customers, employees, management, the board of directors, regulators and the public.

Learn and Evolve Over Time

Page 15

3Ds: Design, Document, Demonstrate

Page 16

Tools to Build and Demonstrate Your Program

Supported by the TRUSTe Data Privacy Management Platform

Pages 17–21

Privacy & Data Governance Program Assessment

Page 22

Questions?

Page 23

Contact: Hilary Wandall, [email protected]

Page 24

Register now for the next webinar in our 2017 Winter/Spring Webinar Series on April 13, 2017: “Swiss-US Privacy Shield Rollout: What to Expect”

• https://info.truste.com/swiss-us-privacy-shield-rollout-webinar.html

See http://www.truste.com/insightseries for the 2017 Privacy Insight Series and past webinar recordings.

Thank You!

Page 25

Register now for the next webinar in our 2017 Winter/Spring Webinar Series on April 27, 2017: “ROI of Privacy: Building a Case for Investment”

• https://info.truste.com/roi-of-privacy-webinar.html

See http://www.truste.com/insightseries for the 2017 Privacy Insight Series and past webinar recordings.

Thank You!