Building a Privacy Governance Program October 21, 2016
Privacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
Today’s Speakers
• Michelle Fleury, Senior Director, Supply Chain Operations, Cisco
• Patrick Curry, Director, Privacy and Compliance, McKesson
• Eleanor Treharne-Jones (Moderator), Vice President Consulting, TRUSTe
Today’s Agenda
• Welcome & Introductions
• Understanding the Role of Data in Corporate Strategy
• Building Data Protection Programs
• Steps for Rapid Deployment
• Q&A
Cisco’s Strategy: #DigitalBusiness Depends on #Data
[Figure: The Business Model Canvas by @strategyzer. Labels shown: Intellectual Property; Deal Prospects; Corporate Strategy; Support Data; Product Roadmaps; Customer Sat Ratings; Key Activities; Relationships; Employee Information; Sales Records; Trade Secrets; Brand Strategy; Pricing Details; Discount Rates; Customers; Strategic Partners; Key Resources; Distribution Channels]
180+ Years in Health Care
Healthcare Trends
• Innovation
• Cost Containment
• Chronic Diseases: Diabetes - worldwide: 55% increase by 2035²
• Global Shift in Demographics: Ongoing growth in 65+ years¹
• Consolidation
• Regulatory Change
• Value-Based Care: 2/3 of the market by 2020³
• Rise of Consumerism
Patient-centered model = Health data for millions of patients
¹ 10 Projections for the Global Population in 2050, Pew Research Center, Feb. 2, 2014.
² 2014 IDF Diabetes Atlas, International Diabetes Foundation.
³ The State of Value-Based Reimbursement and the Transition from Volume to Value in 2014, McKesson Health Solutions, 2014.
Strategic Considerations
• Legal Obligations
• Customer & Market Expectations
• Competitive Differentiation
• Risk Landscape
Cisco’s Data Protection Program
Guiding Principles
• Involve the Business in the Program
• Leverage Your Operational Strengths
• Manage Complexity and Ambiguity through Iteration
Cisco’s Data Protection Program
• Policies and Standards
• Oversight and Enforcement
• Identification and Classification
• Privacy by Design & Int’l Privacy Policy
• Data Risk and Organizational Maturity
• Incident Response
• Security by Design & Data Loss Prevention
• Awareness and Education
McKesson US Pharmaceuticals Privacy Program
• Based on Federal Sentencing Guidelines/HHS OIG guidance
• GRC-based; process harnessed for privacy, IT security risk
• PHI is king: Priority to regulatory & legal obligations
[Diagram: program elements: Program Governance & Resources; Risk Assessment; Policies & Procedures; Enforcement, Discipline & Incentives; Communications; Investigations & Response; Training; Monitoring]
• Helps coordinate multi-faceted approach
• Provides functional backdrop and process for analysis for considerations of choice, data use, consent, collection, etc.
McKesson case example: Programmatic PIA
• Observation: risk of changes to data use without review
• “Follow the circle:”
– What structures need to be in place
– Who owns / manages the process
– What policies / procedures are needed
– Who needs to know what about the updates to the process
– How do we know the process is effective?
– What do we do if people don’t follow the rules?
[Diagram: program elements: Program Governance & Resources; Risk Assessment; Policies & Procedures; Enforcement; Awareness; Investigation & Response; Training; Monitoring]
Outcome: stable and documented process; general awareness of goals and changes; auditable framework
Steps for Rapid Deployment of a DPP
1. Form a multi-disciplinary team, including Privacy and Security
2. Inventory your data – start with high-risk categories & PII
3. Assess your organization’s data protection maturity
4. Choose a program framework and set goals
5. Collect and connect capabilities and processes
6. Identify and prioritize most significant gaps
7. Take “agile” approach to address gaps – wise to iterate
8. Get the word out – people as important as technology
Questions?
Contacts
• Michelle Fleury: mfleury@cisco.com
• Patrick Curry: Patrick.Curry@McKesson.com
• Eleanor Treharne-Jones: eleanor@truste.com
Thank You! Details of our 2016 Summer/Fall Webinar Series are now available. Register now for our next webinar on November 10 “Understanding new EU Guidance on DPIA/PIA requirements”
See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.