Building an Effective Privacy Program – Six Practical Steps September 24, 2015
Privacy Insight Series
Today’s Speakers
Beth Sipula, CIPP/US, Senior Consultant, TRUSTe
Paola Zeni, Director, Global Privacy, Ethics and Compliance, Symantec Corporation
Six Practical Steps Framework
The framework diagram groups the six steps into five areas:
• Development and Management
• Risk Management
• Vendor & Third Parties
• Privacy by Design
• Incident Response
Poll Question #1 – What level on the maturity scale is your organization?
Staged Maturity Levels
• Level 1 Initial – Process unpredictable
• Level 2 Managed – Process characterized & understood
• Level 3 Defined – Process in place & proactive
• Level 4 Quantitatively Managed – Process measured & controlled
• Level 5 Optimized – Continuous improvement
Step 1 - Create the Framework
Create the framework based on the requirements for your organization:
• Analysis of regulatory and contractual requirements
• Review legislative requirements by geography
• Develop a budget and a roadmap
• Privacy Committee / Privacy Champions
Poll Question #2 – What team or business unit is primarily responsible for managing privacy risks in your organization?
• Legal/Compliance
• IT/Security
• Internal Audit
• Product/Development
• Other
Step 2 - Risk Management
Develop a risk management process:
• Data discovery and data inventory
• Comprehensive risk assessment process
• Risk Management Committee to rank ongoing risks
• Executive sponsor and champion
Step 3 - Privacy by Design
Build in privacy:
• Privacy impact assessments (PIAs)
• Create tools and processes for product/development teams
• Identify risks and analyze impacts
• Leverage existing development processes where possible
• Training
Step 4 - Incident Response
Develop an incident response plan:
• Process, plan and toolkit
• RACI charts
  • Responsible / Accountable / Consulted / Informed
  • Privilege
• Crisis communications plan (internal/external)
• Test the plan regularly and update it
  • Tabletop exercises
  • Common scenarios
Step 5 - Vendor and Third Party Management
Develop a comprehensive approach:
• Understand who has access to sensitive data, for what purpose, how it is accessed, and where it is transferred
• Documentation
• Contractual requirements
• Partner with Procurement
Step 6 - Program Development and Ongoing Monitoring
How do you keep moving forward once you have the basics in place?
• Monitor regulatory changes
• Establish metrics to measure your program's effectiveness
• Report on program effectiveness
• Ongoing training and communication
  • Building privacy champions
  • Employee training
  • Privacy-sensitive culture
Key Take-Aways
• Start with a roadmap and implement the basics
• Manage risks
• Partner with other areas of the organization
• Utilize tools and automate whenever possible
• Prioritize training and communicate privacy
• Put in place the building blocks of a privacy-centric culture
Moving Forward
The closing slide repeats the framework diagram: Development and Management, Risk Management, Vendor & Third Parties, Privacy by Design, Incident Response.
Questions?
Contacts
Beth Sipula – bsipula@truste.com
Paola Zeni – paola.zeni@veritas.com
Thank You!
Don't miss the next webinar in the Series, “Top 5 Things the CISO Needs to Know about Data Privacy”, on October 15th. See http://www.truste.com/insightseries for details of future webinars and recordings.