Changing Role of the CPO in Today's Privacy Ecosystem | TRUSTe Webinar


Changing Role of the CPO in Today's Privacy Ecosystem
September 22, 2016

Privacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016


Today’s Speakers
• Hilary Wandall, General Counsel & Chief Data Governance Officer, TRUSTe
• Scott Taylor, AVP Compliance & Chief Privacy Officer, Merck & Co., Inc.
• Barbara Lawler, Chief Privacy Officer, Intuit



Today’s Agenda
• Welcome & Introductions
• Evolution of the Role
• Core Responsibilities
• Making it Operational
• Addressing the EU GDPR’s DPO Requirements
• Q&A



Evolution of the Role



How the role has developed over more than a half century
• 1970s: First Privacy Officer positions were created in Germany
• 1991: First CPO appointed in the U.S.
• 2002: International Association of Privacy Professionals (IAPP) created
• 2003: HIPAA Privacy Officer positions required in the U.S.
• 2007: EU WP 153 - Elements and Principles for BCRs - Governance
• 2011: Designated individual required by APEC Cross-Border Privacy Rules
• 2004-2014: Data Protection Officer (DPO) roles required outside the U.S. and EU, such as Canada, Colombia, Ghana, India, Israel, Korea, Mexico, Montenegro, Philippines, Russia, Singapore, South Africa, Ukraine
• 2016: U.S. Federal Agencies required to appoint a Senior Agency Official for Privacy (SAOP)
• 2018: GDPR requires appointment of mandatory DPOs with specific statutory criteria for expertise, professional qualities, responsibilities, resourcing, independence and reporting



Core Responsibilities



Program Goals: Compliance. Accountability. Governance.
Driven by organizational experience, culture, resources, business aspirations

Regulatory Compliance
• Privacy notices
• Consents
• Opt-outs
• Contracts
• Security program
• Breach management and notification
• Complaint and individual rights requests handling

Accountability & Stewardship
Regulatory Compliance +
• Management ownership
• Privacy leader or team
• Comprehensive policies
• Awareness and training
• Risk assessment
• Privacy by design
• Ongoing assurance
• Continuous improvement

Strategic Data Governance
Accountability +
• Holistic approach
• Interoperable across jurisdictions
• Data as an asset
• Integrated with other data-driven obligations, e.g.:
  • data security
  • IP & trade secrets
  • e-discovery
  • records management


According to IAPP-EY Annual Privacy Governance Report 2016



Privacy Framework

Oversight
• Identify Risks and Opportunities
• Integrated Governance

Effective Approach
Commitment
• Solid policies aligned to external criteria
• Management commitment
• Full transparency
Implementation
• Mechanisms to ensure policies and commitments are put into effect with employees
Validation
• Monitoring and assurance programs that validate both coverage and effectiveness of implementation

Demonstration
• Demonstrate capacity to internal stakeholders (Management, Internal Audit, Board)
• Demonstrate capacity to external stakeholders (Trust Agents, Regulators)
• Demonstrate capacity to individual data subjects


Data Stewardship in an Evolving Digital World: Is the role of the CPO changing?

Products: Privacy in products and services
What Remains the Same
• Promoting trust online (and offline)
• Global and local tensions about appropriate and ethical collection, transfer and uses of data
• Data Stewardship Principles and FIPPs-based privacy policies
• Customer first
• Product-focused
• Intuit PbD & PIA

Ecosystems: Data governance and privacy across product ecosystems
What’s Changed
• Enabling or driving innovation
• Promoting digital trust everywhere
• Data at the center of every discussion
• Robust analytics, machine learning, A.I.
• Platforms and distributed services
• Demonstrating (and documenting) compliance


Making it Operational



Putting Policies and Standards into Practice
We often hear from privacy professionals who are starting up a program, or looking to take it to the next stage, that they find it difficult to translate legal opinions and the letter of laws and regulations into effective, sustainable practices within their organizations.
1. How have you addressed this challenge in your career?
2. Are there any best practices that you would recommend?
3. Do you have any insights for SMEs?



Addressing the GDPR’s DPO Requirements



According to IAPP-EY Annual Privacy Governance Report 2016



Compliance and Accountability: EU GDPR DPO Role

Controllers and Processors are Required to Appoint a DPO If:
• The organization’s core activities consist of processing on a large scale of sensitive data (e.g., health, race, ethnicity, biometric, religion) or criminal data
• The organization’s core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale
• Processing is carried out by a public authority or body
• Mandated by EU country law (e.g., Germany)

DPO Competencies
• Expertise in data protection law
• Professional qualities (e.g., leadership, communications, program management, business acumen, understanding of technology, strategic thinking, influence)

Role and Responsibilities
• Governance: employee or contractor; a single appointee for a corporate group as long as readily accessible from any location of the organization
• Transparency: DPO contact details published and communicated to DPAs
• Professional responsibility: independent decisions, reports to senior management, no conflicts, protected from dismissal, duty of confidentiality
• Training and awareness of staff
• Monitoring and assurance: advice to staff on obligations and assurance of implementation, risk assessment, consultation and monitoring on DPIAs, auditing
• Complaint handling: individuals can raise concerns and exercise rights with the DPO
• Regulatory liaison: primary contact to DPAs, cooperation with DPAs on complaints, investigations, demonstration of organizational accountability, prior consultation on DPIAs and breaches
• Organizational support and resources: organizations must ensure timely and proper involvement of the DPO in all data protection-related issues, as well as provide proper resources for the DPO to fulfill responsibilities and maintain expertise


According to IAPP-EY Annual Privacy Governance Report 2016



Questions?



Contacts
• Hilary Wandall: hilary@truste.com
• Scott Taylor: scott.taylor3@merck.com
• Barb Lawler: barbara_lawler@intuit.com


Thank You!
Details of our 2016 Summer/Fall Webinar Series are now available. Register now for our next webinar on October 21, “Building a Privacy Governance Program”.

See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.

