This document outlines key aspects of establishing an effective privacy program. It discusses defining a privacy mission and strategy, establishing a governance team, developing a framework aligned to policies and standards, and defining performance metrics. It also covers the privacy operational lifecycle, including assessing privacy using maturity models, protecting data through its lifecycle via data lifecycle management and privacy by design, sustaining privacy through compliance monitoring and audits, and responding to incidents and requests. The presenter provides this overview to help organizations effectively address privacy through all stages from assessment to response.
2. Symptai
• Symptai Consulting Limited is an independent IS Audit, Security &
Business Assurance firm founded in 1998.
• We are an industry leader in technology consulting services for
assurance, security, business processes, and compliance with
numerous success stories and excellent client retention rates.
3. Andrew A. Nooks
Director, Symptai Consulting Ltd
Member, Board of Directors, eGov Jamaica
Certs: CISA, CISSP, CISSP-ISSAP, CIPM, CSSLP, CISM, CRISC, PCIP, ISO27001, ITSM
Interests: Volleyball, Swimming, Aikido
4. Disclaimer
• This presentation is based on research collated from the Internet, leveraging articles from the International Association of Privacy Professionals (IAPP), an organization of which I am a member, and its contributors.
• I have also leveraged my own experience as an IS practitioner for over twenty-five (25) years, thirteen (13) of which have been dedicated to Information Security and related controls, including privacy, as well as the knowledge and experience of the Symptai team.
5. Definition of Privacy
• Privacy: the right to be left alone, or freedom from interference or intrusion.
• Information privacy: the right to have some control over how your personal information is collected and used.
• Impact: how organizations protect data in its various states: at rest, in transit and in use.
6. Why is Privacy Important?
Due to advances in technological innovation, information privacy is becoming more complex by the minute as more data is being collected and exchanged.
As technology gets more sophisticated, so do the uses of data. This leaves organizations facing an incredibly complex risk matrix for ensuring that personal information is protected.
7. In the News (Sources: https://www.scmagazine.com, https://iapp.org/news)
8. Business Risk
Inherent High Risk
• Health
• Banking
• Insurance
• Telecoms
Legal & Compliance
• GDPR and other Data Protection Legislation
• PCI DSS
• HIPAA
9. Primary Components of a Privacy Program
• Privacy Program Governance
• Privacy Operational Life-Cycle Management
12. Privacy Program Governance
Strategy Management
• Vision and Mission
• Develop a strategy
• Team structure and composition
Framework
• Frameworks
• Policies, Procedures, Standards and Guidelines
Performance
• Metrics and measurements (Identify, Define, Select, Collect, Analyze)
13. Business Case
• Organizational Privacy Office Guidance
• Define Privacy
• Laws and Regulations
• Technical Controls
• External Privacy Organizations
• Industry Frameworks
• Privacy Information Technology
• Education and Awareness
• Program Assurance
19. In Summary
1. Define the privacy mission statement
2. Develop a strategy
3. Define team structure
4. Develop a framework aligned to the organization
5. Develop and communicate policies, procedures, standards and guidelines
6. Define performance metrics
7. Assess based on the governance model
8. Protect: DLM and information security, embedding privacy in the organization
9. Conduct risk assessments (RA) and privacy impact assessments (PIA)
10. Monitor, audit and communicate
11. Respond to requests
12. Accountability
13. Incident management
Privacy Framework: an implementation roadmap that provides a structure or checklist to guide the privacy professional through privacy management and prompts them for the details needed to determine all privacy-relevant decisions of the organization.
Strategy Management
• Vision and Mission (statements, scope, compliance, legal)
• Develop a strategy (Stakeholders: CISO, CRO, GLC, CIO, HRM, CMO; key functions; interfacing; data governance strategy covering collection, authorized use, access, security and destruction; privacy workshop)
• Team structure (Governance model: centralized, decentralized or hybrid; organizational model: CPO, privacy manager; professional competency: CIPM, CIPP, CIPT)
Managing risk
Framework
• Assists in risk management
• Minimizes incidents of data loss
• Protects reputation and market value
• Aids compliance with laws, regulations and standards
Frameworks (Privacy by Design, Privacy Maturity Model)
• APEC Privacy Framework: enables regional data transfers (C2B, B2B, B2G)
• Guidance from the UK Information Commissioner's Office
• Canadian Personal Information Protection and Electronic Documents Act (PIPEDA)
• Australian Privacy Principles
• Organization for Economic Co-operation and Development (OECD) Privacy Guidelines
Framework questions
• Are risks defined and identified, and is there a business case?
• Who has responsibility?
• Are gaps in privacy management understood?
• Is privacy management being monitored?
• Are employees trained?
• Are best practices for data inventory, risk assessments and privacy impact assessments in place?
• Is there an incident response plan?
• Is there a communication policy on privacy-related matters, and are materials kept up to date?
Policies, Procedures, Standards and Guidelines (business case, gap analysis, review process and monitoring, communication to stakeholders)
Performance
• Metrics should be measurable, meaningful, unambiguous and specific
• External privacy organizations: Data Commissioner's office
• Privacy-enhancing technologies
• Industry frameworks such as the AICPA Generally Accepted Privacy Principles (collection, use)
• Privacy Maturity Model (PMM) levels: ad hoc, repeatable, defined, managed, optimized
• Privacy by Design (PbD): assess organizational objectives and goals (Dr. Ann Cavoukian)
Support for these areas
• Internal Audit and Risk Management
• Information Technology: Business Continuity/DRP
• Information Security: response and breach notification
• Legal and Contracts: compliance, mergers, acquisitions, divestitures
• Processors and third-party vendors
• Human Resources, marketing and business development
• Government relations and public policy
• Finance/business controls
DLM Principles
• Alignment with enterprise objectives
• Minimalism
• Simplify processes
• Provide adequate infrastructure
• Information security
• Authenticity of subjects' records
• Retrievability
• Distribution controls
• Auditability
• Consistency of policies
• Enforcement