The webinar discussed privacy frameworks and how they provide the foundation for effective privacy programs. It introduced the TrustArc-Nymity Privacy & Data Governance Framework and explained how it is based on international standards. The framework takes an accountability-based approach and can be used to map activities to various regulatory requirements to demonstrate compliance. It also described how organizations can use the framework to build out the components of a comprehensive privacy program.
Privacy Frameworks: The Foundation for Every Privacy Program
1. Thank you for joining the webinar Privacy Frameworks: The Foundation of Every Privacy Program
● We will be starting a couple of minutes after the hour
● This webinar will be recorded, and the recording and slides will be sent out later today
● Please use the GoToWebinar control panel on the right-hand side to submit any questions for the speakers
3. Speakers
Joanne Furtsch
CIPP/C, CIPP/US, CIPT, FIP
Director, Privacy Intelligence Development
TrustArc
Paul Breitbarth
LL.M
Director, EU Policy & Strategy
TrustArc
Meaghan McCluskey
LL.B., CIPP/US/E, CIPM
Director of Research
TrustArc
4. Agenda
● Introducing the TrustArc-Nymity Privacy & Data Governance Framework
● The value of using a privacy framework as the backbone of your privacy program
● Using the TrustArc Framework in combination with international standards
● Q&A
5. Polling Question
Are you using a framework as the basis of your privacy program?
● Nymity Privacy Management Accountability Framework
● TrustArc Privacy & Data Governance Framework
● ISO, NIST, or other external framework
● Own developed framework or guiding principles
● None
14. Privacy Management Categories

| Privacy Management Category | Phase markers |
|---|---|
| Maintain Governance Structure | ◼︎ ◼︎ |
| Maintain Personal Data Inventory and Data Transfer Mechanism | ◼︎ ◼︎ ◼︎ |
| Maintain Internal Data Privacy Policy | ◼︎ ◼︎ ◼︎ |
| Embed Data Privacy Into Operations | ◼︎ ◼︎ |
| Maintain Training and Awareness Program | ◼︎ ◼︎ |
| Manage Information Security Risk | ◼︎ ◼︎ ◼︎ |
| Manage Third Party Risk | ◼︎ ◼︎ ◼︎ |
| Maintain Notices | ◼︎ ◼︎ |
| Respond to Requests and Complaints from Individuals | ◼︎ ◼︎ ◼︎ |
| Monitor for New Operational Practices | ◼︎ ◼︎ |
| Maintain Data Privacy Breach Management Program | ◼︎ ◼︎ ◼︎ |
| Monitor Data Handling Practices | ◼︎ |
| Track External Criteria | ◼︎ |

Legend: ◼︎ Build ◼︎ Implement ◼︎ Demonstrate
17. Accountability Based Approach
Leverage existing activities to comply with many laws, and use evidence of accountability to demonstrate compliance.

ONE ACCOUNTABLE PRIVACY PROGRAM: Evidence of Privacy Management Activities or Controls exists throughout the organization (within the privacy program as well as operations); evidence is collected in a centralized repository, structured in line with the Privacy Management Categories or Standards.

MANY REGULATORY REQUIREMENTS: Evidence of accountability is mapped to requirements, allowing the organization to demonstrate compliance with laws and regulations on demand, supported by evidence.
18. Framework Mapping to International Standards
GDPR, CCPA, LGPD and NIST Compared – but there are many more…

| # | Privacy Management Category | Accountability | Compliance mappings (EU GDPR, California CCPA, Brazil LGPD, NIST) |
|---|---|---|---|
| 1 | Maintain Governance Structure | ◼︎◼︎ | X X X |
| 2 | Maintain Personal Data Inventory | ◼︎◼︎◼︎ | X X X X |
| 3 | Maintain Data Privacy Policy | ◼︎◼︎◼︎ | X X X X |
| 4 | Embed Data Privacy into Operations | ◼︎◼︎ | X X X X |
| 5 | Maintain Training and Awareness Program | ◼︎◼︎ | X X X X |
| 6 | Manage Information Security Risk | ◼︎◼︎◼︎ | X X X |
| 7 | Manage Third-Party Risk | ◼︎◼︎◼︎ | X X X X |
| 8 | Maintain Notices | ◼︎◼︎ | X X X X |
| 9 | Maintain Procedures for Inquiries and Complaints | ◼︎◼︎◼︎ | X X X X |
| 10 | Monitor for New Operational Practices | ◼︎◼︎ | X X X |
| 11 | Maintain a Data Privacy Breach Management Program | ◼︎◼︎◼︎ | X X X X |
| 12 | Monitor Data Handling Practices | ◼︎ | X X X |
| 13 | Track External Criteria | ◼︎ | X X |
20. Getting Started with a Framework-based Program
Updated version available soon
21. Framework to GDPR

Accountability Annotation
Article 13 - Controllers' obligations to provide notice to data subjects
Article 13 provides that where personal data relating to data subjects are collected, controllers must provide certain minimum information to those data subjects through an information notice. It also sets out requirements for the timing of the notice and identifies when exemptions may apply. See Recitals 60-62.

Technical or Organisational Measures
● Maintain a data privacy notice that details the organization's personal data handling practices: this privacy management activity ensures that controllers put in place policies and procedures to ensure that the required information is provided to data subjects when their information is collected.
● Maintain policies/procedures for secondary uses of personal data: this privacy management activity addresses having policies and procedures that define how to handle situations when the organisation wishes to use personal data beyond the primary purpose. Secondary uses of data must be disclosed in information notices under Articles 13 and 14.
● Provide data privacy notice at all points where personal data is collected: this privacy management activity addresses how an organisation provides an opportunity for data subjects to review the organisation's privacy notice at the point of data collection.

Example Accountability Mechanisms
● Data privacy notice
● Just-in-time data privacy notice
● Mobile data privacy notice
● Short form/condensed data privacy notice
● Translated data privacy notice
● Privacy notice language for hard copy forms
● Privacy notice signage
● Privacy notice in marketing communications
● Privacy notice in contracts and terms
● Scripts for providing notice via phone

Example Evidence
● Copy of the information notice provided to data subjects
● Documentation showing that the privacy notice is aligned to legal requirements
● Details on the placement and timing of the notice
● Copies of contracts showing requirements for privacy notice language
● Records of training sessions with call center reps providing instruction on how to provide notice via phone
22. Framework to CCPA

Accountability Annotation
1798.115
This section addresses the right to request, from businesses that sell or disclose personal information for business purposes, disclosure of the categories of personal information that the business sold or disclosed and the categories of third parties to whom those categories of personal information were sold or disclosed in the preceding 12 months.
Third parties cannot sell personal information that was sold to them by a business unless:
● notice is given to consumers; and
● they have an opportunity to opt out.

Technical or Organisational Measures
● Maintain a data privacy notice: this privacy management activity ensures policies and procedures are in place for required information to be provided to consumers about the sale of their personal information.
● Maintain and implement procedures to provide for and respond to requests for information: this privacy management activity addresses the primary processes and procedures needed to ensure businesses can respond to requests in a timely and appropriate manner.
● Maintain and implement procedures to provide for and respond to requests to opt out of, restrict or object to processing: this privacy management activity addresses the primary processes and procedures needed to ensure consumers can opt out of the sale of their personal information upon request, in a timely and effective manner.

Example Accountability Mechanisms
● Data privacy notice
● Opt-out request form
● Disclosure request form
● Procedures for responding to customer requests
● Template letters for responding to requests
● Request log
● Customer service mailbox

Example Evidence
● Copy of the information notice provided to consumers
● Documentation showing that the privacy notice is aligned to legal requirements
● Documentation that workflows for requests demonstrate that procedures are being followed
● Random audit of files that demonstrates that templates are used in communications with requestors
● Documentation that the customer service mailbox is tested to verify it is monitored and responded to
● Log tracking requests that validates that timelines for responses are met
● Audit results showing that procedures are being followed
25. Speakers
Joanne Furtsch
CIPP/C, CIPP/US, CIPT, FIP
Director, Privacy Intelligence Development
TrustArc
Paul Breitbarth
LL.M
Director, EU Policy & Strategy
TrustArc
Meaghan McCluskey
LL.B., CIPP/US/E, CIPM
Director of Research
TrustArc
26. Upcoming Webinars
● Assessing Risk: How Organizations Can Proactively Manage Privacy Risk – April 22, 2020 @ 12:00 EDT
● EMEA Quarterly Update: Two Years Later – April 29, 2020 @ 10:00 EDT

Past Webinars
● COVID-19 – What are the Potential Impacts on Data Privacy? (Free Download)