Learn how our Advisory Services team guides customers through two critical processes. The first is the process of assessing where you are today and the second is the process of building a stronger privacy program for tomorrow customized to your organization.
2. WHY IS PRIVACY SO HOT RIGHT NOW?
• REGULATORY CHANGES
• ARTIFICIAL INTELLIGENCE
• THIRD PARTY PROCESSING & DATA SHARING
• BIOMETRICS
• MOBILE WORKFORCE
• DATA BREACHES
3. GDPR WAS JUST THE BEGINNING…
• All 50 U.S. states have breach notification laws
• California Consumer Privacy Act (CCPA)
• APEC Cross-Border Privacy Rules (CBPR) system: membership includes U.S., Mexico, Canada, Japan, South Korea; others working to join include Australia, Chinese Taipei, and the Philippines
• Proposed changes to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA)
• Data protection and privacy for all individuals within the EU and the European Economic Area (EEA)
• Updates effective February 2018 affect the Australian Privacy Principles under the Privacy Act 1988
4. THE COST OF NON-COMPLIANCE
$5.47 MILLION: A company’s average spend on compliance (1)
$14 MILLION: The cost of non-compliance, 2.7x more! (1)
$3.86 MILLION: Average cost of a data breach (2)
$2.8 MILLION: Average cost of losing <1% of customers from a breach (2)
1. Ponemon Institute, “Cost of a Data Breach Study”, 2017
2. Ponemon Institute, “Cost of a Data Breach Study”, July 2018
5. DATA PRIVACY MANAGEMENT IS KEY
But there are challenges…
• Constantly changing laws and complex regulations
• Data proliferation has made it too complex to manage manually
• Lack of resources to fulfill increasing subject rights requests
• Unclear how you perform compared to your peers
6. WHAT IF YOU COULD…
1. Identify where personal and sensitive data is located so it can be classified and properly managed throughout its lifecycle?
2. Benchmark your privacy program against your peers and understand where gaps exist?
3. Receive tailored guidance on how to prioritize and address your most pressing challenges?
4. Work with privacy specialists to help you build a stronger privacy program customized to your organization?
7. IRON MOUNTAIN® PRIVACY ADVISORY SERVICE
Accelerating your journey to advanced data privacy management
Assess current state:
• Benchmark: measure against peers (Compare)
• Attestation: document compliance (Collect evidence)
• Privacy Impact (PIAs/DPIAs): evaluate risks (Identify requirements)
Build future-proof program:
• Personal Data Classification: locate and protect data
• Subject Rights Requests: create process
Ongoing cycle: Identify, Protect & Manage, Build Program, Refine
Outputs: Compliance Scorecard, Gap Analysis, Roadmap, Mitigate Risks
8. IRON MOUNTAIN FOR DATA PRIVACY MANAGEMENT
Legal Compliance Expertise + Technology Solutions
EXPERTISE
• 65+ years protecting customer data
• Specialty experience in data mapping, classification, and retention
• Comprehensive support to mitigate risks and achieve compliance
BEST PRACTICES
• Iron Mountain® Privacy Advisory Service
TECHNOLOGY
• Tools and templates that accelerate assessments
• Software to streamline manual processes
• Recommended technology solutions
9. ASSESSING WHERE YOU ARE TODAY
We provide a customized roadmap for improvement based on your current state
Benchmark
• Compare to peers/industry standards
• Identify strengths and gaps
• Prioritize improvements
• Customized report and roadmap
Client Outcomes:
- Validate existing programs
- Align resources with priorities
- Accelerate progress
Attestation
• Customized assessment
• Document compliance
• Solidify direction
• Compliance scorecard
• Updated roadmap
Client Outcomes:
- Prioritize gaps and align resources
- Establish annual reviews
Privacy Impact (PIAs/DPIAs)
• Evaluate applicable laws
• Identify questions
• Evaluate risks
• Custom impact assessment report
Client Outcomes:
- Understanding of GDPR impact
- Proactively mitigate risks
10. BUILD A STRONGER PROGRAM FOR THE FUTURE
Better manage and protect data while satisfying requests for information
Personal Data Classification service
• Identify and locate personal data
• Protect what needs protecting
• Delete redundant, obsolete, or trivial data
• Complete report on analysis
Client Outcomes:
- End-to-end visibility of data privacy needs
- Improve protection
- Free up storage
- Reduce complexity and risk
Subject Rights Request Management Planning
• Identify requirements
• Define and document procedures
• Recommend and implement technology
• Train staff
Client Outcomes:
- Confidently handle subject rights requests
- Streamline request process
- Trained staff
11. IRON MOUNTAIN SERVICE OFFERINGS FOR THE FULL LIFECYCLE OF SENSITIVE DATA
Know Your Retention and Privacy Obligations. Show Compliance.
Iron Cloud™ and Secure Storage Services
Secure and protect the valuable information you plan to retain
Document Imaging Services
Have paper documents scanned and indexed, with metadata applied, for easy data retrieval
Shredding and Secure e-Waste and IT Asset Disposition Services
Destroy data in accordance with regulations governing information destruction
Policy Center Solution
A cloud-based service that helps keep your records retention and data privacy policy management connected, current and compliant
• Expert Advisory Services team support
• Create a unified view of personal data and related obligations
• Continuously updated online portal
• Easily distribute policy to key stakeholders
12. EMPOWERING OUR CLIENTS WITH ENTERPRISE DATA PRIVACY MANAGEMENT
Respond swiftly to audits
Reduce exposure of data to breaches
Streamline data protection
Model industry best practices
Create a culture of ethics and compliance
Make stronger, data-driven decisions
Lower the risk of fines
Leverage technology
13. IT’S EASY AND FREE TO GET STARTED
Reach out to our Advisory Services team to conduct a complimentary benchmark assessment and learn how your privacy program compares to your peers
Hello and welcome! I’m looking forward to sharing the benefits of our Iron Mountain® Privacy Advisory Service, and why now, more than ever, having a strong data privacy management practice is critical for your business.
Let’s talk first about why privacy is such a hot topic today. There are a lot of complex trends influencing the focus on privacy from every level of business, from IT and cybersecurity, to partners, to employees, and of course, government and industry regulations.
Examples of privacy concerns include the obvious malicious events like cyberattacks or even accidental data breaches – we’ve all seen the headlines and know how damaging these can be to your reputation and the bottom line.
Meanwhile, your workforce is mobile. Even if they regularly work in the office, they use phones, tablets, and laptops to access data that is often sensitive. What happens when those devices are compromised, lost, or not correctly managed?
Pushing the frontier of AI and biometrics also means pushing the boundaries of privacy. What must we be careful about when leveraging personal information for commercial, marketing, or predictive analytics purposes?
Business is rarely done alone. We all rely on third parties to get the job done, which can include processing and sharing personal data. How do you ensure alignment with these entities and that they comply with all necessary regulations?
And speaking of regulations, this is at the forefront for so many companies today. It’s no easy task proving compliance with the ever-changing, ever-evolving industry and government regulations around the globe. [DETAILS ON NEXT SLIDE]
GDPR created a huge shift in how businesses must treat personal information. And that shift is still rippling through the global economy, as additional regions strive to augment or define their own privacy rules. This has created a web of complexity that can be hard to navigate, and damaging if mismanaged.
[MORE INFORMATION ABOUT REGIONAL PRIVACY ACTS]
Proposed changes to Canada’s PIPEDA Source: https://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-12/
US – New York, Colorado, California
California Comparison https://adexchanger.com/privacy/how-the-california-consumer-privacy-act-stacks-up-against-gdpr/
http://www.govtech.com/policy/The-Battle-Over-California-Privacy-Ballot-Initiative-Looms-Large-in-2018.html
https://www.caprivacy.org/about
APEC https://www.apec.org/Groups/Committee-on-Trade-and-Investment/Electronic-Commerce-Steering-Group, Singapore https://www.huntonprivacyblog.com/2018/03/08/singapore-joins-the-apec-cbpr-and-prp-systems/
Croatian Privacy Law -- https://iapp.org/news/a/croatian-gdpr-implementation-law-main-features-and-unanswered-questions/
Asia / Cayman Islands / Australia / Mexico / China
Regardless of your organization’s size or industry, the cost of compliance has increased during the past six years and is expected to continue to rise. But the cost of non-compliance far outweighs the cost of compliance, averaging 2.71 times more expensive [PONEMON STUDY 2017]. The cost of non-compliance is primarily attributed to the disruption to business, loss of productivity, revenue loss, and resulting fines and penalties. Data breaches alone can be extremely harmful, with the average cost hovering around 3.8 million dollars.
What’s harder to measure is the impact to your brand and reputation. How many customers lose your trust and in turn, you lose their business? Even a small loss of less than 1% of your customer base can result in millions lost.
What’s the answer? Data privacy management is the key to protecting your customers and your business and minimizing the chance of a costly breach. But this is no easy task. Like we’ve already discussed, the path to protecting data is fraught with challenges, like:
Constantly evolving regulations
The overall growth of data and the complexities of managing it
Not understanding best practices or how your peers are (or are not) successful
And you often lack the resources in-house to manage your data privacy effectively and efficiently – or to satisfy new “data subject rights” requests from your customers and users
Let’s imagine the future. What would it mean to your business and your ability to manage data privacy if you could:
Benchmark your privacy program against your peers and understand where gaps exist?
Receive tailored guidance on how to prioritize and address your most pressing challenges?
Work with privacy specialists to help build a stronger privacy program customized to your organization?
Identify where personal and sensitive data is located so it can be classified and properly managed throughout its lifecycle?
Turns out this future is possible, with Iron Mountain.
To help you, Iron Mountain, the leader in information management and governance with 65+ years of experience protecting customers’ digital and physical information, brings you the Iron Mountain® Privacy Advisory service. This service is designed to assess your current state of data privacy management capabilities, and then create a roadmap to build a program for privacy management that will stand the test of time, all on an accelerated timeline and driven by privacy experts.
Our Advisory Services team guides you through two critical processes. The first is the process of assessing where you are today and the second is the process of building a stronger privacy program customized to your organization. Through high-level and in-depth assessments, you’ll know where you benchmark against peers, and have documentation of your organization’s privacy compliance activities and risks to personal data. You’ll receive a strategic roadmap with practical guidance and support to build a program for identifying where sensitive personal data is located so you can either protect or delete it, managing subject rights requests, and augmenting your staff as needed.
What makes Iron Mountain unique with our Privacy Advisory service offering is the strong combination of expertise, best practices and processes, and technology. Our Advisory Services team, with privacy specialists in areas such as data mapping, classification, and retention, provides you with comprehensive support to mitigate risks associated with personal data and achieve privacy compliance.
Our heritage of data protection and deep experience with privacy management has enabled us to develop best practices and processes that have helped many customers create successful data privacy programs. Through this service, you’ll be provided with comprehensive support to mitigate risks associated with personal data, and achieve privacy compliance. With years of experience providing holistic information governance solutions, the Advisory Services team includes over 100 skilled legal researchers and attorneys, records managers, library and information scientists, and experts in electronic content management with practice areas in most industries.
And we have the know-how to leverage best-in-class technologies to automate and streamline manual, error-prone processes that will otherwise never scale the way you need them to in order to tackle the challenges you face today.
Let’s take a closer look at how you can assess where you are today. We help you assess your current program through a number of approaches and techniques, starting with a benchmark review that compares your privacy program against your peers and industry standards. We then identify strengths, and more importantly, your gaps, and start constructing a roadmap that will help you address them quickly based on your biggest priorities.
We can also help with a customized attestation assessment, where we can help you document evidence of your organization’s compliance with relevant jurisdictional and industry-specific privacy requirements and best practices to manage and protect personal data effectively. Critical gaps here are also identified and we help you prioritize your efforts based on risk, business needs, and resources, so you can close those gaps as quickly as possible.
As you assess your current state, we can also support you with privacy impact assessments (PIAs) and data protection impact assessments (DPIAs) under the EU General Data Protection Regulation (GDPR). First, you’ll be guided through an assessment to evaluate whether or not a PIA/DPIA is recommended or required. You’ll work together with our Advisory Services team to leverage customizable PIA/DPIA templates to include questions relevant to your organization. You’ll receive an output report summarizing the final PIA/DPIA with completed responses and noted decision making criteria, including legal grounds for processing personal data.
Here’s where the rubber starts meeting the road and we begin constructing a program for you that will meet your needs today as well as into the future. Your program will also account for any new processes you need to build to satisfy requests for information, as is a requirement for GDPR data subject rights requests.
As part of helping you build a stronger privacy program for the future, we have a number of technology tools we use to automate the process of identifying and locating personal data throughout your organization. You’ll receive reporting on results from the file analysis, including what types of data were found in your systems, where the data is located, and whether or not the data complies with your retention and privacy policies. We can then bring data under protection that requires it, and also take the opportunity to “clean house” by deleting redundant, obsolete, or otherwise unneeded data that only serves to take up storage space, add to your complexity, and increase your risk.
We can also support you as you develop or enhance your processes to manage requests made by individuals to exercise their subject rights under privacy regulations such as the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA), including informing, correcting and restricting their personal data. Privacy specialists on our Advisory Services team can help manage, refine and build out processes to manage requests based on your organization’s maturity of systems and processes, risk profile and volume of subject rights requests. You’ll work together with Advisory Services to define and document procedures and workflows for evaluating, processing and managing subject rights requests in a way that makes sense for your organization. Advisory Services can recommend and implement appropriate technology, such as data mapping, collection or anonymization software, that may be needed to support your organization in fulfilling subject rights requests. Advisory Services can also provide training on the processes and procedures for employees who will be managing subject rights requests.
Iron Mountain has a number of related services that allow you to address every aspect of privacy data management from cloud and offsite storage, to imaging, to secure disposal. In addition, our Policy Center solution, a comprehensive cloud-based service, helps you stay on top of your records retention and data privacy obligations, giving you what you need to maintain and prove compliance.
The Iron Mountain® Privacy Advisory service empowers clients with the enterprise data privacy management they need. With our service, you will be able to:
Make better, data-driven decisions for customers and for the business
Respond quickly and accurately to audits
Reduce the risk and exposure of data to possible breaches of all types
Lower the risk of non-compliance and in turn, the likelihood of fines
Streamline your capabilities to protect data by automating manual processes and reducing the chance for errors
Smartly leverage technology so you can manage more data, more effectively, with fewer resources, and scale to the levels demanded by the business
Have the confidence that you are modeling your processes after proven best practices for your industry
And ultimately, create the needed culture of ethics and compliance that helps make it all possible
Ready to learn more? It’s easy, and turns out FREE, to get started. If you’re ready to take the next step towards excellence in data privacy management, we’ll connect you to our advisory services team for a complimentary benchmark assessment. This assessment will provide the insights you need to understand how you compare to your peers based on industry best practices.