Things that drive your organization to become compliant.
Define the scope of the program
Select an appropriate privacy framework.
Develop the organization privacy strategy.
Privacy Professional - a member of the privacy team.
Mission statement - readable in under 30 seconds; states what our purpose is.
Vision - how we will get there and the time frame.
Examples:
Stanford -
protect the privacy of students
Example for other universities
Identify personal information captured.
Identify laws and regulations that you are required to follow.
Set up interviews with every group that processes personal information
Functional groups - HR
IT
Security
Finance
Engage an outside consultancy
Identify where the personal information is
Questions to ask:
Where is the personal information?
Where is data stored physically?
How long is data retained?
How is data deleted?
What security controls are in place to protect the data?
Comply with the most restrictive applicable regulation, not the least restrictive.
Identify the applicable privacy regulations by:
Region (CCPA in California, GDPR in the EU)
Data subjects (COPPA for children)
Financial transactions
Co-regulatory model (industry implements, regulators oversee)
Self-regulatory model (industry code of practice)
PCI DSS is a self-regulatory industry standard, not a law
Find the framework that works the best for your organization.
Supports business commitment
Supports legal and regulatory requirements.
Serves as a competitive advantage
Principles and standards
Fair Information Practices
OECD Guidelines - transborder data flows
CSA Model Code for the Protection of Personal Information - basis of PIPEDA
APEC Privacy Framework
Laws, regulations, and programs
HIPAA
PIPEDA
GDPR
Privacy Program Management
Privacy by Design
ENISA
NIST
Introduction to Risk Assessment and Privacy Engineering
Questions a privacy framework should answer:
Have privacy risks been identified?
Is responsibility for the privacy program assigned to an individual?
Is monitoring in place?
Are employees properly trained?
Is there an incident response plan?
Are best practices followed for subject access requests (SARs) and data destruction?
Strategies
Build to the strictest applicable standard so that the less strict ones are satisfied automatically.
Vendors can implement solutions for you
Vendor Categories
Data Mapping
Incident Response
Assessment
Consent
Website scanning / cookie compliance
GRC tools
Governance, Risk, and Compliance
Oversee compliance across the organization
Must determine the best strategy
May have to change culture to implement strategy
Identify stakeholders and champions
Pick a governance model depending on whether the program is run globally or regionally (replicated per region).
Place the program under the Legal function or under the IT function
Involvement
Senior leadership
Stakeholders
Leverage communications
Models
Centralized
CPO
One team to manage privacy related affairs
Very efficient: one decision maker
Decentralized
Works well when controls can be delegated down the organization.
May duplicate processes across the organization
Hybrid
Combination of local and centralized governance
Each region has a privacy manager who reports into the central privacy function (e.g., the CPO).
Reporting structure
Define how the regional teams report back to the central program owner.
Roles
CPO
Privacy Manager
DPO
Privacy Analysts
First Responders
DPO: required by Article 37 of the GDPR
PIPEDA requires a designated individual accountable for compliance
South Korea's PIPA requires a designated privacy officer
When do regulations require a DPO?
When core activities involve regular and systematic monitoring of data subjects on a large scale.
When processing special categories of data (or criminal conviction data) on a large scale
Requirements
Expert knowledge of data protection law
Experience implementing a range of privacy program activities
PIA (privacy impact assessment)
SAR (subject access request)