Privacy Governance

What is Governance?

1. Things that drive your organization to become compliant.

2. Define the scope of the program

3. Select an appropriate privacy framework.

4. Develop the organization privacy strategy.

5. Privacy Professional - a member of the privacy team.

Create an Organization Privacy Vision and Mission Statement

1. Mission statement - less than 30s to read, what is our purpose

2. Vision - how we will get there and the time frame.

3. Examples:

   1. Stanford -

      1. protect the privacy of students

      2. Example for other universities

Define organization privacy program Scope

1. Identify personal information captured.

2. Identify laws and regulations that you are required to follow.

How to identify where personal information is located?

1. Setup interviews with any organizations that process information

   1. Functional groups - HR

   2. IT

   3. Security

   4. Finance

2. Engage an outside consultancy

3. Identify where the personal information is

4. Questions to ask?

   1. Where is the personal information?

   2. Where is data stored physically?

   3. How long is data retained?

   4. How is data deleted?

   5. What security controls are in place to protect the data?

   6. Choose the most restrictive regulations not the least restrictive.

How to identify the regulations you need to follow for your scope?

1. Identify the Privacy

   1. Region - (CCPA, EU)

   2. Subjects (COPPA)

   3. Financial Transactions

   4. CoRegulatory Model (implement but regulators oversee)

   5. Self Regulated model (use a code of practice)

      1. PCI-DSS is self regulated standard not a law

Develop and implement a framework

1. Find the framework that works the best for your organization.

2. Supports business commitment

3. Supports legal and regulatory requirements.

4. Serves as a competitive advantage

Three types of frameworks

1. Principles and standards

   1. Fair Information Practices

   2. OECD - trans border data flow

   3. CSA Privacy Code - PIPEDA

   4. APEC Frameworks

2. Laws, regulations, and programs

   1. HIPAA

   2. PIPEDA

   3. GDPR

3. Privacy Program Management

   1. Privacy by Design

   2. EUNISA

   3. NIST

      1. Introduction to Risk Assessment and Privacy engineering

4. Questions for Privacy Frameworks they answer:

   1. Identify Privacy Risks

   2. Responsibility assigned for the privacy program to an individual

   3. Monitoring in place

   4. Employees properly trained

   5. Incident response plan

   6. Best practices for SAR, Destruction,

5. Strategies

   1. Look to the strictest standard so you have no problems implementing it.

Use a Tech vendor

1. Vendors implement solutions for you

2. Vendor Categories

   1. Data Mapping

   2. Incident Response

   3. Assessment

   4. Consent

   5. Website Scanning/Cookie COmpliance

3. GRC Tools

   1. Governance Risk and Compliance

   2. Oversee compliance across organizations

Develop a Privacy Strategy

1. Must determine the best strategy

2. May have to change culture to implement strategy

3. Identify stakeholders and champions

Conduct a privacy workshop for stakeholders

Structure the Privacy Team

Governance Models

1. Can pick a model depending on whether you want the model to go global or regional and replicated.

2. Put under legal umbrella or put under IT umbrella

3. Involvement

   1. SEnior Leadership

   2. Stakeholders

   3. Leverage communications

4. Models

   1. Centralized

      1. CPO

      2. One team to manage privacy related affairs

      3. Very efficient one decision maker

      4. 
         

   2. DeCentralized

      1. Works well when the controls can be delegated down in the organization.

      2. May reproduce processes throughout the organization

   3. Hybrid

      1. Combination of local and centralized governance

      2. Each region has a privacy manager that reports into a local privacy manager.

   4. Reporting structure

      1. Define how the teams report back to the original owner.

      2. Roles

         1. CPO

         2. Priv Mgr

         3. DPO

         4. Priv Analysts

         5. First Responders

DPO

1. Required by Article 37 of the GDPR

2. Required by PIPEDA

3. Required by South Korea

4. When do regulations require?

   1. When core activities require processing large amounts of data on subjects.

   2. When processing special categories of data on a large scale

5. Requirements

   1. Expert knowledge of data protection law

   2. Implemented an array of privacy programs

      1. PIA

      2. SAR