Policies

1. What is a privacy policy?

   1. Privacy goals and strategic direction of the organization’s privacy office.

      1. Align the vision/mission statement to the strategy

      2. High level policy that supports documents such as standards and guidelines

      3. External information on how the organization handles personal information

      4. Describe steps for employees handling personal information

      5. How personal data is processed

2. Privacy Policy Components

   1. Purpose - Why the policy exists

   2. Scope - defines which resources the policy protects

   3. Risk and Responsibilities.

      1. Responsibilities leaders, managers, employees, and contractors

      2. All employee

   4. Compliance

      1. General Organization compliance

      2. Ability to Apply penalties and disciplinary actions

      3. Understanding the penalties for non compliance

      4. Privacy policy is the high level policy

   5. Privacy Notice versus Privacy Policy

      1. Privacy Policy = scope->employees and data users

      2. Privacy Notice = external communications to customers or data subjects

         1. Describes how organization shares, uses, retains, and discloses personal data

3. Interfacing and Communicating with an Organization

   1. Protect personal info and build a program requires a team, not just the CPO

   2. Privacy Committee - launch the privacy policy and then manage it.

   3. Create an organization from each of the different business functions.

4. Communicating the Privacy Policy within the Organization

   1. Purpose

   2. Will the privacy team work with the communications team

   3. Who is the audience for the communication relating to the policy

   4. What existing communication modes.

   5. Has privacy team conducted a privacy workshop for stakeholders.

5. Policy Cost Considerations

   1. Implement the policy and addressing the impacts

   2. Other costs are incurred through the policy

6. Design Effective Employee Policies

   1. Most common cause of data breaches - need comprehensive policies and procedures.

   2. Comprehensive Privacy Policies

      1. Documents addressing these issues.

      2. Must align with a specific goal

   3. Issue/objective statement

      1. Formulate a policy on an issue.

   4. Statements of the organization’s position.

      1. Once the issue is stated and understood - need to do management’s objective.

   5. Applicability - Issue specific policies

   6. Roles and Responsibilities - The assignment of roles and responsibilities is included with issue specific policies.

   7. Compliance

      1. Specific policies describe unacceptable infractions

   8. Points of contact and supplementary information

      1. Many offices

   9. Acceptable Use Policies

      1. Guest WIreless

      2. Responsibilities

   10. Information Security Policies: Access and Data Classification

       1. Protect unauthorized access to data and information systems

       2. Provide stakeholders with information efficiently and maintain CIA

       3. Promote compliance

       4. Promote data quality

   11. Procurement: Engaging Vendors

       1. Identify vendors

       2. Evaluate risk, policies, and server locations

       3. Develop a thorough contract

7. Procurement: Engaging Vendors

   1. Create a vendor policy

      1. Requirements for vendors, logistic, onboarding, and training

      2. 
         

   2. Develop a vendor contract

   3. Monitor Vendors

   4. Cloud Computing Acceptable Use

      1. Public

      2. Private

      3. Hybrid

      4. Prior Knowledge - understand privacy capabilities of cloud providers.

      5. Makes sure Cloud providers understand the acceptable use policies of the cloud provider.

      6. Implement HR Policies

         1. Employee privacy concerns

            1. Browser history

            2. Phone Recordings

            3. Financial Information

         2. Handling applicant information

         3. Employee background checks

         4. Access to employee data

         5. Termination of access

         6. BYOD

         7. Social Media

         8. Employee/workplace monitoring

         9. Employee health programs

8. Data Retention and Destruction Policies

   1. Only support the idea that personal information should be retained as long as necessary.

   2. Policy intersects with IT, legal, and privacy.

   3. Estimate business impacts

9. Implementing Policies

   1. Privacy-related policies will not be effective if nobody follows them

10. Aligning with Procedures

    1. Multinational and multi sector organizations need to work across all locations.

11. Implementing and closing the loop

    1. Communicate the policy to the organization.

    2. Awareness means to be vigilant or watchful

    3. Reminders on policy

    4. Formal training

12 Summary