What is a privacy policy?
Privacy goals and strategic direction of the organization’s privacy office.
Align the vision/mission statement to the strategy
High-level policy that is supported by subordinate documents such as standards, guidelines, and procedures
External information on how the organization handles personal information
Describe steps for employees handling personal information
How personal data is processed
Privacy Policy Components
Purpose - Why the policy exists
Scope - defines which resources the policy protects
Risk and Responsibilities
Responsibilities of leaders, managers, employees, and contractors
All employees
Compliance
General Organization compliance
Ability to apply penalties and disciplinary actions
Understanding the penalties for non-compliance
Privacy policy is the high-level policy
Privacy Notice versus Privacy Policy
Privacy Policy = internal; scope is employees and data users
Privacy Notice = external communication to customers or data subjects
Describes how organization shares, uses, retains, and discloses personal data
Interfacing and Communicating with an Organization
Protecting personal information and building a privacy program requires a team, not just the CPO
Privacy Committee - launches the privacy policy and then manages it
Committee members are drawn from each of the different business functions
Communicating the Privacy Policy within the Organization
Purpose
Will the privacy team work with the communications team?
Who is the audience for the communication relating to the policy?
What existing communication modes (channels) can be used?
Has the privacy team conducted a privacy workshop for stakeholders?
Policy Cost Considerations
Cost of implementing the policy and addressing its impacts
Other costs incurred as a result of the policy
Design Effective Employee Policies
Employee actions are the most common cause of data breaches - comprehensive policies and procedures are needed
Comprehensive Privacy Policies
Documents addressing specific privacy issues
Each must align with a specific goal
Issue/objective statement
Formulate a policy on a specific issue
Statements of the organization's position on the issue
Once the issue is stated and understood, state management's objective for addressing it
Applicability - where, when, and to whom the issue-specific policy applies
Roles and Responsibilities - the assignment of roles and responsibilities is included with issue-specific policies
Compliance
Specific policies describe unacceptable infractions and their consequences
Points of contact and supplementary information - may involve many offices
Acceptable Use Policies
Guest Wireless
Responsibilities
Information Security Policies: Access and Data Classification
Protect against unauthorized access to data and information systems
Provide stakeholders with information efficiently while maintaining CIA (confidentiality, integrity, availability)
Promote compliance
Promote data quality
Procurement: Engaging Vendors
Create a vendor policy
Identify vendors
Evaluate risk, policies, and server (data) locations
Requirements for vendors: logistics, onboarding, and training
Develop a thorough vendor contract
Monitor vendors
Cloud Computing Acceptable Use
Public
Private
Hybrid
Prior knowledge - understand the privacy capabilities of cloud providers
Make sure users understand the acceptable use policies of the cloud provider
Implement HR Policies
Employee privacy concerns
Browser history
Phone Recordings
Financial Information
Handling applicant information
Employee background checks
Access to employee data
Termination of access
BYOD
Social Media
Employee/workplace monitoring
Employee health programs
Data Retention and Destruction Policies
Retain personal information only as long as necessary
Policy intersects with IT, legal, and privacy
Estimate the business impacts of retention and destruction requirements
Implementing Policies
Privacy-related policies will not be effective if nobody follows them
Aligning with Procedures
Multinational and multi-sector organizations need to work across all locations
Implementing and closing the loop
Communicate the policy to the organization.
Awareness means to be vigilant or watchful
Reminders on policy
Formal training
Summary