How to Stand Up a Privacy Program: Privacy in a Box

Size: px

Start display at page:

Download "How to Stand Up a Privacy Program: Privacy in a Box"

Abner Park
5 years ago
Views:

1 How to Stand Up a Privacy Program: Privacy in a Box Part III of III: Maturing a Privacy Program Presented by the IT, Privacy, & ecommerce global committee of ACC Thanks to: Nick Holland, Fieldfisher (ITPEC Sponsor) Co-sponsor: Small Law Committee

2 Three Part Series Part I: Foundations Part II: Areas to Consider Part III: Maturing your Privacy Program Audits Maintenance Data mapping Vendor Oversight Metrics 2

3 Speakers Margaret Gloeckle, Senior Privacy Officer, HSBC. Nick Holland, Partner, Technology, Outsourcing and Privacy, Fieldfisher 3

4 Data Mapping, Audits and Maintenance

5 Overall Privacy Structure Plan 5

Ensuring your compliance through data mapping Using the OneTrust Privacy Management platform ("OneTrust"), Fieldfisher can ensure that you remain compliant with global data protection requirements

6 Ensuring your compliance through data mapping Using the OneTrust Privacy Management platform ("OneTrust"), Fieldfisher can ensure that you remain compliant with global data protection requirements (particularly the Article 30 record keeping obligations under the General Data Protection Regulation ("GDPR")), as well as your general information governance requirements. Our methodology follows a simple three step process to ensure your ongoing compliance: 6

Step 1: Generate Inventory We will create bespoke automated, intuitive and interactive questionnaires (see slide 5) to map your data flows according to the processing activities you undertake (for

7 Step 1: Generate Inventory We will create bespoke automated, intuitive and interactive questionnaires (see slide 5) to map your data flows according to the processing activities you undertake (for example HR processing, CRM processing, sales and marketing processing, payment processing) and/or on a per application basis, depending on your requirements. We will work with you to identify key stakeholders within your business who need to respond to questionnaires. We understand that these people will likely be busy people so we will ensure that the process is as simple for them as possible - they will receive a simple link via which will enable them to complete the questionnaires at their leisure and with no requirement to go through time consuming processes such as setting up accounts for respondents. We will work with you to integrate any existing inventories or information about data flows that you already have so that you do not have duplicate effort. As appropriate, we can make use of intelligent identity scanning. 7

8 Example: Automated Ques1onnaire 8

9 Step 2: Report We will use the questionnaire responses to produce the following illustrative reports: Article 30 Inventory: This data inventory will act as your Article 30 GDPR data processing record (see slide 7). Under the GDPR you must keep detailed records of your processing activities. We will create a data inventory which will be the record of the data flows and assets throughout your business. A data inventory is typically organized according to the data lifecycle of collection, processing, transfers, storage, protection and retention however we can tailor the inventory to comply with any framework to suit your needs. The Inventory can be exported into common formats should you need to do so to satisfy a request from a regulator or a data controller customer. Typically, you would create a data inventory in a tabular or Excel-based format and need to maintain it manually; however with OneTrust, we can ensure that your inventory is maintained live and updated automatically when your processing activities change, when you conduct a DPIA and so on (see Step 3 for more detail). Using the information in the Inventory, we can then produce automated visual maps to represent your data flows: Asset Heat Map to represent where your key IT assets are globally (see slide 8) Data Flow Charts to represent the flows of data both within your organisation and externally (see slide 9). Cross Border Transfers to represent your compliance with international data transfer regulations (see slide 10) 9

10 Example: Data Inventory 10

11 Example: Asset Heat Map 11

12 Example: Data Flow Graph 12

13 Example: Cross Border Data Flow Map 13

14 Step 3: Keep it Up to Date Once we have completed steps 1 and 2 to ascertain your current state of compliance, we will work with you to ensure you have a plan to maintain your records as your business changes. Using OneTrust, we can ensure that your records remain current by using the platform s capabilities: Conducting automated what changed audits (see slide 12) are the most common way to keep your inventories and maps up to date. When sending the audit questionnaire, instead of asking all the same questions over again, a best practice is to just ask what changed for each question so as to not create unwieldy time-consuming processes for your business people. Conducting ongoing DPIA and Risk Assessments on new projects feeding into the data inventory. Conducted ongoing Vendor assessments feeding into the data inventory. Automation to keep the visual maps up to date dynamically based on the changes to the underlying inventory. Automated scanning tools deployed in parallel to detect any changes in your data processing. 14

15 Example: What changed audit 15

16 Overall Privacy Structure Plan 16

17 VENDOR OVERSIGHT 17

Vendor Oversight Companies are not able to confirm if third parties have had a data breach or cyber attack involving their sensitive confidential information Companies are not able to determine the

18 Vendor Oversight Companies are not able to confirm if third parties have had a data breach or cyber attack involving their sensitive confidential information Companies are not able to determine the number of third parties with access to their confidential information and how many of these third parties are sharing this data with one or more vendors. There is a lack of confidence in third parties data safeguards, security policies and procedures if their security posture is sufficient to respond to a data breach or cyber attack. Companies rarely conduct vendor reviews of vendor management polices and programs to ensure they address third party risk. A lack of resources makes it difficult for organizations to have a robust vendor management program. Senior leadership and boards of directors are rarely involved in third party risk management. Companies rely on contractual obligations instead of audits and assessments to evaluate the security and privacy practices of third parties. 18

19 Vendor Oversight 1. Know where your data sets are, which vendors have access to the data, and what privacy and security measures are in place. 2. Remember Target- the weakest link 3. Develop a Plan Map your vendors. Put one department in charge of vendor management. Document in your agreement who will have access to the data. Enforce vendor compliance. Audit regular systematic audits. 19

20 Vendor Oversight Gartner recommends that IT leaders and vendor managers follow these four organizing principles to start managing vendors effectively: Strategize and Plan: Define the structure, roles/responsibilities and resources to put a formal vendor management discipline in place and drive the right behaviors (product or service elements) to IT or business outcomes for all the collective third-party relationships. Develop Governance: Establish an optimal process for making decisions and assigning decision rights related to vendor management. Agree on authority and flow for decision making. Implement and set up feedback mechanisms. Execute: Ensure optimal management of the vendor contract life cycle and the commercial parts of the vendor relationship. Other responsibilities include managing and improving vendor performance, and monitoring and mitigating vendor risks. Measure and Improve: Use assessment and industry data to track vendor management operations and success. Responsibilities include managing and improving vendor performance, and monitoring and mitigating vendor risks. 20

Service Organization Control Reports (SOC) Established by the American Institute of Certified Public Accountants in 2011 The SOC reporting standards provide an appropriate framework for CPAs to

21 Service Organization Control Reports (SOC) Established by the American Institute of Certified Public Accountants in 2011 The SOC reporting standards provide an appropriate framework for CPAs to examine internal controls and for a service organization to provide clarity and greater transparency to its customers (and/or customers auditors) on both its financial reporting controls and its controls relevant to its IT system attributes, such as security, availability, processing integrity, confidentiality and privacy. SOC 1 Report Report on Controls at a Service Organization Relevant to User Entities Internal Control over Financial Reporting.(SSAE No. 16) SOC 2 Report Report on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, and/or Privacy SOC 3 Report Trust Services Report for Service Organizations 21

22 Vendor Due Diligence- SOC 2 Company controls to address the Five Trust Service Principles. Security: The system is protected against unauthorized access, use, or modification Availability: The system is available for operation and use as committed or agreed Processing Integrity: System processing is complete, valid, accurate, timely, and authorized Confidentiality: Information designated as confidential is protected as committed or agreed Privacy: The system s collection, use, retention, disclosure, and disposal of personal information are in conformity with the commitments in the service organization s privacy notice and with criteria set forth in the Generally Accepted Privacy Principles (GAPP) issued by the AICPA and CICA 22

23 Vendor Due Diligence- Checklist Governance Policies- Network Security, Disaster Recovery, BCP, Data Retention, Disposal, Change Control, Training (privacy and security awareness for employees and vendors),social Media, Acceptable Use. Security Administrative, Technical, Physical: Perform Assessment/ Pen Testing Privacy - Collection, Use, Retention, Disclosure, and Disposal. Data Transfers Asset Management Incident Response Monitoring Audits certification(s), Regulatory Oversight GLBA, HIPAA,SEC. Accountability Security CISO or equivalent Privacy - CPO or equivalent *Key Point: As the business evolves and changes- revisit, review and re-assess. 23

24 Vendor Due Diligence- Checklist Violation of privacy or security FTC Cases (consent orders, fines), State Actions, Sanctions Occurrence or potential occurrence of Cybersecurity or Data Breaches * estimated cost of a data breach is approximately $4 million 24

25 Vendor Due Diligence-SOC Report Look for: Products and services covered in the report Type (1 or 2) of the report and period covered Opinion of the service auditor User entities responses to the complimentary user entity controls stated in the report Exceptions noted by the service auditor 25

26 METRICS 26

27 Questions to Consider Target Audience Methodology SMART Specific clear and actionable Manageable objective independently verified and obtainable Actionable- identifies/ reveals problems to fix and helps to drive improvement Relevant /results orientated. Metrics determined w/ in the context of your organization Timely trending allow tracking over time for comparison 27

28 Measuring Privacy Training Completion Rates, Test Outs, Retakes. Privacy Incidents Types of Incidents, Frequency, Root Cause Privacy Complaints Type, Frequency, Root Cause Maturity Adhoc, Repeatable, Define, Managed, Optimized. 28

29 29

30 Nick Holland Nick Holland, Partner, Fieldfisher has over 24 years experience in advising clients on international technology and privacy projects and most of his work is international. He was a senior in house counsel at a US company for a number of years. His main areas of practice are consumer and commercial transactions, global privacy compliance programs, global data security advice and IT outsourcing transactions for a range of clients across the world. Nick particularly specialises in undertaking BCR projects as well as implementing global privacy programs for multinationals, using GDPR as a catalyst for that. He is regarded by both Chambers and The Legal 500 as a leading individual in technology and privacy. He is a regular speaker at various events and is well known to most technology in-house counsel throughout EMEA. 30

31 Margaret Gloeckle Margaret is a Senior Privacy Officer at HSBC and is a key member of the Privacy Office engaged in the design, implementation and maintenance of the privacy program. Prior to her role at HSBC, Margaret served as a global privacy program manager and has held multiple leadership and executive roles responsible for network design, infrastructure and security, global operations, program management and policy development.. Margaret holds the Certified Information Privacy Professional (CIPP/US), Certified Information Privacy Manager (CIPM), and Certified Information Privacy Technologist (CIPT) credentials from the International Association of Privacy Professionals (IAPP) and is also a Project Management Professional (PMP). Margaret holds Masters in both Business (MBA) and Technology (MSc.Telecommunications) and is admitted to the New York Bar. 31

32 Resources AICPA Privacy Maturity Model Nymity's Privacy Management Accountability Framework Data Risk in the Third Party Ecosystem NIST SP Performance Measurement Guide for InfoSec Understanding Soc Reports for Effective Vendor Management Understanding SOC Reports and Their Value for Your SOC 2 User Guide How to Ensure Safe Personal Data Protection Handling Example SOC 2 32

Will Your Company Pass a Privacy Audit?

Will Your Company Pass a Privacy Audit? by Tammi K. Franke The Issue - Companies that collect personal information are under increasing scrutiny by both consumers and governments in the United States and