PRIVACY 101: SETTING UP THE FUNCTION

Evie Kyriakides, Mars, Incorporated
Heather Egan Sussman, McDermott Will & Emery LLP
Mac Macmillan, Hogan Lovells International LLP
March 5, 2014

INTRODUCTION
Making the case for change
Building a realistic roadmap
Successful strategies for tackling global challenges
MAKING THE CASE FOR CHANGE
Regulatory compliance
  U.S.: state laws, plus federal overlay
  Accountability principle (European-based regimes, PIPEDA, EU Member State requirements)
Respecting privacy builds consumer trust and brand loyalty (impacts the bottom line)
Effective oversight and internal controls help mitigate the risk of data breaches
Where a breach is unavoidable, they help mitigate fines, penalties, and reputational damage
ASSESSING CURRENT STATE
DIAGNOSIS: BUILDING A REALISTIC ROADMAP
One size does not fit all. Consider the company's:
  Industry
  Size
  Geographic coverage
  Product lines
  Sensitivity of data processed
  Culture
From that, start to scope the function

HOW TO PERFORM A GLOBAL PRIVACY ASSESSMENT
Consider issues of privilege
Establish a budget
Set realistic parameters (think big picture):
  Local counsel in every country?
  Deep dive or high-level review?
  Risk-based review?
  Principles-based review?
Create a work plan
SAMPLE WORK PLAN STRUCTURE
Preparation
  Gather organizational charts
  Identify segments, leadership, and geographic focus
  Complete due diligence to understand:
    Types of personal data processed and where
    Extent of registrations made
    Data transfer mechanisms in place
    What policies and procedures exist
    Scope of vendor risk management
    Training of workforce
    Digital properties survey
    Data breach protocols
Plan and execute interviews
Evaluation against applicable laws

DOCUMENTING FINDINGS AND RECOMMENDATIONS
Consider issues of privilege
Consider audience and objectives: how much written content?
  Executive summary
  Overview of the process
  Overview of the legal landscape
  Findings in key areas of diligence
  Recommendations based on findings
OPERATIONALIZING THE ASSESSMENT'S FINDINGS

OPERATIONALIZING THE ASSESSMENT'S FINDINGS
Setting the budget
Allocating resources (internal/external)
Establishing priorities
Assigning responsibilities
Achieving buy-in from key stakeholders: who? when? how?

WORK PLAN: SUCCESSFUL STRATEGIES FOR TACKLING GLOBAL CHALLENGES
Develop a heat map based on risk, considering both:
  Geography
  Subject matter
Seek out internal privacy champions
Set realistic goals
Prioritize projects: what can be managed globally vs. locally?
Delegate, delegate, delegate
Hold the team accountable:
  Regular contact
  Realistic timelines

TACKLE MANAGEABLE PIECES THAT BUILD UPON ONE ANOTHER
Data breach protocols
  Training on how to recognize/report a breach
  Training on how to prevent a breach
Build a governance framework
  Establish a senior team
  Empower internal champions
  Ensure training for the team
Address data transfers and registrations
Develop externally-facing privacy policies
Develop internally-facing policies
Accountability mechanism
BENCHMARKING DATA / STRUCTURE OF FUNCTION
Fortune 100 CPGs:
1. 1 GC position responsible for Digital and Privacy, 8 direct reports. Recruiting an additional CPO. Separate commercial legal team dealing with IT contracts.
2. 1 CPO with 5 direct reports, 5 commercial lawyers for IT contracts, 3 digital lawyers.
3. 1 CPO, approx. 30 direct reports. Separate commercial legal team for IT contracts.
4. 1 CPO, approx. 10 direct reports. Separate commercial legal team for IT contracts.
5. 1 senior digital lawyer recruiting a CPO-type role, 8 lawyers reporting into the centre on digital issues. Separate commercial legal team for IT contracts.

BENCHMARKING DATA / STRUCTURE OF FUNCTION
Fortune 100 Techs:
1. 1 CPO, 20 direct reports. Separate commercial legal team for IT contracts.
2. 1 GC and CPO, 6 regional lawyers reporting in, recruiting a regional DPO for Europe. Separate commercial team for IT contracts.
3. 1 CPO, 30 DP professionals reporting in. Separate commercial team for IT contracts.
LESSONS LEARNED FROM THE TRENCHES
C-level buy-in is critical to program success
Everyone has an agenda: some good, some not
Project management skills help
You can't have privacy without security
Cultural nuances play a big role
Awareness is the foundation for success
Money can't buy happiness... but it can buy a privacy officer's sanity

WHAT WORKED AND WHAT DIDN'T

TOP 10 TIPS FOR DRIVING SUCCESSFUL CHANGE
1. A robust assessment and diagnosis is important
2. Set priorities to meet budgets
3. Benchmark with peers
4. Build internal champions
5. Tackle manageable pieces
6. Let the existing culture shape the program
7. Take account of the dynamically changing regulatory framework: flexibility is key
8. Communicate changes in digestible pieces
9. Build an internal Privacy Resources Center
10. Train, train, and then train some more
QUESTIONS?
Evie Kyriakides, Mars, Incorporated: Evie.kyriakides@effem.com
Heather Egan Sussman, McDermott Will & Emery: hsussman@mwe.com
Mac Macmillan, Hogan Lovells International LLP: Mac.macmillan@hoganlovells.com (after April 1)