How to Build a Privacy Program

1. Daniel Ayala (@buddhake) Managing Partner & Founder, Secratic How to Build a Privacy Program

3. Secratic was built on the premise that a strong bridge between information security and privacy and the broader company can help a business not just succeed, but flourish. Secratic provides strategic security and privacy advisory to growing companies through the benefit of decades of its global enterprise experience and helps its clients find the right balance in concert with the business at hand by acting as their outside CISO/CPO. By spending ample time getting to know these companies, Secratic uses that insight to give contextual, informed guidance on topics such as risk, compliance and incident response, and ensures that a company's security and privacy programs properly align with what the business needs and does. © 2019 Secratic LLC.

5. What is Privacy The state or condition of being free from observed or disturbed by other people.

6. Privacy in the News © 2019 Secratic LLC. https://www.theinformation.com/articles/apples-ad-targeting-crackdown-shakes-up-ad-market https://www.billboard.com/articles/business/legal-and-management/8545568/tiktok-class-action-lawsuit-child-privacy

7. Blockchain + Privacy = Conundrum

12. Inside Look: Regulatory Requirements © 2019 Secratic LLC. General Data Protection Regulation (GDPR) 12 Increased territorial scope Consent Breach notification Right to Access Right to be Forgotten Data Portability Privacy by Design Data Protection Officers

13. General Data Protection Regulation (GDPR) 13 Increased territorial scope Consent Breach notification Right to Access Right to be Forgotten Data Portability Privacy by Design Data Protection Officers© 2019 Secratic LLC.

17. The Creepy Line http://creepyline.com

20. Fully Private Fully Secure Fully Open Fully Collecting Utility Now add in transparency Better informed Still want utility Might make better choices It’s clear what is collected It’s clear what it is used for It’s clear who they share it with It’s clear how long they keep it It’s presented so that average beings can read it quickly and clearly © 2019 Secratic LLC.

21. OMG! I can use w/o sharing everything? I can decide what to share? Fully Private Fully Secure Fully Open Fully Collecting Now add in transparency It’s clear what is collected It’s clear what it is used for It’s clear who they share it with It’s clear how long they keep it It’s presented so that average beings can read it quickly and clearly and choice! Utility © 2019 Secratic LLC.

22. Fully Private Fully Secure Fully Open Fully Collecting Finally, add trust (but verify) and accountability I can trust because I’ve verified They do what they say they do More value, more control Data security practises Depersonalisation (and even better, aggregation) Retention (GET RID OF IT FAST!) Use an identity that user’s care about and protect Utility © 2019 Secratic LLC.

24. Step 1: Look At Yourself in the Mirror • What are your regulatory requirements? • What jurisdictions are you operating in? • What is your customer culture? • What is your company culture? © 2019 Secratic LLC.

26. Step 1: Look At Yourself in the Mirror • What are your regulatory requirements? • What jurisdictions are you operating in? • What is your customer culture? • What is your company culture? • How can you build support for a privacy program? © 2019 Secratic LLC.

27. Look Inside: Build Support • Organisational change management mindset • Find ways to tie to business value • Competitive Advantage • Customer Sentiment/Trust • Enable Later (Ethical) Data Use © 2019 Secratic LLC.

29. Coexistence SecurityPrivacy

30. Step 3: What Do You Do With Your Data • How Does Data Move From System to System? • Who Do You Share It With? Why? • Who Has Access to It? • Who Processes It For You? • Have You Reviewed Their Security & Privacy Controls & Policies © 2019 Secratic LLC.

32. Data Use IRB • Is it ethical? • How will data use interact with customers? • How will we use the data? • What do we really need? • What are the risks? • Is the data protected? • Is it lawful? • Are we protected? • What are the unintended consequence? Legal Security/ Privacy Marketing Business Leaders © 2019 Secratic LLC.

35. Remediation Done by Business/Technology • Privacy by Design (rolls into existing product management planning processes) • Data Pseudonymisation of individuals in storage, separation of people data • Data Retention (Define the length of keeping data, and purge accordingly) Personal data w/ Token ID Token ID Usage Records Demographic Aggregated Data Purge Data Regularly © 2019 Secratic LLC.

36. Remediation Done by Business/Technology • Clear, concise disclosure of data collected, processed, used, shared, and consent kept w/ recall • Cookie acceptance before cookie is dropped and consent w/ recall © 2019 Secratic LLC.

37. Remediation Done by Business/Technology • Request & process for what we know, right to be forgotten, data correction • Store personal data securely (access control, encryption, deletion) • Add link to privacy notice to all pages and applications © 2019 Secratic LLC.

39. Step 7: Communicate with Transparency • Privacy Policy • Descriptive Privacy Site • Build Trust & Customer Confidence • Privacy as a Business Differentiator • Data Subject Access Requests & Don’t Sell My Info © 2019 Secratic LLC.

40. Step 8: Documentation & Such • Register with Privacy Shield • Register with DPA in Europe • Declare Compliance with Any Others? • Document Data Flows & IRB Outcomes • Third Party Assessments (Both Security & Privacy) © 2019 Secratic LLC.

41. Step 9: Stay Informed • Privacy Laws & Changes • Bloomberg Law • News & Business Impacts • Privacy Maven (https://maven.secratic.com) • Lawfare • Lexology • Connect with your GC or Outside Counsel © 2019 Secratic LLC.

42. The Steps Look in the mirror What data do you have? What do you do with the data? Data governance and ethics Privacy by design Educate colleagues Communicate to customers Documentation Stay Informed

43. In Summary • Security, privacy and compliance are closer than ever and growing closer • Privacy is a topic that customers are taking seriously, and are part of business • Not only that, robust and transparent privacy can be business enablers • The privacy world is in a very large state of flux, especially in the US, so keep up to date on happenings around the states • You don’t have to boil the ocean to get a privacy programme going. Start with your most important data • Think about the ways that data use can be used for bad, along with how they can be used for good as they are developed. • Push back on the idea that if some data is good, then more data is better. Use Governance to agree on ethics, legal, security approach. Balance! • Depersonalization of data alone doesn’t actually keep it private • Location and biometrics will see increased challenge both in courts of law and courts of public opinion. • On privacy, be Gretsky: skate to where the puck is going, not where it is now. • Transparency and leaning into security, privacy and compliance in tech builds trust and reputation. © 2019 Secratic LLC.

44. Privacy is dead It’s still not great, but getting better NOT YET

45. The Future of Privacy Is Interesting

46. Have a moment? Please review this session In the event app. Thank you for coming! Nope! @buddhake /danielaayala