SlideShare a Scribd company logo

How to Build a Privacy Program

Download as PPTX, PDF
Daniel Ayala
Daniel Ayala

Privacy is a topic that inevitably emerges whenever people speak about technology or business. What is it, really? How can you build a program to support it and balance it within our businesses? This session will cover the basics of a privacy program for organisations, some of the more applicable regulations on privacy, how to find the right balance and how to begin to implement your program. We will also discuss how to position your privacy program as a business enabler, establish some lightweight internal governance processes as well as customer and employee communications and awareness, too. Bring your questions and cases to review and analyse.

Technology
1 of 46
Daniel Ayala (@buddhake) Managing Partner & Founder, Secratic How to Build a Privacy Program
© 2019 Secratic LLC.
Secratic was built on the premise that a strong bridge between information security and privacy and the broader company can help a business not just succeed, but flourish. Secratic provides strategic security and privacy advisory to growing companies through the benefit of decades of its global enterprise experience and helps its clients find the right balance in concert with the business at hand by acting as their outside CISO/CPO. By spending ample time getting to know these companies, Secratic uses that insight to give contextual, informed guidance on topics such as risk, compliance and incident response, and ensures that a company's security and privacy programs properly align with what the business needs and does. © 2019 Secratic LLC.
© 2019 Secratic LLC. https://maven.secratic.com
What is Privacy The state or condition of being free from observed or disturbed by other people.
Privacy in the News © 2019 Secratic LLC. https://www.theinformation.com/articles/apples-ad-targeting-crackdown-shakes-up-ad-market https://www.billboard.com/articles/business/legal-and-management/8545568/tiktok-class-action-lawsuit-child-privacy
Blockchain + Privacy = Conundrum
Blockchain Handdrawn © 2019 Secratic LLC.
Interconnected © 2019 Secratic LLC.
Blockchain + Privacy =Compliance = © 2019 Secratic LLC.
Step 1: Look At Yourself in the Mirror • What are your regulatory requirements? © 2019 Secratic LLC.
Inside Look: Regulatory Requirements © 2019 Secratic LLC. General Data Protection Regulation (GDPR) 12 Increased territorial scope Consent Breach notification Right to Access Right to be Forgotten Data Portability Privacy by Design Data Protection Officers
General Data Protection Regulation (GDPR) 13 Increased territorial scope Consent Breach notification Right to Access Right to be Forgotten Data Portability Privacy by Design Data Protection Officers© 2019 Secratic LLC.
https://iapp.org/resources/article/state-comparison-table/ © 2019 Secratic LLC.
Step 1: Look At Yourself in the Mirror • What are your regulatory requirements? • What jurisdictions are you operating in? © 2019 Secratic LLC.
Step 1: Look At Yourself in the Mirror • What are your regulatory requirements? • What jurisdictions are you operating in? • What is your customer culture? © 2019 Secratic LLC.
The Creepy Line http://creepyline.com
18 Security & Privacy Utility Balance © 2019 Secratic LLC.
Fully Private Fully Secure Fully Open Fully Collecting Utility Balance ??? Uninformed What do I pick? Huge utlity, huge data disclosure © 2019 Secratic LLC.
Fully Private Fully Secure Fully Open Fully Collecting Utility Now add in transparency Better informed Still want utility Might make better choices It’s clear what is collected It’s clear what it is used for It’s clear who they share it with It’s clear how long they keep it It’s presented so that average beings can read it quickly and clearly © 2019 Secratic LLC.
OMG! I can use w/o sharing everything? I can decide what to share? Fully Private Fully Secure Fully Open Fully Collecting Now add in transparency It’s clear what is collected It’s clear what it is used for It’s clear who they share it with It’s clear how long they keep it It’s presented so that average beings can read it quickly and clearly and choice! Utility © 2019 Secratic LLC.
Fully Private Fully Secure Fully Open Fully Collecting Finally, add trust (but verify) and accountability I can trust because I’ve verified They do what they say they do More value, more control Data security practises Depersonalisation (and even better, aggregation) Retention (GET RID OF IT FAST!) Use an identity that user’s care about and protect Utility © 2019 Secratic LLC.
Trust © 2019 Secratic LLC.
Step 1: Look At Yourself in the Mirror • What are your regulatory requirements? • What jurisdictions are you operating in? • What is your customer culture? • What is your company culture? © 2019 Secratic LLC.
Look Inside: Company Culture • Which type of company are you? • Data Slurper? • Risk Averse? • Bleeding Edge? • Fast Follower? • Data Economy Mandate? © 2019 Secratic LLC.
Step 1: Look At Yourself in the Mirror • What are your regulatory requirements? • What jurisdictions are you operating in? • What is your customer culture? • What is your company culture? • How can you build support for a privacy program? © 2019 Secratic LLC.
Look Inside: Build Support • Organisational change management mindset • Find ways to tie to business value • Competitive Advantage • Customer Sentiment/Trust • Enable Later (Ethical) Data Use © 2019 Secratic LLC.
Step 2: What Data Do You Have? • Inventory • Data Flow • What is Sensitive? • How is it Protected? © 2019 Secratic LLC.
Coexistence SecurityPrivacy
Step 3: What Do You Do With Your Data • How Does Data Move From System to System? • Who Do You Share It With? Why? • Who Has Access to It? • Who Processes It For You? • Have You Reviewed Their Security & Privacy Controls & Policies © 2019 Secratic LLC.
Step 4: Data Governance & Ethics • Data Use Institutional Review Board (IRB) • Ethical Boundaries Exercise • Who Is Responsible - The DPO • Annual Review (Frequency) © 2019 Secratic LLC.
Data Use IRB • Is it ethical? • How will data use interact with customers? • How will we use the data? • What do we really need? • What are the risks? • Is the data protected? • Is it lawful? • Are we protected? • What are the unintended consequence? Legal Security/ Privacy Marketing Business Leaders © 2019 Secratic LLC.
Step 4: Data Governance & Ethics • Data Use Institutional Review Board (IRB) • Ethical Boundaries Exercise • Who Is Responsible - The DPO • Annual Review (Frequency) © 2019 Secratic LLC.
Step 5: Privacy By Design • Integrate Reviews into Development Lifecycle • Integrate Reviews into Product Lifecycle • Tie Into Data Use IRB © 2019 Secratic LLC.
Remediation Done by Business/Technology • Privacy by Design (rolls into existing product management planning processes) • Data Pseudonymisation of individuals in storage, separation of people data • Data Retention (Define the length of keeping data, and purge accordingly) Personal data w/ Token ID Token ID Usage Records Demographic Aggregated Data Purge Data Regularly © 2019 Secratic LLC.
Remediation Done by Business/Technology • Clear, concise disclosure of data collected, processed, used, shared, and consent kept w/ recall • Cookie acceptance before cookie is dropped and consent w/ recall © 2019 Secratic LLC.
Remediation Done by Business/Technology • Request & process for what we know, right to be forgotten, data correction • Store personal data securely (access control, encryption, deletion) • Add link to privacy notice to all pages and applications © 2019 Secratic LLC.
Step 6: Educate Colleagues © 2019 Secratic LLC. Data Collection Data Use
Step 7: Communicate with Transparency • Privacy Policy • Descriptive Privacy Site • Build Trust & Customer Confidence • Privacy as a Business Differentiator • Data Subject Access Requests & Don’t Sell My Info © 2019 Secratic LLC.
Step 8: Documentation & Such • Register with Privacy Shield • Register with DPA in Europe • Declare Compliance with Any Others? • Document Data Flows & IRB Outcomes • Third Party Assessments (Both Security & Privacy) © 2019 Secratic LLC.
Step 9: Stay Informed • Privacy Laws & Changes • Bloomberg Law • News & Business Impacts • Privacy Maven (https://maven.secratic.com) • Lawfare • Lexology • Connect with your GC or Outside Counsel © 2019 Secratic LLC.
The Steps Look in the mirror What data do you have? What do you do with the data? Data governance and ethics Privacy by design Educate colleagues Communicate to customers Documentation Stay Informed
In Summary • Security, privacy and compliance are closer than ever and growing closer • Privacy is a topic that customers are taking seriously, and are part of business • Not only that, robust and transparent privacy can be business enablers • The privacy world is in a very large state of flux, especially in the US, so keep up to date on happenings around the states • You don’t have to boil the ocean to get a privacy programme going. Start with your most important data • Think about the ways that data use can be used for bad, along with how they can be used for good as they are developed. • Push back on the idea that if some data is good, then more data is better. Use Governance to agree on ethics, legal, security approach. Balance! • Depersonalization of data alone doesn’t actually keep it private • Location and biometrics will see increased challenge both in courts of law and courts of public opinion. • On privacy, be Gretsky: skate to where the puck is going, not where it is now. • Transparency and leaning into security, privacy and compliance in tech builds trust and reputation. © 2019 Secratic LLC.
Privacy is dead It’s still not great, but getting better NOT YET
The Future of Privacy Is Interesting
Have a moment? Please review this session In the event app. Thank you for coming! Nope! @buddhake /danielaayala

Recommended

DAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) DataDAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) Data
DATAVERSITY
 
Identity, Security and Healthcare
Identity, Security and HealthcareIdentity, Security and Healthcare
Identity, Security and Healthcare
NetIQ
 
Getting a clue: uncovering the truth about your data with mobile forensics
Getting a clue: uncovering the truth about your data with mobile forensicsGetting a clue: uncovering the truth about your data with mobile forensics
Getting a clue: uncovering the truth about your data with mobile forensics
Druva
 
Are You Being Anti-Social
Are You Being Anti-SocialAre You Being Anti-Social
Are You Being Anti-Social
NetIQ
 
Bring Your Own Identity
Bring Your Own IdentityBring Your Own Identity
Bring Your Own Identity
NetIQ
 
Planning Information Governance and Litigation Readiness
Planning Information Governance and Litigation ReadinessPlanning Information Governance and Litigation Readiness
Planning Information Governance and Litigation Readiness
Rich Medina
 
Enterprise Discovery: Taking Control, Driving Change
Enterprise Discovery: Taking Control, Driving ChangeEnterprise Discovery: Taking Control, Driving Change
Enterprise Discovery: Taking Control, Driving Change
Iron Mountain
 
The value of big data analytics
The value of big data analyticsThe value of big data analytics
The value of big data analytics
Marc Vael
 

Recommended

DAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) DataDAMA Webinar: The Data Governance of Personal (PII) Data
DAMA Webinar: The Data Governance of Personal (PII) Data
DATAVERSITY
 
Identity, Security and Healthcare
Identity, Security and HealthcareIdentity, Security and Healthcare
Identity, Security and Healthcare
NetIQ
 
Getting a clue: uncovering the truth about your data with mobile forensics
Getting a clue: uncovering the truth about your data with mobile forensicsGetting a clue: uncovering the truth about your data with mobile forensics
Getting a clue: uncovering the truth about your data with mobile forensics
Druva
 
Are You Being Anti-Social
Are You Being Anti-SocialAre You Being Anti-Social
Are You Being Anti-Social
NetIQ
 
Bring Your Own Identity
Bring Your Own IdentityBring Your Own Identity
Bring Your Own Identity
NetIQ
 
Planning Information Governance and Litigation Readiness
Planning Information Governance and Litigation ReadinessPlanning Information Governance and Litigation Readiness
Planning Information Governance and Litigation Readiness
Rich Medina
 
Enterprise Discovery: Taking Control, Driving Change
Enterprise Discovery: Taking Control, Driving ChangeEnterprise Discovery: Taking Control, Driving Change
Enterprise Discovery: Taking Control, Driving Change
Iron Mountain
 
The value of big data analytics
The value of big data analyticsThe value of big data analytics
The value of big data analytics
Marc Vael
 
Information Governance
Information GovernanceInformation Governance
Information Governance
Atle Skjekkeland
 
Information Governance – What Does a Modern Program Look Like?
Information Governance – What Does a Modern Program Look Like?Information Governance – What Does a Modern Program Look Like?
Information Governance – What Does a Modern Program Look Like?
Winston & Strawn LLP
 
12th July GDPR event slides
12th July GDPR event slides12th July GDPR event slides
12th July GDPR event slides
Exponential_e
 
The state of data privacy with dimensional research
The state of data privacy with dimensional research The state of data privacy with dimensional research
The state of data privacy with dimensional research
Druva
 
2019 08-21 Automating Privacy Management
2019 08-21 Automating Privacy Management2019 08-21 Automating Privacy Management
2019 08-21 Automating Privacy Management
TrustArc
 
Interested in working at Druva?
Interested in working at Druva?Interested in working at Druva?
Interested in working at Druva?
Druva
 
2019 09-26 leveraging the power of automated intelligence for privacy management
2019 09-26 leveraging the power of automated intelligence for privacy management2019 09-26 leveraging the power of automated intelligence for privacy management
2019 09-26 leveraging the power of automated intelligence for privacy management
TrustArc
 
Principles of Holistic Information Governance
Principles of Holistic Information GovernancePrinciples of Holistic Information Governance
Principles of Holistic Information Governance
PHIGs Information Management Consulting Inc.
 
Information Governance -- Necessary Evil or a Bridge to the Future?
Information Governance -- Necessary Evil or a Bridge to the Future?Information Governance -- Necessary Evil or a Bridge to the Future?
Information Governance -- Necessary Evil or a Bridge to the Future?
John Mancini
 
Ritz 4th-july-gdpr
Ritz 4th-july-gdprRitz 4th-july-gdpr
Ritz 4th-july-gdpr
Exponential_e
 
Learning From IG Experts In Healthcare & Beyond: How To Start An Information ...
Learning From IG Experts In Healthcare & Beyond: How To Start An Information ...Learning From IG Experts In Healthcare & Beyond: How To Start An Information ...
Learning From IG Experts In Healthcare & Beyond: How To Start An Information ...
Nick Inglis
 
2019-06-11 What New US State Laws Mean For Your Business
2019-06-11 What New US State Laws Mean For Your Business2019-06-11 What New US State Laws Mean For Your Business
2019-06-11 What New US State Laws Mean For Your Business
TrustArc
 
Protecting Corporate Data When an Employee Leaves: Survey and Best Practices
Protecting Corporate Data When an Employee Leaves: Survey and Best PracticesProtecting Corporate Data When an Employee Leaves: Survey and Best Practices
Protecting Corporate Data When an Employee Leaves: Survey and Best Practices
Druva
 
Next Dimension: How to create a Cybersecurity Strategy
Next Dimension: How to create a Cybersecurity StrategyNext Dimension: How to create a Cybersecurity Strategy
Next Dimension: How to create a Cybersecurity Strategy
Next Dimension Inc.
 
Automated Data Governance 101 - A Guide to Proactively Addressing Your Privac...
Automated Data Governance 101 - A Guide to Proactively Addressing Your Privac...Automated Data Governance 101 - A Guide to Proactively Addressing Your Privac...
Automated Data Governance 101 - A Guide to Proactively Addressing Your Privac...
DATAVERSITY
 
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer SatisfactionInformation Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Capgemini
 
Threat Ready Data: Protect Data from the Inside and the Outside
Threat Ready Data: Protect Data from the Inside and the OutsideThreat Ready Data: Protect Data from the Inside and the Outside
Threat Ready Data: Protect Data from the Inside and the Outside
DLT Solutions
 
SPTechCon 2014 - Keep the Lawyers off Your Back:Where does eDiscover and Comp...
SPTechCon 2014 - Keep the Lawyers off Your Back:Where does eDiscover and Comp...SPTechCon 2014 - Keep the Lawyers off Your Back:Where does eDiscover and Comp...
SPTechCon 2014 - Keep the Lawyers off Your Back:Where does eDiscover and Comp...
Jeff Willinger
 
2019 06-19 convince customerspartnersboard gdpr-compliant
2019 06-19 convince customerspartnersboard gdpr-compliant2019 06-19 convince customerspartnersboard gdpr-compliant
2019 06-19 convince customerspartnersboard gdpr-compliant
TrustArc
 
Introduction to Ethics of Big Data
Introduction to Ethics of Big DataIntroduction to Ethics of Big Data
Introduction to Ethics of Big Data
28 Burnside
 
How to Build a Privacy Program
How to Build a Privacy ProgramHow to Build a Privacy Program
How to Build a Privacy Program
secratic
 
Ethics in Data Management.pptx
Ethics in Data Management.pptxEthics in Data Management.pptx
Ethics in Data Management.pptx
Ravindra Babu
 

More Related Content

What's hot

2019 08-21 Automating Privacy Management
2019 08-21 Automating Privacy Management2019 08-21 Automating Privacy Management
2019 08-21 Automating Privacy Management
TrustArc
 
2019 09-26 leveraging the power of automated intelligence for privacy management
2019 09-26 leveraging the power of automated intelligence for privacy management2019 09-26 leveraging the power of automated intelligence for privacy management
2019 09-26 leveraging the power of automated intelligence for privacy management
TrustArc
 
2019-06-11 What New US State Laws Mean For Your Business
2019-06-11 What New US State Laws Mean For Your Business2019-06-11 What New US State Laws Mean For Your Business
2019-06-11 What New US State Laws Mean For Your Business
TrustArc
 
Protecting Corporate Data When an Employee Leaves: Survey and Best Practices
Protecting Corporate Data When an Employee Leaves: Survey and Best PracticesProtecting Corporate Data When an Employee Leaves: Survey and Best Practices
Protecting Corporate Data When an Employee Leaves: Survey and Best Practices
Druva
 
Automated Data Governance 101 - A Guide to Proactively Addressing Your Privac...
Automated Data Governance 101 - A Guide to Proactively Addressing Your Privac...Automated Data Governance 101 - A Guide to Proactively Addressing Your Privac...
Automated Data Governance 101 - A Guide to Proactively Addressing Your Privac...
DATAVERSITY
 
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer SatisfactionInformation Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Capgemini
 
2019 06-19 convince customerspartnersboard gdpr-compliant
2019 06-19 convince customerspartnersboard gdpr-compliant2019 06-19 convince customerspartnersboard gdpr-compliant
2019 06-19 convince customerspartnersboard gdpr-compliant
TrustArc
 
Introduction to Ethics of Big Data
Introduction to Ethics of Big DataIntroduction to Ethics of Big Data
Introduction to Ethics of Big Data
28 Burnside
 

What's hot (20)

Information Governance
Information GovernanceInformation Governance
Information Governance
 
Information Governance – What Does a Modern Program Look Like?
Information Governance – What Does a Modern Program Look Like?Information Governance – What Does a Modern Program Look Like?
Information Governance – What Does a Modern Program Look Like?
 
12th July GDPR event slides
12th July GDPR event slides12th July GDPR event slides
12th July GDPR event slides
 
The state of data privacy with dimensional research
The state of data privacy with dimensional research The state of data privacy with dimensional research
The state of data privacy with dimensional research
 
2019 08-21 Automating Privacy Management
2019 08-21 Automating Privacy Management2019 08-21 Automating Privacy Management
2019 08-21 Automating Privacy Management
 
Interested in working at Druva?
Interested in working at Druva?Interested in working at Druva?
Interested in working at Druva?
 
2019 09-26 leveraging the power of automated intelligence for privacy management
2019 09-26 leveraging the power of automated intelligence for privacy management2019 09-26 leveraging the power of automated intelligence for privacy management
2019 09-26 leveraging the power of automated intelligence for privacy management
 
Principles of Holistic Information Governance
Principles of Holistic Information GovernancePrinciples of Holistic Information Governance
Principles of Holistic Information Governance
 
Information Governance -- Necessary Evil or a Bridge to the Future?
Information Governance -- Necessary Evil or a Bridge to the Future?Information Governance -- Necessary Evil or a Bridge to the Future?
Information Governance -- Necessary Evil or a Bridge to the Future?
 
Ritz 4th-july-gdpr
Ritz 4th-july-gdprRitz 4th-july-gdpr
Ritz 4th-july-gdpr
 
Learning From IG Experts In Healthcare & Beyond: How To Start An Information ...
Learning From IG Experts In Healthcare & Beyond: How To Start An Information ...Learning From IG Experts In Healthcare & Beyond: How To Start An Information ...
Learning From IG Experts In Healthcare & Beyond: How To Start An Information ...
 
2019-06-11 What New US State Laws Mean For Your Business
2019-06-11 What New US State Laws Mean For Your Business2019-06-11 What New US State Laws Mean For Your Business
2019-06-11 What New US State Laws Mean For Your Business
 
Protecting Corporate Data When an Employee Leaves: Survey and Best Practices
Protecting Corporate Data When an Employee Leaves: Survey and Best PracticesProtecting Corporate Data When an Employee Leaves: Survey and Best Practices
Protecting Corporate Data When an Employee Leaves: Survey and Best Practices
 
Next Dimension: How to create a Cybersecurity Strategy
Next Dimension: How to create a Cybersecurity StrategyNext Dimension: How to create a Cybersecurity Strategy
Next Dimension: How to create a Cybersecurity Strategy
 
Automated Data Governance 101 - A Guide to Proactively Addressing Your Privac...
Automated Data Governance 101 - A Guide to Proactively Addressing Your Privac...Automated Data Governance 101 - A Guide to Proactively Addressing Your Privac...
Automated Data Governance 101 - A Guide to Proactively Addressing Your Privac...
 
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer SatisfactionInformation Governance: Reducing Costs and Increasing Customer Satisfaction
Information Governance: Reducing Costs and Increasing Customer Satisfaction
 
Threat Ready Data: Protect Data from the Inside and the Outside
Threat Ready Data: Protect Data from the Inside and the OutsideThreat Ready Data: Protect Data from the Inside and the Outside
Threat Ready Data: Protect Data from the Inside and the Outside
 
SPTechCon 2014 - Keep the Lawyers off Your Back:Where does eDiscover and Comp...
SPTechCon 2014 - Keep the Lawyers off Your Back:Where does eDiscover and Comp...SPTechCon 2014 - Keep the Lawyers off Your Back:Where does eDiscover and Comp...
SPTechCon 2014 - Keep the Lawyers off Your Back:Where does eDiscover and Comp...
 
2019 06-19 convince customerspartnersboard gdpr-compliant
2019 06-19 convince customerspartnersboard gdpr-compliant2019 06-19 convince customerspartnersboard gdpr-compliant
2019 06-19 convince customerspartnersboard gdpr-compliant
 
Introduction to Ethics of Big Data
Introduction to Ethics of Big DataIntroduction to Ethics of Big Data
Introduction to Ethics of Big Data
 

Similar to How to Build a Privacy Program

Creating Trust for the Internet of Things
Creating Trust for the Internet of ThingsCreating Trust for the Internet of Things
Creating Trust for the Internet of Things
PECB
 
Implementing and Auditing GDPR Series (8 of 10)
Implementing and Auditing GDPR Series (8 of 10) Implementing and Auditing GDPR Series (8 of 10)
Implementing and Auditing GDPR Series (8 of 10)
Jim Kaplan CIA CFE
 
Sask 3.0 Summit Pci dss presentation Bashir Fancy
Sask 3.0 Summit Pci dss presentation Bashir FancySask 3.0 Summit Pci dss presentation Bashir Fancy
Sask 3.0 Summit Pci dss presentation Bashir Fancy
SaskSummit
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
Meg Weber
 
TrustArc-Webinar-Slides-2022-03-01-Is Your Privacy Program Ready for a Fundin...
TrustArc-Webinar-Slides-2022-03-01-Is Your Privacy Program Ready for a Fundin...TrustArc-Webinar-Slides-2022-03-01-Is Your Privacy Program Ready for a Fundin...
TrustArc-Webinar-Slides-2022-03-01-Is Your Privacy Program Ready for a Fundin...
TrustArc
 
How We Will Fail in Privacy and Ethics for the Emerging Internet of Things
How We Will Fail in Privacy and Ethics for the Emerging Internet of ThingsHow We Will Fail in Privacy and Ethics for the Emerging Internet of Things
How We Will Fail in Privacy and Ethics for the Emerging Internet of Things
Jason Hong
 
Discovery, Risk, and Insight in a Metadata-Driven World Webinar
Discovery, Risk, and Insight in a Metadata-Driven World WebinarDiscovery, Risk, and Insight in a Metadata-Driven World Webinar
Discovery, Risk, and Insight in a Metadata-Driven World Webinar
Concept Searching, Inc
 
TrustArc Webinar: Privacy Management Made Simple
TrustArc Webinar: Privacy Management Made SimpleTrustArc Webinar: Privacy Management Made Simple
TrustArc Webinar: Privacy Management Made Simple
TrustArc
 
Managing Information for Impact
Managing Information for ImpactManaging Information for Impact
Managing Information for Impact
Donny Shimamoto
 

Similar to How to Build a Privacy Program (20)

How to Build a Privacy Program
How to Build a Privacy ProgramHow to Build a Privacy Program
How to Build a Privacy Program
 
Ethics in Data Management.pptx
Ethics in Data Management.pptxEthics in Data Management.pptx
Ethics in Data Management.pptx
 
Creating Trust for the Internet of Things
Creating Trust for the Internet of ThingsCreating Trust for the Internet of Things
Creating Trust for the Internet of Things
 
Implementing and Auditing GDPR Series (8 of 10)
Implementing and Auditing GDPR Series (8 of 10) Implementing and Auditing GDPR Series (8 of 10)
Implementing and Auditing GDPR Series (8 of 10)
 
Global Data Privacy Regulation
Global Data Privacy RegulationGlobal Data Privacy Regulation
Global Data Privacy Regulation
 
Privacy Policies: Guide to Protecting User Data
Privacy Policies: Guide to Protecting User DataPrivacy Policies: Guide to Protecting User Data
Privacy Policies: Guide to Protecting User Data
 
Internet security and privacy issues
Internet security and privacy issuesInternet security and privacy issues
Internet security and privacy issues
 
Why We Require GDPR?
Why We Require GDPR?Why We Require GDPR?
Why We Require GDPR?
 
Sask 3.0 Summit Pci dss presentation Bashir Fancy
Sask 3.0 Summit Pci dss presentation Bashir FancySask 3.0 Summit Pci dss presentation Bashir Fancy
Sask 3.0 Summit Pci dss presentation Bashir Fancy
 
Principles of Holistic Information Governance - Presented to ARMA Edmonton Ja...
Principles of Holistic Information Governance - Presented to ARMA Edmonton Ja...Principles of Holistic Information Governance - Presented to ARMA Edmonton Ja...
Principles of Holistic Information Governance - Presented to ARMA Edmonton Ja...
 
Secure Your Enterprise Data Now and Be Ready for CCPA in 2020
Secure Your Enterprise Data Now and Be Ready for CCPA in 2020Secure Your Enterprise Data Now and Be Ready for CCPA in 2020
Secure Your Enterprise Data Now and Be Ready for CCPA in 2020
 
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for ...
 
2014 ota databreach3
2014 ota databreach32014 ota databreach3
2014 ota databreach3
 
TrustArc-Webinar-Slides-2022-03-01-Is Your Privacy Program Ready for a Fundin...
TrustArc-Webinar-Slides-2022-03-01-Is Your Privacy Program Ready for a Fundin...TrustArc-Webinar-Slides-2022-03-01-Is Your Privacy Program Ready for a Fundin...
TrustArc-Webinar-Slides-2022-03-01-Is Your Privacy Program Ready for a Fundin...
 
How We Will Fail in Privacy and Ethics for the Emerging Internet of Things
How We Will Fail in Privacy and Ethics for the Emerging Internet of ThingsHow We Will Fail in Privacy and Ethics for the Emerging Internet of Things
How We Will Fail in Privacy and Ethics for the Emerging Internet of Things
 
Discovery, Risk, and Insight in a Metadata-Driven World Webinar
Discovery, Risk, and Insight in a Metadata-Driven World WebinarDiscovery, Risk, and Insight in a Metadata-Driven World Webinar
Discovery, Risk, and Insight in a Metadata-Driven World Webinar
 
TrustArc Webinar: Privacy Management Made Simple
TrustArc Webinar: Privacy Management Made SimpleTrustArc Webinar: Privacy Management Made Simple
TrustArc Webinar: Privacy Management Made Simple
 
Data Privacy: The Hidden Beast within Mergers & Acquisitions
Data Privacy: The Hidden Beast within Mergers & AcquisitionsData Privacy: The Hidden Beast within Mergers & Acquisitions
Data Privacy: The Hidden Beast within Mergers & Acquisitions
 
Protect Your Firm: Knowledge, Process, Policy and Action
Protect Your Firm: Knowledge, Process, Policy and ActionProtect Your Firm: Knowledge, Process, Policy and Action
Protect Your Firm: Knowledge, Process, Policy and Action
 
Managing Information for Impact
Managing Information for ImpactManaging Information for Impact
Managing Information for Impact
 

Recently uploaded

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Orbitshub
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 

Recently uploaded (20)

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 

How to Build a Privacy Program

  • 1. Daniel Ayala (@buddhake) Managing Partner & Founder, Secratic How to Build a Privacy Program
  • 3. Secratic was built on the premise that a strong bridge between information security and privacy and the broader company can help a business not just succeed, but flourish. Secratic provides strategic security and privacy advisory to growing companies through the benefit of decades of its global enterprise experience and helps its clients find the right balance in concert with the business at hand by acting as their outside CISO/CPO. By spending ample time getting to know these companies, Secratic uses that insight to give contextual, informed guidance on topics such as risk, compliance and incident response, and ensures that a company's security and privacy programs properly align with what the business needs and does. © 2019 Secratic LLC.
  • 4. © 2019 Secratic LLC. https://maven.secratic.com
  • 5. What is Privacy The state or condition of being free from observed or disturbed by other people.
  • 6. Privacy in the News © 2019 Secratic LLC. https://www.theinformation.com/articles/apples-ad-targeting-crackdown-shakes-up-ad-market https://www.billboard.com/articles/business/legal-and-management/8545568/tiktok-class-action-lawsuit-child-privacy
  • 7. Blockchain + Privacy = Conundrum
  • 10. Blockchain + Privacy =Compliance = © 2019 Secratic LLC.
  • 11. Step 1: Look At Yourself in the Mirror • What are your regulatory requirements? © 2019 Secratic LLC.
  • 12. Inside Look: Regulatory Requirements © 2019 Secratic LLC. General Data Protection Regulation (GDPR) 12 Increased territorial scope Consent Breach notification Right to Access Right to be Forgotten Data Portability Privacy by Design Data Protection Officers
  • 13. General Data Protection Regulation (GDPR) 13 Increased territorial scope Consent Breach notification Right to Access Right to be Forgotten Data Portability Privacy by Design Data Protection Officers© 2019 Secratic LLC.
  • 15. Step 1: Look At Yourself in the Mirror • What are your regulatory requirements? • What jurisdictions are you operating in? © 2019 Secratic LLC.
  • 16. Step 1: Look At Yourself in the Mirror • What are your regulatory requirements? • What jurisdictions are you operating in? • What is your customer culture? © 2019 Secratic LLC.
  • 19. Fully Private Fully Secure Fully Open Fully Collecting Utility Balance ??? Uninformed What do I pick? Huge utlity, huge data disclosure © 2019 Secratic LLC.
  • 20. Fully Private Fully Secure Fully Open Fully Collecting Utility Now add in transparency Better informed Still want utility Might make better choices It’s clear what is collected It’s clear what it is used for It’s clear who they share it with It’s clear how long they keep it It’s presented so that average beings can read it quickly and clearly © 2019 Secratic LLC.
  • 21. OMG! I can use w/o sharing everything? I can decide what to share? Fully Private Fully Secure Fully Open Fully Collecting Now add in transparency It’s clear what is collected It’s clear what it is used for It’s clear who they share it with It’s clear how long they keep it It’s presented so that average beings can read it quickly and clearly and choice! Utility © 2019 Secratic LLC.
  • 22. Fully Private Fully Secure Fully Open Fully Collecting Finally, add trust (but verify) and accountability I can trust because I’ve verified They do what they say they do More value, more control Data security practises Depersonalisation (and even better, aggregation) Retention (GET RID OF IT FAST!) Use an identity that user’s care about and protect Utility © 2019 Secratic LLC.
  • 24. Step 1: Look At Yourself in the Mirror • What are your regulatory requirements? • What jurisdictions are you operating in? • What is your customer culture? • What is your company culture? © 2019 Secratic LLC.
  • 25. Look Inside: Company Culture • Which type of company are you? • Data Slurper? • Risk Averse? • Bleeding Edge? • Fast Follower? • Data Economy Mandate? © 2019 Secratic LLC.
  • 26. Step 1: Look At Yourself in the Mirror • What are your regulatory requirements? • What jurisdictions are you operating in? • What is your customer culture? • What is your company culture? • How can you build support for a privacy program? © 2019 Secratic LLC.
  • 27. Look Inside: Build Support • Organisational change management mindset • Find ways to tie to business value • Competitive Advantage • Customer Sentiment/Trust • Enable Later (Ethical) Data Use © 2019 Secratic LLC.
  • 28. Step 2: What Data Do You Have? • Inventory • Data Flow • What is Sensitive? • How is it Protected? © 2019 Secratic LLC.
  • 30. Step 3: What Do You Do With Your Data • How Does Data Move From System to System? • Who Do You Share It With? Why? • Who Has Access to It? • Who Processes It For You? • Have You Reviewed Their Security & Privacy Controls & Policies © 2019 Secratic LLC.
  • 31. Step 4: Data Governance & Ethics • Data Use Institutional Review Board (IRB) • Ethical Boundaries Exercise • Who Is Responsible - The DPO • Annual Review (Frequency) © 2019 Secratic LLC.
  • 32. Data Use IRB • Is it ethical? • How will data use interact with customers? • How will we use the data? • What do we really need? • What are the risks? • Is the data protected? • Is it lawful? • Are we protected? • What are the unintended consequence? Legal Security/ Privacy Marketing Business Leaders © 2019 Secratic LLC.
  • 33. Step 4: Data Governance & Ethics • Data Use Institutional Review Board (IRB) • Ethical Boundaries Exercise • Who Is Responsible - The DPO • Annual Review (Frequency) © 2019 Secratic LLC.
  • 34. Step 5: Privacy By Design • Integrate Reviews into Development Lifecycle • Integrate Reviews into Product Lifecycle • Tie Into Data Use IRB © 2019 Secratic LLC.
  • 35. Remediation Done by Business/Technology • Privacy by Design (rolls into existing product management planning processes) • Data Pseudonymisation of individuals in storage, separation of people data • Data Retention (Define the length of keeping data, and purge accordingly) Personal data w/ Token ID Token ID Usage Records Demographic Aggregated Data Purge Data Regularly © 2019 Secratic LLC.
  • 36. Remediation Done by Business/Technology • Clear, concise disclosure of data collected, processed, used, shared, and consent kept w/ recall • Cookie acceptance before cookie is dropped and consent w/ recall © 2019 Secratic LLC.
  • 37. Remediation Done by Business/Technology • Request & process for what we know, right to be forgotten, data correction • Store personal data securely (access control, encryption, deletion) • Add link to privacy notice to all pages and applications © 2019 Secratic LLC.
  • 38. Step 6: Educate Colleagues © 2019 Secratic LLC. Data Collection Data Use
  • 39. Step 7: Communicate with Transparency • Privacy Policy • Descriptive Privacy Site • Build Trust & Customer Confidence • Privacy as a Business Differentiator • Data Subject Access Requests & Don’t Sell My Info © 2019 Secratic LLC.
  • 40. Step 8: Documentation & Such • Register with Privacy Shield • Register with DPA in Europe • Declare Compliance with Any Others? • Document Data Flows & IRB Outcomes • Third Party Assessments (Both Security & Privacy) © 2019 Secratic LLC.
  • 41. Step 9: Stay Informed • Privacy Laws & Changes • Bloomberg Law • News & Business Impacts • Privacy Maven (https://maven.secratic.com) • Lawfare • Lexology • Connect with your GC or Outside Counsel © 2019 Secratic LLC.
  • 42. The Steps Look in the mirror What data do you have? What do you do with the data? Data governance and ethics Privacy by design Educate colleagues Communicate to customers Documentation Stay Informed
  • 43. In Summary • Security, privacy and compliance are closer than ever and growing closer • Privacy is a topic that customers are taking seriously, and are part of business • Not only that, robust and transparent privacy can be business enablers • The privacy world is in a very large state of flux, especially in the US, so keep up to date on happenings around the states • You don’t have to boil the ocean to get a privacy programme going. Start with your most important data • Think about the ways that data use can be used for bad, along with how they can be used for good as they are developed. • Push back on the idea that if some data is good, then more data is better. Use Governance to agree on ethics, legal, security approach. Balance! • Depersonalization of data alone doesn’t actually keep it private • Location and biometrics will see increased challenge both in courts of law and courts of public opinion. • On privacy, be Gretsky: skate to where the puck is going, not where it is now. • Transparency and leaning into security, privacy and compliance in tech builds trust and reputation. © 2019 Secratic LLC.
  • 44. Privacy is dead It’s still not great, but getting better NOT YET
  • 45. The Future of Privacy Is Interesting
  • 46. Have a moment? Please review this session In the event app. Thank you for coming! Nope! @buddhake /danielaayala

Editor's Notes

  1. Clear the myth: Privacy is dead Good news: It’s not dead yet. EU is driving a new way of thinking Bad news: Still not great in the USA Refer to Apple billboard at CES in 2019, apple card marketing
  2. Public & Private – different but same Plan ahead on the way you architect blockchain solutions. If personal info is included in the blockchain, you can’t undo it
  3. Integrity and Availability are pretty well taken care of in Blockchain, but what about Confidentiality? The biggest issues, as in many technology efforts comes down to how the technology is architected and established from the beginning. As Blockchain has permanent (immutable) and perpetual life, if the information stored on the blockchain or the crypto used to protect it is not futureproofed. GDPR/CCPA also has some very significant conflicts with blockchain: entries can NOT be deleted, or amended. No DSAR request can change that. So that means using blockchain for storing personal info is a GDPR nonstarter. There are some approaches when looking at private blockchains, but the tradeoffs are pretty significant including lack of transparency, forced control of the copies of the blockchain, and a lot more complex infrastructure subject to error/attack vectors
  4. So ill leave you with two concepts that are also part of securing and managing and protecting the privacy of data.
  5. Clear the myth: Privacy is dead Good news: It’s not dead yet. EU is driving a new way of thinking Bad news: Still not great in the USA Refer to Apple billboard at CES in 2019, apple card marketing