
Alejandra Brown: Introduction to privacy and overview of privacy and data residency rules that apply to BC nonprofits.


You have a lot of data! How can you keep your member and client information secure? What legal rules does your nonprofit need to follow when it comes to data hosting? What tools and apps won't get you in trouble?

We have four experts who will answer all your questions.

* Alejandra Brown: Introduction to privacy and overview of privacy and data residency rules that apply to BC nonprofits.

* Mack Hardy: Five practical things you can do to secure your online self. Policies, 2FA, password managers, and more.

* Damien Norris: A suite of curated tools that organizations can use to locally/securely replace the US owned cloud services in their lives.

* Kris Constable: IDVPN: a VPN for complying with jurisdictional regulations.

Published in: Data & Analytics

  1. Privacy Management. Kirke Management Consulting, 2019-10-21. © 2018 Kirke Management Consulting. All Rights Reserved - Private and Confidential
  2. Privacy and Data Breaches
  3. Something in Common?
     • Large and well-known organizations
     • Strong reputations… until they didn't
     • Breaches could have been avoided
  4. 2018 Breach Examples (timeline slide covering Jan 2018 to Dec 2019; the period each example sits in could not be recovered from the transcript)
     • Marriott Starwood: 500MM records
     • Ontario Cannabis Store notifies of a breach through Canada Post: 4.5K records
     • Air Canada, through mobile app: 1.7MM records
     • BMO and Simplii: 90K records
     • Under Armour MyFitnessPal: 150MM records
     • Facebook – Cambridge Analytica: 87MM records
     • Facebook exposed sensitive data: 29MM records
     • Facebook exposed sensitive data: 100MM+ records
     • Desjardins employee exposes data of 2.9MM individuals
     • Capital One records exposed in US and Canada
  5. NFP Privacy Breaches
     • Legal Aid Society of Orange County, Jan 2017: tax forms were made accessible through search engines
     • King Edward Child Care Society, Edmonton AB, Sep 2017: emergency backpack with first aid supplies and children's information was left at a playground
     • JDRF, Mar 2018: human error caused donation history to display on their new online donation system; the information breached included name, email address and donation amount
     • BC HIV/AIDS NFP, 2019: Excel file with employee info sent through email, unprotected; the privacy breach could become a class action lawsuit
     Sources: https://www.vancourier.com/alleged-hiv-aids-privacy-breach-could-become-class-action-suit-1.23811118 and https://www.oipc.ab.ca/media/993856/P2019_ND_014_008114.pdf
  6. (Image-only slide, no text)
  7. It is a Hyper-connected World
  8. Global Privacy Regulations
     • Canada, Federal: PIPEDA (private sector); CASL – Anti-Spam Legislation
     • Canada, Provincial (BC, AB, QC): PIPA (private sector); FIPPA (public sector)
     • USA: HIPAA, CCPA, COPPA, CalOPPA
     • EU: GDPR (2018); E-Privacy Regulation (TBD)
  9. Privacy vs Security
     • Privacy focuses on governance around use, disclosure and retention of Personal Information
     • Security is concerned with measures to restrict access and protect Personal Information during collection, storage, and transmission
  10. Importance of Privacy for NFP
     • NFPs interact with different stakeholders: donors/funding contributors, volunteers, employees, clients
     • NFPs may need to manage very sensitive information, for example immigration status, health status, financial position and contributions
     • Wherever data is managed there is data loss risk, and losing data may prove damaging to the affected individual
     • Most importantly: an NFP's reputation and brand identity are paramount to its main objective (fundraising), and the public has shown itself less forgiving of NFPs when it comes to trust
  11. Common Areas of Vulnerability: Human Error
     • Collection of donations and credit card info
     • Storage, transfer and disclosure of employee, donor, volunteer or client info
     • Storage of PI on digital assets (e.g. laptops, smartphones, USB sticks) or any other unsecured environment
     • Disclosure of PI to third parties and/or too broadly within the organization
     • Lack of awareness of privacy obligations, what constitutes a breach, and what to do if one takes place
  12. Effective Privacy Program
     • Understand the regulations that apply to the organization
     • Have a designated CPO
     • Have clear and simple policies around privacy, including a Privacy Notice on the official website
     • Keep privacy principles in mind for new campaigns, processes or initiatives, especially for digital marketing
     • Ensure 3rd party contracts have clear privacy provisions
     • Educate employees and relevant stakeholders on their obligations; provide regular training
     • Ensure that questions, gaps and complaints are easily funneled to the CPO
     • Have an Incident Management Protocol in place
     • Review privacy practices periodically
     • Ensure cybersecurity coverage is included as part of insurance
     • Ensure PI is identified and protected, including IT security measures
  13. Privacy Notice and Principles
     Privacy Notice:
     • Identify what PI you collect, use and share
     • Describe what protection you use on PI
     • Share where you store PI and who has access to it
     • Provide a contact for anyone with questions or concerns
     Privacy Principles:
     • Request consent where necessary
     • Limit use of PI
     • Share only on a "need-to-know" basis
     • Create awareness in the organization; keep privacy top of mind
     • Be accountable, respond quickly to issues and take responsibility
  14. Where Do We Go From Here?
     • Determine your level of privacy maturity
     • Assess your risk and current gaps
     • Adopt "quick wins"
     • Appoint a CPO
     • Create or review the privacy policy
     • Train employees and volunteers on privacy practices and their obligations
     • Identify IT security areas of risk
     • Include appropriate disclaimers in your e-Newsletter sign-up form
     • Establish an incident response procedure
     • Bring in experts when required
  15. Resources
     • Privacy tools: https://kirke-consulting.com/tools/
     • Privacy checklist for NFPs: http://www.charitycentral.ca/wp-content/uploads/privacy-en.pdf
     • Privacy concerns for NFPs: https://www.techsoupcanada.ca/en/community/blog/privacy-and-data-concerns-for-nonprofits
  16. Thanks! Ale Brown – abrown@kirke-consulting.com
  17. About Kirke. Strategy. Transformation. Results. We are a strategy consulting firm that enables business growth and minimizes corporate risk. We believe that safeguarding personal information has become paramount in a rapidly expanding digital world, therefore we help organizations gain relevant data insights to build tighter relationships with their customers, all within a strong privacy management framework. This results in increased brand recognition, improved reputation in the industry and trust within their customer base. http://www.kirke-consulting.com/ contact@kirke-consulting.com