
Building a privacy management program

Mike Muha

Published in: Technology

  1. Building a Privacy Management Program
  2. Security vs. Privacy
     • Security: protects systems & data
     • Privacy: protects an individual's ability to control the use of their personal information
  3. What data is privacy-related?
     • Protected Health Data (PHI, ePHI)
     • Personally Identifiable Information (PII)
     • Financial data, credit card data
  4. What data is privacy-related? Personal information:
     • Protected Health Data (PHI, ePHI)
     • Personally Identifiable Information (PII)
     • Financial data, credit card data
     • And more!
  5. Why do I need a privacy program?
     • Risk management & compliance (avoid fines)?
     • Reputational risk avoidance?
     • Brand differentiator?
     • Enhance sales of products & services?
     Example mission statement: "Our mission is to comply with privacy regulations to which we are subject, to inform stakeholders about how we manage and protect their personal information, and to provide assistance to our customers' privacy compliance programs as required."
  6. What regulations apply? So many to choose from…
     • US privacy regulations: California Consumer Privacy Act; HIPAA; Gramm-Leach-Bliley Act; Children's Online Privacy Protection Act
     • International privacy laws: EU General Data Protection Regulation; Mexican Federal Law on Protection of Personal Data; Australian Privacy Directive
     • Self-regulatory privacy standards: PCI DSS; Direct Marketing Association Privacy Promise; VeriSign or TRUSTe
  7. Who are the stakeholders and why?
     • Data subjects (employees, customers, suppliers, partners): "How will you use my data?"
     • Business units (HR, Marketing, Finance/Accounting, Product Development, Training, Support): "How will the program impact my department? What changes are required? What info do you need?"
     • Partners, third-party processors (B2C and B2B): "What do you need me to do to comply?"
     • Resellers, customers, regulators (B2C and B2B): "Prove to me that you comply."
  8. Create a data inventory. What needs to be in the inventory?
     • Purpose of the processing (e.g., time and attendance)
     • Categories of "data subjects" (e.g., employees)
     • Categories of personal information (e.g., work personal information, pay code, personal phone number)
     • How the data is collected
     • Data retention period or calculation (e.g., 7 years after termination)
     What data needs to be protected?
     • Who has access to the data:
       » HR: full access
       » Managers: access to staff
       » Employees: their own information
       » Third parties
       » SaaS processor staff!
     • Where the data is stored and processed (e.g., SaaS provider's US data center)
     • Whether the data is transferred to a third country (e.g., from Spain to the US)
     • Security controls in place to protect the data
  9. Perform a gap assessment: where are you today, where do you need to be?
     • Take a regulation and turn it into a checklist
     • Apply the checklist against each business area
     • Work on the easy wins (privacy notices)
     • Work through the gaps in order of risk
  10. Example Gap Assessment
  11. Example Gap Assessment
  12. Example: GDPR. Are we collecting personal information lawfully? You can collect personal data only if one of these applies:
     1. The data is necessary for the performance of a contract with the employee (i.e., employment agreement), or
     2. The data is required by another regulation to which you are subject (i.e., employment regulations, tax calculations, etc.), or
     3. You have a legitimate reason for collecting the data (i.e., to measure job performance), or
     4. The employee gives explicit, freely-given consent
        » Employer-employee relationship: can consent be freely given?
        » Employees can withdraw consent
        or
     5. Additional options…
  13. GDPR: watch out for "Special Categories" of personal information. You CAN'T collect this information:*
     • Race or ethnic origin
     • Political opinions
     • Religious or philosophical beliefs
     • Trade union membership
     • Genetic data
     • Biometric data
     • Health data
     • Sex life or sexual orientation
     • Criminal convictions & offenses
     *Unless:
     • The employee has given explicit consent
     • It's necessary to carry out obligations to the employee
     • It's necessary to assess the working capacity of an employee
     • …a few other exceptions
     Illinois Biometric Privacy Act:
     • You can't collect biometric information without consent and proper & full notice
     • Must securely store
     • Must destroy in a timely manner
  14. Manage risk
     • DPIA (Data Protection Impact Assessments)
       » What's the risk to the data subject?
       » How do I comply with the regulation?
       » Example template under "Resources"
     • Risk treatment plans
       » How do I address the risk?
     • Privacy by design, privacy by default
       » Think about privacy during the initiation of new projects/processes
       » Designs should protect data/rights from the very beginning
  15. Privacy Notices
  16. Privacy policy vs. privacy notices (source: IAPP glossary)
     • Privacy Policy: "An internal statement that governs an organization or entity's handling practices of personal information. It is directed at the users of the personal information. A privacy policy instructs employees on the collection and the use of the data, as well as any specific rights the data subjects may have."
     • Privacy Notice: "A statement made to a data subject that describes how the organization collects, uses, retains and discloses personal information. A privacy notice is sometimes referred to as a privacy statement, a fair processing statement or sometimes a privacy policy."
  17. Write privacy notices. The Privacy Notice must be:
     • Concise, transparent, intelligible and easily accessible
     • Written in clear and plain language
     • Free of charge
     • Provided at the time data is collected!
     Use-specific privacy notices:
     • Recruiting notice
     • Employee notice
     • Customer notice
     • Partner notice
     • Product notice
  18. What needs to be in a privacy notice? (GDPR example)
     1. Contact details of the data owner
     2. Contact details of the Data Protection Officer
     3. Reason for collecting the data
     4. Legal basis of processing
     5. Who will have access to the personal information
     6. Whether personal information will be transferred out of the EU
     7. Legal basis for transferring the data out of the EU
        » Adequacy decision
        » Privacy Shield
        » Binding Corporate Rules
        » Standard Data Protection Clauses
     8. Where to obtain a copy of the legal basis for transferring data
     9. Retention period for the data
     10. Personal rights of the employee (see next slide)
     11. Whether automated processing or profiling is used
     12. Whether data is contractually required, and the impact of not providing that data
  19. What needs to be in a privacy notice? Personal rights of an individual:
     • Right of access
     • Right to rectification
     • Right of erasure
     • Right to restrict processing
     • Right to data portability
     • Right to object
     • Right to human intervention around automated processing activities
     Example: https://www.workforcesoftware.com/privacy-policy/
  20. Privacy Processes
  21. Privacy Processes: embed data privacy into business operations. Create processes around the personal rights of individuals:
     • Right of access
     • Right to rectification
     • Right of erasure
     • Right to restrict processing
     • Right to data portability
     • Right to object
     • Right to human intervention around automated processing activities
  22. Example: the process to erase data upon request. The process needs to include:
     1. How to determine if the person making the request is actually authorized to make the request
     2. How to decide if the request must be fulfilled or can be denied
     3. How to find all the locations of the data
     4. How to actually delete the data
     5. How to track the request and its final disposition
     6. How to communicate with the data subject
     7. How fast to respond and fulfill the request
  23. Example: the process to erase data upon request (continued). The process needs to include:
     1. How to determine if the person making the request is actually authorized to make the request
     2. How to decide if the request must be fulfilled or can be denied
     3. How to find all the locations of the data (data inventory!)
     4. How to actually delete the data (can you actually delete data for an individual?)
     5. How to track the request and its final disposition
     6. How to communicate with the data subject
     7. How fast to respond and fulfill the request
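The data inventory of slide 8 and the erasure process of slides 22 and 23 fit together: an erasure request can only be answered by walking every inventory row that holds data about that category of data subject and deciding, per location, whether the data can be deleted or must be retained under a legal obligation. The following Python is an added example written for this page, not code from the slides or from WorkForceSoftware; the inventory rows, legal-basis labels, the 30-day service-level parameter and the identity-verification flag are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional, Tuple


@dataclass(frozen=True)
class InventoryEntry:
    """One row of the data inventory, using the fields listed on slide 8."""
    purpose: str                      # e.g. "time and attendance"
    subject_category: str             # e.g. "employees"
    data_categories: Tuple[str, ...]  # e.g. ("pay code", "personal phone number")
    location: str                     # where the data is stored and processed
    processor: Optional[str]          # third party holding the data, if any
    legal_basis: str                  # contract | legal_obligation | legitimate_interest | consent
    retention_years: Optional[int]    # counted from end of relationship; None = no fixed period
    transfer_to: Optional[str]        # third-country destination, if any


# Constructed sample inventory; the systems and values are illustrative only.
INVENTORY = (
    InventoryEntry("time and attendance", "employees", ("pay code", "clock-in times"),
                   "SaaS provider US data center", "SaaS provider", "contract", 7, "US"),
    InventoryEntry("payroll tax filing", "employees", ("tax id", "salary"),
                   "finance ERP (on-prem)", None, "legal_obligation", 7, None),
    InventoryEntry("wellness newsletter", "employees", ("personal email",),
                   "marketing mail tool", "mail vendor", "consent", None, "US"),
    # Backups are a location too: if they are not in the inventory they are not erased.
    InventoryEntry("nightly backup of ERP", "employees", ("tax id", "salary"),
                   "backup tapes", None, "legal_obligation", 7, None),
)


def add_years(d: date, years: int) -> date:
    """Retention end date; 29 Feb rolls back to 28 Feb in a non-leap target year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def retention_end(entry: InventoryEntry, relationship_end: date) -> Optional[date]:
    if entry.retention_years is None:
        return None
    return add_years(relationship_end, entry.retention_years)


def erasure_disposition(entry: InventoryEntry, relationship_end: date, today: date) -> str:
    """Step 2/4: delete unless a legal obligation still forces retention."""
    end = retention_end(entry, relationship_end)
    if entry.legal_basis == "legal_obligation" and end is not None and today < end:
        return f"retain until {end.isoformat()} (legal obligation)"
    return "delete"


def process_erasure_request(inventory, subject_category: str, relationship_end: date,
                            today: date, identity_verified: bool, sla_days: int = 30) -> dict:
    """Steps 1-7 of the slide's erasure process, returned as one record for the request log.

    sla_days is an assumed response target, not a figure taken from the slides.
    """
    record = {
        "received": today.isoformat(),
        "due": (today + timedelta(days=sla_days)).isoformat(),   # step 7
        "subject_category": subject_category,
    }
    if not identity_verified:                                       # step 1
        record["status"] = "denied: requester not verified"
        record["actions"] = {}
        return record
    rows = [e for e in inventory if e.subject_category == subject_category]  # step 3
    actions = {e.location: erasure_disposition(e, relationship_end, today) for e in rows}
    record["actions"] = actions                                     # step 5: per-location disposition
    # Step 6: processors that hold a copy must be instructed to delete as well.
    record["third_parties_to_notify"] = sorted(
        {e.processor for e in rows if e.processor and actions[e.location] == "delete"})
    record["status"] = ("fulfilled" if all(a == "delete" for a in actions.values())
                        else "partially fulfilled")
    return record


if __name__ == "__main__":
    # Constructed request: a former employee whose employment ended on 2015-06-30.
    rec = process_erasure_request(INVENTORY, "employees", date(2015, 6, 30),
                                  date(2019, 1, 1), identity_verified=True)
    for location, action in rec["actions"].items():
        print(f"{location}: {action}")
    print(rec["status"], "- notify:", rec["third_parties_to_notify"])
```

The record returned for each request is what slide 24 asks you to keep as proof: the date received, the due date, every location checked, what was done with each, and which processors were told to delete. Note how the two rows on a legal-obligation basis (the ERP and its backup tapes) make the request only partially fulfillable until their retention period expires, which is exactly the "can you actually delete data for an individual?" question.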
  24. Showing proof of compliance: document your processes; log your actions
     • Documented processes
     • You must prove compliance, so keep a log!
  25. Controllers vs. Processors
  26. Controller – Processor relationship
     • Controller: determines how data is processed
     • Processor: processes data on behalf of the Data Controller, following instructions of the Data Controller
     • Sub-Processor: processes data on behalf of the Data Controller, following instructions of the Data Controller / Processor
  27. Controller – Processor relationship
     • Controller: determines how data is processed (you)
     • Processor: processes data on behalf of the Data Controller, following instructions of the Data Controller (SaaS provider)
     • Sub-Processor: processes data on behalf of the Data Controller, following instructions of the Data Controller / Processor (vendors used by the SaaS provider)
  28. Processors and sub-processors
     • You're responsible for your data, no matter who has it!
     • Third-party management
       » What third parties process personal data? (store, transfer, process, view, edit, organize…)
       » Data processing agreements in place?
       » Legal means of transferring data?
       » Risk assessments
       » Process to inform / ask permission to use new third parties?
  29. Controller & processor responsibilities
     • Protect your data: appropriate security controls; data protection impact assessments; vulnerability management; penetration tests
     • Ensure confidentiality: confidentiality agreements in place (employees & processors); annual required security and privacy training
     • Provide evidence of compliance: internal audit; internal IT & external audits (ISO 27001, SOC 2, etc.); evidence the privacy processes work
  30. Controller & processor responsibilities
     • Limited use of data: only collect necessary data; delete it when it's not needed; only use data as defined in Privacy Notices
     • Permission to use sub-processors: permission required by processor to use a partner; can request information about existing use of partners
     • Data protections flow down to processors: processor can only use data per your instructions; processors & sub-processors must have data protections in place
  31. Controller & processor responsibilities
     • Ensure lawful transfers of data out of country: applies to you, processors & sub-processors; adequacy, Standard Contractual Clauses, Privacy Shield, Binding Corporate Rules
     • Data deletion: data retention policies; ability to actually delete data!; contracts: return data in an industry-standard format; delete all data from all systems, including backups
     • Breach notification: all 50 states have breach notification laws; GDPR requires notifying the Supervisory Authority within 24 hours of a breach
  32. Governance
  33. Selling privacy and your privacy program
     • Executive team
       » Need for a program
       » Consequences of not having a program
       » Advantages of having a program
     • Department heads
       » What is the impact on a specific department?
       » How does it affect the department head?
  34. Leadership: CEO signs the "Privacy Policy"
     • Communicates objectives of the privacy program
     • Need for continuous improvement
     • Commitment to privacy compliance
     • Sets roles and responsibilities
  35. Data Privacy Officer skillsets
     1. Legal knowledge
     2. Technical background
     3. Operational experience
     4. Communication skills
     5. Credibility
  36. Data Privacy Officer skillsets
     1. Legal knowledge
     2. Technical background
     3. Operational experience
     4. Communication skills
     5. Credibility
     Data Privacy Officer = unicorn
  37. Data Privacy Officer skillsets (legal knowledge, technical background, operational experience, communication skills, credibility). Likely suspects…
     1. In-house attorney: can understand the law; not tech-savvy, lacks operations background
     2. Someone from IT or Security: tech-savvy, ops experience; doesn't know the law
     3. Internal audit / Compliance: knows the law; conflict of interest in defining rules & checking compliance
     4. Human resources or marketing: could see business opportunity; lacks overall corporate scope
  38. Centralized vs. decentralized vs. hybrid?
     • Centralized: based in one country; subject to a limited set of privacy regulations; other processes are centralized
     • Decentralized: many countries; subject to different privacy regulations; other processes are decentralized
     • Hybrid: many countries; subject to same & unique privacy regulations; many local variations
  39. Privacy operations
     • Create policies, standards, procedures
     • Log (to prove compliance)
       » Opt-in / opt-out
       » Time to respond to privacy requests
       » Breach notification
     • Get training for privacy professionals
     • Create privacy awareness & role-based training
     • Communicate! Especially successes!
  40. Resources
     • DLA Piper Data Protection Laws of the World: compare data protection laws around the world. https://www.dlapiperdataprotection.com/index.html
     • EU General Data Protection Regulation table of contents: table of contents, cross-references, emphases. http://www.privacy-regulation.eu/en/index.htm
     • BS 10012:2017 Data Protection – Specification for a personal information management system. https://www.bsigroup.com/en-GB/BS-10012-Personal-information-management/
     • NIST Privacy Framework (under development). https://www.nist.gov/privacy-framework
  41. Resources, 2nd page
     • State breach notification laws: summarizes state laws regarding breach notification. https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart.html
     • Data Privacy Impact Assessment template: mainly GDPR, but could be adapted. https://www.mikemuha.com/2017/09/how-to-perform-data-protection-impact.html
     • International Association of Privacy Professionals: wealth of privacy-related webinars, news, software, training, certifications, best practices. https://iapp.org/
  42. Key takeaways
     1. Get buy-in from management
     2. Document where personal data resides and is transferred
     3. Know how it's protected, both legally and from a security perspective
     4. Mind the gap
     5. Ensure you have (documented) privacy processes
     6. Make sure you have compliant privacy notices
     7. Delete personal data if there's no reason to keep it around
     8. Keep records that show your compliance
  43. Thanks! Michael J. Muha, Ph.D., CISSP, CRISC, CISM, CIPP/E, CIPM, Certified GDPR Practitioner. mmuha@WorkForceSoftware.com, workforcesoftware.com
