How to Build a Privacy Program

Daniel Ayala (@buddhake)
Managing Partner & Founder,
Secratic
How to Build a
Privacy Program

Secratic was built on the premise that a strong bridge between
information security and privacy and the broader company can
help a business not just succeed, but flourish.
Secratic provides strategic security and privacy advisory to
growing companies through the benefit of decades of its global
enterprise experience and helps its clients find the right balance
in concert with the business at hand by acting as their outside
CISO/CPO. By spending ample time getting to know these
companies, Secratic uses that insight to give contextual,
informed guidance on topics such as risk, compliance and
incident response, and ensures that a company's security and
privacy programs properly align with what the business needs
and does.
© 2019 Secratic LLC.

https://maven.secratic.com

What is
Privacy
The state or condition of
being free from observed
or disturbed by other
people.

Privacy in the News
https://www.theinformation.com/articles/apples-ad-targeting-crackdown-shakes-up-ad-market
https://www.billboard.com/articles/business/legal-and-management/8545568/tiktok-class-action-lawsuit-child-privacy

Blockchain + Privacy = Conundrum

Blockchain
Handdrawn

Interconnected

Blockchain
+ Privacy =Compliance =

Step 1: Look At Yourself in the Mirror
• What are your regulatory requirements?

Inside Look: Regulatory Requirements
General
Data
Protection
Regulation
(GDPR) 12
Increased territorial
scope
Consent
Breach notification
Right to Access
Right to be
Forgotten
Data Portability
Privacy by Design
Data Protection Officers

General Data
Protection
Regulation
(GDPR)
13
Increased
territorial scope
Consent
Breach notification
Right to Access
Right to be
Forgotten
Data Portability
Privacy by Design
Data Protection
Officers© 2019 Secratic LLC.

https://iapp.org/resources/article/state-comparison-table/

• What jurisdictions are you operating in?

• What is your customer culture?

The Creepy
Line
http://creepyline.com

18
Security &
Privacy Utility
Balance

Fully Private
Fully Secure
Fully Open
Fully Collecting
Utility
Balance
???
Uninformed
What do I pick?
Huge utlity, huge data
disclosure

Fully Private
Fully Secure
Fully Open
Fully Collecting
Utility
Now add in transparency
Better informed
Still want utility
Might make better
choices
It’s clear what is collected
It’s clear what it is used for
It’s clear who they share it with
It’s clear how long they keep it
It’s presented so that average beings
can read it quickly and clearly

OMG!
I can use w/o sharing
everything?
I can decide what to
share?
Fully Private
Fully Secure
Fully Open
Fully Collecting
Now add in transparency It’s clear what is collected
It’s clear what it is used for
It’s clear who they share it with
It’s clear how long they keep it
It’s presented so that average beings
can read it quickly and clearly
and choice!
Utility

Fully Private
Fully Secure
Fully Open
Fully Collecting
Finally, add trust (but verify)
and accountability
I can trust because I’ve verified
They do what they say they do
More value, more control
Data security practises
Depersonalisation (and even better,
aggregation)
Retention (GET RID OF IT FAST!)
Use an identity that user’s care about
and protect
Utility

• What is your company culture?

Look Inside: Company Culture
• Which type of company are you?
• Data Slurper?
• Risk Averse?
• Bleeding Edge?
• Fast Follower?
• Data Economy Mandate?

• What is your company culture?
• How can you build support for a privacy program?

Look Inside: Build Support
• Organisational change management mindset
• Find ways to tie to business value
• Competitive Advantage
• Customer Sentiment/Trust
• Enable Later (Ethical) Data Use

Step 2: What Data Do You Have?
• Inventory
• Data Flow
• What is Sensitive?
• How is it Protected?

Step 3: What Do You Do With Your
Data
• How Does Data Move From System to System?
• Who Do You Share It With? Why?
• Who Has Access to It?
• Who Processes It For You?
• Have You Reviewed Their Security & Privacy Controls & Policies

Step 4: Data Governance & Ethics
• Data Use Institutional Review Board (IRB)
• Ethical Boundaries Exercise
• Who Is Responsible - The DPO
• Annual Review (Frequency)

Data Use
IRB
• Is it ethical?
• How will data use
interact with
customers?
• How will we use the
data?
• What do we really
need?
• What are the risks?
• Is the data
protected?
• Is it lawful?
• Are we protected?
• What are the
unintended
consequence?
Legal
Security/
Privacy
Marketing
Business
Leaders

Step 5: Privacy By Design
• Integrate Reviews into Development Lifecycle
• Integrate Reviews into Product Lifecycle
• Tie Into Data Use IRB

Remediation Done by
Business/Technology
• Privacy by Design (rolls into
existing product
management planning
processes)
• Data Pseudonymisation of
individuals in storage,
separation of people data
• Data Retention (Define the
length of keeping data, and
purge accordingly)
Personal
data w/
Token ID
Token ID
Usage
Records
Demographic
Aggregated
Data
Purge
Data
Regularly

Remediation Done by
Business/Technology
• Clear, concise disclosure
of data collected,
processed, used, shared,
and consent kept w/
recall
• Cookie acceptance before
cookie is dropped and
consent w/ recall

Remediation Done by
Business/Technology
• Request & process for
what we know, right to
be forgotten, data
correction
• Store personal data
securely (access control,
encryption, deletion)
• Add link to privacy notice
to all pages and
applications

Step 6: Educate Colleagues
Data Collection
Data Use

Step 7: Communicate with
Transparency
• Privacy Policy
• Descriptive Privacy Site
• Build Trust & Customer Confidence
• Privacy as a Business Differentiator
• Data Subject Access Requests & Don’t Sell My Info

Step 8: Documentation & Such
• Register with Privacy Shield
• Register with DPA in Europe
• Declare Compliance with Any Others?
• Document Data Flows & IRB Outcomes
• Third Party Assessments (Both Security & Privacy)

Step 9: Stay Informed
• Privacy Laws & Changes
• Bloomberg Law
• News & Business Impacts
• Privacy Maven (https://maven.secratic.com)
• Lawfare
• Lexology
• Connect with your GC or Outside Counsel

The Steps
Look in the mirror
What data do you have?
What do you do with the data?
Data governance and ethics
Privacy by design
Educate colleagues
Communicate to customers
Documentation
Stay Informed

In Summary
• Security, privacy and compliance are closer than ever and growing closer
• Privacy is a topic that customers are taking seriously, and are part of business
• Not only that, robust and transparent privacy can be business enablers
• The privacy world is in a very large state of flux, especially in the US, so keep up to date on happenings
around the states
• You don’t have to boil the ocean to get a privacy programme going. Start with your most important
data
• Think about the ways that data use can be used for bad, along with how they can be used for good as
they are developed.
• Push back on the idea that if some data is good, then more data is better. Use Governance to agree on
ethics, legal, security approach. Balance!
• Depersonalization of data alone doesn’t actually keep it private
• Location and biometrics will see increased challenge both in courts of law and courts of public opinion.
• On privacy, be Gretsky: skate to where the puck is going, not where it is now.
• Transparency and leaning into security, privacy and compliance in tech builds trust and reputation.

Privacy is dead
It’s still not great,
but getting better
NOT YET

The Future of Privacy
Is Interesting

Have a moment?
Please review this session
In the event app.
Thank you for
coming!
Nope!
@buddhake
/danielaayala

How to Build a Privacy Program

More Related Content

What's hot

Similar to How to Build a Privacy Program

Recently uploaded

How to Build a Privacy Program

Editor's Notes