
Data Privacy in the DMBOK - No Need to Reinvent the Wheel


Castlebridge Associates

Castlebridge Associates | Invent Centre | DCU | Glasnevin | Dublin 9| Ireland

Changing How People in Organisations Think about Information

DATA PRIVACY & THE DMBOK: NO NEED TO REINVENT THE WHEEL!

Castlebridge Associates

© 2015 | Castlebridge Associates | Confidential

WHAT WE ARE GOING TO COVER

Why Data Privacy is Important

Data Privacy in the DMBOK

Some Other Concepts

Ethical Information Management

WHY DATA PRIVACY IS IMPORTANT: SOME KEY TRENDS TO BE AWARE OF…


People have entrusted us with their most personal information.

We owe them nothing less than the best protections that we can possibly provide by harnessing the technology at our disposal.

We must get this right.

History has shown us that sacrificing our right to privacy can have dire consequences.

Tim Cook, CEO Apple


THE GLOBAL LEGISLATIVE TREND

[Chart: Total Global Data Privacy Laws, by decade (1970s, 1980s, 1990s, 2000s, 2010-2015); data labels: 7, 17, 36, 68, 111]

Within this, there is also continued evolution of existing Data Privacy laws (e.g. EU Data Protection Regulation)

ONE KEY TREND…

Global momentum toward the EU’s model of data privacy regulation has led to new laws and better protection for the consumer. Many non-EU countries have passed laws over the past 12 months that bring the world’s collective standards around data privacy closer to the high-water mark laid out by the EU’s overarching Privacy Directive.

For instance, countries such as Malaysia and South Africa have recently passed new data privacy frameworks that closely follow the EU’s lead. South Africa has even gone one step farther and implemented provisions that will likely be implemented by the future EU Privacy Directive updates.

- Forrester, August 2014


A FRAMEWORK FOR THINKING ABOUT INFORMATION

Level | Business | Information | Technology
Strategic | Business Strategy & Governance | Information Strategy & Governance | IT Strategy & Governance
Tactical | Business Architecture & Planning | Information Architecture & Planning | Technology Architecture & Planning
Operations | Management & Execution of Business Processes | Management & Application of Information | Management & Exploitation of IT Services

Customer: Process Outcome; Information Outcome; Expectation

Privacy is Here

Based on Amsterdam 9-box model by Prof. Rik Maes et al

A SUMMARY MAPPING OF CORE PRINCIPLES

EU Principle | OECD Principle(s) | AICPA FIPP
Obtain Data Fairly | Openness | Notice; Choice and Consent
Process for a Specified and Lawful Purpose | Purpose Specification | Collection
Do not Process for an incompatible purpose | Use Limitation | Use, Retention, Disposal
Ensure Data is Accurate, Complete, and Up-to-date | Data Quality | Quality
Personal Data should be kept Safe and Secure | Security Safeguards | Security for Privacy; Disclosure
Data must be adequate, relevant, not excessive | Data Quality | Quality
Personal data must not be kept for longer than necessary for the specified purposes | | Use, Retention, Disposal
Individuals have rights of access, rectification, erasure, blocking | Individual participation | Access
 | | Management; Monitoring & Enforcement
Penalties & Civil liability & Enforcement | Accountability | Monitoring & Enforcement

KEY PROVISIONS OF THE DATA PROTECTION REGULATION

General Data Protection Regulation – 1 Slide Summary

• One Stop Shop
• Core 8 Principles + Accountability Principle + Transparency Principle + Article 7, 8 ECHR
• Increased Penalties
• Moves towards a “Risk Based” model
• Explicit Focus on Governance
• Principles Driven
• Enhanced Rights: Data Portability; RTBF
• Risk & Penalty Mitigation
• Documentation
• Fines as % of Global Turnover

WHY DOES IT MATTER?

DATA PRIVACY IN THE DMBOK

DATA PRIVACY IN THE DMBOK WHEEL

© DAMA International, used with permission

Remember to Respect Copyright

DATA PROTECTION THROUGH THE DG/IQ LENS

Current EU Data Protection Directive 95/46/EC


DATA PROTECTION: PRINCIPLES

Principle | Governance / Quality
Personal data which is being processed must be fairly obtained and processed | X
Personal Data shall be obtained for a Specified and Lawful Purpose | X
Personal Data shall not be processed in a manner incompatible with the specified purpose | X
Personal Data shall be kept accurate and complete and, where necessary, kept up to date | X
Personal Data should be kept Safe & Secure | X
Data processed must be adequate, relevant and not excessive | X X
Personal data should not be kept for longer than necessary for the specified purpose or purposes | X X
Data Subjects have a right of Access. | X

DATA PROTECTION: QUALITY PRINCIPLES


WHAT IS DATA QUALITY IN DMBOK?

Definition: Planning, implementation, and control activities that apply quality management techniques to measure, assess, improve, and ensure the fitness of data for use.

Goals:
• To measurably improve the quality of data in relation to defined business expectations.
• To define requirements and specifications for integrating data quality control into the system development lifecycle.
• To provide defined processes for measuring, monitoring, and reporting conformance to acceptable levels of data quality.

Activities:
1. Develop and Promote Data Quality Awareness
2. Define Data Quality Requirements
3. Profile, Analyze, and Assess Data Quality
4. Define Data Quality Metrics
5. Define Data Quality Business Rules
6. Test and Validate Data Quality Requirements
7. Set and Evaluate Data Quality Service Levels
8. Continuously Measure and Monitor Data Quality
9. Manage Data Quality Issues
10. Clean and Correct Data Quality Defects
11. Design and Implement Operational DQM Procedures
12. Monitor Operational DQM Procedures and Performance

Inputs:
• Business Requirements
• Data Requirements
• Data Quality Expectations
• Data Policies and Standards
• Business Metadata
• Technical Metadata
• Data Sources and Data Stores

Primary Deliverables:
• Improved Quality Data
• Data Management
• Operational Analysis
• Data Profiles
• Data Quality Certification Reports
• Data Quality Service Level Agreements

Metrics:
• Data Value Statistics
• Errors / Requirement Violations
• Conformance to Expectations
• Conformance to Service Levels

Tools:
• Data Profiling Tools
• Statistical Analysis Tools
• Data Cleansing Tools
• Data Integration Tools
• Issue and Event Management Tools

EXAMPLE: MARKETING CONSENTS EXPIRE AFTER 12 MONTHS

[Chart: ePrivacy Directive Consent Tracker. Vertical axis: 0% to 45%. Horizontal axis: Marketing months since last contact (12 months or over, 10-12 months, 6-9 months, 3-6 months, 0-3 months)]

30% x Avg uplift of €10 per campaign, 10% success rate, 1.2 million customers

DATA PROTECTION: DATA DEVELOPMENT


WHAT IS DATA DEVELOPMENT IN DMBOK?

Definition: Designing, implementing, and maintaining solutions to meet the data needs of the enterprise.

Goals:
• Identify and define data requirements.
• Design data structures and other solutions to these requirements.
• Implement and maintain solution components that meet these requirements.
• Ensure solution conformance to data architecture and standards as appropriate.
• Ensure the integrity, security, usability, and maintainability of structured data assets.

Activities:
1. Data Modelling, Analysis and Solution Design
   • Analyze Information Requirements
   • Develop and Maintain Conceptual Data Models
   • Develop and Maintain Logical Data Models
   • Develop and Maintain Physical Data Models
2. Detailed Data Design
   • Design Physical Databases
   • Design Information Products
   • Design Data Access Services
   • Design Data Integration Services
3. Data Model and Design Quality Management
   • Develop Data Modeling and Design Standards
   • Review Data Model and Database Design Quality
   • Manage Data Model Versioning and Integration
4. Data Implementation
   • Build and test Data Access Services
   • Validate Information Requirements

Inputs:
• Business Goals and Strategies
• Data Needs and Strategies
• Data Standards
• Data Architecture
• Process Architecture
• Application Architecture
• Technical Architecture

Primary Deliverables:
• Data Requirements and Business Rules
• Conceptual Data Models
• Logical Data Models and Specifications
• Physical Data Models and Specifications
• Meta-data (Business and Technical)
• Data Access Services

HOW DATA DEVELOPMENT AFFECTS PRIVACY

Obtain

Storage

Store/Share Apply

HOW DATA DEVELOPMENT AFFECTS PRIVACY - EXAMPLE

• EU e-marketing rules require explicit Opt-in consent for calls to mobiles and for SMS marketing
• Fixed line is Opt-out
• Data Modelling decision required here…

HOW DATA DEVELOPMENT AFFECTS PRIVACY - EXAMPLE

Purposes:

Channel | Marketing | Service Delivery | Other
Call | Opt-in | Record opt-in for service delivery calls | Is this a nominated contact for that purpose?
SMS | Opt-in | Record opt-in for service delivery calls | Is this a nominated contact for that purpose?
Call | Opt Out | Record opt-in for service delivery calls | Is this a nominated contact for that purpose?
Email | Opt-in | Record opt-in for service delivery calls | Is this a nominated contact for that purpose?
Postal | Opt-Out | Record opt-in for service delivery calls | Is this a nominated contact for that purpose?

HOW DATA DEVELOPMENT AFFECTS PRIVACY – A KISS OF DEATH TO USEABLE DATA…

Please tick this box if you would like us to not contact you

Blanket Opt-Outs applied at the PARTY Entity level, not at the contact point or in the context of a specific purpose….
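The data modelling decision from the preceding slides, as an added example that is not part of the original deck: preferences are keyed on contact point and purpose rather than held as one flag on the party, and the 12-month marketing consent expiry from the earlier consent tracker slide is applied at query time. Table, column and function names are hypothetical; measuring the 12 months from the date stored in `last_contact` and requiring a recorded opt-in for service delivery are assumptions drawn from the slide's matrix.

```python
import sqlite3
from datetime import date

# Consent basis for MARKETING per channel, taken from the slide's matrix.
MARKETING_BASIS = {
    "mobile_call": "opt_in",
    "sms": "opt_in",
    "fixed_call": "opt_out",
    "email": "opt_in",
    "postal": "opt_out",
}
LAPSE_MONTHS = 12  # slide: marketing consents expire after 12 months

SCHEMA = """
CREATE TABLE party (party_id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE contact_point (
    cp_id    INTEGER PRIMARY KEY,
    party_id INTEGER NOT NULL REFERENCES party(party_id),
    channel  TEXT NOT NULL,
    address  TEXT NOT NULL
);
-- One row per contact point AND purpose: nothing is stored on party.
CREATE TABLE preference (
    cp_id        INTEGER NOT NULL REFERENCES contact_point(cp_id),
    purpose      TEXT NOT NULL CHECK (purpose IN ('marketing', 'service_delivery')),
    state        TEXT NOT NULL CHECK (state IN ('opt_in', 'opt_out')),
    last_contact TEXT NOT NULL,  -- ISO date of consent capture or latest contact
    PRIMARY KEY (cp_id, purpose)
);
"""


def months_between(earlier, later):
    """Whole months elapsed from earlier to later."""
    months = (later.year - earlier.year) * 12 + (later.month - earlier.month)
    return months - 1 if later.day < earlier.day else months


def may_contact(conn, cp_id, purpose, today):
    """Return (allowed, reason) for one contact point and one purpose."""
    row = conn.execute(
        "SELECT channel FROM contact_point WHERE cp_id = ?", (cp_id,)
    ).fetchone()
    if row is None:
        return (False, "unknown contact point")
    pref = conn.execute(
        "SELECT state, last_contact FROM preference WHERE cp_id = ? AND purpose = ?",
        (cp_id, purpose),
    ).fetchone()
    if pref and pref[0] == "opt_out":
        return (False, "opted out for this purpose")
    # Assumption: service delivery needs a recorded opt-in on every channel;
    # marketing follows the per-channel basis above.
    basis = MARKETING_BASIS[row[0]] if purpose == "marketing" else "opt_in"
    if basis == "opt_out":
        return (True, "opt-out channel, no objection recorded")
    if pref is None:
        return (False, "no opt-in recorded")
    lapsed = months_between(date.fromisoformat(pref[1]), today) >= LAPSE_MONTHS
    if purpose == "marketing" and lapsed:
        return (False, "opt-in lapsed")
    return (True, "opt-in on record")


def build_sample():
    """Constructed sample data: one customer with four contact points."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute("INSERT INTO party VALUES (1, 'Sample Customer')")
    conn.executemany("INSERT INTO contact_point VALUES (?, 1, ?, ?)", [
        (10, "sms", "+353-00-000-0001"),
        (11, "fixed_call", "+353-00-000-0002"),
        (12, "email", "customer@example.invalid"),
        (13, "postal", "1 Sample Street"),
    ])
    conn.executemany("INSERT INTO preference VALUES (?, ?, ?, ?)", [
        (10, "marketing", "opt_in", "2014-01-15"),  # older than 12 months
        (10, "service_delivery", "opt_in", "2014-01-15"),
        (11, "marketing", "opt_out", "2015-03-01"),
        (12, "marketing", "opt_in", "2015-02-01"),
    ])
    return conn


if __name__ == "__main__":
    conn, today = build_sample(), date(2015, 6, 1)
    for cp_id in (10, 11, 12, 13):
        for purpose in ("marketing", "service_delivery"):
            print(cp_id, purpose, may_contact(conn, cp_id, purpose, today))
```

With this structure a marketing opt-out on the fixed line leaves the customer's email opt-in and service delivery SMS usable, which a single party-level "do not contact" flag cannot express.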


WHAT CAN WE LEARN FROM DATA MODEL ABOUT PRIVACY IMPACTS?


WHAT IS DATA ARCHITECTURE IN DMBOK?

Definition: Defining the data needs of the enterprise and designing the master blueprints to meet those needs.

Goals:
• To plan with vision and foresight to provide high quality data.
• To identify and define common data requirements.
• To design conceptual structures and plans to meet the current and long-term data requirements of the enterprise.

Activities:
1. Understand Enterprise Information Needs
2. Develop and Maintain the Enterprise Data Model
3. Analyze and Align With Other Business Models
4. Define and Maintain the Data Technology Architecture
5. Define and Maintain the Data Integration Architecture
6. Define and Maintain the DW/BI Architecture
7. Define and Maintain Enterprise Taxonomies and Namespaces
8. Define and Maintain the Meta-data Architecture

Inputs:
• Business Goals
• Business Strategies
• Business Architecture
• Process Architecture
• IT Objectives
• IT Strategies
• Data Strategies
• Data Issues
• Data Needs
• Technical Architecture

Primary Deliverables:
• Enterprise Data Model
• Information Value Chain Analysis
• Data Technology Architecture
• Data Integration / MDM Architecture
• DW / BI Architecture
• Meta-data Architecture
• Enterprise Taxonomies and Namespaces
• Document Management Architecture
• Metadata

DATA PROTECTION: DATA ARCHITECTURE


THE ZACHMAN FRAMEWORK

Perspective | What (Data) | How (Action) | Where (Location) | Who (Actor) | When (Event) | Why (Motivation) | Model
Executive | Inventory Identification | Process Identification | Distribution Identification | Responsibility Identification | Timing Identification | Motivation Identification | Scope Context
Business Manager | Inventory Definition | Process Definition | Distribution Definition | Responsibility Definition | Timing Definition | Motivation Definition | Business Concepts
Architect | Inventory Representation | Process Representation | Distribution Representation | Responsibility Representation | Timing Representation | Motivation Representation | System Logic
Engineer | Inventory Specification | Process Specification | Distribution Specification | Responsibility Specification | Timing Specification | Motivation Specification | Technology Physics
Technician | Inventory Configuration | Process Configuration | Distribution Configuration | Responsibility Configuration | Timing Configuration | Motivation Configuration | Tool components
Enterprise | Inventory Instantiation | Process Instantiations | Distribution Instantiations | Distribution Instantiations | Timing Instantiations | Motivation Instantiations | Enterprise
 | Inventory Sets | Process flows | Distribution Networks | Responsibility Assignments | Timing Cycles | Motivation Intentions |

Based on the Zachman Framework and content from Dennedy & Finneran’s Privacy Engineers Manifesto

THE ZACHMAN FRAMEWORK

What triggers need for data?

Timing Identification

Motivation Identification

• Why?
• Balancing priorities/goals
• Purpose spec

Specified data, specified purpose

THE ZACHMAN FRAMEWORK

Data Classification

IN CONTEXT

How does the purpose get executed?

THE ZACHMAN FRAMEWORK

Logical Schema; Process Maps / Data Flow; RACI Matrix

THE ZACHMAN FRAMEWORK

Where is your data stored?

What rules apply to that storage?

DATA PROTECTION: DATA GOVERNANCE


WHAT IS DATA GOVERNANCE IN DMBOK?

Definition: The exercise of authority and control (planning, monitoring, and enforcement) over the management of data assets.

Goals:
• To define, approve, and communicate data strategies, policies, standards, architecture, procedures, and metrics.
• To track and enforce regulatory compliance and conformance to data policies, standards, architecture, and procedures.
• To sponsor, track, and oversee the delivery of data management projects and services.
• To manage and resolve data related issues.
• To understand and promote the value of data assets.

Activities:
1. Data Management Planning
   • Understand Strategic Enterprise Data Needs
   • Develop and Maintain the Data Strategy
   • Establish Data Professional Roles and Organizations
   • Identify and Appoint Data Stewards
   • Establish Data Governance and Stewardship Organizations
   • Develop and Approve Data Policies, Standards, and Procedures
   • Review and Approve Data Architecture
   • Plan and Sponsor Data Management Projects and Services
   • Estimate Data Asset Value and Associated Costs
2. Data Management Control
   • Supervise Data Professional Organizations and Staff
   • Coordinate Data Governance Activities
   • Manage and Resolve Data Related Issues
   • Monitor and Ensure Regulatory Compliance
   • Monitor and Enforce Conformance With Data Policies, Standards, and Architecture
   • Oversee Data Management Projects and Services
   • Communicate and Promote the Value of Data Assets

Inputs:
• Business Goals
• Business Strategies
• IT Objectives
• IT Strategies
• Data Needs
• Data Issues
• Regulatory Requirements

Primary Deliverables:
• Data Policies
• Data Standards
• Resolved Issues
• Data Management Projects and Services
• Quality Data and Information
• Recognized Data Value

SOME KEY GOVERNANCE FUNCTIONS FROM PRIVACY PERSPECTIVE

Co-ordination of Data Privacy policies and standards

ISO29100 is a good core starting point

Ensuring staff are trained

Acting as “honest broker”

Ensuring appropriate risk posture in relation to privacy compliance

Ensuring processes for personal data are documented

Ensuring key controls are defined, operate, and are validated


STEWARDSHIP FOR DATA PRIVACY

Strategic

Operational

Tactical

Doers Definers Deciders Co-ordinators

3DC Stewardship

Defined not by WHERE they are in organisation, but by ROLE in relation to Information


A DATA STEWARDSHIP MIND MAP

Governance & Stewardship

Data Use Steward (Doer/Definer):
• UX Requirements
• Privacy Reporting
• Screens & Reports Quality
• Screen & Reports Content
• Design & Aesthetics

Data Governance Reqts (Co-ordinator):
• Data Standards Compliance
• Use of Metadata Documentation
• Metric Driven Quality Assurance
• Data Management Structure

Data Collection Steward (Doer/Definer):
• Data Classification (PII, Sensitive)
• Encryption
• Business Content Rules
• Privacy Rules

Privacy Reqts Steward (Decider/Definer):
• Purpose
• Notice
• Consent
• Transfer (3rd Party)
• Access/Correction/Deletion
• Proportionality
• Retention
• Responsible Action

Based on work by M. Dennedy & Tom Finneran

THE DATA PROTECTION OFFICER ROLE

• On the Executive Board?

• Reporting to Executive Board?

• Must be Independent

• Technical and Business skills

• Accountable for the System of Governance

• “Statutory Tenure”


SOME FINAL CONCEPTS


PRIVACY BY DESIGN

What is it?
Privacy by Design is a philosophy for systems engineering which takes privacy into account throughout the whole engineering process.

Why is it Important?
Privacy by Design establishes 7 guiding principles for development of systems that respect and enhance privacy as a quality system.

What is it?
It is just QUALITY MANAGEMENT applied to Information, with PRIVACY as a “critical to quality” characteristic.

PRIVACY BY DESIGN

'You cannot inspect quality into a product.' The quality is there or it isn't by the time it's inspected.


PRIVACY BY DESIGN

• Focus on defining processes & rules, not correcting errors
• Privacy as a quality characteristic
• A function of process design, not an afterthought
• Things need to work without undue invasion of privacy
• Information Asset Life Cycle thinking
• Communicate, Document, communicate more!
• Focus on the Customer – Customer determines Quality / Privacy

PRIVACY ENGINEERING

What is it?
Privacy Engineering is the discipline that ensures the gathering and application of privacy requirements has the same primacy as other ‘functional’ requirements in processes and systems and incorporates them into the project, product, system, or information life cycle.

Why is it Important?
It is the glue that makes PBD operative in an organisation.

What is it?
It is just QUALITY ENGINEERING applied to Information, with PRIVACY as a “critical to quality” characteristic.

ELEMENTS OF PRIVACY ENGINEERING MAPPED TO JURAN

Enterprise Goals

User Goals

Privacy Policy

Requirements

Policies and Procedures

Privacy Mechanisms

Privacy Awareness Training

Quality Assurance

QA Feedback

Improvement


ETHICAL INFORMATION MANAGEMENT: THE NEW EIM

Society’s Ethical Framework

Organisation’s Ethical Framework

Regulation & Laws; Lobbying; Standards & Codes; Standard Practices

Level | Business | Information | Technology
Strategic | Business Strategy & Governance | Information Strategy & Governance | IT Strategy & Governance
Tactical | Business Architecture & Planning | Information Architecture & Planning | Technology Architecture & Planning
Operations | Management & Execution of Business Processes | Management & Application of Information | Management & Exploitation of IT Services

Customer: Process Outcome; Information Outcome; Customer Feedback; Customer Education; Expectation