Collaboration: Driving Highly Effective Privacy Programs Aaron Weller, Managing Director, Cybersecurity, Privacy & IT Risk September 2015


Page 1: Collaboration: Driving Highly Effective Privacy Programs · Data protection and privacy is an enterprise-wide issue – Supports trust in the organization • Growing demand by business

Collaboration: Driving Highly Effective Privacy Programs

Aaron Weller, Managing Director, Cybersecurity, Privacy & IT Risk

September 2015

Page 2

Session overview

1. What makes a highly-effective Privacy program?
2. Why is Privacy by Collaboration necessary?
3. Overview of a Privacy by Collaboration framework
   • Executive Support
   • Peer Relationships
   • Tangible Deliverables
   • Measurable Outcomes
4. Key takeaways

Page 3

What makes a highly-effective privacy program?

Page 4

Why is Privacy by Collaboration necessary?

Page 5

Why privacy needs collaboration

Having a function formally responsible for privacy is a relatively new development compared to many other risk management functions.

Because privacy is concerned with personal data at every stage of the data lifecycle, from before data is collected through to when it is disposed of, relevant risks and controls exist across many different functional areas.

Privacy functions are frequently understaffed compared to other functions with comparable responsibilities.

As a result, privacy functions can increase their effectiveness by engaging in a model of Privacy by Collaboration (PbC) as part of a broader governance effort.

Page 6

Three lines of defense model

(Figure: the Governing Body/Board/Audit Committee sits above Senior Management, which oversees the three lines; External Audit and the Regulator are shown as parties outside the organization.)

1st Line of Defense: Management Controls; Internal Control Measures
2nd Line of Defense: Information Security; Privacy; Risk Management; Quality Inspection; Compliance
3rd Line of Defense: Internal Audit

Adapted from IIA position paper: The Three Lines of Defense in Effective Risk Management & Control

Page 7

Sharing protection of brand & bottom line

Risk factors and their consequences:

Financial
• Companies face several financial risks associated with a breach or privacy misstep:
  - Federal/state regulatory fines
  - Loss of customers and revenue
  - Remediation efforts

Legal
• Companies are experiencing increasing lawsuits from:
  - Employees
  - Customers
  - Investors

Regulatory
• Enforcement actions from federal and state agencies
• Regulatory inquiries may require long-term third-party remediation in order to verify regulatory compliance

Compliance
• Non-compliance with government or industry regulations/enforcements (FTC Act, COPPA, state laws, etc.)
• Non-compliance with self-regulatory frameworks (e.g., TRUSTe, DMA OBA Principles, US-EU Safe Harbor)

Reputational
• Negative impact to the brand
• Loss of employee, customer, & investor confidence

Contractual
• Non-compliance with contract terms
• Mismanagement of vendors and third parties
• Inadequate or lack of consumer privacy notices

Page 8

What are organizations trying to protect & why?

Why (drivers):
• Legal Requirements
• Reputation/Brand
• Competitive Advantage
• National Security
• Contractual Requirements
• Shareholder Value/Financial

What (data categories):
• Proprietary Business Information: intellectual property, pricing & sales/marketing strategy, sourcing strategy
• Personally Identifiable Information: name, age, identification numbers, home or e-mail address, geo-location data, phone number, income or physical characteristics, opinions, web browsing or purchasing history/patterns
• Sensitive Personal Information: information on medical or health conditions, financial information (including credit cards), racial or ethnic origin
• Business Customer Information: franchisee information, customer sensitive information (financial, IP, etc.)

Page 9

Data protection and privacy is an enterprise-wide issue – Supports trust in the organization

• Growing demand by business leaders to understand how to better integrate privacy (“what” data is sensitive to the business and “what are the constraints on how it can be used”) with security (“how” to protect the data deemed sensitive).
• Emerging products/technologies and reliance on third parties (e.g., cloud providers) have created a borderless global business ecosystem.
• Use of and reliance on data for business and personal use continues to grow – almost exponentially.
• The market’s expectation is that corporations will be accountable for the safekeeping of the data they are collecting.
• Increased scrutiny and media coverage of government data collection and sharing practices with the private sector is resulting in the need for companies to provide greater transparency (transparency reports, GNI (Global Network Initiative), etc.).
• Need to balance protection with monetization – most organizations see increased use of data driving profits.

Increasing importance of data to existing and future revenue drives an increased need for effective controls over the data throughout its lifecycle, across the organization.

Page 10

Overview of a privacy by collaboration framework

Page 11

Privacy by collaboration framework

(Figure: “Privacy by Collaboration” at the center, surrounded by its four elements: Executive Support, Peer Relationships, Tangible Deliverables, Measurable Outcomes.)

Page 12

Preparing for privacy by collaboration

• Privacy Program Development & Delivery
• Peer relationship management
• Executive support, communication and air-cover

Page 13

Executive support

(Framework figure repeated: Executive Support, Peer Relationships, Tangible Deliverables and Measurable Outcomes around Privacy by Collaboration. This section covers Executive Support.)

Page 14

Executive support – Group discussion

1. What does effective executive support look like?
2. How do you get executive support for your privacy program?
3. How do you maintain executive support for your privacy program?
4. How do you align what you are telling executives is important with other messages that they are hearing?

Page 15

Key activities to obtain & maintain executive support

• Once you have it, don’t take it for granted.
• Don’t assume that you are the only source of what executives know about data related risks and issues.
• Align your messaging with peers.
• Focus your messaging on business priorities.

Page 16

Peer relationships

(Framework figure repeated: Executive Support, Peer Relationships, Tangible Deliverables and Measurable Outcomes around Privacy by Collaboration. This section covers Peer Relationships.)

Page 17

Peer relationships – Group discussion

1. Which of your peers have some overlap in caring about the treatment of personal data?
2. Which of your peers do you tend to interact with most often?
3. How formally do you maintain and manage these relationships?
4. Are there peer groups within your organization who you would like to have a better relationship with?
5. Have you asked them what they would like the privacy program to deliver to help them achieve their goals?

Page 18

Identify likely areas of shared concern

Business area and example privacy related concerns:

Legal
• Global privacy and data protection laws
• Regulatory investigations and lawsuits
• Records management
• Contract management

Marketing
• Digital and behavioral advertising initiatives
• eCommerce initiatives
• CRM
• Social media campaigns

Information Security
• Security compliance readiness (PCI, FedRAMP, ISO 27001, SOC 2/3, etc.)
• Data breaches

Internal Audit
• Board or Audit Committee requests
• Addressing highest risk areas across the enterprise

Compliance
• HIPAA (healthcare), GLBA (financial), state laws, global laws
• Regulatory examination

Product Development
• New product design and launch
• Changes to existing products and features

Page 19

Consider topical issues that may have a raised profile within your organization

Topic and trend:

Customer Perception
• Customers are willing to provide personal information with the expectation of corporate safeguarding and accountability

Privacy by Design
• Privacy is embedded into new technologies, products and business practices, from the outset

Social Networking
• Increasing new risks for organizations (e.g., security) and individuals (e.g., consumer privacy)

Online Behavioral Advertising
• Self-regulatory principles (transparency, consumer control and accountability)

Government Data Requests
• Increased media attention and scrutiny over how companies are handling government requests for user data (e.g., transparency reports, GNI)

Cross-border Data Transfers
• Increased scrutiny from DPAs (data protection authorities) as to the level of effectiveness of current cross-border data transfer mechanisms (Safe Harbor, BCRs (Binding Corporate Rules), MCs (Model Clauses)). The US-EU Safe Harbor framework was invalidated by the Court of Justice of the EU in October 2015, shortly after this deck was presented.

Legislative Activity
• Congress and the states are becoming increasingly active in developing legislation to address the changing privacy environment

Active Regulators
• Rising enforcement activity and interest from the FTC, state attorneys general (SAGs), international DPAs, HHS-OCR, Department of Commerce, etc.

Page 20

Case study – Data and system inventory

“Problem: When I was a brand-new CPO, I needed to inventory what turned out to be over 5,000 systems worldwide, including over 300 unique websites. I had zero staff and zero budget.

Solution: I enlisted the audit department to include a data and system inventory in every audit they planned over the next two years, the BC/DR person to include a data and system inventory in each Business Impact Assessment she was doing for her own inventory, and the IT department to include data elements in the configuration management database they kept for IT inventory purposes.

Outcome: This approach led me to eventually get multiple million-dollar projects funded with broad sponsorship. After 5 years we had all systems inventoried, assessed, and remediated.”

Page 21

Case study – Product development

“My team was significantly understaffed in comparison to the volume of engineering projects and products currently underway that had possible privacy implications.

We highly encouraged/incentivized Site Reliability Engineers (SREs) to volunteer to be privacy champions and assist us in reviewing major launches of all products and releases to gauge if privacy controls were properly developed and adequately supported post launch.

This role required them to receive additional training and participate in various privacy activities so that they were aware of what to look for in reviews.

This stop-gap enabled us to show the value that this type of review could provide and allowed me to gradually hire the right staff to supplant and pair with our privacy champions to make it a more comprehensive review with resource redundancy.”

Page 22

Case study – Vendor risk management

“Problem: Vendors were being selected without consideration of how well they implemented and managed controls over personal data.

Solution: I worked with our Vendor Risk Management team to include a privacy risk assessment as part of the vendor selection process and to hold vendors accountable for a privacy SLA during their contracts.

I partnered with the executive running Business Continuity Planning and joined his meetings to discuss assessment of vendors from that perspective and added the broader perspective on protection of the data. I expanded the notion of privacy to focus on personal data as a key asset of the organization...wherever the data went, I, as a privacy professional, was going to insert myself as I felt appropriate.

Outcome: Privacy considerations were integrated into the Vendor Risk Management process, with exceptions being escalated to me.”

Page 23

Case study – Peer education & awareness

“My company had a pretty robust "new product approval process" in place when I joined. There was an existing monthly roundtable including representatives from every "control function" - legal, technology, operations, financial reporting, fraud, etc. As the new privacy director for the business unit, I was inserted as the privacy SME and expected to cover all risks related to personal information.

To help the other control function SMEs understand my role and the specific risks I was responsible for mitigating, I met with each one of them individually and provided a "privacy 101" cheat sheet/guardrails document that described what privacy was, the laws/regulations that were/could be applicable to the business unit, and some example scenarios of the types of products/services that would require further analysis from a privacy perspective.

Through these one-on-one meetings, I also got a better sense of what was important to these other control function SMEs, and where some of our "red flags" overlapped.

The cheat sheet I developed was eventually integrated into the new product approval process that effectively now served as our "PbD" process.”

Page 24

Case study – Data transfer restrictions

“In order to address the privacy and security concerns of clients, but also get significant operational savings, we opened a new company in Northern Ireland to handle IT production support and software development. The privacy, IT, and finance (including tax) teams collaborated in the selection of the best location for starting a captive IT support operation. In the end, although other locations did have lower labor costs, the operational costs from the added logistical and security requirements made the selection.

By having the privacy team part of the initial process, not only was a location selected that best addressed the underlying risks and requirements, but the collaboration continued through the organizational set up, leading to efficiencies in addressing operational privacy requirements, such as the data transfer limitations on sending employee data to centralized HR systems in the U.S.”

Page 25

Case study – Encrypting USB thumb drives

“In my role as the CPO of a large services organization, I saw a significant risk in the continued usage of unencrypted USB drives to transfer data between our employees, and to vendors and customers.

For both the CISO and me, implementing tighter controls was a no-brainer, but there were many in management, including the CIO, who were resistant to this for reasons that included: tying the hands of the business, slowing our speed to market and perceptions of our employees.

The CISO and I had to work together and align our messaging to convince the various stakeholders in management that this was the right approach.

Unfortunately it took some time, and two large breaches, to reach the tipping point, but ultimately we were successful in getting this control implemented.”

Page 26

Relationship mapping

1. Identify key stakeholders that can help you be successful, or prevent you meeting your goals.
2. Assess your current relationship strength with each stakeholder on a scale from strong detractor to strong advocate.
3. Determine how to engage with each stakeholder:
   – What are their objectives and how can you support them?
   – Do they need your program to do anything in particular?
   – Determine preferred method and frequency of interaction.
4. Determine specific actions to take to improve the relationship.

Page 27

Tangible deliverables

(Framework figure repeated: Executive Support, Peer Relationships, Tangible Deliverables and Measurable Outcomes around Privacy by Collaboration. This section covers Tangible Deliverables.)

Page 28

Tangible deliverables – Group discussion

1. What tangible deliverables does your privacy program produce today?
   – Policies?
   – Incident response plans?
   – Training materials?
2. Who are the intended users of each of these deliverables, and how much input did they have to what these deliverables contain?
3. What other deliverables would you produce if you had additional resources?

Page 29

Elements of a typical privacy program

(Figure: the seven elements below are arranged around “Sensitive Data” at the center.)

Accountability and Governance
• Setting formal strategy of the program
• Designation of responsibility for sensitive data protection
• Cross-functional partnerships & processes
• Well-defined roles and responsibilities

Risk and Compliance Assessment
• Applicable laws and regulations
• Business process risk ranking
• Data flow mapping and inventory
• Privacy impact assessment
• Integration points with other functions

Processes and Controls
• Policies, procedures and guidelines
• Data classification
• Collection, storage, use, transfer and destruction processes
• Technical, administrative and physical data protection controls
• Privacy by Design principles

Training and Awareness
• Coordinated communication channels to drive awareness
• Comprehensive training with defined elements, audience, frequency and sanctions
• Monitoring of training completion

Monitoring, Auditing & Reporting
• Periodic testing of control effectiveness
• Independent program assessments
• Audit & compliance monitoring
• Metrics and reporting of program activities

Incident Management and Response
• Defined response and breach notification plan
• Testing of plan
• Inclusion of vendor or third party

Vendor Management
• Risk valuation of vendor relationships
• Vendor assessment (questionnaire/onsite)
• Reporting and on-going evaluation
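The data flow mapping and inventory, data classification and business process risk ranking elements above, together with the page 20 case study of putting data elements into the IT configuration management database, are the one part of this program that reduces naturally to a small tool. What follows is an added example, not code from the deck or from its author: it tags constructed CMDB-style system records with the four data categories the deck defines on page 8, scores each system, flags personal data that leaves its hosting country (the cross-border transfer concern from pages 19 and 24), and reports data elements the taxonomy does not recognise so that the inventory itself gets reviewed rather than silently trusted. The element names, the weights, the PIA threshold and the sample systems are all assumptions made for this example.

```python
"""Data inventory classification and risk ranking (added example).

Tags CMDB-style system records with the deck's data categories, scores
them, flags cross-border flows of personal data and surfaces elements
the taxonomy does not know. Element names, weights, threshold and the
sample inventory are assumptions, not values from the deck.
"""
from dataclasses import dataclass

# Taxonomy following the deck's page 8 categories; element names assumed.
CATEGORY_ELEMENTS = {
    "sensitive_pi": {"health_condition", "credit_card", "bank_account",
                     "racial_or_ethnic_origin"},
    "pii": {"name", "age", "national_id", "home_address", "email", "phone",
            "geolocation", "income", "browsing_history", "purchase_history"},
    "proprietary": {"pricing", "sourcing_strategy", "source_code",
                    "marketing_plan"},
    "business_customer": {"franchisee_data", "customer_financials",
                          "customer_ip"},
}
PERSONAL = {"pii", "sensitive_pi"}
# Per-element weights and the PIA trigger are assumptions; tune to policy.
CATEGORY_WEIGHT = {"sensitive_pi": 8, "pii": 4, "proprietary": 3,
                   "business_customer": 3}
PIA_THRESHOLD = 8


@dataclass(frozen=True)
class System:
    """One CMDB record, extended with the data elements the system holds."""
    name: str
    owner: str
    hosting_country: str            # ISO 3166 alpha-2
    data_elements: frozenset
    sends_to: tuple = ()            # (destination system, country) pairs


@dataclass
class Finding:
    system: str
    categories: dict                # category -> sorted matched elements
    score: int
    cross_border: list              # countries personal data leaves to
    unknown_elements: set           # elements the taxonomy does not know
    needs_pia: bool


def classify(system, taxonomy=CATEGORY_ELEMENTS, weights=CATEGORY_WEIGHT,
             pia_threshold=PIA_THRESHOLD):
    """Tag one system with categories, score it and decide if a PIA is due."""
    categories = {}
    for cat, elements in taxonomy.items():
        hit = system.data_elements & elements
        if hit:
            categories[cat] = sorted(hit)
    known = set().union(*taxonomy.values())
    unknown = set(system.data_elements) - known
    score = sum(weights[cat] * len(hit) for cat, hit in categories.items())
    # Cross-border destinations only matter where personal data is involved.
    cross_border = []
    if PERSONAL & categories.keys():
        cross_border = sorted({country for _, country in system.sends_to
                               if country != system.hosting_country})
    needs_pia = score >= pia_threshold or bool(cross_border)
    return Finding(system.name, categories, score, cross_border, unknown,
                   needs_pia)


def rank_inventory(systems):
    """Highest-risk systems first; ties broken by name for stable reports."""
    return sorted((classify(s) for s in systems),
                  key=lambda f: (-f.score, f.system))


# Constructed sample inventory; these are not real systems.
SAMPLE_INVENTORY = (
    System("hr-core", "HR", "GB",
           frozenset({"name", "home_address", "national_id", "bank_account"}),
           (("hr-global", "US"),)),
    System("web-storefront", "Digital", "US",
           frozenset({"email", "purchase_history", "credit_card"}),
           (("payments-gw", "US"),)),
    System("pricing-wiki", "Sales Ops", "US",
           frozenset({"pricing", "sourcing_strategy"}),
           (("eu-sales-mirror", "DE"),)),
    System("build-server", "Engineering", "US",
           frozenset({"source_code", "telemetry_blob"})),
)


def report(systems=SAMPLE_INVENTORY):
    """One line per system: name, score and the flags a privacy lead acts on."""
    lines = []
    for f in rank_inventory(systems):
        flags = []
        if f.needs_pia:
            flags.append("PIA")
        if f.cross_border:
            flags.append("x-border:" + ",".join(f.cross_border))
        if f.unknown_elements:
            flags.append("unclassified:" + ",".join(sorted(f.unknown_elements)))
        lines.append(f"{f.system:<16}{f.score:>4}  {' '.join(flags)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Two design choices matter here. Cross-border is only raised where a personal-data category matched, so the pricing wiki mirrored to Germany is not flagged even though data leaves the country; that keeps the list actionable for the privacy function rather than for every data owner. The unclassified flag is deliberate: an inventory that quietly ignores elements it does not recognise understates risk, which is exactly the blind spot the page 20 case study was trying to close.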

Page 30

Gives & gets

For each element of the program, consider what that component relies upon as inputs (what it gets from others) and what it produces as outputs that others can use (what it gives).

Worked example: building privacy into the SDLC (Privacy by Design)
• Inputs (get): information on which changes may have privacy implications
• Outputs (give): approved changes and/or recommendations for additional controls or adjustments to the proposed change

Page 31

Gives/Gets – Example for an information security function

Service: number of gives/gets identified during over 20 interviews

• Manage compliance obligations: 27
• Identify, classify and respond to incidents: 16
• Risk management/threat management: 14
• Manage security risks associated with changes to information systems: 13
• IT project support: 12
• Manage access to information assets: 9
• Respond to internal or external inquiries: 8
• Design and manage security architecture: 8
• Governance of information security: 4
• Test security configurations: 4

Page 32

Measurable outcomes

(Framework figure repeated: Executive Support, Peer Relationships, Tangible Deliverables and Measurable Outcomes around Privacy by Collaboration. This section covers Measurable Outcomes.)

Page 33

Measurable outcomes – Group discussion

1. What are the most important metrics and measurements that your program produces?
2. Who is the audience for those metrics?
3. Do they measure activities performed by the program, or the outcomes that the program achieves?
4. What would you really like to measure but don’t have the data for?

Page 34

Are you measuring the right things?

Measures and data that are easy to get and deliver little in the way of informational value are a lot like candy – it makes you feel good, doesn’t deliver much in the way of (nutritional) value, and is hard to give up.

Typically, metrics that are easy to measure don’t provide much value, and metrics that do provide value are often hard to properly measure.

Page 35

Privacy program maturity (qualitative)

(Figure: three maturity levels, with a timeline of 2-3 years shown across them.)

Level 1 – Initial State/Forming
• No formal privacy program
• No formal privacy officer (most likely covered by information security and/or legal)

Level 2 – Maturing State/Storming and Norming
• Development of privacy program in short term goals; reactionary
• Established privacy program with room for enhancement, whether in various sub-components or in being consistently applied across the whole organization

Level 3 – Mature State/Performing
• Privacy program is well established
• Seeking opportunity for continuous improvement
• Strive to be a leader in privacy and incorporate industry trends and/or possible future directions

Page 36

Activity, process & outcome measurements

Three types of metrics measure performance at different levels (figure: the maturity and complexity of the metrics increase from activity metrics through process metrics to outcome metrics):

• Activity metrics: What are we doing to improve our performance?
• Process metrics: How mature and reliable is our performance?
• Outcome metrics: Are our activities and systems yielding improved outcomes that will help us reach our objective?

Page 37

Activity, process & outcome measurements

(Figure only; no text content on this slide.)

Page 38

Key takeaways

Page 39

Key takeaways

1. Privacy by Collaboration is not a checklist. It is an operating model and mindset for achieving the best results from your privacy program, and the most value for your organization.
2. The most effective approach is one that aligns with your organizational culture and values, and where you can gain and maintain support through alignment with broader business goals.
3. Position privacy as an aspect of a broader trust concern, not as a compliance function.
4. Engage other stakeholders to identify areas where collaboration allows you both to contribute to a shared outcome.
5. Produce tangible outputs, and tell people that they exist.
6. Understand what makes sense to measure. If it’s easy to measure, it’s rarely valuable to measure, and vice versa.

Page 40

Thank you.

Aaron Weller, CIPT, CIPP/US, CIPM
Member of IAPP Certification Faculty
Seattle KnowledgeNet Co-chair
[email protected]