Effective Privacy On A Budget...Reporting 1. Report should include: • Overview of the project • Why the project was undertaken • How it will impact privacy 2. Produce a PIA Report

Effective Privacy On A Budget Privacy Impact Assessments & Reports

Stephen Kline

Sr. Counsel, Privacy & Regulatory

Omnicom Media Group [email protected]

Linnette Attai

Founder, Owner

PlayWell, LLC [email protected]

DEFINITIONS

Privacy Threshold Assessment: One tool used to determine whether a PIA should be conducted.

Privacy Impact Assessment: “[A] tool that you can use to identify and reduce the privacy risks of your projects. A PIA can reduce the risks of harm to individuals through the misuse of their personal information. It can also help you to design more efficient and effective processes for handling personal data.”

PIA Report: The record of how the privacy risks were identified and how they will be addressed. It may include an overview of the project, an explanation of why the PIA was undertaken, and its effect on the privacy implications of the product assessed.

Why Do Privacy Impact Assessments?

Regulatory

• Provides Proof of Risk Analysis

• Privacy by Design

• EU Data Protection Regulation Will Require

• UK ICO: PIA Central to Privacy Risk Assessment

Consumer

An educated team that understands:

• Company Values

• Privacy Risks

• Regulatory Obligations

• Risk Appetite

will create more privacy-protective products.

Internal

• ID Risks

• ID Data Flows

• ID Processing Practices

• Remediate Risks

• ID Institutional Knowledge

• Education

• Financially Beneficial

Who Should Be Involved?

1. Executive Sponsor. This should be someone that speaks for the company: “Privacy is an important value.”

2. Legal / Governance / Compliance

3. Privacy / Data Governance

4. IT / Security

5. Project Management

6. Subject Matter Experts

  • Product Teams (Engineers, Developers, Designers)

  • Human Resources

  • Vendors

  • Clients

What Can Or Should Be Assessed?

1. Business Processes (Policies, Practices, Auditing)

2. Data Collection Technology (cameras, drones, cars, company phones, printers, and fax machines)

3. Websites

4. Applications

5. Vendors

6. Clients

When Should the PIA be Completed?

A PIA should be part of the development process for any project . . . but better late than never.

Also when changes that affect data processing occur and on a regular basis going forward.

DOJ: A PIA should be conducted before developing or procuring IT systems or projects that collect or maintain information in identifiable form, or before initiating...a new electronic collection of information in identifiable form for 10+ people.

Elements of a PIA

1. Privacy Threshold Assessment

2. Plan the PIA

3. Describe the Project

4. Identify and Consult with Stakeholders

5. Documenting Information Flow / Data Mapping

6. Risk Identification / Compliance Check

7. Risk Assessment / Risk Tolerance

8. Risk Remediation

9. Report

10. Respond and Review

Privacy Threshold Assessments

Privacy Threshold Assessment (aka Initial Privacy Assessment) is a series of basic questions used to identify:

• Whether the subject system requires a PIA to be completed.

• Who should be involved in the completion of the PIA.

Examples of Questions:

1. Provide a description of the information system.

2. Is the data in the system electronic, paper, or both?

3. In which countries is the information being collected, stored, and transferred?

4. Does the information identify specific individuals?

5. What is the source of this information?

6. For what purposes will the information be used?

7. Is there an existing PIA?

Documenting Information Flow/Mapping

Description of how information is collected, stored, used, and deleted.

• What information is used.

• Purpose for which the information is used.

• Who has access to it.

Format is flexible per the need of the organization.

• Flow Chart

• Information Asset Register

• A Project Design Brief

Risk Identification

1. Identify risks to individuals, clients, vendors, or other stakeholders

2. Identify risks to the organization

• Regulatory Action

• Litigation

• Loss of Business

• Reputation Damage

3. Identify legal and contractual compliance requirements

Risk Assessment

1. Assess both the likelihood and the severity of identified risks.

2. Document the gap analysis

Risk Tolerance

Risk Appetite: Amount and type of risk that an organization is willing to pursue or retain.

Risk Tolerance: Organization’s or stakeholder’s readiness to bear the risk after risk treatment in order to achieve its objectives.

Source: ISO Guide 73:2009

Risk Remediation

1. Identify and evaluate privacy solutions

2. Seek to reduce or eliminate privacy risks

3. Conduct a cost/benefit analysis of each potential solution

4. Record privacy risks which have been accepted as necessary.

Reporting

1. Report should include:

• Overview of the project

• Why the project was undertaken

• How it will impact privacy

2. Produce a PIA Report drawing on the material produced:

• Data Map

• Gap Analysis

• Remediation Plan

3. Obtain sign-off within the company:

• PIA approval at the level appropriate to the project.

• PIA report or summary is made available to the appropriate stakeholders.

Integrating The PIA Remediation Solutions Into The Project Plan

1. Confirm that the actions recommended in the PIA are implemented.

2. Record the implementation.

3. Use the PIA as a guide if the project is changed in the future.

Executing A Privacy Impact Assessment

1. Privacy Threshold Assessment

2. Plan the PIA

3. Describe the Project

4. Identify and Consult with Stakeholders

5. Documenting Information Flow / Data Mapping

6. Risk Identification / Compliance Check

7. Risk Assessment / Risk Tolerance

8. Risk Remediation

9. Report

10. Respond and Review

Questions And Answers

Polling (TBI)

Questions And Sources

Stephen Kline

Sr. Counsel, Privacy & Regulatory

Omnicom Media Group [email protected]

Linnette Attai

Founder, Owner

PlayWell, LLC [email protected]

PIA Resources:

IAPP: TBA

Blog: TBA

Sources: TBA