How to Get a Gold Star in Privacy Governance at Your Organization Ken Mortensen, CVS Caremark, V.P., Assistant General Counsel and Chief Privacy Officer Sheila Colclasure, Acxiom, Senior Manager of Global Privacy Michael McNeil, Medtronic, Inc., Global Chief Privacy and Security Officer Ann Killilea, Counsel, McDermott Will & Emery, Privacy and Data Protection Practice


Page 2

What is a Privacy Maturity Model?

• 0: Nonexistent. There is no evidence of this standard or practice in the organization.

• 1: Initial. The organization has an ad hoc and inconsistent approach to this privacy standard or practice.

• 2: Repeatable. The organization has a consistent overall approach, but it is mostly undocumented.

• 3: Defined. The organization has a documented, detailed approach, but no routine measurement or enforcement of it.

• 4: Managed. The organization regularly measures its compliance and makes regular process improvements.

• 5: Optimized. The organization has refined its compliance to the level of best practice.

Where is your organization?

Page 3

Quick Tally of the Room

0: Nonexistent 1: Initial 2: Repeatable 3: Defined 4: Managed 5: Optimized

Page 4

Deming’s Management Teachings Applied to Privacy and Information Management

• “The prevailing style of management must undergo transformation. A system cannot understand itself. The transformation requires a view from outside.”

• The outside view provides a “map of theory” by which we understand the organizations that we work in.

--Dr. W. Edwards Deming

Page 5

10 Steps -- One

1. Create Constancy of Purpose

• Find the strategic connections for the information held by the enterprise.

• Work toward management of the information in a consistent manner.

• Replace short-term goal creation with long-term goal planning.

Page 6

Questions: Step 1 - Create Constancy of Purpose

• Can you provide examples where you found strategic connections across your enterprise? How did you do that?

• How do you get people to engage in long-term planning versus the crisis-oriented, “need now” demands?

Page 7

Step 1: Constancy of Purpose

• Build a privacy-aware organization

• Obtain executive support and sponsorship

• Build upon what we should do (consumer trust/brand strength) and what we must do (regulatory compliance)

• Organize based on high level principles

• Design reporting structure to fit organizational needs (centralized function with broad reach v. decentralized with distributed responsibility)

Page 8

10 Steps -- Two

2. Adopt The New Philosophy

• Internal leadership must recognize the value of treating and using information in the enterprise as a critical asset.

• Ensure that the policies adopted at the top provide for effective and understandable implementation throughout the workforce.

• Leadership must lead the change.

Page 9

Questions: Step 2 - Adopt the New Philosophy

• Give some examples of where leadership caused change in privacy management.

• Policies are easy to draft, difficult to execute. How do you make that happen?

• How do you get senior leadership to support your leadership long enough to ensure that privacy management practices are and remain in place?

• In a large multinational, what steps do you take to help ensure that policies are implemented throughout the workforce?

Page 10

Step 2: Adopt the New Philosophy

• Tie to brand value and corporate mission.

• Base program on high-level principles that transcend specific organization/business units.

• Ensure that privacy is seen as a strategic asset.

• Position as a competitive advantage.

• Protects the downside but more importantly adds corporate value.

Page 11

10 Steps -- Three

3. Stop Dependence On Audits To Ensure Compliance

• Incorporate the management goals into the processes that handle the information.

• Focus on information flow and not information stop-points

• Understand the uses of information across the enterprise

Page 12

Questions: Step 3 - Stop Dependence on Audits

• Aren’t audits the only way to test whether policies are being followed?

• What would I use instead of audits to understand daily practices?

• Don’t you need the threat of audits to make people “toe the line?”

Page 13

Step 3: Audits and Other Incentives

• Only one of many tools.

• Seek partnership, rather than oversight.

• Define processes, standards and guidelines with relevant stakeholders.

• Leverage internal audit to embed privacy measurements.

• Embed privacy into corporate strategy and operating planning.

• Consider self-assessments based on privacy metrics.

• Use privacy resources as internal consultants rather than as auditors.

Page 14

10 Steps -- Four

4. End the practice of using cost, expense, or price to determine benefit.

• Recognize the return on the investment of managing information across the entire enterprise.

• Accept that short-term savings equal long-term costs.

• Factor in value to determine benefit.

Page 15

Questions: Step 4 – End Practice of Using Cost, Expense, or Price to Determine Benefit

• How do you measure value?

• What are the metrics to measure benefit?

• Don’t our metrics need to align with the business metrics – revenue, profit, bottom line?

• How do I make the business case for a privacy/information management program in the first place?

Page 16

Step 4: Demonstrating Value and Metrics

• Develop and report on privacy metrics.

• Embed metrics into corporate scorecard and board governance scorecard.

• Must be relevant and tied to mission.

• Do not generate fear.

• Use metrics and audits to highlight gaps that drive improvement.

Page 17

10 Steps -- Five

5. Improve constantly and forever

• Continuously improve the processes underlying the management of the information in the enterprise.

• Institute a change management structure to ensure implementation across the enterprise.

• Integrate the management procedures with the operational needs of the enterprise.

• Reduce variation in how information is managed.

Page 18

Questions: Step 5 – Improve Constantly and Forever

• Forever is daunting. How do I incorporate continuous improvements?

• How do I incorporate change management?

• In a complex multinational, management is always changing. How does a privacy program exist separate from the particular individuals who initiated it? How do I keep it going?

• What are the top 3 things that you are trying right now to improve in your program?

Page 19

Step 5: Demonstrate Constant Improvement

• Highlight value and progress by reporting on metric improvements.

• Use gaps to develop future actions.

• Build a regular review and reporting process.

• Enable early formulation of privacy strategies for products and services.

• Report to senior management on progress and improvements on a periodic cycle.

Page 20

10 Steps -- Six

6. Institute constant training for the entire workforce

• Ensure that all parts of the workforce understand and comprehend the strategic model for the management of information in the enterprise.

• Do not limit training to periodic episodes, but integrate as part of change management and risk controls.

Page 21

Questions: Step 6 – Institute Constant Training for the Entire Workforce

• How have you accomplished this constant training?

• Have you hired outside vendors to design and manage the training?

• What is the most effective training?

• What type of training most impresses regulators?

• Do you also train subcontractors and how does that work?

Page 22

Step 6: Constant Training

• Make training a key component of building awareness.

• Make training mandatory so that staff share in the responsibility.

• Assume most people want to do the right thing when they know what that is.

• Consider training tailored to each organization’s perspective.

• Keep training interesting and not a routine click-through activity.

• Consider short vignettes/videos depicting real-life incidents.

Page 23

10 Steps -- Seven

7. Institute leadership

• The leadership of the enterprise must embrace a culture of strategic information management.

• The aim of enterprise leadership should be to help the workforce embed the concepts of strategic information management into the business model.

Page 24

Questions: Step 7 – Institute Leadership

• Since privacy corporate management practices are relatively new, what type of leader is most successful in driving enterprise-wide programs?

• Do you have some examples of this type of leadership?

• How do you embed privacy/data management into the business model?

Page 25

Leadership

• Have high energy and executive presence.

• Effect change and collaboration.

• Demonstrate decisiveness and sound judgment.

• Articulate the big picture that drives tasks.

• Think long-range while addressing short-term needs.

• Become a valued contributor and resource.

• Motivate team and others that may report on a dotted-line basis or informally.

Page 26

10 Steps -- Eight

8. Break down barriers

• Nothing can be accomplished until the components of the enterprise relinquish ownership control.

• Focus on the stewardship of information for the enterprise.

• Incorporate all components in the decision-making process.

Page 27

Questions: Step 8 – Break Down Barriers

• How do you get leaders of various business units to relinquish control over these issues?

• How do you succeed in baking privacy management practices into each business unit’s metrics?

• Do you have examples of where you were able to drive cross-business unit activities?

Page 28

Step 8: Break Down Barriers

• Understand the perspective of each business unit/function.

• Define privacy as it relates to that group.

• Develop partnerships with:

  - Marketing/customer relations
  - HR: Should become role model
  - Finance
  - Legal
  - Product/service development
  - IT/IT Security
  - Media Relations
  - Internal and external auditors
  - Procurement and Vendor Management
  - Supply chain networks
  - Senior Management/Board of Directors
  - External Government/Public Policy/Associations

Page 29

10 Steps – Nine

9. Institute a vigorous program of education and self-improvement

• Go beyond training and provide for an understanding of the criticality of information to the enterprise.

• Provide for cross-functional learning to enhance understanding of needs and uses of information throughout the enterprise.

Page 30

Questions: Step 9 – Institute a Vigorous Program of Education and Self-Improvement

• This seems a “tall order.” Can you provide examples of how your organization has succeeded in going beyond training into this next stage?

• What do I need to do to make this happen?

• Which parts of the organization need to be drafted to get this done?

Page 31

Step 9: Vigorous Program

• Ensure program is compliant with ever-changing regulatory landscape.

• Review supporting processes, standards and guidelines annually.

Page 32

10 Steps – Ten

10. Put everyone in the enterprise to work to accomplish the transformation

• Building of an enterprise core competency requires that all levels and functions of the enterprise work together toward the implementation.

• Leadership from all is required to instill the courage to break with tradition.

Page 33

Questions: Step 10 – Put Everyone To Work to Accomplish the Transformation

• This is easier said than done. Do you have concrete examples of how you were able to get everyone to take ownership of these issues?

• All I hear is that “we never did it this way before. Why do we have to change now?” How do I break through that mentality?

Page 34

Step 10: Give Everyone Ownership

• Make all employees guardians of consumer trust and corporate values

• Use working groups to bring stakeholders together to tackle issues

• Make their success visible

• Instill awareness, knowledge, accountability, and energy.

Page 35

Summary of 10 Steps

1. Determine organization’s maturity level

2. Be a leader and understand that privacy/information management requires change management

3. Think enterprise-wide, cross-functions and cross-business units

4. Optimize placement and profile of Privacy Office – obtain buy-in from the top

5. Create a strategy and ensure consistency with corporate objectives

Page 36

Summary of 10 Steps

6. Define roles, responsibilities and accountability

7. Target communications to the interests of each stakeholder organization

8. Create metrics for success and measure: (a) risk reduction; (b) compliance; (c) business enablement; (d) value creation

9. Create processes for continual improvement and updating

10. Create constant, effective training to reinforce principles and program.

Page 37

Discussion

Gold Star