Information Asset Management GARP ® , Privacy, and Security- Perfect Together!

Page 1: Information Asset Management · • OBA self regulatory implementation in US, EU, Australia • Anti-Cookie Law in EU / Do Not Track in US • Breach Laws outside of US, including

Information Asset Management

GARP®, Privacy, and Security-

Perfect Together!

Page 2:

Today’s Presenters

Galina Datskovsky, Ph.D. CRM

President, ARMA International

SVP Information Governance Solutions, Autonomy, an HP Company

Sandy Hughes, CIPP, CCEP

Past Chairman, International Association of Privacy Professionals

Global Information Governance and Privacy Executive, The Procter and Gamble Company

Page 3:

Today’s Session Objectives

• Gain an understanding of the Generally Accepted Recordkeeping Principles (GARP®)

• Discover the considerations brought forth when managing information as an asset, particularly as more companies make the leap into the cloud

• Discuss the ways the two professions can collaborate in the future to ensure a holistic approach to managing information

Page 4:

Generally Accepted Recordkeeping Principles®

Understand the intent of the GARP® maturity model, its levels, and how it is applied.

Understand the inputs required to measure an organization’s maturity level.

Page 5:

What is GARP®?

Generally Accepted Recordkeeping Principles®

ARMA International developed the Generally Accepted Recordkeeping Principles (GARP®) to give organizations an objective records and information governance standard they can adhere to and measure themselves against, and one that is recognized at the regulator, business, and association level.

Page 6:

What is GARP®?

• A: Accountability

• T: Transparency

• I: Integrity

• P: Protection

• C: Compliance

• A: Availability

• R: Retention

• D: Disposition

Page 7:

Similar Models Used by CPOs (examples)

AICPA/CICA Privacy Maturity Model Principles:

• Management/Accountability

• Notice

• Choice and Consent

• Collection

• Use, Retention and Disposal

• Access

• Disclosure to Third Parties

• Security for Privacy

• Quality

• Monitoring and Enforcement

FSG (US Federal Sentencing Guidelines) Elements of an Effective Compliance Program (CEB/CELC has maturity models for these):

• Responsibility & Oversight

• Standards, Procedures & Systems

• Awareness, Training & Communication

• Monitoring & Auditing

• Reporting & Response

• Risk Assessment

• Culture

Page 8:

Principles Underlying GARP®

Principle of Accountability

A senior executive (or person of comparable authority) oversees the recordkeeping program and delegates program responsibility to appropriate individuals. The organization adopts policies and procedures to guide personnel and to ensure the program can be audited.

Page 9:

Principles Underlying GARP®

Principle of Transparency

The processes and activities of an organization’s recordkeeping program are documented in a manner that is open and verifiable and is available to all personnel and appropriate interested parties.

Page 10:

Principles Underlying GARP®

Principle of Integrity

A recordkeeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability.

Page 11:

Principles Underlying GARP®

Principle of Protection

A recordkeeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret, or essential to business continuity.

Page 12:

Principles Underlying GARP®

Principle of Compliance

The recordkeeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization’s policies.

Page 13:

Principles Underlying GARP®

Principle of Availability

An organization shall maintain records in a manner that ensures timely, efficient, and accurate retrieval of needed information.

Page 14:

Principles Underlying GARP®

Principle of Retention

An organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational, and historical requirements.

Page 15:

Principles Underlying GARP®

Principle of Disposition

An organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization’s policies.

Page 16:

Maturity by GARP® Principle

• Implies certain rules of behavior

• Dictates certain controls

• Carries oversight requirements

• Carries recordkeeping requirements

• Carries audit implications

• Carries continuous improvement implications

Page 17:

GARP® - Compliance - Principle and Maturity Level Definitions

Page 23:

GARP® - Accountability - Principle and Maturity Level Definitions

Page 24:

GARP® Maturity Model

• A qualitative and quantitative measurement

– By principle

– Overall or average across all principles

• Rating of an organization’s overall information governance

• Systematic process guiding the evaluation of an organization’s maturity with respect to information governance activities.

Page 25:

GARP® Maturity Model

• Five levels

• A level below 5 may be acceptable, depending on:

- The organization’s risk tolerance

- Its maturity as measured against peers or competitors

Page 26:

ARMA International Resources

White Papers:

– How the Information Governance Reference Model (IGRM) Complements ARMA International’s Generally Accepted Recordkeeping Principles (GARP®)

– The Information Governance Maturity Model: A Foundation for Responding to Litigation

Online Courses:

– Introduction to the GARP® Principles

– GARP® and Legally Defensible Information Governance

– Applying GARP® to Organizational Excellence

These and more resources available at:

http://www.arma.org/GARP

Page 27:

Laws & Regulations Cover all Aspects (And it’s just going to get worse)

Existing: GLBA, HIPAA, PIPEDA, EU Directive/e-Privacy Directive, etc.

External - Tightening Control / Complex global landscape (2011)

• High profile Data Breaches (Epsilon, Sony, Honda Canada, iPhone location recording) - resulting in closer regulatory scrutiny, class action suits and large fines.

• US Privacy and Breach legislation – 6 bills in Congress, multiple states with Online Behavioral Advertising (OBA) bills, 48 states with data breach laws

• New Privacy laws in Mexico, Canada (anti-SPAM), India, South Korea, Peru

• Pending Privacy Laws in Philippines, Ukraine, Turkey, Pakistan, South Africa and Morocco

• OBA self regulatory implementation in US, EU, Australia

• Anti-Cookie Law in EU / Do Not Track in US

• Breach Laws outside of US, including heavy fines and possible imprisonment

• EU Data Directive Update – Tough!

Page 28:

Real-World Examples

How GARP®, Privacy, and Security can be

Perfect Together!

Page 29:

www.privacyassociation.org / www.arma.org

Professional Collaboration Opportunities?

Similarities: Newsfeeds, Monthly Publications, Global/Regional Conferences, Webinars, Certifications & Training, Online Stores, LinkedIn, Twitter, Facebook

Additional Features:

IAPP – Book Publications, Global ‘affiliates’: Privacy After Hours, KnowledgeNet Lunch & Learns

ARMA – Local Conferences, Local Chapters, Bi-Monthly ‘Information Management’ Publication

Collaboration Opportunities – Audience: fill in the blanks. Research? Best Practices?

Page 30:

QUESTIONS?