#privacysummit

PRIVACY AND INFORMATION · • Premiered first IGP certification in 2013 • Worldwide membership -27,000+ • Education and resources –Live & online education –Technology news


PRIVACY AND INFORMATION GOVERNANCE:

Completing the Compliance Circle

Diane K. Carlisle, IGP, CRM

ARMA International


TODAY’S LEARNING OBJECTIVES

After today’s session, participants will be able to:

• Define the relationship between RIM & IG

• Describe the importance of IG to compliance

• Identify opportunities to collaborate in your own organization

• Identify tools that RIM & Privacy can share in unified information governance

• Identify 2-3 “next steps” to complete the circle


ABOUT ARMA INTERNATIONAL

• Not-for-profit professional association

• Leaders in information governance

• Premiered first IGP certification in 2013

• Worldwide membership -27,000+

• Education and resources

– Live & online education

– Technology news & trends

– Standards, best practices

– Books, newsletters, magazine

– Web seminars


THE COMPLIANCE CIRCLE


INFORMATION: ASSET? LIABILITY?

• Basis for sound business decisions

• Enables compliance with regulations, litigation obligations

• Evidence for claims made in court


BENEFITS OF GOOD IG

• Ensure integrity of information

• Ensure availability of information for decisions

• Efficient and effective processes

• Compliance with laws and regulations

• Legally defensible recordkeeping practices

• Reduced risk

• Reduced costs


RIM – THE HEART OF IG

A RIM program defines the rules and controls that allow a company to manage records and information from creation/receipt until no longer needed:

• Legal/regulatory compliance

• Retention policy/process

• Risk assessment

• Litigation/e-discovery

• Taxonomies / indexing

• Email management


GENERALLY ACCEPTED RECORDKEEPING PRINCIPLES

• Framework for information governance

• Introduced in 2009

• Carefully vetted “best practices”

• Derived from international & national standards

• Industry independent

• Recognized by standards organizations and legal counsel


THE PRINCIPLES

• Accountability

• Transparency

• Integrity

• Protection

• Compliance

• Availability

• Retention

• Disposition

www.arma.org/principles


KEY CHARACTERISTICS

Taken together, they provide the framework for effective IG.

• Objective

• Reasonable

• Reality-based

• Scalable

• Standards-based


STANDARDS ARE CRUCIAL

• Objective foundation for judging an IG program

• Represent best thinking & practices

• Standards evolve toward greater consistency

• They provide a body of guidance applicable to many


WHAT THE PRINCIPLES ADD

• Better control over increasing volumes of ESI & regulations

• Promote risk-based, cost-effective solutions that are scalable

• Objective foundation for comparison & use


CONTEXT IS CRUCIAL

• Application varies from organization to organization

– Mission

– Compliance requirements

– Laws and regulations

– Jurisdictions

– Constituency

– Operations and workflows

– Litigation profile

– Speed of technology adoption


IG REQUIRES COLLABORATION

• Key Stakeholders

– Business units

– Legal

– IT

– Regulatory / Compliance

– Privacy officers

• IG professionals integrate these various perspectives & needs into unified solutions


ALIGNING OUR INTERESTS

• Business units

– Quick retrieval during workflow, decisions

– Accuracy and integrity of information

– Maximize profits

• Legal

– Legally defensible processes

– Quick retrieval during discovery phases

• IT

– Efficient technology use

– Reduce costs

• Regulatory / Compliance

– Compliance with laws & regulations

• Privacy officers

– Compliance with privacy requirements

– Ability to respond effectively to privacy breaches

• RIM

– Compliance with laws & regulations

– Reduce risk through effective policy implementation


BAD PRACTICES, BAD RESULTS

• Evidence comes from the records & information

• BP rig explosion and oil spill litigation

– $4.5 Billion to government

– $7.8 Billion to businesses

– Engineer charged for deleting 200 text messages

– Claims against Halliburton – $20 Billion

– Emails are the “smoking gun”

– Contractors – who is at fault?


MEASURING INFORMATION GOVERNANCE


WHY IG METRICS ARE IMPORTANT

• Transform strategy into action

– Specific & quantifiable goals

– Monitor progress toward goals

• Document improvements and “good faith efforts”

• Demonstrate impact of program

• Support compliance/litigation efforts


INFORMATION GOVERNANCE MATURITY MODEL

• 1st generation assessment tool

• Defines characteristics of IG at different levels

• Use to identify gaps between current state and desirable state

• Quantitative & qualitative measures

• Systematic process

– Evaluate program & assess risks

– Plan program improvements


THE MATURITY MODEL

| Maturity Level | Name | Status |
|---|---|---|
| 1 | Sub-Standard | RED |
| 2 | In Development | ORANGE |
| 3 | Essential | AMBER |
| 4 | Proactive | BLUE |
| 5 | Transformational | GREEN |

• No need to stair step through levels

• Level may vary across principles

• Level 3 – minimum acceptable

• Less than 5 may be acceptable:

– Risk tolerance

– Level of regulation


USING THE MATURITY MODEL

• Target the optimum level for your organization for each principle

– Different levels for different principles is ok

• Determine maturity of existing practices

– DIY based on maturity model, or

– Information Governance Assessment product

• Rank gaps between current and optimum levels

• Define corrective actions & implement work plan


Practical Applications: Privacy


PRIVACY CONSIDERATIONS

• Striking the balance

– Trust vs. business intelligence

• Opt in vs. Opt out

• Data protection

• Data breach prevention

– 46 states have notification laws

– Cost per record: $194

– Cost per organization: $5.5M


KEY FACTORS IN DATA BREACHES

Protections – Cost Reduction

• CISO appointment

• Strong security posture

• Established incident response plan

• Use of consultants to guide response actions

Primary root causes of a breach

• Malicious or criminal attack (37%); especially true for Germany, Australia, Japan

• Human error (35%); especially in Brazil

• System glitch (29%); especially in India

Ponemon Institute Cost of Data Breach study, 2013


IMPACT ON COSTS


IG AND PRIVACY COMPLIANCE

| ITEM | Principle | IG Tools |
|---|---|---|
| Security at the C-level | Accountability | Enterprise IG Program |
| Quick response process | Transparency; Compliance; Availability | Defined policies; Data map; Metadata index |
| Get outside help | Accountability | Proactive discussions |
| Identify confidential info | Transparency; Availability; Protection | Data map; Business process analysis |
| Data loss prevention measures | Accountability; Protection | Defined policies; Employee training; Technology |
| Integrate protection practices into business process | Protection | Work process analysis; Technology application; Passwords; encryption |
| Measured response process | See above | Risk assessment |
| Third-party providers | Accountability | SLAs – negotiated |


ALIGNING OUR TOOLS

| IAPP 10 Steps | ARMA Principle | Existing tools |
|---|---|---|
| Roadmap of laws/regulations | Compliance | Records Retention Schedule |
| Perform risk assessment | Protection | Information risk assessments |
| Privacy by Design Tools | | |
| Privacy Impact Assessments | | ARMA IGA |
| Audit prep plan / program | Throughout | ARMA IGA |
| Test your incident response | Protection | Disaster Recovery Plans in both RIM and IT |
| ID root cause; corrective actions; document impact | | Apply lessons from other areas |
| Written plan for known issues | | |
| Monitoring / trending | Throughout | Emphasis on continuing improvement & benchmarking |


ALIGNING OUR TOOLS

| AICPA Privacy Principles | ARMA Principle | Existing tools |
|---|---|---|
| Management | Accountability | Senior leader; Documented policies; defined roles; training programs re: information responsibility; compliance audits |
| Notice | Transparency | Consistent systems that contribute to effective notice; clearly defined policies/procedures |
| Choice & Consent | -- | Consistent systems that enable implementation of consumer choice |
| Collection | Transparency, Availability | |
| Use, retention, disposal | Retention, Disposition | |
| Access | | |
| Disclosure to 3rd parties | | |
| Security for privacy | | |
| Quality | Integrity | Metadata management |
| Monitoring / enforcement | Throughout | Continuing improvement plans, benchmarking |


ALIGNING OUR TOOLS

| AICPA Privacy Principles | ARMA Principle | Existing IG tools |
|---|---|---|
| Access | Availability | Defined security levels for access to information; metadata & indexing to facilitate access |
| Disclosure to 3rd parties | Availability | Defined processes for disclosure, approvals, access to electronic systems |
| Security for privacy | Protection | Defined schemes for security; implementation with IT support; protection is both physical & virtual |
| Quality | Integrity | Metadata management; random checks for appropriate indexing |
| Monitoring / enforcement | Throughout | Audits, continuing improvement plans, benchmarking |


NEXT STEPS

• Identify key stakeholders in your organization, by name

• Conduct an overall IG assessment

– AICPA maturity model

– ARMA maturity model and assessment product

• Build a coalition with stakeholders to determine best course for your organization

• Learn more

– www.arma.org/principles

– www.privacyassociation.org


CLOSING THOUGHTS

• Unified information governance relies on an effective collaborative team

– Power in numbers

– Comprehensive identification of issues & solutions

• Harmonize principles, models, standards for your organization

• Exploit existing IG tools

– Mitigates costs

– Maximizes resource usage

– Facilitates adoption of new processes


QUESTIONS?


Diane Carlisle, CRM

Executive Director of Content

ARMA International

[email protected]

For more information:

www.arma.org
