Collaboration: Driving Highly Effective Privacy Programs
Aaron Weller, Managing Director, Cybersecurity, Privacy & IT Risk
September 2015
Session overview
1. What makes a highly-effective Privacy program?
2. Why is Privacy by Collaboration necessary?
3. Overview of a Privacy by Collaboration framework
   • Executive Support
   • Peer Relationships
   • Tangible Deliverables
   • Measurable Outcomes
4. Key takeaways
What makes a highly-effective privacy program?
Why is Privacy by Collaboration necessary?
Why privacy needs collaboration
Having a function formally responsible for privacy is a relatively new
development compared to many other risk management functions.
Because privacy is concerned with personal data at every stage of the
data lifecycle, from before data is collected through to when it is
disposed of, relevant risks and controls exist across many different
functional areas.
Privacy functions are frequently understaffed compared to other
functions with comparable responsibilities.
As a result, privacy functions can increase their effectiveness by
engaging in a model of Privacy by Collaboration (PbC) as part of a
broader governance effort.
Three lines of defense model

Governing Body/Board/Audit Committee
Senior Management

1st Line of Defense: Management Controls; Internal Control Measures
2nd Line of Defense: Information Security; Privacy; Risk Management; Quality; Inspection; Compliance
3rd Line of Defense: Internal Audit

External Audit and the Regulator sit outside the organization, alongside the three lines.

Adapted from IIA position paper: The Three Lines of Defense in Effective Risk Management & Control
Sharing protection of brand & bottom line

Risk factors:

Financial
• Companies face several financial risks associated with a breach or privacy misstep:
  - Federal/state regulatory fines
  - Loss of customers and revenue
  - Remediation efforts

Legal
• Companies are experiencing increasing lawsuits from:
  - Employees
  - Customers
  - Investors

Regulatory
• Enforcement actions from federal and state agencies
• Regulatory inquiries may require long-term third-party remediation in order to verify regulatory compliance

Reputational
• Negative impact to the brand
• Loss of employee, customer, & investor confidence

Compliance
• Non-compliance with government or industry regulations/enforcements (FTC Act, COPPA, State laws, etc.)
• Non-compliance with self-regulatory frameworks (e.g., TRUSTe, DMA OBA Principles, US-EU Safe Harbor, etc.)

Contractual
• Non-compliance with contract terms
• Mismanagement of vendors and third parties
• Inadequate or lack of consumer privacy notices
What are organizations trying to protect & why?

Why:
• Legal Requirements
• Reputation/Brand
• Competitive Advantage
• National Security
• Contractual Requirements
• Shareholder Value/Financial

What:
• Proprietary Business Information: intellectual property, pricing & sales/marketing strategy, sourcing strategy
• Personally Identifiable Information: name, age, identification numbers, home or e-mail address, geo-location data, phone number, income or physical characteristics, opinions, web browsing or purchasing history/patterns
• Sensitive Personal Information: information on medical or health conditions, financial information (including credit cards), racial or ethnic origin
• Business Customer Information: franchisee information, customer sensitive information (financial, IP, etc.)
Data protection and privacy is an enterprise-wide issue – it supports trust in the organization
• Growing demand by business leaders to understand how to better integrate privacy
(“what” data is sensitive to the business and “what are the constraints on how it can
be used”) with security (“how” to protect the data deemed sensitive).
• Emerging products/technologies and reliance on third parties (e.g., cloud providers)
have created a borderless global business ecosystem.
• Use of and reliance on data for business and personal use continues to grow –
almost exponentially.
• The market’s expectation is that corporations will be accountable for the
safekeeping of the data they are collecting.
• Increased scrutiny and media coverage of government data collection and sharing
practices with the private sector is resulting in the need for companies to provide
greater transparency (transparency reports, GNI, etc.).
• Need to balance protection with monetization – most organizations see increased
use of data driving profits.
The increasing importance of data to existing and future revenue drives an increased
need for effective controls over the data throughout its lifecycle, across
the organization.
Overview of a privacy by collaboration framework

Privacy by collaboration framework

Privacy by Collaboration rests on four elements:
• Executive Support
• Peer Relationships
• Tangible Deliverables
• Measurable Outcomes
Preparing for privacy by collaboration
• Privacy Program Development & Delivery
• Peer relationship management
• Executive support, communication and air cover
Executive support
Executive support – Group discussion
1. What does effective executive support look like?
2. How do you get executive support for your privacy program?
3. How do you maintain executive support for your privacy program?
4. How do you align what you are telling executives is important with other messages that they are hearing?
Key activities to obtain & maintain executive support
• Once you have it, don’t take it for granted.
• Don’t assume that you are the only source of what executives know about data-related risks and issues.
• Align your messaging with peers.
• Focus your messaging on business priorities.
Peer relationships
Peer relationships – Group discussion
1. Which of your peers have some overlap in caring about the treatment of personal data?
2. Which of your peers do you tend to interact with most often?
3. How formally do you maintain and manage these relationships?
4. Are there peer groups within your organization who you would like to have a better relationship with?
5. Have you asked them what they would like the privacy program to deliver to help them achieve their goals?
Identify likely areas of shared concern

Business area: example privacy-related concerns

Legal
• Global privacy and data protection laws
• Regulatory investigations and lawsuits
• Records Management
• Contract management

Marketing
• Digital and behavioral advertising initiatives
• eCommerce initiatives
• CRM
• Social media campaigns

Information Security
• Security compliance readiness (PCI, FedRAMP, ISO 27001, SOC 2/3, etc.)
• Data breaches

Internal Audit
• Board or Audit Committee requests
• Addressing highest risk areas across the enterprise

Compliance
• HIPAA (healthcare), GLBA (financial), state laws, global laws
• Regulatory examination

Product Development
• New product design and launch
• Changes to existing products and features
Consider topical issues that may have a raised profile within your organization

Topic: trend

Customer Perception
• Customers are willing to provide personal information with the expectation of corporate safeguarding and accountability

Privacy by Design
• Privacy is embedded into new technologies, products and business practices, from the outset

Social Networking
• Increasing new risks for organizations (e.g., security) and individuals (e.g., consumer privacy)

Online Behavioral Advertising
• Self-regulatory principles (i.e., transparency, consumer control and accountability)

Government Data Requests
• Increased media attention and scrutiny over how companies are handling government requests for user data (e.g., transparency reports, GNI)

Cross-border Data Transfers
• Increased scrutiny from DPAs as to the effectiveness of current cross-border data transfer mechanisms (Safe Harbor, BCRs, MCs)

Legislative Activity
• Congress and States are becoming increasingly active in developing legislation to address the changing privacy environment

Active Regulators
• Rising enforcement activity and interest from FTC, SAGs, international DPAs, HHS-OCR, Department of Commerce, etc.
Case study – Data and system inventory
“Problem: When I was a brand-new CPO, I needed to inventory what
turned out to be over 5,000 systems worldwide, including over 300
unique websites. I had zero staff and zero budget.
Solution: I enlisted the audit department to include a data and system
inventory in every audit they planned over the next two years, the
BC/DR person to include a data and system inventory in each Business
Impact Assessment she was doing for her own inventory, and the IT
department to include data elements in their configuration
management database they kept for IT inventory purposes.
Outcome: This approach led me to eventually get multiple million-dollar
projects funded with broad sponsorship. After 5 years we had all
systems inventoried, assessed, and remediated.”
Case study – Product development
“My team was significantly understaffed in comparison to the volume of
engineering projects and products currently underway that had possible
privacy implications.
We highly encouraged/incentivized Site Reliability Engineers (SREs) to
volunteer to be privacy champions and assist us in reviewing major launches of
all products and releases to gauge if privacy controls were properly
developed and adequately supported post launch.
This role required them to receive additional training and participate in
various privacy activities so that they were aware of what to look for in
reviews.
This stop-gap enabled us to show the value that this type of review could
provide and allowed me to gradually hire the right staff to supplant and
pair with our privacy champions to make it a more comprehensive review
with resource redundancy.”
Case study – Vendor risk management
“Problem: Vendors were being selected without consideration of how
well they implemented and managed controls over personal data.
Solution: I worked with our Vendor Risk Management team to include a
privacy risk assessment as part of the vendor selection process and to
hold vendors accountable for a privacy SLA during their contracts.
I partnered with the executive running Business Continuity Planning and
joined his meetings to discuss assessment of vendors from that
perspective and added the broader perspective on protection of the
data. I expanded the notion of privacy to focus on personal data as a
key asset of the organization...wherever the data went, I, as a privacy
professional, was going to insert myself as I felt appropriate.
Outcome: Privacy considerations were integrated into the Vendor Risk
Management process, with exceptions being escalated to me.”
Case study – Peer education & awareness
“My company had a pretty robust "new product approval process" in place when I
joined. There was an existing monthly roundtable including representatives from
every "control function" - legal, technology, operations, financial reporting, fraud,
etc. As the new privacy director for the business unit, I was inserted as the privacy
SME and expected to cover all risks related to personal information.
To help the other control function SMEs understand my role and the specific risks I
was responsible for mitigating, I met with each one of them individually and
provided a "privacy 101" cheat sheet/guardrails document that described what
privacy was, the laws/regulations that were/could be applicable to the business
unit, and some example scenarios of the types of products/services that would
require further analysis from a privacy perspective.
Through these one-on-one meetings, I also got a better sense of what was important
to these other control function SMEs, and where some of our "red flags" overlapped.
The cheat sheet I developed was eventually integrated into the new product
approval process that effectively now served as our "PbD" process.”
Case study – Data transfer restrictions
“In order to address the privacy and security concerns of clients, but also get
significant operational savings, we opened a new company in Northern Ireland
to handle IT production support and software development. The privacy, IT,
and finance (including tax) teams collaborated in the selection of the best
location for starting a captive IT support operation. In the end, although other
locations did have lower labor costs, the operational costs from the added
logistical and security requirements made the selection.
By having the privacy team part of the initial process, not only was a location
selected that best addressed the underlying risks and requirements, but the
collaboration continued through the organizational set-up, leading to
efficiencies in addressing operational privacy requirements, such as the data
transfer limitations on sending employee data to centralized HR systems in the
U.S.”
Case study – Encrypting USB thumb drives
“In my role as the CPO of a large services organization, I saw a significant
risk in the continued usage of unencrypted USB drives to transfer data
between our employees, and to vendors and customers.
For both the CISO and me, implementing tighter controls was a no-brainer,
but there were many in management, including the CIO, who were
resistant to this for reasons that included: tying the hands of the business,
slowing our speed to market and perceptions of our employees.
The CISO and I had to work together and align our messaging to convince
the various stakeholders in management that this was the right approach.
Unfortunately it took some time, and two large breaches, to reach a tipping
point, but ultimately we were successful in getting this control
implemented.”
Relationship mapping
1. Identify key stakeholders that can help you be successful, or prevent
you from meeting your goals.
2. Assess your current relationship strength with each stakeholder on a
scale from strong detractor to strong advocate.
3. Determine how to engage with each stakeholder:
– What are their objectives and how can you support them?
– Do they need your program to do anything in particular?
– Determine preferred method and frequency of interaction.
4. Determine specific actions to take to improve the relationship.
Tangible deliverables
Tangible deliverables – Group discussion
1. What tangible deliverables does your privacy program produce today?
   – Policies?
   – Incident response plans?
   – Training materials?
2. Who are the intended users of each of these deliverables, and how much input did they have to what these deliverables contain?
3. What other deliverables would you produce if you had additional resources?
Elements of a typical privacy program

The following elements surround the sensitive data that the program protects.

Accountability and Governance
• Setting formal strategy of the program
• Designation of responsibility for sensitive data protection
• Cross-functional partnerships & processes
• Well-defined roles and responsibilities

Risk and Compliance Assessment
• Applicable laws and regulations
• Business process risk ranking
• Data flow mapping and inventory
• Privacy impact assessment
• Integration points with other functions

Processes and Controls
• Policies, procedures and guidelines
• Data classification
• Collection, storage, use, transfer and destruction processes
• Technical, administrative and physical data protection controls
• Privacy by Design principles

Training and Awareness
• Coordinated communication channels to drive awareness
• Comprehensive training with defined elements, audience, frequency and sanctions
• Monitoring of training completion

Monitoring, Auditing & Reporting
• Periodic testing of control effectiveness
• Independent program assessments
• Audit & compliance monitoring
• Metrics and reporting of program activities

Incident Management and Response
• Defined response and breach notification plan
• Testing of plan
• Inclusion of vendor or third party

Vendor Management
• Risk valuation of vendor relationships
• Vendor assessment (questionnaire/onsite)
• Reporting and on-going evaluation
Gives & gets

For each element of the program, consider the inputs that component
relies upon and the outputs it produces that others can use. What the
program receives from others is a "get"; what it delivers to others is a
"give".

Worked example: Building privacy into the SDLC (Privacy by Design)
• Inputs (get): Information on which changes may have privacy implications
• Outputs (give): Approved changes and/or recommendations for additional
  controls or adjustments to the proposed change
Gives/Gets – Example for an information security function

Service: number of gives/gets identified during over 20 interviews

Manage compliance obligations: 27
Identify, Classify and Respond to Incidents: 16
Risk Management/Threat Management: 14
Manage Security Risks associated with Changes to Information Systems: 13
IT Project Support: 12
Manage Access to Information Assets: 9
Respond to internal or external inquiries: 8
Design and manage security architecture: 8
Governance of Information Security: 4
Test Security Configurations: 4
Measurable outcomes
Measurable outcomes – Group discussion
1. What are the most important metrics and measurements that your program produces?
2. Who is the audience for those metrics?
3. Do they measure activities performed by the program, or the outcomes that the program achieves?
4. What would you really like to measure but don’t have the data for?
Are you measuring the right things?
Measures and data that are easy to get and deliver little in the way of informational value are a lot like candy: they make you feel good,
don’t deliver much in the way of (nutritional) value, and are hard to give up.
Typically, metrics that are easy to measure don’t provide much value, and metrics that do provide value are often hard to properly measure.
Privacy program maturity (Qualitative)

Level 1 – Initial State/Forming
• No formal privacy program
• Development of privacy program in short-term goals; reactionary
• No formal privacy officer (most likely covered by information security and/or legal)

Level 2 – Maturing State/Storming and Norming
• Established privacy program with room for enhancement, whether in various sub-components or in consistent application across the whole organization

Level 3 – Mature State/Performing
• Privacy program is well established
• Seeking opportunity for continuous improvement
• Strive to be a leader in privacy and incorporate industry trends and/or possible future directions

Timescale: 2-3 years
Activity, process & outcome measurements

Three types of metrics measure performance at different levels. Both the maturity and the complexity of the metrics increase from activity metrics through process metrics to outcome metrics.

• Activity metrics: What are we doing to improve our performance?
• Process metrics: How mature and reliable is our performance?
• Outcome metrics: Are our activities and systems yielding improved outcomes that will help us reach our objective?
Key takeaways
1. Privacy by Collaboration is not a checklist. It is an operating model
and mindset for achieving the best results from your privacy
program, and the most value for your organization.
2. The most effective approach is one that aligns with your
organizational culture and values, and where you can gain and
maintain support through alignment with broader business goals.
3. Position privacy as an aspect of a broader trust concern, not as a
compliance function.
4. Engage other stakeholders to identify areas where collaboration
allows you both to contribute to a shared outcome.
5. Produce tangible outputs, and tell people that they exist.
6. Understand what makes sense to measure. If it’s easy to measure,
it’s rarely valuable to measure, and vice versa.
Thank you.
Aaron Weller, CIPT, CIPP/US, CIPM
Member of IAPP Certification Faculty
Seattle KnowledgeNet Co-chair