Designing a Solid Privacy & Data Protection Programme by Enabling Organisational Cooperation & Teamwork EUROPEAN CORPORATE COUNSEL SUMMIT 2015 Joao Torres Barreiro, Esq. Associate VP, Chief Data Protection Officer HCL Technologies


Page 1: Designing a Solid Privacy & Data Protection Programme by Enabling Organisational Cooperation & Teamwork

Designing a Solid Privacy & Data Protection Programme

by Enabling Organisational Cooperation & Teamwork

EUROPEAN CORPORATE COUNSEL SUMMIT 2015

Joao Torres Barreiro, Esq.

Associate VP, Chief Data Protection Officer

HCL Technologies

Page 2: Designing a Solid Privacy & Data Protection Programme by Enabling Organisational Cooperation & Teamwork

Copyright

This presentation contains a variety of copyright material. Some of this is the intellectual property of individuals and corporations (as named); the remainder is owned by the Presenter himself.

Except for material which is unambiguously and unarguably in the public domain, only material owned by the Presenter may be copied, provided that textual and graphical content are not altered and that the source is acknowledged. The Presenter reserves the right to revoke that permission at any time. Permission is not given for any commercial use or sale of this material.

No other material comprised in this presentation may be copied (except as legally allowed for study purposes) or further disseminated without the express and written consent of the copyright’s legal holder.

Page 3

Agenda

I. Buy-in from the top

II. Organisational Cooperation & Teamwork

III. Pillars of a solid Privacy & Data Protection Program

Page 5

I. Buy-in from the top

A mentor and senior sponsor you will need

Page 6

I. Buy-in from the top

Why do you need buy-in from the top?

You will need headcount and money.

You will change business and internal practices in your organization.

(IAPP-EY Annual Privacy Governance Report 2015)

Page 7

I. Buy-in from the top

Who is your sponsor?

Page 8

Figure: HCL Risk & Compliance Organization Structure

- Risk Committee of the Board
- Risk and Compliance Committee (CFO, CRO, CHRO, EPO, Delivery Heads, Head-Legal)
- Chief Risk Officer, overseeing: Compliance; Information Security; Business Continuity Mgmt.; Vendor Risk Management; Privacy; Operational Risk Management

Legend: CFO – Chief Finance Officer; CRO – Chief Risk Officer; CHRO – Chief Human Resource Officer; EPO – Enterprise Performance Officer

I. Buy-in from the top

Who is my sponsor?

Page 9

I. Buy-in from the top

How will you impress and convince your sponsor?

Page 10

I. Buy-in from the top

How will you impress and convince your sponsor?

Sometimes your sponsor is already convinced:

- A serious privacy breach has already occurred

- Your company has already lost a client or was not selected to provide services

... but what if you still need to impress and convince him/her?

Page 11

Consequences in case of a serious privacy breach

Media coverage

Obligation to notify regulatory authorities and data subjects

Stock market value

- “Sony shares fall 3.7 percent after 2nd data security breach”
http://www.reuters.com/article/2011/05/06/us-sony-shares-idUSTRE74507E20110506

Loss of customers

- “Visa removed Global Payments, an Atlanta company that helps the payment giant process transactions for merchants, from its list of ‘compliant service providers.’”
http://www.nytimes.com/2012/04/02/business/after-data-breach-visa-removes-a-service-provider.html?ref=globalpaymentsinc&_r=0

I. Buy-in from the top

Page 12

I. Buy-in from the top

An absence of data breaches is an important seal for your brand and reputation

Ponemon Institute© Research Report

Cost of a data breach per compromised record

“US and German companies experience the most expensive data breach incidents at $195 and $201 per compromised record”

(2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute)

Page 13

- Government scrutiny that may result in investigations and sanctions (e.g. blocking of further processing in clinical trials)

- Criminal offence claims

E.g., a person who obtains individually identifiable health information in violation of HIPAA with intent to use such information for commercial advantage shall be imprisoned for up to 10 years. (Section 1177 of HIPAA)

- Audits from clients

I. Buy-in from the top

Page 14

U.S.A: ELI LILLY: $160,000 + OTHER MEASURES

- Eli Lilly inadvertently sent an email message to all 669 subscribers of a Medi-Messenger service (“To” field visible to all)

- FTC + 8 states complaint; the settlement provided specific requirements for the information security program + audits for 20 years (every other year)

ITALY: NOVARTIS: Threat to restrict processing until corrective measures are adopted

- Novartis’ sales reps found to have incorrectly collected and used PI

- Novartis clinical trial anonymisation procedures and treatment of sensitive PII inadequate

SPAIN: Zeppelin Television S.A - €1,081,822

- Internet hackers accessed and published personal data of some 7,000 potential Big Brother contestants (racial origin, religious beliefs, health and sex life)

I. Buy-in from the top

Page 15

Brighter future?

Proposal for a General Data Protection Regulation

- €100 million or 2-5% of annual worldwide turnover.

- All data subjects will have the right to obtain compensation from the relevant controller or processor for damage suffered as a result of processing carried out in breach of the Regulation.

I. Buy-in from the top

Page 16

Agenda

I. Buy-in from the top

II. Organisational Cooperation & Teamwork

III. Pillars of a solid Privacy & Data Protection Program

Page 17

Governance

II. Organisational Cooperation & Teamwork

Page 18

Governance – Privacy Office

Models

Establish the organizational model, based on:

- The size of the organization, and

- The implementation stage of the Privacy Program.

1) Complex

• Chief Data Protection/Privacy Officer (global) and Regional Privacy Counsel

• Data Protection/Privacy (local) and/or Country Privacy Lawyer

• Privacy leaders in the business units (local)

2) Stand-alone position

• Sole privacy officer, including where privacy is not his or her only job.

Figure: Privacy Committee – Privacy Office

II. Organisational Cooperation & Teamwork

Page 19

Governance – Privacy Office

II. Organisational Cooperation & Teamwork

Profile of the Chief Data Protection/Privacy Officer

- Should be familiar with the privacy laws, rules and regulations specifically related to his or her respective industry.

- Should be able to involve the relevant internal and external stakeholders and to operate at all levels, from senior management down.

- Should know the business.

- Should have technological awareness and, importantly, an ability to communicate with technology professionals.

Page 20

Governance – Privacy Working Group

Sometimes we need to create…

II. Organisational Cooperation & Teamwork

Page 21

II. Organisational Cooperation & Teamwork

Governance – Privacy Working Group

… other times to put the puzzle together

Page 22

Governance – Privacy Working Group

II. Organisational Cooperation & Teamwork

Members

• Privacy Office

• Heads of business lines

• Heads of support functions

Duties

• Understanding what other functions have already implemented in terms of privacy.

• Reviewing and approving enterprise-wide privacy policies, as well as implementing procedures.

Page 23

Governance – Privacy Working Group

II. Organisational Cooperation & Teamwork

• Reviewing requests for exemptions from your company’s privacy policies and implementing procedures.

• Reviewing privacy issues identified in internal/external audits and developing mitigation plans for open risks.

• Reviewing updates in global privacy and recommending actions to ensure future compliance.

• Presenting initiatives for new projects or changes to existing technology or business processes that relate to privacy.

Page 24

Agenda

I. Buy-in from the top

II. Organisational Cooperation & Teamwork

III. Pillars of a solid Privacy & Data Protection Program

Page 25

Figure: level of strictness of the program (from minimum to maximum) plotted against feasibility and data utility (from maximum to minimum); the acceptable tradeoff lies in the middle.

The virtue lies in the middle

Page 26

You need to speak their language

III. Pillars of a solid Privacy & Data Protection Program

Page 27

Risk-based Planning - Process Maturity Model

III. Pillars of a solid Privacy & Data Protection Program

Page 29

Which are the pillars?

- Internal Assessment
- Policies & Guidelines
- Legal Instruments
- Awareness
- Data Protection Practices
- Audits

III. Pillars of a solid Privacy & Data Protection Program

Page 30

Internal Assessment

Goals

To understand and evaluate which personal data your company processes, about whom, why and how;

= corporate mapping of the main data processing activities

What should you tackle first? (priorities)

Models

Questionnaires

or

Workshops followed by interviews (preferred solution)

III. Pillars of a solid Privacy & Data Protection Program

Page 31

Internal Assessment (cont’d)

To create a database inventory that consolidates the company’s main applications/systems that process personal data

III. Pillars of a solid Privacy & Data Protection Program

Page 32

Internal Assessment

Database Inventory – once the information has been gathered

III. Pillars of a solid Privacy & Data Protection Program

Page 34

Awareness

Training initiatives

a) Face-to-face: department sessions and/or company sessions

b) Online

Perform a risk-based assessment of training needs across your organization to identify which groups of individuals may interact with Personal Information as part of their day-to-day activities.

Keys

Sensitivity

- Higher Risk – Sensitive Personal Information processed
- Medium Risk – Significant types of Personal Information processed
- Lower Risk – Limited types of Personal Information processed

Quantity

- Higher Risk – Large scale processing of Personal Information
- Medium Risk – Substantial quantities of Personal Information processed
- Lower Risk – Limited quantities of Personal Information processed

III. Pillars of a solid Privacy & Data Protection Program

Page 35

Privacy Impact Assessment

Figure: Privacy Impact Assessment / Privacy by Design flowchart, with the steps recoverable from the slide’s labels:

- Start the Privacy Assessment Procedure
- Privacy Risk Analysis of the application/system
- Privacy Risk Rating = Green? YES: assessment completed; the application/system can be deployed
- Privacy Risk Rating = Red? YES: the application/system cannot be deployed or changed
- Otherwise: Privacy Impact Assessment, resulting in “Approved” or “Approved with restrictions/recommendations”, after which the application/system can be deployed

III. Pillars of a solid Privacy & Data Protection Program

Page 36

Joao Torres Barreiro

Associate VP, Chief Data Protection Officer

HCL Technologies

Email: [email protected]

[email protected]
