Designing a Solid Privacy & Data Protection Programme
by Enabling Organisational Cooperation & Teamwork
EUROPEAN CORPORATE COUNSEL SUMMIT 2015
Joao Torres Barreiro, Esq.
Associate VP, Chief Data Protection Officer
HCL Technologies
Copyright
This presentation contains a variety of copyright material. Some of this is the intellectual property of
individuals and corporations (as named), the remainder is owned by the Presenter himself.
Except for material which is unambiguously and unarguably in the public domain, only material owned by the
Presenter may be copied, provided that textual and graphical content are not altered and that the source is
acknowledged. The Presenter reserves the right to revoke that permission at any time. Permission is not
given for any commercial use or sale of this material.
No other material comprised in this presentation may be copied (except as legally allowed for study
purposes) or further disseminated without the express and written consent of the copyright's legal holder.
Agenda
I. Buy-in from the top
II. Organisational Cooperation & Teamwork
III. Pillars of a solid Privacy & Data Protection Program
I. Buy-in from the top
A mentor and senior sponsor you will need.
Why do you need buy-in from the top?
- You will need headcount and money.
- You will change business and internal practices in your organisation.
(IAPP-EY Annual Privacy Governance Report 2015)
Who is your sponsor?
HCL Risk & Compliance organisation structure (org chart):
- Risk Committee of the Board
- Risk and Compliance Committee (CFO, CRO, CHRO, EPO, Delivery Heads, Head-Legal)
- Chief Risk Officer
- Risk functions in the chart: Compliance, Information Security, Business Continuity Mgmt., Vendor Risk Management, Privacy, Operational Risk Management
Legend: CFO – Chief Finance Officer; CRO – Chief Risk Officer; CHRO – Chief Human Resource Officer; EPO – Enterprise Performance Officer
How will you impress and convince your sponsor?
Sometimes your sponsor is already convinced:
- A serious privacy breach has already occurred
- Your company has already lost a client or was not selected to provide services
... but what if you still need to impress and convince him or her?
Consequences in case of a serious privacy breach
- Media coverage
- Obligation to notify regulatory authorities and data subjects
- Stock market value
  "Sony shares fall 3.7 percent after 2nd data security breach"
  http://www.reuters.com/article/2011/05/06/us-sony-shares-idUSTRE74507E20110506
- Loss of customers
  "Visa removed Global Payments, an Atlanta company that helps the payment giant process transactions for merchants, from its list of 'compliant service providers.'"
  http://www.nytimes.com/2012/04/02/business/after-data-breach-visa-removes-a-service-provider.html?ref=globalpaymentsinc&_r=0
An absence of data breaches is an important seal for your brand and reputation.
Ponemon Institute Research Report: cost of a data breach per compromised record
"US and German companies experience the most expensive data breach incidents at $195 and $201 per compromised records"
(2014 Cost of Data Breach Study: Global Analysis, Ponemon Institute)
- Government scrutiny that may result in investigations and sanctions (e.g. blocking of further processing in clinical trials)
- Criminal offence claims. E.g., a person who obtains individually identifiable health information in violation of HIPAA with intent to use such information for commercial advantage may be imprisoned for up to 10 years (Section 1177 of HIPAA).
- Audits from clients
U.S.A: ELI LILLY: $160,000 + OTHER MEASURES
- Eli Lilly inadvertently sent an email message to all 669 subscribers of its Medi-Messenger service with every recipient visible in the "To" field
- FTC + 8 states complaint; the settlement set specific requirements for the information security program plus audits for 20 years (every other year)
ITALY: NOVARTIS: threat to restrict processing until corrective measures are adopted
- Novartis' sales reps were found to have incorrectly collected and used PI
- Novartis' clinical trial anonymisation procedures and treatment of sensitive PII were found inadequate
SPAIN: Zeppelin Television S.A.: €1,081,822
- Internet hackers accessed and published personal data of some 7,000 potential Big Brother contestants (racial origin, religious beliefs, health and sex life)
Brighter future?
Proposal of General Data Protection Regulation
- Fines of up to €100 million or 2-5% of annual worldwide turnover (depending on the draft).
- All data subjects will have the right to obtain compensation from the relevant controller or processor for damage suffered as a result of processing carried out in breach of the Regulation.
II. Organisational Cooperation & Teamwork
Governance
Governance – Privacy Office
Models
Establish the organisational model based on:
- the size of the organisation, and
- the implementation stage of the Privacy Program.
1) Complex
• Chief Data Protection/Privacy Officer (global) and Regional Privacy Counsel
• Data Protection/Privacy Officer (local) and/or Country Privacy Lawyer
• Privacy leaders in the business units (local)
2) Stand-alone position
• A sole privacy officer, even where privacy is not that person's only job.
[Diagram: Privacy Committee and Privacy Office]
Governance – Privacy Office
Profile of the Chief Data Protection/Privacy Officer
- Should be familiar with the privacy laws, rules and regulations specific to his or her industry.
- Should be able to involve the relevant internal and external stakeholders and to operate at all levels, from senior management down.
- Should know the business.
- Should have technological awareness and, importantly, the ability to communicate with technology professionals.
Governance – Privacy Working Group
Sometimes we need to create… other times to put the puzzle together.
Governance – Privacy Working Group
Members
• Privacy Office
• Heads of business lines
• Heads of support functions
Duties
• Understanding what other functions have already implemented in terms of privacy.
• Reviewing and approving enterprise-wide privacy policies and implementing procedures.
• Reviewing requests for exemptions from your company's privacy policies and implementing procedures.
• Reviewing privacy issues identified in internal/external audits and developing mitigation plans for open risks.
• Reviewing global privacy developments and recommending actions to ensure future compliance.
• Presenting initiatives for new projects, or changes to existing technology or business processes, that relate to privacy.
III. Pillars of a solid Privacy & Data Protection Program
[Figure: level of strictness of the program (minimum to maximum) plotted against feasibility and data utility (maximum to minimum); the acceptable trade-off lies in the middle. "The virtue lies in the middle."]
You need to speak their language.
Risk-based Planning – Process Maturity Model
Which are the pillars?
- Internal Assessment
- Policies & Guidelines
- Legal Instruments
- Awareness
- Data Protection Practices
- Audits
Internal Assessment
Goals
- To understand and evaluate which personal data your company processes, whose data it is, and why and how it is processed: a corporate mapping of the main data processing activities.
- To decide what you should tackle first (priorities).
Models
- Questionnaires, or
- Workshops followed by interviews (preferred solution)
Internal Assessment (cont'd)
- To create a database inventory that consolidates the company's main applications/systems that process personal data.
Once the information has been gathered: Database Inventory
Awareness
Training initiatives
a) Face-to-face: department sessions and/or company sessions
b) Online
Perform a risk-based assessment of training needs across your organisation to identify which groups of individuals may interact with Personal Information as part of their day-to-day activities.
Keys
Sensitivity
- Higher risk – Sensitive Personal Information processed
- Medium risk – Significant types of Personal Information processed
- Lower risk – Limited types of Personal Information processed
Quantity
- Higher risk – Large-scale processing of Personal Information
- Medium risk – Substantial quantities of Personal Information processed
- Lower risk – Limited quantities of Personal Information processed
Privacy Impact Assessment
The slide shows the Privacy by Design / Privacy Impact Assessment gate as a flowchart:
1. A privacy risk analysis of the application/system produces a privacy risk rating.
2. Rating = Green? Yes: assessment completed; the application/system can be deployed.
3. Rating = Red? Yes: the application/system cannot be deployed or changed.
4. Otherwise: start the Privacy Assessment Procedure. If the outcome is "Approved" or "Approved with restrictions/recommendations", the application/system can be deployed; if not, it is not deployed.
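Putting that flow into code, as an added example that is not part of the deck or of HCL's tooling: a small Python gate that takes rows of the database inventory described under Internal Assessment, rates each one with the Sensitivity and Quantity keys from the Awareness slide, and applies the Privacy Impact Assessment decision flow. The record layout, the rule that combines the two keys into a colour (both keys at the top tier is red, both at the bottom tier is green, anything else is amber and needs the Privacy Assessment Procedure), the "amber" label itself, and the fail-closed handling of entries with no owner or purpose are all assumptions of this example, not rules stated in the deck.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Tier(IntEnum):
    """Lower / medium / higher risk, as in the deck's sensitivity and quantity keys."""
    LOWER = 1
    MEDIUM = 2
    HIGHER = 3


GREEN, AMBER, RED = "green", "amber", "red"  # AMBER = "neither green nor red" (assumption)


@dataclass(frozen=True)
class InventoryEntry:
    """One row of the database inventory (record layout is an assumption)."""
    system: str
    owner: str                          # who processes the data
    purpose: str                        # why it is processed
    sensitivity: Tier                   # sensitive / significant / limited types of PI
    quantity: Tier                      # large scale / substantial / limited quantities
    pia_outcome: Optional[str] = None   # None, "approved", "approved_with_restrictions", "rejected"


@dataclass(frozen=True)
class Decision:
    system: str
    rating: str
    deploy: bool
    reason: str


def risk_rating(entry: InventoryEntry) -> str:
    """Combine the two keys into one colour (combination rule is an assumption)."""
    score = int(entry.sensitivity) + int(entry.quantity)
    if score >= 2 * Tier.HIGHER:      # sensitive PI at large scale
        return RED
    if score <= 2 * Tier.LOWER:       # limited PI in limited quantities
        return GREEN
    return AMBER


def gate(entry: InventoryEntry) -> Decision:
    """Apply the PIA flow to one inventory entry, failing closed on missing data."""
    # An entry the internal assessment never completed (no owner or purpose)
    # cannot be rated at all, so it is blocked rather than waved through.
    if not entry.owner.strip() or not entry.purpose.strip():
        return Decision(entry.system, "unrated", False,
                        "inventory incomplete: owner or purpose missing")
    rating = risk_rating(entry)
    if rating == GREEN:
        return Decision(entry.system, rating, True,
                        "assessment completed: may be deployed")
    if rating == RED:
        return Decision(entry.system, rating, False,
                        "cannot be deployed or changed")
    # AMBER: the Privacy Assessment Procedure must have run and approved it.
    if entry.pia_outcome in ("approved", "approved_with_restrictions"):
        return Decision(entry.system, rating, True,
                        f"PIA outcome '{entry.pia_outcome}': may be deployed")
    if entry.pia_outcome is None:
        return Decision(entry.system, rating, False,
                        "PIA not started: blocked until the procedure completes")
    return Decision(entry.system, rating, False,
                    f"PIA outcome '{entry.pia_outcome}': cannot be deployed")


def run_gate(inventory) -> dict:
    """Return {system: Decision} for a whole inventory."""
    return {e.system: gate(e) for e in inventory}


# Constructed sample inventory for the demo; these are not real systems.
SAMPLE_INVENTORY = [
    InventoryEntry("newsletter", "Marketing", "mailing list",
                   Tier.LOWER, Tier.LOWER),
    InventoryEntry("hr-payroll", "HR", "salary processing",
                   Tier.MEDIUM, Tier.MEDIUM, pia_outcome="approved_with_restrictions"),
    InventoryEntry("crm-v2", "Sales", "customer contacts",
                   Tier.MEDIUM, Tier.HIGHER),            # PIA never started
    InventoryEntry("clinical-trials", "R&D", "trial subject records",
                   Tier.HIGHER, Tier.HIGHER, pia_outcome="approved"),
    InventoryEntry("shadow-db", "", "", Tier.LOWER, Tier.LOWER),
]

if __name__ == "__main__":
    for d in run_gate(SAMPLE_INVENTORY).values():
        print(f"{d.system:16} {d.rating:8} {'DEPLOY' if d.deploy else 'BLOCK':6} {d.reason}")
```

Run as a pre-deployment check, the gate refuses the two cases that slide decks usually gloss over: an amber system whose PIA was simply never started, and an inventory row nobody owns. Both are blocked, not passed through on a default.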
Joao Torres Barreiro
Associate VP, Chief Data Protection Officer
HCL Technologies
Email: [email protected]
For more information about the marcus evans legal summit series: