
Privacy trends 2013

The uphill climb continues

Insights on governance, risk and compliance
January 2013
iii Insights on governance, risk and compliance | January 2013
Contents

Introduction .......... 2
Privacy's watchwords: governance and accountability .......... 4
Governance evolves for regulators and businesses .......... 5
From enforcer to strategic advisor .......... 6
Vendor assurance is not as easy as it looks .......... 8
The changing role of the privacy officer .......... 10
Technology offers opportunity, but includes a steep learning curve .......... 13
Digital transformation demands accountability .......... 14
Monitoring uncovers privacy failures .......... 16
Personal privacy versus corporate security: it's a fine balance .......... 18
Regulations struggle to keep up .......... 20
Privacy matures from compliance to accountability .......... 21
Breach notification becomes a strategic imperative .......... 24
Privacy by Design needs regulation to gain traction .......... 26
Conclusion .......... 28
Introduction
As the privacy landscape continues to evolve and mature, trends are forming around how market conditions are impacting organizations' privacy decisions.
In years past, when preparing this report, we discussed the top privacy trends organizations faced individually. This year, we have organized them into three categories: governance, technology and regulation. These are the megatrends we see playing increasingly larger roles as we enter a new era in privacy protection.

Regulators globally are doing their best to keep up with the velocity of change that is pushing the need for stronger privacy protection. However, it seems that for every step forward, evolving technology sets them two steps back. It's setting organizations back too. The digital world is still relatively young and boundaries are not yet fully established. Cyber attacks, inappropriate online etiquette and oversharing of personal information: these are just a few of the issues organizations need to navigate and regulate not only internally, but also on behalf of consumers who may not know better.

As the digital ecosystem evolves, regulators and organizations need to open the lines of communication. As regulators walk the fine line between advisors and compliance enforcers, organizations need to strive to create boundaries rather than push them. Together, regulators and organizations need to serve as the stewards of privacy protection.
These observations are echoed by the privacy leaders we asked to share their perspectives about today's privacy landscape and the challenges that lie ahead.

Allan Chiang, Hong Kong's Privacy Commissioner for Personal Data, discusses the evolving role of the Data Protection Authority (DPA) and the importance of fostering open discussions with organizations rather than simply regulating.

John Gevertz, Global Chief Privacy Officer at Automatic Data Processing (ADP), Inc., advocates for a standard privacy compliance framework that facilitates consistency in developing and assessing privacy programs, while addressing disparate requirements across industries and geographies.

Daniela Fabian Masoch, Global Head of Data Privacy at Novartis, whose organization recently achieved binding corporate rules (BCR) status, talks about creating a global governance structure that is both strong and flexible enough to accommodate national or regional requirements.

Henri Kujala, Privacy Officer in the Location and Commerce unit of Nokia, discusses the increasingly complex mobile ecosystem, and makes a strong argument for making privacy a foundational component of technology standards development.

Jules Polonetsky, Director and Co-chair of the Future of Privacy Forum in Washington, DC, describes the legal challenges organizations can face in determining who owns personal data on mobile devices that may or may not be company-owned, but are used in a corporate setting. As the popularity of bring your own device (BYOD) rises, so too does the complexity of who gets to control the data that lives on an employee's smartphone or tablet and where to draw the line between personal privacy and corporate risk.

Fabrice Naftalski, Ernst & Young Société d'Avocats law partner and European Privacy Seal (EuroPriSe) legal expert, suggests that BCR status, once an optional goal for large multinational organizations, is becoming a must have.

Mary Ellen Callahan, Partner at Jenner & Block LLP and former Chief Privacy Officer for the U.S. Department of Homeland Security, dispels the myth that the European Union's (EU) privacy approach is more rigorous than the United States' sectorial approach; in fact, the two regions have far more in common than many would think.

Marielle Gallo, Member of European Parliament and a Member of the Committee on Legal Affairs, outlines how the role of the European Commission Data Protection Authority (DPA) will shift under proposed changes to the EU Directive on data protection.

All observations follow a similar path toward governance and accountability. As the uphill climb to sound privacy management continues, organizations and regulators need to make the journey together.
Dr. Sagi Leizerov
Americas Leader of Privacy Advisory and Assurance Services, Ernst & Young
Virginia, US
Privacy's watchwords: governance and accountability

In the last 15 years, privacy regulations have had to evolve quickly to address operational and lifestyle changes brought forth by technology.

In the late 1990s and early 2000s, regulators around the world implemented regulations and guidelines to address specific compliance challenges, including the Health Insurance Portability and Accountability Act (HIPAA), the clinical trial directive, spam and text message advertising. These regulatory responses were reactions to technological developments. For example, an important driver of the HIPAA privacy and security rules was the advances in genetic research and the concern that such health information could impact individuals as well as their blood-related relatives. The EU electronic communication directive also was created because of technology-driven communication. In China, the state imposed regulations limiting spamming on cell phones.

In the mid-2000s, personal information-based fraud became a regulatory focal point. Breach notification and information security legislation shifted the tide toward privacy as a material business risk. Companies and criminal organizations alike came to realize the immense value of gaining access to personal information. Criminals saw the monetary value. Organizations began to understand the financial and reputational costs of allowing unauthorized access to personally identifiable information. In the US, Asia-Pacific and Europe, regulators began fining organizations for privacy gaffes. The EU passed a breach notification law for the telecommunication industry. And other jurisdictions passed regulations requiring encryption solutions to protect data. In addition, organizations started talking of privacy, PCI and crisis management in the same breath. It is a trend that continues today.

We are now entering a new era, where governance and accountability play a central role in effective privacy management. Regulators realize that they can't keep chasing technological developments with specific requirements. Instead, they are emphasizing the importance of a "thinking" privacy program that assesses impact and applies the core requirements of privacy to changes in processes and technology. We saw it in the regulations developed by the State of Massachusetts in the US for detailed security programs over personal information. We see it in recent U.S. Federal Trade Commission (FTC) consent decrees. We see it in upcoming privacy regulation changes and the increased emphasis on BCR as solutions. We also see it coming directly from regulators, such as the guidelines from the Office of the Privacy Commissioner of Canada.

In this publication we discuss key trends in this new era and solutions to help organizations navigate the ever-evolving privacy landscape. We hope you enjoy the discussion.
Governance evolves for regulators and businesses

Globally, regulators are doing everything they can to keep pace with the changes that necessitate greater privacy protection. But for every one step they take forward, technology seems at least two steps ahead. Technology is evolving at such a rate that regulators may never catch up. Instead of climbing uphill to a peak they may never reach, regulators are recognizing that they may be more effective with a two-pronged effort: 1) continue to improve privacy protection through legislation and regulation; and 2) become strategic advisors and active participants in decision-making discussions with organizations and consumers.

On the business side, organizations have been attempting to use a number of tools that have been created to offer independent assurance of privacy programs. However, many organizations are not yet mature enough to meet all the rigorous requirements that assurance standards demand. Organizations and regulators need to find a middle ground that motivates organizations to be accountable without causing them to fail in their efforts.

One of the challenges organizations face is that information security and privacy remain relatively new phenomena. Still only approximately 30 years young, society as a whole is still struggling to understand the ever-expanding digital boundaries. Inappropriate online etiquette, cyber bullying and the oversharing of personal information that constantly pushes privacy limits are just some of the issues the digital world has created. Within organizations, understanding and establishing these boundaries becomes increasingly important.

Organizations and regulators need to share the role of pillars of the digital community, setting the standards of trust and respect that the rest of society can follow.
From enforcer to strategic advisor

The accelerating pace of technological change has shifted regulators from regulation-makers to strategic advisors. Where their primary role was once to enforce the rules they created, many regulators are now equal parts compliance monitors, educators, liaisons between business and government, and active participants in the privacy debate.

For example, in Canada, the Ontario Information & Privacy Commissioner, Dr. Ann Cavoukian, has developed guidance relating to the personal data ecosystem (PDE) and the use of personal data vaults (PDV), which take advantage of emerging technologies to help consumers to collect, store, use, share, grant access to and manage their own personal information in a manner that is completely within their own control.[1] Dr. Cavoukian also is credited with creating Privacy by Design (PbD), the seven-principle model that regulators globally strongly recommend organizations use to embed privacy into IT system implementations.

In fact, in June 2012, PbD was the topic of a large one-day conference hosted and organized by the Office of the Privacy Commissioner for Personal Data in Hong Kong. Described as a privacy landmark event in Hong Kong, the local commissioner invited a panel of distinguished speakers from Australia, Canada, the US and New Zealand. The intended audience of the conference was broad, ranging from data protection and compliance professionals, to privacy advocates and academics, to marketing managers, policymakers, consultants and auditors. Sponsors included tech giants Google and Microsoft, as well as Ernst & Young. The objective was to educate local private and public sector organizations about PbD, the importance of its role in the future of privacy management and how organizations could go about implementing it.

Although the focus may be shifting, enforcement remains a crucial tool in a regulator's arsenal. One of privacy's biggest challenges remains a lack of enforcement action among certain industries and countries. Regulators voice these very concerns, the tension between working with organizations and enforcing regulations, during discussions about the proposed changes to privacy regulations in the EU. UK Information Commissioner Christopher Graham said of the issue that the proposals "demand that data protection authorities must impose fines ... leaving no room for regulators to exercise discretion." He went on to say that it would force regulators to "pick and choose," and result in inconsistencies in the regulation's application across Europe.[2]

Fortunately, when it comes to enforcement, privacy regulators are getting some help from industry regulators and others operating outside the privacy sphere.

In the US, for instance, health care industry regulators have enacted the Health Information Technology for Economic and Clinical Health (HITECH) Act, which calls for the states' attorney generals and the U.S. Department of Justice (DOJ) to enforce HIPAA. At a state level, California's Attorney General recently announced the formation of a Privacy Enforcement and Protection Unit within the DOJ. The unit is mandated to protect consumers through civil prosecution of both state and federal privacy laws.[3] Similarly, in the UK, the Financial Services Authority is responding to privacy violations and levying heavy fines for noncompliance.

[1] Cavoukian, Ann, PhD, Privacy by Design and the Emerging Personal Data Ecosystem, Office of the Information and Privacy Commissioner, Ontario, Canada, October 2012, http://www.ipc.on.ca/images/Resources/pbd-pde.pdf.
[2] "ICO, Facebook Call for Changes to Proposed Law," IAPP, 9 November 2012, https://www.privacyassociation.org/publications/2012_11_09_ico_facebook_call_for_changes_to_proposed_law.
[3] "Attorney General Kamala D. Harris Announces Privacy Enforcement and Protection Unit," State of California Department of Justice, Office of the Attorney General, 19 July 2012, http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-announces-privacy-enforcement-and-protection.
Allan Chiang
Privacy Commissioner for Personal Data
Hong Kong, China

Personal data protection needs to be a business imperative

In my work as Privacy Commissioner for Personal Data in Hong Kong, I am constantly confronted with legal challenges related to our regulatory role under the Personal Data (Privacy) Ordinance (the Ordinance). There have been several cases in the last two years of organizations falling afoul of the Ordinance that we have sought to investigate. In many cases, our office faced legal challenges as to whether we were empowered under the Ordinance to act.

Our response to these challenges was simple: we asked these companies to ask themselves whether it made business sense just to leave the issue in the hands of their legal and compliance professionals. Invariably, they determined that the reputational risk associated with the privacy contraventions was too high to only meet what they considered to be the minimum legal requirements. As such, we were able to work with the top management of these organizations to address the relevant privacy and data-protection issues.

However, this shouldn't be done after the fact. Organizations should be incorporating privacy into their business processes in much the same way that they incorporate other core values such as fairness, transparency and proportionality. To achieve an enduring and higher level of success, enterprises have to embrace personal data protection as a business imperative.
Vendor assurance is not as easy as it looks

Auditors, third-party attestation providers and industry oversight bodies have made great strides in developing tools to address vendor management risk.

In 2010, the American Institute of Certified Public Accountants (AICPA) finalized the Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE 16). This global auditing standard replaced the SAS 70, which had been the authoritative guidance for reporting on service organizations. SSAE 16 enables organizations to obtain service organization controls (SOC) reports in the areas of privacy, security, integrity, confidentiality and availability. The demand for Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy (SOC 2) has increased significantly since it took effect in 2011. However, in its first full reporting year (2012), many organizations have been challenged to meet the rigorous requirements of developing, maintaining and documenting the necessary controls, especially when it comes to privacy.

The Health Information Trust Alliance (HITRUST), borne from the need for health care providers to assure information security for health information systems and exchanges, has developed a common security framework (CSF) that can be used by any organization within or outside the health care industry that creates, accesses, stores or exchanges personal health and financial information. It is a framework that organizations consult, yet few actually use for attestation.

The world of privacy assurance looks much the way the financial landscape looked when the Sarbanes-Oxley Act was first introduced. Initially, many public companies thought it would be easy to meet the requirements. Many suffered a rude awakening when they realized that a substantial portion of their financial controls were insufficient for their auditors. Companies found themselves having to invest significant resources into improving their internal controls.

SOC 2 represents the future for assuring privacy management, but it may take organizations some time to improve their controls to meet the rigors the audit criteria require. However, as the risk associated with personal information continues to escalate, the trend for independent assurance in the privacy sphere will continue to grow.
John Gevertz
Global Chief Privacy Officer at Automatic Data Processing, Inc.
New York, US

The need for a standard privacy compliance framework grows

Automatic Data Processing (ADP) is one of the world's largest providers of business outsourcing solutions. Every day, we work with clients to manage their human resources, payroll, tax and benefits administration, among other businesses. Our business success depends on the efficient and safe handling of sensitive information. As a result, our privacy program and our security program are closely entwined not only conceptually, but organizationally. Our privacy program is principally focused on: 1) security; 2) compliance; and 3) business enablement. Our privacy team forms part of our security organization, but it also reports into legal, given the importance of compliance within the program.

In the face of ever-changing and quickly evolving threats, technology and regulations, ADP has implemented a governance, risk and compliance (GRC) approach that enables our privacy program to remain agile in responding globally to constantly changing regulations, threats and technologies, as well as the evolving needs of our clients.

As a global service provider, one of the challenges we have, and see continuing into 2013, is a lack of consistency in the development and application of regulations globally. We are seeing both convergence and divergence in the regulatory space. Multinational clients are struggling to address disparate regulatory developments in multiple jurisdictions. Regulations and standards vary, not only from region to region, but also from one industry to another. As such, each organization is trying to establish its own baseline of requirements it places on its vendors. Some requirements are geared toward regulators who are raising the bar. Others are responding to past breaches. Still others are seeking to meet their own internal standards. Although we are standardizing our security and privacy controls enterprise-wide, we often are called to respond on an individual organizational basis. No one set of policies, standards or controls meets the needs of all of our clients or even a segment of our clients. This creates inefficiencies in our privacy and security management programs.

As the proliferation and complexity of regulations grows globally, so too does the need for a solution in the form of a standard framework or approach that clients can use to establish their baselines and vendors can use to develop consistent, streamlined and effective privacy management programs. SOC 2 reporting may be one such solution. However, much like the discussions occurring around harmonizing regulations globally, consensus around a framework or reporting standards will take time to achieve.
The changing role of the privacy officer

The role of the privacy officer continues to evolve. Where it was once leading practice to have a privacy officer, today, it is common business practice. In fact, in many regulatory jurisdictions, the position is mandatory.

The need for a privacy officer (the title is different across industries and jurisdictions) is mentioned in existing privacy regulations such as HIPAA in the US, as well as proposed privacy regulations such as the EU privacy regulation, the consent decrees by the FTC and guidance provided by data protection authorities in Canada.

We see two different types of developments in the privacy officer role. In the large multinationals and the rapidly changing, information-intensive organizations, the role of the privacy officer has evolved significantly. As the role of the privacy officer has matured, these privacy officers find that they need to be more than luminaries or policy setters. They also need to deal with ongoing business issues and oversee a growing network of privacy professionals in their organizations to which they may only have a dotted reporting relationship.

However, another class of privacy officers has emerged. These are the privacy officers that are managing programs that experience small changes over time. Once their privacy program is in place and operating effectively, their organizations move from low maturity to the moderately mature level where maintenance, breach handling and program updates are the main functions. In this context, the need for a "Chief Privacy Officer (CPO)" disappears. Once a career destination, privacy responsibilities in slowly evolving or medium-size organizations that are not data intensive are increasingly held by low to mid-level managers for whom privacy is one of many positions along the career path.

In fact, the number of privacy officers in mid-level management positions is increasing even in large and leading multinationals. This divergence in the privacy officer position is not negative. In fact, when structured appropriately, it should align well to the needs of the organizations. Not every organization needs a "super CPO."

The maturation of the privacy officer has a direct effect on the maturity of privacy management as a whole. When a privacy manager moves on within the organization, that person takes that knowledge with them. This not only creates a fluency in privacy across other parts of the organization, but also makes privacy everyone's responsibility. In this way, privacy becomes embedded into the fabric of the organization. It is as integral to an organization as HR, procurement or internal audit.

Privacy maturity is no longer measured by the sophistication of solutions. Rather, it is measured in terms of consistency and consideration among a wide range of business demands. For some organizations, it is the ability to maintain a large network of professionals, often spanning borders and continents, to maintain a level of attention necessary to be effective in day-to-day operations. For others, it is maintaining a consistent level of compliance, not more but not less.
Daniela Fabian Masoch
Global Head Data Privacy, Novartis International AG
Basel, Switzerland
Standards for data privacy need to be both strong and flexible

Our approach to managing data privacy within the Novartis Group requires Novartis affiliates to take ownership and be accountable for local compliance with data privacy laws and regulations and for implementing our global privacy program.

Our privacy program is designed to support Novartis affiliates worldwide to comply with privacy requirements and to govern global projects and international data flows. While the Novartis Privacy Policy framework establishes a common standard on the appropriate protection of personal information within the Novartis Group, it is also important to keep some flexibility to accommodate national requirements. For example, standard operating procedures that companies must follow may vary from country to country, as could the requirements for setting up awareness and training programs, ensuring that our privacy standards are implemented and monitored on an ongoing basis.

A critical component for an effective implementation of our privacy program and BCR is the establishment of a global privacy network, including privacy officers at various levels of the organization within divisions, countries, functions and affiliates throughout the Novartis Group. Data Privacy Officers are responsible for ensuring compliance with data privacy requirements and for embedding the appropriate management of data privacy into processes and systems. Regular assessments of privacy controls indicate the maturity level at company level and help to identify existing gaps in the implementation of the program and potential risks for our organization.

Our approach to data privacy has proven to be effective. However, as regulations in the EU and elsewhere evolve, we need to keep our approach to data protection dynamic so that we can remain nimble and responsive to a constantly changing privacy environment.
Many organizations see themselves as moderately mature when it comes to privacy

In Ernst & Young's 2012 Global Information Security Survey: Fighting to close the gap, we asked survey participants to rate the maturity of their privacy function and several information security functions within their organizations in terms of maturity on a scale from nonexistent to very mature. Only 7% of respondents view their organizations as very mature when it comes to privacy. A near majority (41%) see themselves as moderately mature. They've made progress, but know that they can do more when it comes to privacy protection.
[Chart: What is the approximate percentage of total spend on the following information security functional areas in your organization? Categories shown: Security operations; Business continuity management and disaster recovery; Identity and access management; Compliance management and support; Security governance and management; Security incident and event management; Security testing; Threat and vulnerability management; Data integrity-related activities; Security awareness, training and communication; Privacy; Other.]
Technology offers opportunity, but includes a steep learning curve

The technology evolution is something of a double-edged sword. For organizations and consumers alike, technology opens the doors to a world of opportunities. But there are risks. Consumer demand is driving the need for digital transformation, a fundamental shift in customer relationships, business models and value chains. Some organizations are using technology to introduce new products or services, improve efficiency and collect more information about their customers than they currently need or know how to use. It is the latter that creates the biggest privacy risk.

To better manage that risk, many organizations have implemented monitoring technology. However, this raises new issues as the monitoring technology tends to shine a spotlight on privacy failures that are often costly to correct. Internally, the BYOD phenomenon is creating challenges between the need to secure the organization's data without compromising employee privacy.
Digital transformation demands accountability

Digital is widely seen as the most transformative business force since mass production. It is affecting how almost every industry interacts with its customers and enables organizations to create a seamless, unified experience across channels, processes and geographies.

By using the internet, social media, mobile and real-time 360 analytics, organizations can enhance customer relationships, increase top-line growth, streamline operations, empower talent and use innovation to reinvent competitive solutions and business models.

The app revolution is a prime example. Almost every organization wants an app to drive more consumer traffic. Even organizations that are relatively immature in technological maturity understand the value an app can provide, from increasing their appeal in the market to collecting reams of consumer information, whether they need it or not. In fact, many organizations have little or no idea what to do with all the information they collect.

The challenge this creates is that where leading edge technology organizations have been plugged into the privacy debate for some time, organizations slow to join the digital party often know very little about privacy risks or management and have no resources on staff to either identify or address them. As a result, we are seeing an increasing number of "rookie" mistakes impacting strong global brands as they step into the digital world. Their learning curve is steep. They will need to determine the requirements, establish a privacy program and become accountable for their digital transformation.
Henri Kujala
Privacy officer, Location & Commerce, Nokia
Berlin, Germany

When creating technology standards, put privacy first

Mobile is a complex, global ecosystem with many contributing players in different roles and
from different regions. Often, one player acts in multiple roles simultaneously. For example,
a device manufacturer also may be the operating system (OS) provider, run its own
application distribution channels and publish its own applications. Alternatively, these roles
could all be performed independently by different parties.

At the same time, vast numbers of individuals and companies are finding new ways to
participate in the world as users and creators of applications as well as processors and
controllers of personal data. Advertising and analytics providers create new opportunities
for application developers to monetize and develop their applications.

The dynamics of the ecosystem form a puzzle where all contributors must provide pieces
if the privacy challenge is to be solved. One small mishap by one of the contributing players
can cause significant privacy issues to individuals. No one player can act as the ultimate
one-stop shop to manage privacy across the ecosystem. Each player needs to do its part
to ensure that there is no hidden, uncontrolled, excessive or unsecured collection and use
of personal data.

Accordingly, OS providers must make hardware capabilities, such as various sensors, exposed
by device manufacturers, accessible to developers in a controlled and privacy-friendly manner.
OS providers need to ensure that access to information, such as contacts or content on the
OS, is controlled and transparent to users. As well, application stores should impose privacy
requirements on developers. This important step improves privacy awareness among the
developer community. Users also need to be made aware of the privacy impacts of features
of OS, hardware and applications, and there should be ways for users to report malicious
practices. Mainstream application stores have already developed privacy requirements with
which developers must comply before an application can be published.

Current privacy regulatory regimes may not be sufficient to address privacy issues in highly
interdependent ecosystems, where data is flowing across regions and continents, and where
different players are subject to different laws and users can access the services anywhere.
Often some of the activities of some of the key players, such as OS providers and application
stores, appear not to be covered by traditional data protection definitions, such as a data
controller. In fact, for many services, users themselves may act as data controller.

Nokia understands the importance of technology standards to sustain the future of the
mobile ecosystem. Accordingly, we have shared with a number of technology standards
bodies a model to facilitate the transformation of privacy principles into actual privacy
considerations in technology standards. Our goal is to enshrine privacy in the standards
development process, so that each party implementing the standard is informed and can
adhere to these expectations.
Monitoring uncovers privacy failures

In Ernst & Young's Privacy trends 2012: the case for growing accountability, we discussed
the rise in organizations' awareness of the need to monitor how personal information is
managed. We also talked about the increasing implementation of data loss prevention (DLP)
tools that track data sharing, tools that track network folders, and applications that monitor
usage patterns on databases.

We indicated that in 2012 we expected that organizations would increase their investment
in privacy monitoring tools to demonstrate greater accountability by monitoring the
personally identifiable information they collect. However, once implemented, the new
privacy monitoring tools demonstrated more than accountability. They also uncovered more
evidence of privacy failures.

These failures reveal the importance of implementing these tools and the need for
accountability. The challenge organizations now face is the significant cost of remediation.
In fact, many of the issues cannot simply be addressed with stopgap measures. Rather,
they require a substantial investment in new technologies. Many organizations still rely on
systems that were developed in the 1990s, when limiting access to sensitive information
and encryption solutions were on few organizations' radar. As such, many organizations
would have to undertake a complete IT transformation to address the privacy issues
monitoring tools are flagging. With many organizations still feeling the effects of a
sluggish economy, few are ready to make the required investment. In fact, we anticipate
that privacy budgets (and the security budgets supporting the protection of personal
information) will stay largely the same as in 2012.

In Ernst & Young's 2012 Global Information Security Survey, Fighting to close the gap,
70% of respondents indicated that they planned on spending relatively the same amount
over the next year as they did in the previous year on privacy. That number may have to
change to address the increased investment required to improve privacy controls.

The elements of any program include policies, controls and monitoring. For years, privacy
programs had robust policies and average controls, but very little monitoring. Many
organizations didn't have the tools to monitor privacy given the vast amounts of data and
processes involved.
[Figure: Compared to the previous year, does your organization plan to spend more, less or relatively the same amount over the next year for the following activities? Select only those areas where you have planned expenditure. Responses (Spend more / Spend the same / Spend less) by activity: Offshoring/outsourcing security activities; Forensics/fraud support; Recruiting security resources; Privacy; Secure development processes; Information security transformation; Incident response capabilities; Implementing security standards; Security incident and event management; Compliance monitoring; Threat and vulnerability management technologies and processes; Security governance and management; Security operations; Security testing; Information security risk management; Security awareness and training; Identity and access management technologies and processes; Data leakage/data loss prevention technologies and processes; Business continuity/disaster recovery; Securing new technologies.]
Personal privacy versus corporate security: it's a fine balance

Less than five years ago, the focus was on protecting the perimeter. More recently, as the
perimeter gave way to a borderless world, organizations shifted their focus to protecting
the data. Now, with the rise of the mobile workforce, organizations may have to shift their
focus again. Unable to control the data, organizations will need to determine who can be
trusted with the data.

The proliferation of bring-your-own-device (BYOD) programs, whether inside the more
traditional workplace or as part of the new virtual mobile workplace model, has generated
both efficiencies and true concerns. Many of the more popular mobile devices don't have
sufficient built-in controls to meet security expectations. As well, employees are able to
upgrade their mobile device themselves without having to go through the corporate IT
department. And then there is the privacy challenge. For security management purposes,
organizations want to use monitoring tools to keep an eye on their data. However, in the
process, the tools also end up monitoring an employee's personal information.

An ideal solution for resolving some of the privacy issues associated with dual-use devices
is to consider partitioning the device. The device would have two different desktops, one
for work and one for personal, located on two separate components of the device's hard
drive. Unfortunately, the size of the mobile device's hard drive and the power of its battery
do not yet support this solution.

Another option that may be more feasible is the use of a guest network that is separate
from the main network. This allows employees to use their personal device to gain access
to the web directly, perhaps even through a work-only email account. Organizations also
may want to consider using third-party services or their own coding to create "sandboxes"
where company data and company-issued applications reside, effectively separating them
from any interaction with personal data, applications or online services. These options
serve the dual purpose of protecting the organization's data from unauthorized access as
well as the employee's personal information from being monitored by the organization.

More than ever before we are seeing a transition to a fully mobile workforce. Some
organizations have closed entire brick-and-mortar offices in a shift to a fully virtual
workplace model. These organizations are managing the risks with administrative checks
and balances. But is it enough?
Jules Polonetsky
Director and Co-chair of the Future of Privacy Forum
Washington, DC, US

Who owns the data?

As mobile devices become central to our personal lives and crucial to work productivity,
discerning who owns the data that lives on our mobile devices has become incredibly
challenging. Policies and practices that were reasonable when a mobile device was clearly
the property of the company, with only minor personal use allowed, are less reasonable in
a world where the line between work and personal is indistinguishable. Employees are
expected to be available 24 hours a day; work time may include typing an email at
midnight while on vacation; and personal time may include doing an online search for just
the right birthday gift on an employer-issued tablet in between meetings in the office.
This is an area where law and compliance practice are being challenged to adapt.

We need solutions that are both convenient and effective in segregating work and
personal information. Technologies that can compartmentalize devices are helpful, but
organizations also need to adopt a more flexible and balanced view of what constitutes
personal versus work.

To date, with only a few court cases departing from the norm, employers have been able
to rely on clear policies that notify employees that their equipment may be monitored and
that devices may be wiped if the employee is terminated. But it is increasingly likely that if
a company takes steps to wipe personal data from a device that is owned by the employee,
the courts will apply their scrutiny to protect the employee. Consider the junior assistant
who checks email on the weekend at his boss's insistence, and who has minimal access to
sensitive data, but who loses the video of his child's first steps when his device is wiped
after he is laid off just before Christmas.

In a highly regulated environment, or an environment that deals with highly confidential
data, the organization's actions may hold up under that scrutiny. However, in cases where
the information access is more general, companies will need to have a more
accommodating and flexible policy in place.

Looking more broadly at privacy issues in the mobile world, it is clear that the rapid pace
of change is forcing new thinking about privacy. The digital evolution has created a
fragmented ecosystem comprising carriers, platforms, content creators and distributors,
devices, apps and analytics, all of whom have some role to play in how privacy is managed,
but none of whom has sole responsibility or accountability. This fragmentation will
continue to stress the boundaries of privacy. And yet, despite these concerns, the
ecosystem will continue to innovate to feed a voracious consumer appetite.

Amid the chaos and innovation this digital evolution brings, privacy cannot be forgotten.
Legislation and regulation will have to keep chasing the trends, ensuring that policy,
compliance and legal structures for the privacy of personal information are no more than
one step behind.
Regulations struggle to keep up

Regulators continue to face an uphill climb when it comes to protecting privacy.
An ongoing focus on specific privacy requirements rather than sweeping regulations
has some organizations responding tactically rather than strategically, while others
look for the loopholes. There is no doubt that regulators have increasingly complex
questions to answer. Consider, for example, the balance needed between the right to
be forgotten and the right of others to remember, which hinges greatly on freedom of
expression. Rapid advances in technology have directly impacted our social norms.
Privacy programs need to be able to bridge these gaps, faithfully adhering to
regulatory requirements while practically addressing the challenges of their
organizations and stakeholders. To achieve this balance, privacy programs need to
form an integral part of an organization's decision-making process rather than a
simple check-the-box compliance exercise that only seeks to meet minimum
regulatory requirements.

The ideal solution would be for organizations to use Privacy by Design (PbD) or
Privacy by ReDesign to embed privacy into new system implementations or IT
transformation initiatives. However, although PbD has been widely accepted as
a concept, it has yet to gain traction with organizations in terms of implementation.
Privacy matures from compliance to accountability

The EU, long seen as setting the standard for other countries to follow when it comes
to data protection, is raising the bar again. Mere months after the cookie law came
into force, the EU is looking to update its Data Protection Directive to harmonize the
data protection laws across the EU Member States and address evolving technology
advancements. The proposed legislation will apply to anyone processing data within the
EU, including any organization outside of Europe that offers goods and services to EU
residents. As well, for the first time, data processors will share in both the responsibility
and liability related to complying with the new laws.

Under the proposed EU regulations, organizations will be required to prove that they
undertake regular data protection audits and privacy impact assessments. Organizations
with more than 250 employees will also have to hire a data protection officer. These new
EU requirements don't ask organizations to be accountable; they are demanding it. Any
organization wanting to do business in the EU or with its citizens will need to review and
improve, where necessary, data protection and privacy programs to ensure compliance.

To achieve such compliance, many organizations are pursuing Binding Corporate Rules
(BCR) status. As we discussed in Privacy trends 2012: the case for growing accountability,
BCR comprises a set of internal guidelines, similar to a Code of Conduct, that establishes
policies for transferring personal information within the organization and across
international boundaries. BCR status is challenging to achieve, but early adopters, such
as GE and Philips, are already yielding the benefits. Over the next several years we expect
an increasing number of multinational organizations to pursue BCR status.

The Ernst & Young 2012 privacy trends report focused on the notion of accountability.
Companies taking a more strategic view of privacy and regulators requiring proof of an
organization's privacy program are two signs that privacy is beginning to mature from
strictly a compliance exercise to a declaration of accountability.
Just as the EU seeks to improve its data protection regulations, the Federal Trade
Commission (FTC) is busy taking similar action. In 2012, the FTC issued a final report
that establishes leading practices for protecting consumer privacy and giving consumers
greater control over collection of their personal information. The report also recommends
that the U.S. Congress introduce legislation at a federal level that would address privacy
protection, data breach notification and data brokering. To aid compliance with these
leading practices, the final report recommends that businesses: adopt PbD; simplify
choice for businesses and consumers about what information is shared and with whom;
and provide greater transparency around the collection and use of consumer data.[5]

In addition to these recommendations, the FTC has pursued legal action against several
social media and internet services companies for violating their own commitments to
privacy. These consent decrees also emphasized the importance of establishing the
tenets of an effective privacy program in a manner that addresses program changes,
compliance with requirements and privacy risk management.

In the Asia-Pacific region, the Asia-Pacific Economic Cooperation (APEC) Electronic
Commerce Steering Group has developed a voluntary, certification-based system. Known
as the Cross-Border Privacy Rules (CBPR) System, it enables organizations doing business
in the 21 participating APEC countries, which include the US, to establish a consistent set
of data privacy practices.[6] In a July 2012 APEC news release, Lourdes Yaptinchay, Chair
of the Electronic Commerce Steering Group, was quoted as saying that "the goal of the
system is to enhance electronic commerce, facilitate trade and economic growth, and
strengthen consumer privacy protections across the Asia-Pacific region, thereby promoting
regional economic integration."[7] Added Acting Secretary of Commerce and Deputy
Secretary of Commerce Rebecca Blank: "This system will enable participating companies
in the United States and other APEC member economies to more efficiently exchange
data in a secure manner and will enhance consumer data privacy by establishing a
consistent level of protection and accountability in the APEC region."[8]

As regulators around the world seek to bolster requirements for privacy program
accountability, the differences among regulations continue to diminish. This is good news
for organizations seeking to develop encompassing privacy programs that achieve
accountability, governance and monitoring objectives. This comprehensive approach
addresses a wide range of compliance requirements rather than focusing privacy efforts
on specific, jurisdictional regulations.

[5] "FTC Issues Final Commission Report on Protecting Consumer Privacy," Federal Trade Commission, 26 March 2012, http://www.ftc.gov/opa/2012/03/privacyframework.shtm.
[6] "APEC Cross-Border Privacy Rules System goes public," Asia-Pacific Economic Cooperation, 31 July 2012, http://www.apec.org/Press/News-Releases/2012/0731_cbpr.aspx.
[7] Ibid.
[8] Ibid.
Fabrice Naftalski
Ernst & Young Société d'Avocats law partner and EuroPriSe legal expert
Paris, France

The business case for BCR

BCR is a set of internal guidelines or rules adopted by multinational organizations that
defines global policies for transferring personal data within the same corporate group of
entities, but across international boundaries and particularly into countries that may
not provide an adequate level of protection. Although momentum for BCR status has
been building since its introduction by the EU in 2003, it is now reaching a tipping point,
where it is becoming the obvious solution for many organizations, rather than simply
another good option.

There are many reasons the time is right to adopt BCR status:

• With more than 40 BCR status applications already approved within the mutual recognition
procedure, DPAs have significantly improved their cooperation. Accordingly, the review
of BCR applications is now considerably shorter. It is possible to get an approval from
the Leading Authority within eight months.

• BCR applications benefit from strong support at national data protection authorities'
level and at the EU Commission level. Viviane Reding, Vice-President of the European
Commission, has presented BCR status as a tool to operate on a global scale, enabling
"companies to transfer their data freely and safely anywhere and in conformity with the
law ... potentially covering all kinds of business models: from a paper-based filing system
to an intricate internal organization or the most complex cloud computing system."[9]

• BCR status is a very good data protection compliance package that enables consistency
of data protection practices within a group.

• BCR status can serve as a marketing tool with clients because of the approval from
public authorities.

• Since June 2012, data processing service providers have been able to apply for BCR
status. This is a unique opportunity for service providers to offer trust and security to
their clients interested in cloud computing solutions.

In the next five years, multinational organizations that have not sought BCR status will be
viewed with suspicion, not a great place to be in a rapidly evolving and highly competitive
global market.

[9] "Viviane Reding, Vice-President of the European Commission, EU Justice Commissioner: Binding Corporate Rules: unleashing the
potential of the digital single market and cloud computing, IAPP Europe Data Protection Congress, Paris, 29 November 2011,"
Europa, 29 November 2011, http://europa.eu/rapid/press-release_SPEECH-11-817_en.htm.
Breach notification becomes a strategic imperative

In many jurisdictions around the world, breach notification regulations take a tactical
rather than a strategic approach, focusing primarily on complying with the notification
requirements rather than the risks that brought about the breach.

As the pace of technological evolution accelerates, such a tactical approach increasingly
leaves individuals vulnerable to aggressive organizations seeking to create competitive
advantage, or criminal enterprises looking to profit from unauthorized access to personally
identifiable information.

In the US, Massachusetts has established policies that force organizations to take a more
strategic approach to breach notification. In 2008, Massachusetts was one of 45 states to
implement data breach notification requirements as part of protection legislation that
governed the acquisition, management and disposal of personally identifiable information
for its residents. In 2010, the state required that residents and the Attorney General (AG)
be notified of any unauthorized access or use of the information an organization collects.
Included in the breach notification regulation was a requirement for organizations that
collect information about a resident of Massachusetts to develop a written information
security program (WISP). Although mandatory, no one in the Massachusetts AG's office
ever demanded to see a copy of an organization's WISP until recently. The AG's office
is now requiring any organization that experiences a breach to produce a copy of its
WISP. This requirement applies not only to organizations doing business in Massachusetts,
but to any organization that collects the personal information of a Massachusetts resident.
The sweeping domestic, and potentially international, implications of the enforcement of
this requirement mean that organizations will have to think and act more strategically
about breach notification.

Countries with a more federally comprehensive privacy approach, such as Canada, Australia
and the EU, are beefing up their regulations around breach notification. Improved breach
requirements in these countries further underscore the evolving role of the privacy regulator.
As discussed earlier in this report, many privacy regulators increasingly find that collaboration
and discussion with organizations under their jurisdiction is proving effective.

In the spirit of cooperation, leading organizations are already seeking to proactively
prepare for issues before they arise. For example, some organizations are developing
incident management plans that anticipate what may go wrong, so that if something
does go wrong, they can react immediately. This includes having standing contracts
with vendors that can provide call center, triage processing, communications and credit
monitoring as soon as they are given a "go" signal. In fact, many vendors providing
breach response services allow companies to establish master service agreements (MSAs)
on a fee-for-service basis so that companies only incur costs when the MSA is enacted.
Organizations that do not have MSAs in place lose valuable time when an incident does
occur. Because MSAs are often sensitive in nature and have multiple requirements, there
can be a lengthy legal review and negotiation process to ensure both parties are satisfied.
Once the MSAs are in place, organizations need to constantly review their effectiveness,
particularly after a breach, to ensure an appropriate level of scope, clearly articulated
roles and responsibilities and, most importantly, whether red flags are being escalated
from the front lines to the right people within the organization.
Mary Ellen Callahan
Jenner & Block LLP and former Chief Privacy Officer for the U.S. Department of Homeland Security
Washington, DC, US

Both sides of the Atlantic reconsider privacy

For almost two decades, a myth has been circulating that the EU's approach to privacy
and data protection is "stricter" than the sectorial approach the US employs. In my
experience, both as a privacy lawyer and as Chief Privacy Officer for the U.S. Department
of Homeland Security, the two regions' approaches have more in common than the myth
would suggest.

Both approaches to privacy are grounded in the concept of fair information practice
principles (FIPPs). First proposed by a US privacy commission in the early 1970s, the
FIPPs are internationally recognized, having been articulated and echoed in the US,
the European Union Directive 95/46/EC and the Asia-Pacific Economic Cooperation
Privacy Framework.

In contrast to the United States' sectorial approach to privacy protections and legislation,
the EU frequently adopts an umbrella approach, in which broad standards or principles
are easily promulgated, but often require the creation of exceptions or derogations to
apply the standards. The US can be more agile and specific in its legislation, but may
appear more reactive to high-profile privacy violations.

There has been significant recent activity on both sides of the Atlantic on fine-tuning
privacy regimes. The EU has released a draft Data Protection Regulation to update its
1995 Directive; the Obama Administration has supported a "consumer bill of rights,"
self-regulatory initiatives and potentially privacy legislation. The EU's process will take
years, and the end result will likely not look like the current product. Similarly, the
legislation process in the US may take a long time, but with President Obama's
re-election, privacy legislation may receive renewed attention in the next Congress.

One thing that is certain regardless of the result of both privacy reconsiderations: the
FIPPs are still very relevant to the privacy process. In the end, the EU approach will
probably be broader, with a series of "derogations" (exceptions), while the US approach
will be more narrowly tailored, trying to address some discrete issues. With that said,
there will likely be more additional international harmonization of privacy harm analysis as
the topic of privacy in the 21st century evolves.
Privacy by Design (PbD) needs regulation to gain traction

It has been more than two years since privacy commissioners gathered at the 32nd
International Conference of Data Protection and Privacy Commissioners in Jerusalem,
Israel to discuss and endorse the concept of PbD. In that time, regulators around the
world have lauded PbD as a standard that all organizations should adopt.

Yet few regulators or government lawmakers have mandated its use through regulation
or legislation and few organizations have sought to adopt it of their own accord. For PbD
to gain traction with organizations, it needs that regulated mandate.

Until PbD becomes a regulated standard, organizations will continue to operate upon the
principles established during the early days of the internet. That is, to take advantage of
the free online services an organization provides, consumers must be willing to give up
some of their personally identifiable information and privacy. However, as technology
evolves, consumers are giving up more and more of their personally identifiable
information, often without even knowing it.

As such, it is increasingly incumbent upon organizations to take greater care and
responsibility for the data they are collecting. This includes not only the organizations
doing the collecting directly, such as the application and software companies, but also all
of the corollary organizations, such as infrastructure companies and device or operating
system manufacturers. Every organization that touches consumer data should be
accountable for managing the privacy of that data. PbD would enforce that accountability.
Marielle Gallo
Member of European Parliament, Member of the Committee on Legal Affairs
Brussels, Belgium

Changes to the role of the European DPA under proposed changes to the EU Directive on data protection

On 25 January 2012, the EU Commission proposed an ambitious and comprehensive
reform of the 1995 data protection rules. The proposal is building on the principles of the
previous directive but ensures a higher level of protection for the users, particularly in the
online world.

One of the key changes in the reform is the setting up of the "one-stop shop" and
consistency mechanism. Companies will have to deal with a single DPA in the EU country
where they have their main establishment.

The proposal ensures consistency among supervisory authorities by two mechanisms:
1. It sets out a cooperation and mutual assistance regime, in cases where more than one
DPA has an interest in supervision. This will be the case, for instance, when data
subjects from more than one Member State have lodged complaints.
2. It creates a consistency mechanism through the European Data Protection Board
(EDPB) that has the competence to deliver opinions on cross-border matters. The
EDPB's opinions, however, will not be binding for the lead DPA.

The EU Commission's proposal is currently under scrutiny by the European Parliament. As
the draftsperson of the Committee on Legal Affairs, I am very much in favor of the
one-stop shop mechanism that will boost the EU single market, reduce red tape and
administrative costs for companies and facilitate the free flow of data in Europe.

However, more must be done. A clearer definition of the main establishment is needed
and the same criteria should apply to both controllers and processors. The cooperation
and mutual assistance regime should be strengthened and in the consistency mechanism
we must find the right balance between the powers of the EU Commission and those of
the EDPB and national DPAs.
Conclusion
Our ever-deepening foray into digital is transforming businesses in ways we have not seen since the onset of the industrial revolution. It is opening doors to a world of opportunity and tremendous risk to privacy. Privacy regulators are doing everything they can to keep up, but as the technology's evolution accelerates its pace, regulators continue to fall behind.
Regulation remains a useful tool to improve privacy protection. However, privacy regulators will have to make a fundamental shift from compliance officers to strategic advisors. They will have to work with organizations to facilitate stronger decision-making when it comes to privacy management.
On the business side, organizations need to be more accountable. If organizations are unwilling to integrate privacy into IT transformation initiatives, as PbD suggests, regulators should be looking to mandate it.
The digital ecosystem is still young and many organizations have yet to fully grasp not only the opportunities, but also the responsibilities that come with operating in a digital environment. Organizations and regulators alike need to appreciate the governance role they must play in safeguarding personal information and serving as examples that the rest of society can follow.
Ernst & Young
Assurance | Tax | Transactions | Advisory
About Ernst & Young
Ernst & Young is a global leader in assurance, tax, transaction and advisory services. Worldwide, our 167,000 people are united by our shared values and an unwavering commitment to quality. We make a difference by helping our people, our clients and our wider communities achieve their potential.
Ernst & Young refers to the global organization of member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients. For more information about our organization, please visit www.ey.com.
About Ernst & Young's Advisory Services
The relationship between risk and performance improvement is an increasingly complex and central business challenge, with business performance directly connected to the recognition and effective management of risk. Whether your focus is on business transformation or sustaining achievement, having the right advisors on your side can make all the difference. Our 25,000 Advisory professionals form one of the broadest global advisory networks of any professional organization, delivering seasoned multidisciplinary teams that work with our clients to deliver a powerful and superior client experience. We use proven, integrated methodologies to help you achieve your strategic priorities and make improvements that are sustainable for the longer term. We understand that to achieve your potential as an organization you require services that respond to your specific issues, so we bring our broad sector experience and deep subject-matter knowledge to bear in a proactive and objective way. Above all, we are committed to measuring the gains and identifying where the strategy is delivering the value your business needs. It's how Ernst & Young makes a difference.
The views of third parties set out in this publication are not necessarily the views of the global Ernst & Young organization or its member firms. Moreover, they should be seen in the context of the time they were made.
© 2013 EYGM Limited.
All Rights Reserved.
EYG no. AU1404
In line with Ernst & Young's commitment to minimize its impact on the environment, this document has been printed on paper with a high recycled content.
This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. Neither EYGM Limited nor any other member of the global Ernst & Young organization can accept any responsibility for loss occasioned to any person acting or refraining from action as a result of any material in this publication. On any specific matter, reference should be made to the appropriate advisor.
ED 0114
How Ernst & Young makes a difference
At Ernst & Young, our services focus on our clients' specific business needs and issues because we recognize that these are unique to that business.
Effective risk management is critical to helping modern organizations achieve their goals and it offers the opportunity to accelerate performance while protecting against the uncertainties, barriers and pitfalls inherent in any business. Integrating sound risk management principles and practices throughout operational, financial and even cultural aspects of the organization can provide a competitive advantage in the market and drive cost-effective risk processes internally.
Our 6,000 Risk professionals draw on extensive personal experience to give you fresh perspectives and open, objective support wherever you are in the world. We work with you to develop an integrated, holistic approach to managing risk and can provide resources to address specific risk issues. We understand that to achieve your potential, you need tailored services as much as consistent methodologies. We work to give you the benefit of our broad sector experience, our deep subject-matter knowledge and the latest insights from our work worldwide. It's how Ernst & Young makes a difference.
For more information on how we can make a difference in your organization, contact your local Ernst & Young professional or a member of our team listed below.
Contact details of our leaders
Global
Paul van Kessel +31 88 40 71271 paul.van.kessel@nl.ey.com
Randall J Miller +1 312 879 3536 randall.miller@ey.com
Areas
Americas
Michael L. Herrinton +1 703 747 0935 michael.herrinton@ey.com
Bernard R. Wedge +1 404 817 5120 bernard.wedge@ey.com
EMEIA
Jonathan Blackmore +44 20 795 11616 jblackmore@uk.ey.com
Manuel Giralt Herrero +34 91 572 7479 manuel.giraltherrero@es.ey.com
Asia-Pacific
Jenny S. Chan +86 21 2228 2602 jenny.s.chan@cn.ey.com
Rob Perry +61 3 9288 8639 rob.perry@au.ey.com
Japan
Yoshihiro Azuma +81 3 3503 1100 azuma-yshhr@shinnihon.or.jp
Haruyoshi Yokokawa +81 3 3503 2846 yokokawa-hrysh@shinnihon.or.jp