law partner and European Privacy Seal (EuroPriSe) legal expert, suggests that BCR (binding corporate rules) status, once an optional goal for large multinational organizations, is becoming a must-have.
Mary Ellen Callahan, Partner at Jenner & Block LLP and former Chief Privacy Officer for the U.S. Department of Homeland Security, dispels the myth that the European Union's (EU) privacy approach is more rigorous than the United States' sectoral approach; in fact, the two regions have far more in common than many would think.
Marielle Gallo, Member of the European Parliament and a Member of the Committee on Legal Affairs, outlines how the role of the European Commission Data Protection Authority (DPA) will shift under proposed changes to the EU Directive on data protection.
All observations follow a similar path toward governance and accountability. As the uphill climb to sound privacy management continues, organizations and regulators need to make the journey together.
4 Insights on governance, risk and compliance | January 2013
Dr. Sagi Leizerov
Americas Leader of Privacy Advisory and Assurance Services, Ernst & Young
Virginia, US
Privacy's watchwords:
governance and accountability
In the last 15 years, privacy regulations have had to evolve quickly to address operational and lifestyle changes brought forth by technology.
In the late 1990s and early 2000s, regulators around the world implemented regulations and guidelines to address specific compliance challenges, including the Health Insurance Portability and Accountability Act (HIPAA), the clinical trial directive, and spam and text message advertising. These regulatory responses were reactions to technological developments. For example, an important driver of the HIPAA privacy and security rules was the advance of genetic research and the concern that such health information could affect individuals as well as their blood relatives. The EU electronic communications directive also was created because of technology-driven communication. In China, the state imposed regulations limiting spamming on cell phones.
In the mid-2000s, personal-information-based fraud became a regulatory focal point. Breach notification and information security legislation shifted the tide toward treating privacy as a material business risk. Companies and criminal organizations alike came to realize the immense value of gaining access to personal information. Criminals saw the monetary value. Organizations began to understand the financial and reputational costs of allowing unauthorized access to personally identifiable information. In the US, Asia-Pacific and Europe, regulators began fining organizations for privacy gaffes. The EU passed a breach notification law for the telecommunications industry. Other jurisdictions passed regulations requiring encryption solutions to protect data. In addition, organizations started talking of privacy, PCI and crisis management in the same breath. It is a trend that continues today.
We are now entering a new era, where governance and accountability play a central role in effective privacy management. Regulators realize that they can't keep chasing technological developments with specific requirements. Instead, they are emphasizing the importance of a "thinking" privacy program that assesses impact and applies the core requirements of privacy to changes in processes and technology. We saw it in the regulations developed by the State of Massachusetts in the US requiring detailed security programs over personal information. We see it in recent U.S. Federal Trade Commission (FTC) consent decrees. We see it in upcoming privacy regulation changes and the increased emphasis on BCR as solutions. We also see it coming directly from regulators, such as the guidelines from the Office of the Privacy Commissioner of Canada.
In this publication we discuss key trends in this new era and solutions to help organizations navigate the ever-evolving privacy landscape. We hope you enjoy the discussion.
Governance evolves for regulators and businesses
Globally, regulators are doing everything they can to keep pace with the changes that necessitate greater privacy protection. But for every one step they take forward, technology seems at least two steps ahead. Technology is evolving at such a rate that regulators may never catch up. Instead of climbing uphill to a peak they may never reach, regulators are recognizing that they may be more effective with a two-pronged effort: 1) continue to improve privacy protection through legislation and regulation; and 2) become strategic advisors and active participants in decision-making discussions with organizations and consumers.
On the business side, organizations have been attempting to use a number of tools that have been created to offer independent assurance of privacy programs. However, many organizations are not yet mature enough to meet all the rigorous requirements that assurance standards demand. Organizations and regulators need to find a middle ground that motivates organizations to be accountable without causing them to fail in their efforts.
One of the challenges organizations face is that information security and privacy remain relatively new phenomena. Still only approximately 30 years young, society as a whole is still struggling to understand the ever-expanding digital boundaries. Inappropriate online etiquette, cyber bullying and the oversharing of personal information that constantly pushes privacy limits are just some of the issues the digital world has created. Within organizations, understanding and establishing these boundaries becomes increasingly important.
Organizations and regulators need to share the role of pillars of the digital community, setting the standards of trust and respect that the rest of society can follow.
From enforcer to
strategic advisor
For example, in Canada, the Ontario Information & Privacy Commissioner, Dr. Ann Cavoukian, has developed guidance relating to the personal data ecosystem (PDE) and the use of personal data vaults (PDV), which take advantage of emerging technologies to help consumers collect, store, use, share, grant access to and manage their own personal information in a manner that is completely within their own control.[1] Dr. Cavoukian also is credited with creating Privacy by Design (PbD), the seven-principle model that regulators globally strongly recommend organizations use to embed privacy into IT system implementations.
In fact, in June 2012, PbD was the topic of a large one-day conference hosted and organized by the Office of the Privacy Commissioner for Personal Data in Hong Kong. For what was described as a privacy landmark event in Hong Kong, the local commissioner invited a panel of distinguished speakers from Australia, Canada, the US and New Zealand. The intended audience of the conference was broad, ranging from data protection and compliance professionals, to privacy advocates and academics, to marketing managers, policymakers, consultants and auditors. Sponsors included tech giants Google and Microsoft, as well as Ernst & Young. The objective was to educate local private and public sector organizations about PbD, the importance of its role in the future of privacy management and how organizations could go about implementing it.
Although the focus may be shifting, enforcement remains a crucial tool in a regulator's arsenal. One of privacy's biggest challenges remains a lack of enforcement action among certain industries and countries. Regulators voiced these very concerns, the tension between working with organizations and enforcing regulations, during discussions about the proposed changes to privacy regulations in the EU. UK Information Commissioner Christopher Graham said of the issue that the proposals "demand that data protection authorities must impose fines ... leaving no room for regulators to exercise discretion." He went on to say that it would force regulators to "pick and choose," and result in inconsistencies in the regulation's application across Europe.[2]
Fortunately, when it comes to enforcement, privacy regulators are getting some help from industry regulators and others operating outside the privacy sphere.
In the US, for instance, the Health Information Technology for Economic and Clinical Health (HITECH) Act calls for the states' attorneys general and the U.S. Department of Justice (DOJ) to enforce HIPAA. At a state level, California's Attorney General recently announced the formation of a Privacy Enforcement and Protection Unit within the California Department of Justice. The unit is mandated to protect consumers through civil prosecution of both state and federal privacy laws.[3] Similarly, in the UK, the Financial Services Authority is responding to privacy violations and levying heavy fines for noncompliance.
The accelerating pace of technological change has shifted regulators from regulation-makers to strategic advisors. Where their primary role was once to enforce the rules they created, many regulators are now equal parts compliance monitors, educators, liaisons between business and government, and active participants in the privacy debate.
[1] Cavoukian, Ann, PhD, Privacy by Design and the Emerging Personal Data Ecosystem, Office of the Information and Privacy Commissioner, Ontario, Canada, October 2012, http://www.ipc.on.ca/images/Resources/pbd-pde.pdf.
[2] "ICO, Facebook Call for Changes to Proposed Law," IAPP, 9 November 2012, https://www.privacyassociation.org/publications/2012_11_09_ico_facebook_call_for_changes_to_proposed_law.
[3] "Attorney General Kamala D. Harris Announces Privacy Enforcement and Protection Unit," State of California Department of Justice, Office of the Attorney General, 19 July 2012, http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-announces-privacy-enforcement-and-protection.
Allan Chiang
Privacy Commissioner for Personal Data
Hong Kong, China
Personal data protection needs to be a
business imperative
In my work as Privacy Commissioner for Personal Data in Hong Kong, I am constantly confronted with legal challenges related to our regulatory role under the Personal Data (Privacy) Ordinance (the Ordinance). There have been several cases in the last two years of organizations falling afoul of the Ordinance that we have sought to investigate. In many cases, our office faced legal challenges as to whether we were empowered under the Ordinance to act.
Our response to these challenges was simple: we asked these companies to ask themselves whether it made business sense just to leave the issue in the hands of their legal and compliance professionals. Invariably, they determined that the reputational risk associated with the privacy contraventions was too high to only meet what they considered to be the minimum legal requirements. As such, we were able to work with the top management of these organizations to address the relevant privacy and data-protection issues.
However, this shouldn't be done after the fact. Organizations should be incorporating privacy into their business processes in much the same way that they incorporate other core values such as fairness, transparency and proportionality. To achieve an enduring and higher level of success, enterprises have to embrace personal data protection as a business imperative.
Vendor assurance is not
as easy as it looks
In 2010, the American Institute of Certified Public Accountants (AICPA) finalized the Statement on Standards for Attestation Engagements No. 16, Reporting on Controls at a Service Organization (SSAE 16). This attestation standard replaced SAS 70, which had been the authoritative guidance for reporting on service organizations. Under the AICPA's service organization controls (SOC) reporting framework, organizations can obtain reports covering privacy, security, processing integrity, confidentiality and availability. The demand for Reports on Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality and Privacy (SOC 2) has increased significantly since SSAE 16 took effect in 2011. However, in its first full reporting year (2012), many organizations have been challenged to meet the rigorous requirements of developing, maintaining and documenting the necessary controls, especially when it comes to privacy.
The Health Information Trust Alliance (HITRUST), born from the need for health care providers to assure information security for health information systems and exchanges, has developed a common security framework (CSF) that can be used by any organization, within or outside the health care industry, that creates, accesses, stores or exchanges personal health and financial information. It is a framework that organizations consult, yet few actually use for attestation.
The world of privacy assurance looks much the way the financial landscape looked when the Sarbanes-Oxley Act was first introduced. Initially, many public companies thought it would be easy to meet the requirements. Many suffered a rude awakening when they realized that a substantial portion of their financial controls were insufficient for their auditors. Companies found themselves having to invest significant resources into improving their internal controls.
SOC 2 represents the future for assuring privacy management, but it may take organizations some time to improve their controls to meet the rigor the audit criteria require. However, as the risk associated with personal information continues to escalate, the trend toward independent assurance in the privacy sphere will continue to grow.
Auditors, third-party attestation providers and industry oversight bodies have made great strides in developing tools to address vendor management risk.
John Gevertz
Global Chief Privacy Officer at Automatic Data Processing, Inc.
New York, US
The need for a standard privacy compliance framework grows
Automatic Data Processing (ADP) is one of the world's largest providers of business outsourcing solutions. Every day, we work with clients to manage their human resources, payroll, tax and benefits administration, among other businesses. Our business success depends on the efficient and safe handling of sensitive information. As a result, our privacy program and our security program are closely entwined, not only conceptually but organizationally. Our privacy program is principally focused on: 1) security; 2) compliance; and 3) business enablement. Our privacy team forms part of our security organization, but it also reports into legal, given the importance of compliance within the program.
In the face of ever-changing and quickly evolving threats, technology and regulations, ADP has implemented a governance, risk and compliance (GRC) approach that enables our privacy program to remain agile in responding globally to constantly changing regulations, threats and technologies, as well as the evolving needs of our clients.
As a global service provider, one of the challenges we have, and see continuing into 2013, is a lack of consistency in the development and application of regulations globally. We are seeing both convergence and divergence in the regulatory space. Multinational clients are struggling to address disparate regulatory developments in multiple jurisdictions. Regulations and standards vary, not only from region to region, but also from one industry to another. As such, each organization is trying to establish its own baseline of requirements that it places on its vendors. Some requirements are geared toward regulators who are raising the bar. Others are responding to past breaches. Still others are seeking to meet their own internal standards. Although we are standardizing our security and privacy controls enterprise-wide, we often are called to respond on an individual organizational basis. No one set of policies, standards or controls meets the needs of all of our clients or even a segment of our clients. This creates inefficiencies in our privacy and security management programs.
As the proliferation and complexity of regulations grows globally, so too does the need for a solution in the form of a standard framework or approach that clients can use to establish their baselines and vendors can use to develop consistent, streamlined and effective privacy management programs. SOC 2 reporting may be one such solution. However, much like the discussions occurring around harmonizing regulations globally, consensus around a framework or reporting standards will take time to achieve.
The changing role of the privacy officer
The need for a privacy officer (the title differs across industries and jurisdictions) is mentioned in existing privacy regulations such as HIPAA in the US, as well as in proposed privacy regulations such as the EU privacy regulation, the consent decrees by the FTC and guidance provided by data protection authorities in Canada.
We see two different types of development in the privacy officer role. In the large multinationals and the rapidly changing, information-intensive organizations, the role of the privacy officer has evolved significantly. As the role has matured, these privacy officers find that they need to be more than luminaries or policy setters. They also need to deal with ongoing business issues and oversee a growing network of privacy professionals in their organizations to which they may only have a dotted-line reporting relationship.
However, another class of privacy officers has emerged. These are the privacy officers managing programs that experience only small changes over time. Once their privacy program is in place and operating effectively, their organizations move from low maturity to the moderately mature level, where maintenance, breach handling and program updates are the main functions. In this context, the need for a "Chief Privacy Officer (CPO)" disappears. Once a career destination, privacy responsibilities in slowly evolving or medium-size organizations that are not data intensive are increasingly held by low- to mid-level managers for whom privacy is one of many positions along the career path.
In fact, the number of privacy officers in mid-level management positions is increasing even in large and leading multinationals. This divergence in the privacy officer position is not negative. When structured appropriately, it should align well with the needs of the organization. Not every organization needs a "super CPO."
The maturation of the privacy officer has a direct effect on the maturity of privacy management as a whole. When a privacy manager moves on within the organization, that person takes that knowledge with them. This not only creates a fluency in privacy across other parts of the organization, but also makes privacy everyone's responsibility. In this way, privacy becomes embedded in the fabric of the organization. It is as integral to an organization as HR, procurement or internal audit.
Privacy maturity is no longer measured by the sophistication of solutions. Rather, it is measured in terms of consistency and consideration among a wide range of business demands. For some organizations, it is the ability to maintain a large network of professionals, often spanning borders and continents, to sustain the level of attention necessary to be effective in day-to-day operations. For others, it is maintaining a consistent level of compliance, not more but not less.
The role of the privacy officer continues to evolve. Where it was once leading practice to have a privacy officer, today it is common business practice. In fact, in many regulatory jurisdictions, the position is mandatory.
Daniela Fabian Masoch
Global Head Data Privacy, Novartis International AG
Basel, Switzerland
Standards for data privacy need to be both strong and flexible
Our approach to managing data privacy within the Novartis Group requires Novartis affiliates to take ownership and be accountable for local compliance with data privacy laws and regulations and for implementing our global privacy program.
Our privacy program is designed to support Novartis affiliates worldwide in complying with privacy requirements and to govern global projects and international data flows. While the Novartis Privacy Policy framework establishes a common standard on the appropriate protection of personal information within the Novartis Group, it is also important to keep some flexibility to accommodate national requirements. For example, standard operating procedures that companies must follow may vary from country to country, as could the requirements for setting up awareness and training programs, ensuring that our privacy standards are implemented and monitored on an ongoing basis.
A critical component for an effective implementation of our privacy program and BCR is the establishment of a global privacy network, including privacy officers at various levels of the organization within divisions, countries, functions and affiliates throughout the Novartis Group. Data Privacy Officers are responsible for ensuring compliance with data privacy requirements and for embedding the appropriate management of data privacy into processes and systems. Regular assessments of privacy controls indicate the maturity level at company level and help to identify existing gaps in the implementation of the program and potential risks for our organization.
Our approach to data privacy has proven to be effective. However, as regulations in the EU and elsewhere evolve, we need to keep our approach to data protection dynamic so that we can remain nimble and responsive to a constantly changing privacy environment.
Many organizations see themselves as moderately mature when it
comes to privacy
In Ernst & Young's 2012 Global Information Security Survey: Fighting to close the gap, we asked survey participants to rate the maturity of their privacy function and several information security functions within their organizations on a scale from nonexistent to very mature. Only 7% of respondents view their organizations as very mature when it comes to privacy. A near majority (^1%) see themselves as moderately mature. They've made progress, but know that they can do more when it comes to privacy protection.
[Chart: "What is the approximate percentage of total spend on the following information security functional areas in your organization?" Categories shown: Security operations; Business continuity management and disaster recovery; Identity and access management; Compliance management and support; Security governance and management; Security incident and event management; Security testing; Threat and vulnerability management; Data integrity-related activities; Security awareness, training and communication; Privacy; Other.]
Technology offers opportunity, but includes a steep learning curve
The technology evolution is something of a double-edged sword. For organizations and consumers alike, technology opens the doors to a world of opportunities. But there are risks. Consumer demand is driving the need for digital transformation, a fundamental shift in customer relationships, business models and value chains. Some organizations are using technology to introduce new products or services, improve efficiency and collect more information about their customers than they currently need or know how to use. It is the latter that creates the biggest privacy risk.
To better manage that risk, many organizations have implemented monitoring technology. However, this raises new issues, as the monitoring technology tends to shine a spotlight on privacy failures that are often costly to correct. Internally, the BYOD phenomenon is creating tension between the need to secure the organization's data and the need to avoid compromising employee privacy.
Digital transformation
demands accountability
By using the internet, social media, mobile and real-time 360-degree analytics, organizations can enhance customer relationships, increase top-line growth, streamline operations, empower talent and use innovation to reinvent competitive solutions and business models. The app revolution is a prime example. Almost every organization wants an app to drive more consumer traffic. Even organizations that are relatively immature technologically understand the value an app can provide, from increasing their appeal in the market to collecting reams of consumer information, whether they need it or not. In fact, many organizations have little or no idea what to do with all the information they collect.
The challenge this creates is that while leading-edge technology organizations have been plugged into the privacy debate for some time, organizations slow to join the digital party often know very little about privacy risks or management and have no resources on staff to either identify or address them. As a result, we are seeing an increasing number of "rookie" mistakes impacting strong global brands as they step into the digital world. Their learning curve is steep. They will need to determine the requirements, establish a privacy program and become accountable for their digital transformation.
Digital is widely seen as the most transformative business force since mass production. It is affecting how almost every industry interacts with its customers and enables organizations to create a seamless, unified experience across channels, processes and geographies.
When creating technology standards, put
privacy first
Mobile is a complex, global ecosystem with many contributing players in different roles and from different regions. Often, one player acts in multiple roles simultaneously. For example, a device manufacturer also may be the operating system (OS) provider, run its own application distribution channels and publish its own applications. Alternatively, these roles could all be performed independently by different parties.
At the same time, vast numbers of individuals and companies are finding new ways to participate in the world as users and creators of applications as well as processors and controllers of personal data. Advertising and analytics providers create new opportunities for application developers to monetize and develop their applications.
The dynamics of the ecosystem form a puzzle where all contributors must provide pieces if the privacy challenge is to be solved. One small mishap by one of the contributing players can cause significant privacy issues for individuals. No one player can act as the ultimate one-stop shop to manage privacy across the ecosystem. Each player needs to do its part to ensure that there is no hidden, uncontrolled, excessive or unsecured collection and use of personal data.
Accordingly, OS providers must make hardware capabilities, such as the various sensors exposed by device manufacturers, accessible to developers in a controlled and privacy-friendly manner. OS providers need to ensure that access to information, such as contacts or content on the OS, is controlled and transparent to users. As well, application stores should impose privacy requirements on developers. This important step improves privacy awareness among the developer community. Users also need to be made aware of the privacy impacts of features of the OS, hardware and applications, and there should be ways for users to report malicious practices. Mainstream application stores have already developed privacy requirements with which developers must comply before an application can be published.
Current privacy regulatory regimes may not be sufficient to address privacy issues in highly interdependent ecosystems, where data is flowing across regions and continents, and where different players are subject to different laws and users can access the services anywhere. Often some of the activities of some of the key players, such as OS providers and application stores, appear not to be covered by traditional data protection definitions, such as that of a data controller. In fact, for many services, users themselves may act as data controller.
Nokia understands the importance of technology standards to sustain the future of the mobile ecosystem. Accordingly, we have shared with a number of technology standards bodies a model to facilitate the transformation of privacy principles into actual privacy considerations in technology standards. Our goal is to enshrine privacy in the standards development process, so that each party implementing the standard is informed and can adhere to these expectations.
Henri Kujala
Privacy officer, Location & Commerce, Nokia
Berlin, Germany
Monitoring uncovers
privacy failures
In Ernst & Young's Privacy trends 2012: the case for growing accountability, we discussed the rise in organizations' awareness of the need to monitor how personal information is managed. We also talked about the increasing implementation of data loss prevention (DLP) tools that track data sharing, tools that track network folders, and applications that monitor usage patterns on databases.
We indicated that in 2012 we expected organizations to increase their investment in privacy monitoring tools to demonstrate greater accountability by monitoring the personally identifiable information they collect. However, once implemented, the new privacy monitoring tools demonstrated more than accountability. They also uncovered more evidence of privacy failures.
These failures reveal the importance of implementing these tools and the need for accountability. The challenge organizations now face is the significant cost of remediation. In fact, many of the issues cannot simply be addressed with stopgap measures. Rather, they require a substantial investment in new technologies. Many organizations still rely on systems that were developed in the 1990s, when limiting access to sensitive information and encryption solutions were on few organizations' radar. As such, many organizations would have to undertake a complete IT transformation to address the privacy issues monitoring tools are flagging. With many organizations still feeling the effects of a sluggish economy, few are ready to make the required investment. In fact, we anticipate that privacy budgets (and the security budgets supporting the protection of personal information) will stay largely the same as in 2012.
In Ernst & Young's 2012 Global Information Security Survey: Fighting to close the gap, 70% of respondents indicated that they planned to spend relatively the same amount on privacy over the next year as they did in the previous year. That number may have to change to address the increased investment required to improve privacy controls.
The elements of any program include policies, controls and monitoring. For years, privacy programs had robust policies and average controls, but very little monitoring. Many organizations didn't have the tools to monitor privacy given the vast amounts of data and processes involved.
[Chart: Compared to the previous year, does your organization plan to spend more, less or relatively the same amount over the next year for the following activities? Select only those areas where you have planned expenditure. Activities shown: Offshoring/outsourcing security activities; Forensics/fraud support; Recruiting security resources; Privacy; Secure development processes; Information security transformation; Incident response capabilities; Implementing security standards; Security incident and event management; Compliance monitoring; Threat and vulnerability management technologies and processes; Security governance and management; Security operations; Security testing; Information security risk management; Security awareness and training; Identity and access management technologies and processes; Data leakage/data loss prevention technologies and processes; Business continuity/disaster recovery; Securing new technologies. Legend: Spend more, Spend the same, Spend less.]
Personal privacy versus corporate security: it's a fine balance
Less than five years ago, the focus was on protecting the perimeter. More recently, as the perimeter gave way to a borderless world, organizations shifted their focus to protecting the data. Now, with the rise of the mobile workforce, organizations may have to shift their focus again. Unable to control the data, organizations will need to determine who can be trusted with the data.
The proliferation of BYOD, whether inside the more traditional workplace or as part of the new virtual mobile workplace model, has generated both efficiencies and true concerns. Many of the more popular mobile devices do not have sufficient built-in controls to meet security expectations. As well, employees are able to upgrade their mobile device themselves without having to go through the corporate IT department. And then there is the privacy challenge. For security management purposes, organizations want to use monitoring tools to keep an eye on their data. However, in the process, the tools also end up monitoring an employee's personal information.
An ideal solution for resolving some of the privacy issues associated with dual-use devices is to consider partitioning the device. The device would have two different desktops, one for work and one for personal use, located on two separate components of the device's hard drive. Unfortunately, the size of the mobile device's hard drive and the power of its battery do not yet support this solution.
Another option available that may be more feasible is the use of a guest network that is separate from the main network. This allows employees to use their personal device to gain access to the web directly, perhaps even through a work-only email account. Organizations also may want to consider using third-party services or their own coding to create "sandboxes" where company data and company-issued applications reside, effectively separating them from any interaction with personal data, applications or online services. These options serve the dual purpose of protecting the organization's data from unauthorized access as well as protecting the employee's personal information from being monitored by the organization.
More than ever before we are seeing a transition to a fully mobile workforce. Some organizations have closed entire brick-and-mortar offices in a shift to a fully virtual workplace model. These organizations are managing the risks with administrative checks and balances. But is it enough?
Jules Polonetsky
Director and Co-chair of the Future of Privacy Forum
Washington, DC, US
Who owns the data?
As mobile devices become central to our personal lives and crucial to work productivity, discerning who owns the data that lives on our mobile devices has become incredibly challenging. Policies and practices that were reasonable when a mobile device was clearly the property of the company, with only minor personal use allowed, are less reasonable in a world where the line between work and personal is indistinguishable. Employees are expected to be available 24 hours a day; work time may include typing an email at midnight while on vacation, and personal time may include doing an online search for just the right birthday gift on an employer-issued tablet in between meetings in the office. This is an area where law and compliance practice are being challenged to adapt. We need solutions that are both convenient and effective in segregating work and personal information. Technologies that can compartmentalize devices are helpful, but organizations also need to adopt a more flexible and balanced view of what constitutes personal versus work.
To date, with only a few court cases departing from the norm, employers have been able to rely on clear policies that notify employees that their equipment may be monitored and that devices may be wiped if the employee is terminated. But it is increasingly likely that if a company takes steps to wipe personal data from a device that is owned by the employee, the courts will apply their scrutiny to protect the employee. Consider the junior assistant who checks email on the weekend at his boss's insistence, and who has minimal access to sensitive data, but who loses the video of his child's first steps when his device is wiped after he is laid off just before Christmas.
In a highly regulated environment, or an environment that deals with highly confidential data, the organization's actions may hold up under that scrutiny. However, in cases where the information access is more general, companies will need to have a more accommodating and flexible policy in place.
Looking more broadly at privacy issues in the mobile world, it is clear that the rapid pace of change is forcing new thinking about privacy. The digital evolution has created a fragmented ecosystem comprising carriers, platforms, content creators and distributors, devices, apps and analytics, all of whom have some role to play in how privacy is managed, but none of whom has sole responsibility or accountability. This fragmentation will continue to stress the boundaries of privacy. And yet, despite these concerns, the ecosystem will continue to innovate to feed a voracious consumer appetite.
Amid the chaos and innovation this digital evolution brings, privacy cannot be forgotten. Legislation and regulation will have to keep chasing the trends, ensuring that policy, compliance and legal structures for the privacy of personal information are no more than one step behind.
Regulations struggle to keep up
Regulators continue to face an uphill climb when it comes to protecting privacy. An ongoing focus on specific privacy requirements rather than sweeping regulations has some organizations responding tactically rather than strategically, while others look for the loopholes. There is no doubt that regulators have increasingly complex questions to answer. Consider, for example, the balance needed between the right to be forgotten and the right of others to remember, which hinges greatly on freedom of expression. Rapid advances in technology have directly impacted our social norms. Privacy programs need to be able to bridge these gaps, faithfully adhering to regulatory requirements while practically addressing the challenges of their organizations and stakeholders. To achieve this balance, privacy programs need to form an integral part of an organization's decision-making process rather than a simple check-the-box compliance exercise that only seeks to meet minimum regulatory requirements.
The ideal solution would be for organizations to use Privacy by Design (PbD) or Privacy by ReDesign to embed privacy into new system implementations or IT transformation initiatives. However, although PbD has been widely accepted as a concept, it has yet to gain traction with organizations in terms of implementation.
Privacy matures from compliance to accountability
The EU, long seen as setting the standard for other countries to follow when it comes to data protection, is raising the bar again. Mere months after the cookie law came into force, the EU is looking to update its Data Protection Directive to harmonize the data protection laws across the EU Member States and address evolving technology advancements. The proposed legislation will apply to anyone processing data within the EU, including any organization outside of Europe that offers goods and services to EU residents. As well, for the first time, data processors will share in both the responsibility and liability related to complying with the new laws.
Under the proposed EU regulations, organizations will be required to prove that they undertake regular data protection audits and privacy impact assessments. Organizations with more than 250 employees will also have to hire a data protection officer. These new EU requirements do not ask organizations to be accountable; they demand it. Any organization wanting to do business in the EU or with its citizens will need to review and improve, where necessary, its data protection and privacy programs to ensure compliance.
To achieve such compliance, many organizations are pursuing BCR status. As we discussed in Privacy trends 2012: the case for growing accountability, BCR comprises a set of internal guidelines, similar to a Code of Conduct, that establishes policies for transferring personal information within the organization and across international boundaries. BCR status is challenging to achieve, but early adopters, such as GE and Philips, are already yielding the benefits. Over the next several years we expect an increasing number of multinational organizations to pursue BCR status.
The Ernst & Young 2012 privacy trends report focused on the notion of accountability. Companies taking a more strategic view of privacy and regulators requiring proof of an organization's privacy program are two signs that privacy is beginning to mature from strictly a compliance exercise to a declaration of accountability.
Just as the EU seeks to improve its data protection regulations, the FTC is busy taking similar action. In 2012, the FTC issued a final report that establishes leading practices for protecting consumer privacy and giving consumers greater control over the collection of their personal information. The report also recommends that the U.S. Congress introduce legislation at a federal level that would address privacy protection, data breach notification and data brokering. To aid compliance with these leading practices, the final report recommends that businesses: adopt PbD; simplify choice for businesses and consumers about what information is shared and with whom; and provide greater transparency around the collection and use of consumer data. [5]
In addition to these recommendations, the FTC has pursued legal action against several social media and internet services companies for violating their own commitments to privacy. These consent decrees also emphasized the importance of establishing the tenets of an effective privacy program in a manner that addresses program changes, compliance with requirements and privacy risk management.
In the Asia-Pacific region, the Asia-Pacific Economic Cooperation (APEC) Electronic Commerce Steering Group has developed a voluntary, certification-based system. Known as the Cross-Border Privacy Rules (CBPR) System, it enables organizations doing business in the 21 participating APEC countries, which include the US, to establish a consistent set of data privacy practices. [6]
In a July 2012 APEC news release, Lourdes Yaptinchay, Chair of the Electronic Commerce Steering Group, was quoted as saying that "the goal of the system is to enhance electronic commerce, facilitate trade and economic growth, and strengthen consumer privacy protections across the Asia-Pacific region, thereby promoting regional economic integration." [7] Added Acting Secretary of Commerce and Deputy Secretary of Commerce Rebecca Blank: "This system will enable participating companies in the United States and other APEC member economies to more efficiently exchange data in a secure manner and will enhance consumer data privacy by establishing a consistent level of protection and accountability in the APEC region." [8]
As regulators around the world seek to bolster requirements for privacy program accountability, the differences among regulations continue to diminish. This is good news for organizations seeking to develop encompassing privacy programs that achieve accountability, governance and monitoring objectives. This comprehensive approach addresses a wide range of compliance requirements rather than focusing privacy efforts on specific, jurisdictional regulations.
[5] "FTC Issues Final Commission Report on Protecting Consumer Privacy," Federal Trade Commission, 26 March 2012, http://www.ftc.gov/opa/2012/03/privacyframework.shtm.
[6] "APEC Cross-Border Privacy Rules System goes public," Asia-Pacific Economic Cooperation, 31 July 2012, http://www.apec.org/Press/NewsReleases/2012/0731_cbpr.aspx.
[7] Ibid.
[8] Ibid.
Fabrice Naftalski
Ernst & Young Société d'Avocats