
Building a Privacy Governance Program
October 21, 2016

Privacy Insight Series


- truste.com/insightseries

TRUSTe Inc., 2016



Today's Speakers

Michelle Fleury, Senior Director, Supply Chain Operations, Cisco
Patrick Curry, Director, Privacy and Compliance, McKesson
Eleanor Treharne-Jones (Moderator), Vice President Consulting, TRUSTe


Today's Agenda

Welcome & Introductions
Understanding the Role of Data in Corporate Strategy
Building Data Protection Programs
Steps for Rapid Deployment
Q&A


Cisco's Strategy
#DigitalBusiness Depends on #Data

[Figure: The Business Model Canvas by @strategyzer. Labels on the figure: Intellectual Property, Deal Prospects, Corporate Strategy, Support Data, Product Roadmaps, Customer Sat Ratings, Key Activities, Relationships, Employee Information, Sales Records, Trade Secrets, Brand Strategy, Pricing Details, Discount Rates, Customers, Strategic Partners, Key Resources, Distribution Channels]


180+ Years in Health Care


Healthcare Trends

Innovation
Cost Containment
Chronic Diseases
Global Shift in Demographics: ongoing growth in 65+ years [1]
Consolidation
Regulatory Change
Diabetes - worldwide: 55 percent increase by 2035 [2]
Value-Based Care: 2/3 of the market by 2020 [3]
Rise of Consumerism

Patient-centered model = Health data for millions of patients

[1] 10 Projections for the Global Population in 2050, Pew Research Center, Feb. 2, 2014.
[2] 2014 IDF Diabetes Atlas, International Diabetes Foundation.
[3] The State of Value-Based Reimbursement and the Transition from Volume to Value in 2014, McKesson Health Solutions, 2014.


Strategic Considerations

Legal Obligations
Customer & Market Expectations
Competitive Differentiation
Risk Landscape

Cisco's Data Protection Program



Guiding Principles

Involve the Business in the Program
Leverage Your Operational Strengths
Manage Complexity and Ambiguity through Iteration


Cisco's Data Protection Program

Policies and Standards
Oversight and Enforcement
Identification and Classification
Privacy by Design & Int'l Privacy Policy
Data Risk and Organizational Maturity
Incident Response
Security by Design & Data Loss Prevention
Awareness and Education


McKesson US Pharmaceuticals Privacy Program

Based on Federal Sentencing Guidelines/HHS OIG guidance
GRC-based; process harnessed for privacy, IT security risk
PHI is king: Priority to regulatory & legal obligations
Helps coordinate multi-faceted approach
Provides functional backdrop and process for analysis for considerations of choice, data use, consent, collection, etc.

[Diagram labels: Program Governance & Resources; Risk Assessment; Policies & Procedures; Enforcement, Discipline & Incentives; Communications; Investigations & Response; Training; Monitoring]


McKesson case example: Programmatic PIA

Observation: risk of changes to data use without review

Follow the circle:

[Diagram labels: Program Governance & Resources; Risk Assessment; Policies & Procedures; Enforcement; Awareness; Investigation & Response; Training; Monitoring]

What structures need to be in place?
Who owns / manages the process?
What policies / procedures are needed?
Who needs to know what about the updates to the process?
How do we know the process is effective?
What do we do if people don't follow the rules?

Outcome: stable and documented process; general awareness of goals and changes; auditable framework

Steps for Rapid Deployment of a DPP

Form a multi-disciplinary team, including Privacy and Security
Inventory your data: start with high-risk categories & PII
Assess your organization's data protection maturity
Choose a program framework and set goals
Collect and connect capabilities and processes
Identify and prioritize most significant gaps
Take agile approach to address gaps: wise to iterate
Get the word out: people as important as technology


Questions?


Contacts

Michelle Fleury: mfleury@cisco.com
Patrick Curry: Patrick.Curry@McKesson.com
Eleanor Treharne-Jones: eleanor@truste.com


Thank You!
Details of our 2016 Summer/Fall Webinar Series are now available. Register now for our next webinar on November 10, "Understanding new EU Guidance on DPIA/PIA requirements".

See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.