
Privacy Program Management: A Framework for Success


March 23, 2017

© TRUSTe Inc., 2017


Privacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2017
Today's Speaker

Hilary Wandall
General Counsel
Chief Data Governance Officer
TRUSTe

Today's Agenda

Welcome & Introductions


Policy and Regulatory Origins and Developments
Choosing a Model
Framework for Core Program Elements
3Ds: Design, Document & Demonstrate
Q&A

Policy and Regulatory Origins and Developments

Policy and Regulatory Origins
OECD Privacy Guidelines 1980: Accountability Principle
PIPEDA (Canada) 2000: Accountability Principle
APEC Privacy Framework 2005: Accountability Principle
CIPL Accountability Project 2008
APEC CBPRs 2011
Canada Privacy Management Program 2012
Revised OECD Privacy Guidelines 2013: Privacy Management Programme
EU GDPR 2016
OECD Privacy Guidelines 2013
New Part III: Implementing Accountability
Establish a Privacy Management Programme
o Implements requirements of the Guidelines
o Tailored based on structure, scale, sensitivity and volume of the operations (risk factors)
o Safeguards implemented based on privacy risk assessment
o Integrated with organizational governance and oversight mechanisms
o Inquiry and incident response mechanisms
o Update based on monitoring and periodic assessment
Demonstrate the programme to regulators and others responsible for enforcement
EU GDPR Example Provisions
Article 5.2
Controllers are responsible for demonstrating compliance with the principles of:
o Lawfulness, fairness and transparency
o Purpose limitation
o Data minimization
o Accuracy
o Storage limitation
o Integrity and confidentiality
Article 24
Controllers are responsible for implementing organizational and technical measures to ensure and demonstrate that processing is compliant, such as policies and procedures, codes of conduct, or certification.
Article 39: Tasks of the DPO
Advice, monitoring compliance, awareness, training, audits
Choose a Model

Choose a Model

Consider organizational structure
o Where are you headquartered?
o Centralized versus distributed
o Is central coordination possible and effective?
o How do other organizational governance functions operate?
Consider functional alignment and coordination
o Which organizational area is best suited to support sustainable success of the program?
o Is there a strong executive champion?
o What levels of cross-functional coordination are needed (strategic vs. tactical)?
Consider legal requirements, ethical obligations and risk
o Legal drivers, culture toward ethical and CSR considerations
o Organizational risk tolerance
Aligning Organizational Governance & Oversight

[Diagram: Privacy at the center, aligned with Compliance, Ethics, Legal, CSR, Regulatory, Government Affairs, IT, Risk Mgmt., Data & Records Mgmt. and Business Analytics]

Aligning Organizational Governance & Oversight
Elements of an Effective Ethics and Compliance Program
Establish Policies, Procedures and Controls
Exercise Effective Compliance & Ethics Oversight
Exercise Due Diligence (third party risk)
Communicate and Educate Employees
Monitor and Audit for Effectiveness
Ensure Consistent Rewards and Sanctions
Incident Response and Prevention

Framework for Core Program Elements

Build Your Program: 6 Essential Elements

Build: Establish, maintain and evolve an integrated privacy and data governance program aligned with other data management and information risk functions such as security, IP, trade secret protection and e-discovery.

Integrated Governance: Identify stakeholders. Establish program leadership and governance. Define program mission, vision and goals.
Risk Assessment: Identify, assess and classify data-related strategic, operational, legal, compliance and financial risks.
Resource Allocation: Establish budgets. Define roles and responsibilities. Assign competent personnel.
Policies & Standards: Develop policies, procedures and guidelines to define and deploy effective and sustainable governance and controls for managing data-related risks.
Processes: Establish, manage, measure and continually improve processes for PIAs, vendor assessments, incident management and breach notification, complaint handling and individual rights management.
Awareness & Training: Communicate expectations. Provide general & contextual training.

Learn and Evolve Over Time
Demonstrate Your Program: 2 Core Standards

Demonstrate: Demonstrate program and practices compliance, maturity, responsibility and value to organizational leadership, regulators, customers and other stakeholders through monitoring, assurance, reporting and certification.

Monitoring & Assurance: Evaluate and audit effectiveness of controls and risk mitigation initiatives.
Reporting & Certification: Demonstrate the value and effectiveness of your program and controls to customers, employees, management, the board of directors, regulators and the public.

Learn and Evolve Over Time

3Ds: Design, Document, Demonstrate

Tools to Build and Demonstrate Your Program

Supported by the TRUSTe Data Privacy Management Platform

Privacy & Data Governance Program Assessment

Questions?

Contact:
Hilary Wandall
hilary@truste.com

Thank You!
Register now for the next webinar in our 2017 Winter/Spring Webinar Series on April 13, 2017: Swiss-US Privacy Shield Rollout: What to Expect
https://info.truste.com/swiss-us-privacy-shield-rollout-webinar.html

See http://www.truste.com/insightseries for the 2017 Privacy Insight Series and past webinar recordings.

Thank You!
Register now for the next webinar in our 2017 Winter/Spring Webinar Series on April 27, 2017: ROI of Privacy: Building a Case for Investment
https://info.truste.com/roi-of-privacy-webinar.html

See http://www.truste.com/insightseries for the 2017 Privacy Insight Series and past webinar recordings.
