This material was presented at Orang Siber Indonesia regular webinar.
Content:
> Understanding privacy management
> Global privacy news
> Understanding privacy regulations and frameworks
> Data Privacy Program Management practices
Common Practice in Data Privacy Program Management
1. 11
Eryk B. Pratama
IT Advisory & Cyber Security Consultant at Global Consulting Firm
Komunitas Data Privacy & Protection Indonesia
29 Aug 2020 | 20.00
OSI Webinar
Common Practice in Data Privacy
Program Management
7. RUU Perlindungan Data Pribadi
Regulation
Key Highlight
▪ Explicit Consent is required from the data owner for
personal data processing.
▪ Responding timelines for Data subject rights have been
separately called out in the RUU PDP.
▪ Data controller to notify the data owner and the Minister
within 3 days of data breach.
▪ Penalties for non-compliance may range from Rp 20 Billion
to Rp 70 Billion or Imprisonment ranging from 2 to 7 years
Data Owner Data Controller Data Processor Data Protection Officer
8. COVID-19 Impact on Privacy and Data Protections
Global Privacy News
Source: TrustAcrc – Global Privacy Benchmarks Survey 2020
The Pandemic had forced a global response including lockdowns in Europe, Asia and North America. Some 42% of companies expected to
have either a decrease or steep decrease in revenues as a result. When asked what percent of their company's workforce had switched to
working from home as a result of COVID–19, 62% indicated that more than half their workforce had done so. Over half of all respondents
believe the Pandemic has increased risk across a number of areas
9. Types of Privacy Assessment
Global Privacy News
Source: IAPP TrustArc - Measuring Privacy Operations 2019
There’s less of a difference between highly regulated and unregulated firms when it comes to the types of privacy assessments they
conduct, other than a slight up-tick in GDPR-related assessments among unregulated firms, which are more likely to be doing business in
the EU regardless of where they are located.
10. Data Privacy Framework
Regulations & Frameworks
NIST Privacy KPMG PrivacyISO/IEC 27701
▪ Information Lifecycle Management
▪ Governance and Operating Model
▪ Inventory/Data Mapping
▪ Regulatory Management
▪ Risk and Control
▪ Policies
▪ Processes, Procedures and
Technology
▪ Security for Privacy
▪ Third Party Oversight
▪ Training and Awareness
▪ Monitoring
▪ Incident Management
▪ Inventory and Mapping
▪ Data Processing Ecosystem Risk
Management
▪ Governance Policies, Processes, and
Procedures
▪ Awareness and Training
▪ Monitoring and Review
▪ Data Processing Management
▪ Communication
▪ Data Security
▪ Protective Technology
▪ Detection Processes
▪ Respond Processes
▪ Recovery Processes
▪ Conditions for collection and
processing
▪ Obligations to PII principals
▪ Privacy by design and privacy by
default
▪ PII sharing, transfer, and disclosure
▪ PIMS-specific requirements related
to ISO/IEC 27001
▪ PIMS-specific requirements related
to ISO/IEC 27002
▪ Additional ISO/IEC 27002 guidance
for PII controllers
▪ Additional ISO/IEC 27002 guidance
for PII processors
Data Privacy Framework
11. Privacy Program Management - IAPP
Privacy Program Management Practice
▪ Privacy Vision & Mission
▪ Privacy Program Scope
▪ Develop & Implement Framework
▪ Develop Privacy Strategy
▪ Privacy Team & Governance Model
▪ Inventories & Record
▪ Record of Processing Activities
▪ Impact Assessment
▪ Vendor/Third Party Assessment
▪ Privacy in Mergers, Acquisitions, &
Divestiture
Privacy Policy
▪ Privacy Notices & Policies
▪ Choice, Consents, and Opt-out
▪ Data Subject Request
▪ Handling Complaint
Training & Awareness
Privacy by Design &
Privacy by Default
Incident Management
Monitoring & Auditing Program Performance
Privacy Governance Data Assessment Data Subject Rights
Privacy Program Management is the structured approach of combining several disciplines into a framework that allows an organization to
meet legal compliance requirements and the expectations of business clients or customer while reducing the risk of a data breach. The
framework follows program management principles and considers privacy regulations from around the globe.
12. Privacy Management Area - Practical
Privacy Program Management Practice
Research & Program Maturity Privacy Program Management Privacy Rights & Consent
Regulatory Research
Track the Evolving Privacy Landscape
Awareness Training
Train Employees on Privacy Best Practices
Maturity & Planning
Track Program Maturity Over Time
Program Benchmarking
Compare Maturity to Similar Organizations
Data Mapping
Understand Your Data Processing
Automated Assessment
Automate PIAs, DPIAs, and Privacy by
Design
Vendor Risk Management
Centralized Assessments, Contracts, & DPAs
Incident Response
Plan for and Respond to Incidents &
Breaches
Policy & Notice Management
Centrally Manage & Host Privacy Policies
Privacy Rights (DSAR)
Manage Request from Intake to Fulfillment
Cookie Consent
Automate Valid Consent on Web Properties
Mobile App Consent
Scan & Capture Consent in Mobile Apps
Universal Consent & Preferences
Compares Maturity to Similar Organizations