Building a Privacy Management Program
Slide 2: Security vs. Privacy
• Security: protects systems & data
• Privacy: protects an individual’s ability to control use of their personal information
Slides 3 and 4: What data is privacy-related? Personal information
• Protected Health Data (PHI, ePHI)
• Personally Identifiable Information (PII)
• Financial Data, Credit Card Data
• And more!
Slide 5: Why do I need a privacy program?
• Risk management & compliance (avoid fines)?
• Reputational risk avoidance?
• Brand differentiator?
• Enhance sales of products & services?
“Our mission is to comply with privacy regulations to which we are subject, to inform stakeholders about how we manage and protect their personal information, and to provide assistance to our customers’ privacy compliance programs as required.”
Slide 6: What regulations apply? So many to choose from…
US Privacy Regulations
• California Consumer Privacy Act
• HIPAA
• Gramm-Leach-Bliley Act
• Children’s Online Privacy Protection Act
International Privacy Laws
• EU General Data Protection Regulation
• Mexican Federal Law on Protection of Personal Data
• Australian Privacy Directive
Self-Regulatory Privacy Standards
• PCI DSS
• Direct Marketing Association Privacy Promise
• VeriSign or TRUSTe
Slide 7: Who are the stakeholders and why?
• Data subjects (employees, customers, suppliers, partners): “How will you use my data?”
• Business units (HR, Marketing, Finance/Accounting, Product Development, Training, Support): “How will the program impact my department? What changes are required? What info do you need?”
• Partners, third-party processors (B2C and B2B): “What do you need me to do to comply?”
• Resellers, customers, regulators (B2C and B2B): “Prove to me that you comply.”
8
Create a data inventory
 What needs to be in the inventory?
 Purpose of the processing
(e.g., time and attendance)
 Categories of “data subjects”
(e.g., employees)
 Categories of personal information
(e.g., work personal information, pay
code, personal phone number)
 How the data is collected
 Data retention period or calculation
(e.g., 7 years after termination)
What data needs to be protected?
 Who has access to the data:
• HR: Full access
• Managers: access to staff
• Employees: their own information
• Third-parties
• SaaS processor staff!
 Where the data is stored and processed (e.g.,
SaaS provider’s US data center)
 If the data is transferred to a third country
(e.g., from Spain to the US)
 Security controls in place to protect the data
Slide 9: Perform a gap assessment
Where are you today, where do you need to be?
• Take a regulation and turn it into a checklist
• Apply the checklist against each business area
• Work on the easy wins (privacy notices)
• Work through the gaps in order of risk
Slides 10 and 11: Example Gap Assessment (image only)
Slide 12: Example: GDPR. Are we collecting personal information lawfully?
You can collect personal data only if one of these applies:
1. The data is necessary for the performance of a contract with the employee (e.g., the employment agreement), or
2. The data is required by another regulation to which you are subject (e.g., employment regulations, tax calculations, etc.), or
3. You have a legitimate reason for collecting the data (e.g., to measure job performance), or
4. The employee gives explicit, freely-given consent, or
   » Employer-employee relationship: can consent be freely given?
   » Employees can withdraw consent
5. Additional options…
Slide 13: GDPR: watch out for “Special Categories” of personal information
You CAN’T collect this information:*
• Race or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Biometric data
• Health data
• Sex life or sexual orientation
• Criminal convictions & offenses
*Unless:
• The employee has given explicit consent
• It’s necessary to carry out obligations to the employee
• It’s necessary to assess the working capacity of an employee
• …a few other exceptions
Illinois Biometric Privacy Act:
• You can’t collect biometric information without consent and proper & full notice
• Must securely store
• Must destroy in a timely manner
Slide 14: Manage risk
• DPIA (Data Protection Impact Assessments)
  » What’s the risk to the data subject?
  » How do I comply with the regulation?
  » Example template under “Resources”
• Risk treatment plans
  » How do I address the risk?
• Privacy by design, privacy by default
  » Think about privacy during the initiation of new projects/processes
  » Designs should protect data/rights from the very beginning
Slide 15: Privacy Notices
Slide 16: Privacy policy vs. privacy notices
Privacy Policy: “An internal statement that governs an organization or entity’s handling practices of personal information. It is directed at the users of the personal information. A privacy policy instructs employees on the collection and the use of the data, as well as any specific rights the data subjects may have.”
Privacy Notice: “A statement made to a data subject that describes how the organization collects, uses, retains and discloses personal information. A privacy notice is sometimes referred to as a privacy statement, a fair processing statement or sometimes a privacy policy.”
Source: IAPP glossary
Slide 17: Write privacy notices
The Privacy Notice must be:
• Concise, transparent, intelligible and easily accessible
• Written in clear and plain language
• Free of charge
• Provided at the time data is collected!
Use-specific Privacy Notices:
• Recruiting notice
• Employee notice
• Customer notice
• Partner notice
• Product notice
Slide 18: What needs to be in a privacy notice? (GDPR example)
1. Contact details of the data owner.
2. Contact details of the Data Protection Officer.
3. Reason for collecting the data.
4. Legal basis of processing.
5. Who will have access to the personal information.
6. If personal information will be transferred out of the EU.
7. Legal basis for transferring the data out of the EU:
   » Adequacy decision
   » Privacy Shield
   » Binding Corporate Rules
   » Standard Data Protection Clauses
8. Where to obtain a copy of the legal basis for transferring data.
9. Retention period for the data.
10. Personal rights of the employee (see next slide).
11. If automated processing or profiling is used.
12. If data is contractually required, and the impact of not providing that data.
Slide 19: What needs to be in a privacy notice?
Personal rights of an individual:
• Right of access
• Right to rectification
• Right of erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Right to human intervention around automated processing activities
Example: https://www.workforcesoftware.com/privacy-policy/
Slide 20: Privacy Processes
Slide 21: Embed data privacy into business operations
Create processes around the personal rights of individuals:
• Right of access
• Right to rectification
• Right of erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Right to human intervention around automated processing activities
Slide 22: Example: the process to erase data upon request
The process needs to include:
1. How to determine if the person making the request is actually authorized to make the request
2. How to decide if the request must be fulfilled or can be denied
3. How to find all the locations of the data
4. How to actually delete the data
5. How to track the request and its final disposition
6. How to communicate with the data subject
7. How fast to respond and fulfill the request
Slide 23: Example: the process to erase data upon request (continued)
Same seven steps as slide 22, with the callout: Data inventory! Can you actually delete data for an individual?
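The data inventory from slide 8 and the seven-step erasure process from slides 22 and 23, worked through as an added Python example that is not part of the deck: each inventory row carries the slide's fields (purpose, data-subject category, personal-information categories, system, location, retention), and the request handler uses the inventory to find every copy, decides per copy whether it must be retained, deletes the rest including backups, and writes the log record that later proves what was done. The system names, retention periods, the legal hold and the 30-day deadline_days default are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

@dataclass
class InventoryEntry:
    """One inventory row; the fields follow the 'Create a data inventory' slide."""
    purpose: str               # why it is processed, e.g. "time and attendance"
    data_subjects: str         # category of data subject, e.g. "employees"
    categories: tuple          # categories of personal information held
    system: str                # where the data is stored and processed
    location: str              # country / data centre (exposes third-country transfers)
    retention_years: int       # how long to keep it after the relationship ends
    legal_hold: bool = False   # another regulation requires keeping it
    has_backups: bool = False  # a deletion must also reach the backup copy

@dataclass
class ErasureRequest:
    subject_id: str
    subject_category: str      # must match InventoryEntry.data_subjects
    received: date
    identity_verified: bool    # step 1: is the requester really this data subject?
    relationship_ended: Optional[date] = None  # None = still an active employee/customer

@dataclass
class RequestRecord:
    """Step 5: the log entry that later proves what was done, when, and why."""
    subject_id: str
    received: date
    due: date                  # step 7: response deadline
    disposition: str = "open"  # denied / fulfilled / partially fulfilled
    actions: list = field(default_factory=list)  # (system, action, reason) per copy
    message: str = ""          # step 6: what the data subject is told

# Constructed sample inventory (system names, retention periods and legal hold are assumptions).
INVENTORY = [
    InventoryEntry("time and attendance", "employees", ("work email", "pay code"),
                   "hr-saas", "US data center", retention_years=0, has_backups=True),
    InventoryEntry("payroll", "employees", ("bank account", "salary"),
                   "payroll-db", "EU", retention_years=7, legal_hold=True),
    InventoryEntry("emergency contact", "employees", ("personal phone number",),
                   "hr-spreadsheet", "EU", retention_years=0),
    InventoryEntry("marketing", "customers", ("email",), "crm", "US", retention_years=0),
]
TODAY = date(2024, 6, 1)

def sample_stores():
    """Fresh copy of the constructed data stores: system name -> {subject_id: data}."""
    return {
        "hr-saas": {"e-100": "pay code 42", "e-200": "pay code 17"},
        "hr-saas-backup": {"e-100": "pay code 42", "e-200": "pay code 17"},
        "payroll-db": {"e-100": "bank ****1234"},
        "hr-spreadsheet": {"e-100": "+1 555 0100"},
        "crm": {"c-7": "alice@example.com"},
    }

def make_request(subject_id, category, received, verified=True, ended=None):
    """Build a request from ISO date strings."""
    return ErasureRequest(subject_id, category, date.fromisoformat(received), verified,
                          date.fromisoformat(ended) if ended else None)

def decide(entry, req, today):
    """Step 2: may this copy be deleted, or must it be retained (and on what ground)?"""
    if entry.legal_hold:
        return "retain", "required by another regulation"
    if req.relationship_ended is None:
        return "retain", f"still necessary for {entry.purpose}"
    keep_until = req.relationship_ended + timedelta(days=365 * entry.retention_years)
    if today < keep_until:
        return "retain", f"within retention period until {keep_until}"
    return "delete", "no remaining basis to keep the data"

def process_erasure(req, inventory, stores, today, deadline_days=30):
    """Walk one request through the slide's seven steps; deadline_days is an assumed default."""
    rec = RequestRecord(req.subject_id, req.received, req.received + timedelta(days=deadline_days))
    if not req.identity_verified:  # step 1: never erase (or disclose) on an unverified request
        rec.disposition, rec.message = "denied", "identity not verified"
        return rec
    copies = [e for e in inventory if e.data_subjects == req.subject_category]  # step 3
    deleted, retained = [], []
    for entry in copies:
        action, reason = decide(entry, req, today)
        if action == "delete":  # step 4: the live copy and, where flagged, its backup
            targets = [entry.system] + ([entry.system + "-backup"] if entry.has_backups else [])
            for system in targets:
                stores.get(system, {}).pop(req.subject_id, None)
                rec.actions.append((system, "deleted", reason))
            deleted.append(entry.purpose)
        else:
            rec.actions.append((entry.system, "retained", reason))
            retained.append(f"{entry.purpose} ({reason})")
    rec.disposition = ("fulfilled" if not retained else "partially fulfilled") if deleted else "denied"
    rec.message = f"Erased: {', '.join(deleted) or 'nothing'}. Retained: {'; '.join(retained) or 'nothing'}."
    return rec

def remaining_copies(subject_id, stores):
    """Check after step 4: which systems still hold anything for this subject?"""
    return sorted(name for name, data in stores.items() if subject_id in data)
```

The record's `actions` list is the evidence slide 24 asks for: one line per copy, with the reason a copy was kept, and `remaining_copies` is the check that the inventory really covered every system.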
Slide 24: Showing proof of compliance
• Documented processes
• Must prove compliance, so keep a log!
Document your processes; log your actions.
Slide 25: Controllers vs. Processors
Slides 26 and 27: Controller – Processor Relationship
• Controller (you): determines how data is processed
• Processor (SaaS provider): processes data on behalf of the Data Controller, following the instructions of the Data Controller
• Sub-Processor (vendors used by the SaaS provider): processes data on behalf of the Data Controller, following the instructions of the Data Controller / Processor
Slide 28: Processors and Sub-processors
• You’re responsible for your data, no matter who has it!
• Third-party management
  » What third parties process personal data? (store, transfer, process, view, edit, organize…)
  » Data processing agreements in place?
  » Legal means of transferring data?
  » Risk assessments
  » Process to inform / ask permission to use new third parties?
Slide 29: Controller & processor responsibilities: protect your data; ensure confidentiality; provide evidence of compliance
• Appropriate security controls
• Data protection impact assessments
• Vulnerability management
• Internal audit
• Confidentiality agreements in place (employees & processors)
• Annual required security and privacy training
• Penetration tests
• Internal IT & external audits (ISO 27001, SOC 2, etc.)
• Evidence the privacy processes work
Slide 30: Controller & processor responsibilities: limited use of data; permission to use sub-processors; data protections flow down to processors
• Only collect necessary data
• Delete it when it’s not needed
• Only use data as defined in Privacy Notices
• Processor can only use data per your instructions
• Permission required by processor to use a partner
• Can request information about existing use of partners
• Processors & sub-processors must have data protections in place
Slide 31: Controller & processor responsibilities
Ensure lawful transfers of data out of country
• Applies to you, processors & sub-processors
• Adequacy, Standard Contractual Clauses, Privacy Shield, Binding Corporate Rules
Data deletion
• Data retention policies
• Ability to actually delete data!
• Contracts: return data in an industry-standard format
• Delete all data from all systems, including backups
Breach Notification
• All 50 states have breach notification laws
• GDPR requires notifying the Supervisory Authority within 24 hours of a breach
Slide 32: Governance
Slide 33: Selling privacy and your privacy program
• Executive team
  » Need for program
  » Consequences of not having a program
  » Advantages of having a program
• Department heads
  » What is the impact on a specific department?
  » How does it affect the department head?
Slide 34: Leadership
CEO signs “Privacy Policy”
• Communicates objectives of privacy program
• Need for continuous improvement
• Commitment to privacy compliance
• Sets roles and responsibilities
Slides 35 to 37: Data Privacy Officer = Unicorn
SKILLSETS
1. Legal knowledge
2. Technical background
3. Operational experience
4. Communication skills
5. Credibility
LIKELY SUSPECTS…
1. In-house attorney: can understand the law; not tech-savvy, lacks operations background
2. Someone from IT or Security: tech-savvy, ops experience; doesn’t know the law
3. Internal audit / Compliance: knows the law; conflict of interest in defining rules & checking compliance
4. Human resources or marketing: could see business opportunity; lacks overall corporate scope
Slide 38: Centralized vs. decentralized vs. hybrid?
Centralized
• Based in one country
• Subject to a limited set of privacy regulations
• Other processes are centralized
Decentralized
• Many countries
• Subject to different privacy regulations
• Other processes are decentralized
Hybrid
• Many countries
• Subject to same & unique privacy regulations
• Many local variations
Slide 39: Privacy operations
• Create policies, standards, procedures
• Log (to prove compliance)
  » Opt-in / Opt-out
  » Time to respond to privacy requests
  » Breach notification
• Get training for privacy professionals
• Create privacy awareness & role-based training
• Communicate! Especially successes!
Slide 40: Resources
• DLA Piper Data Protection Laws of the World: compare data protection laws around the world.
  https://www.dlapiperdataprotection.com/index.html
• EU General Data Protection Regulation table of contents: table of contents, cross-references, emphases.
  http://www.privacy-regulation.eu/en/index.htm
• BS 10012:2017: Data Protection – Specification for a personal information management system.
  https://www.bsigroup.com/en-GB/BS-10012-Personal-information-management/
• NIST Privacy Framework (under development).
  https://www.nist.gov/privacy-framework
Slide 41: Resources, 2nd page
• State breach notification laws: summarizes state laws regarding breach notification.
  https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart.html
• Data Privacy Impact Assessment template: mainly GDPR, but could be adapted.
  https://www.mikemuha.com/2017/09/how-to-perform-data-protection-impact.html
• International Association of Privacy Professionals: wealth of privacy-related webinars, news, software, training, certifications, best practices.
  https://iapp.org/
Slide 42: Key takeaways
1. Get buy-in from management
2. Document where personal data resides and is transferred
3. Know how it’s protected, both legally and from a security perspective
4. Mind the gap
5. Ensure you have (documented) privacy processes
6. Make sure you have compliant privacy notices
7. Delete personal data if there’s no reason to keep it around
8. Keep records that show your compliance
Slide 43: Thanks!
Michael J. Muha, Ph.D., CISSP, CRISC, CISM, CIPP/E, CIPM, Certified GDPR Practitioner
mmuha@WorkForceSoftware.com
workforcesoftware.com

Contenu connexe

Dernier

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Dernier (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 

En vedette

Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
Kurio // The Social Media Age(ncy)
 
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellGood Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Saba Software
 
Introduction to C Programming Language
Introduction to C Programming LanguageIntroduction to C Programming Language
Introduction to C Programming Language
Simplilearn
 

En vedette (20)

How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search Intent
 
How to have difficult conversations
How to have difficult conversations How to have difficult conversations
How to have difficult conversations
 
Introduction to Data Science
Introduction to Data ScienceIntroduction to Data Science
Introduction to Data Science
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best Practices
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project management
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work
 
ChatGPT webinar slides
ChatGPT webinar slidesChatGPT webinar slides
ChatGPT webinar slides
 
More than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike RoutesMore than Just Lines on a Map: Best Practices for U.S Bike Routes
More than Just Lines on a Map: Best Practices for U.S Bike Routes
 
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
Ride the Storm: Navigating Through Unstable Periods / Katerina Rudko (Belka G...
 
Barbie - Brand Strategy Presentation
Barbie - Brand Strategy PresentationBarbie - Brand Strategy Presentation
Barbie - Brand Strategy Presentation
 
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them wellGood Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
Good Stuff Happens in 1:1 Meetings: Why you need them and how to do them well
 
Introduction to C Programming Language
Introduction to C Programming LanguageIntroduction to C Programming Language
Introduction to C Programming Language
 

Building a privacy management program

  • 2. 2 Security vs. Privacy Security Privacy Protects individual’s ability to control use of their personal information Protects systems & data
  • 3. 3 What data is privacy-related? Protected Health Data (PHI, ePHI) Personally Identifiable Information (PII) Financial Data, Credit Card Data
  • 4. 4 PERSONAL INFORMATION What data is privacy-related? Protected Health Data (PHI, ePHI) Personally Identifiable Information (PII) Financial Data, Credit Card Data And more!
  • 5. 5 • Risk management & compliance (avoid fines)? • Reputational risk avoidance? • Brand differentiator? • Enhance sales of products & services? Why do I need a privacy program? “Our mission is comply with privacy regulations to which we are subject, to inform stakeholders about how we manage and protect their personal information, and to provide assistance to our customers’ privacy compliance programs as required.”
  • 6. 6 What regulations apply? So many to choose from… US Privacy Regulations • California Consumer Privacy Act • HIPAA • Gramm-Leach Bliley Act • Children’s Online Privacy Protection Act International Privacy Laws • EU General Data Protection Regulation • Mexican Federal Law on Protection of Personal Data • Australian Privacy Directive Self-Regulatory Privacy Standards • PCI DSS • Direct Marketing Association Privacy Promise • VeriSign or TRUSTe
  • 7. 7 Who are the stakeholders and why? •Data subjects (employees, customers, suppliers, partners) How you will use my data? •Business units (HR, Marketing, Finance/Accounting, Product Development, Training, Support) How will the program impact my department? What changes are required? What info do you need? •Partners, Third-party processors (B2C and B2B) What do you need me to do to comply? •Resellers, Customers, Regulators (B2C and B2B) Prove to me that you comply.
  • 8. 8 Create a data inventory  What needs to be in the inventory?  Purpose of the processing (e.g., time and attendance)  Categories of “data subjects” (e.g., employees)  Categories of personal information (e.g., work personal information, pay code, personal phone number)  How the data is collected  Data retention period or calculation (e.g., 7 years after termination) What data needs to be protected?  Who has access to the data: • HR: Full access • Managers: access to staff • Employees: their own information • Third-parties • SaaS processor staff!  Where the data is stored and processed (e.g., SaaS provider’s US data center)  If the data is transferred to a third country (e.g., from Spain to the US)  Security controls in place to protect the data
  • 9. 9 Where are you today, where do you need to be? • Take a regulation and turn it into a checklist • Apply the checklist against each business area • Work on the easy wins (privacy notices) • Work through the gaps in order of risk Perform a gap assessment
  • 12. 12 Example: GDPR You can collect personal data only if one of these applies: 1. The data is necessary for the performance of a contract with the employee (i.e., employment agreement) or 2. The data is required by another regulation to which the you are subject (i.e., employment regulations, tax calculations, etc.) or 3. You have a legitimate reason for collecting the data (i.e., to measure job performance) or 4. The employee gives explicit, freely-given consent » Employer-employee relationship: can consent be freely given? » Employees can withdraw consent or 5. additional options… Are we collecting personal information lawfully?
  • 13. 13 GDPR You CAN’T collect this information:*  Race or ethnic origin  Political opinions  Religious or philosophical beliefs  Trade union membership  Genetic data  Biometric data  Health data  Sex life or sexual orientation  Criminal convictions & offenses Watch out for “Special Categories” of personal information *Unless:  The employee have given explicit consent  It’s necessary to carry out obligations to the employee  It’s necessary to assess the working capacity of an employee  …a few other exceptions Illinois Biometric Privacy Act: • You can’t collect biometric information without consent and proper & full notice • Must securely store • Must destroy in a timely manner
  • 14. 14 • DPIA (Data Protection Impact Assessments)  What’s the risk to the data subject?  How do I comply with the regulation?  Example template under “Resources” • Risk treatment plans  How do I address the risk? • Privacy by design, privacy by default  Think about privacy during the initiation of new projects/processes  Designs should protect data/rights from the very beginning Manage risk
  • 16. 16 “An internal statement that governs an organization or entity’s handling practices of personal information. It is directed at the users of the personal information. A privacy policy instructs employees on the collection and the use of the data, as well as any specific rights the data subjects may have.” Privacy policy vs. privacy notices Privacy Policy Privacy Notice “A statement made to a data subject that describes how the organization collects, uses, retains and discloses personal information. A privacy notice is sometimes referred to as a privacy statement, a fair processing statement or sometimes a privacy policy.” Source: IAPP glossary
  • 17. 17 Write privacy notices The Privacy Notice must be: • Concise, transparent, intelligible and easily accessible • Written in clear and plain language • Free of charge • Must be provide at the time data is collected! Use-specific Privacy Notices: • Recruiting notice • Employee notice • Customer notice • Partner notice • Product notice
  • 18. 18 1. Contact details of the data owner. 2. Contact details of Data Protection Officer 3. Reason for collection the data. 4. Legal basis of processing. 5. Who will have access to the personal information. 6. If personal information will be transferred out of the EU. 7. Legal basis for transferring the data out of the EU » Adequacy decision » Privacy Shield » Binding Corporate Rules » Standard Data Protection Clauses What needs to be in a privacy notice? (GDPR example) 7. Where to obtain a copy of the legal basis for transferring data. 8. Retention period for the data. 9. Personal rights of the employee (see next slide) 10. If automated processing or profiling is used. 11. If data is contractually required and the impact of not providing that data.
19. What needs to be in a privacy notice?
Personal rights of an individual:
• Right of access
• Right to rectification
• Right of erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Right to human intervention around automated processing activities
Example: https://www.workforcesoftware.com/privacy-policy/
21. Embed data privacy into business operations: Privacy Processes
Create processes around the personal rights of individuals:
• Right of access
• Right to rectification
• Right of erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Right to human intervention around automated processing activities
22–23. Example: The process to erase data upon request
Process needs to include:
1. How to determine if the person making the request is actually authorized to make the request
2. How to decide if the request must be fulfilled or can be denied
3. How to find all the locations of the data
4. How to actually delete the data
5. How to track the request and its final disposition
6. How to communicate with the data subject
7. How fast to respond and fulfill the request
Data inventory! Can you actually delete data for an individual?
24. Document your processes; log your actions
Showing proof of compliance:
 Documented processes
 Must prove compliance, so keep a log!
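The seven-step erasure process above, worked through as an added example that is not part of the slides: identity check, partial denial for data under a legal hold, locating every copy through the data inventory (backups included), deletion, and an audit log with the response deadline. The inventory, the legal-hold rule, the 30-day deadline and the store layout are all constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed data inventory (assumption): which systems hold which categories.
INVENTORY = {
    "hr_system": {"name", "email", "payroll"},
    "timesheets": {"name", "hours"},
    "backups": {"name", "email", "payroll", "hours"},
}
LEGAL_HOLD = {"payroll"}  # assumed: payroll has a legal retention period, so it stays
RESPONSE_DEADLINE = timedelta(days=30)  # assumed response SLA for privacy requests

@dataclass
class ErasureRequest:
    subject_id: str
    identity_verified: bool  # step 1: outcome of the authorization check
    received: datetime = field(default_factory=datetime.now)
    log: list = field(default_factory=list)  # step 5: audit trail proving what was done

    def note(self, step, msg):
        self.log.append((step, msg))

def handle_erasure(req, store):
    """store maps system -> {subject_id: {category: value}} (constructed shape).
    Returns the final disposition: 'refused', 'erased' or 'partial'."""
    if not req.identity_verified:  # step 1: never act on an unverified request
        req.note(1, "identity not verified; request refused")
        return "refused"
    # step 3: locate every copy via the inventory instead of searching ad hoc
    locations = [s for s in INVENTORY if req.subject_id in store.get(s, {})]
    req.note(3, f"data found in {locations}")
    retained = set()
    for system in locations:  # step 4: actually delete, system by system
        record = store[system][req.subject_id]
        erased = []
        for category in list(record):
            if category in LEGAL_HOLD:  # step 2: this part of the request is denied
                retained.add(category)
                continue
            del record[category]
            erased.append(category)
        if not record:
            del store[system][req.subject_id]
        req.note(4, f"{system}: erased {erased}")
    disposition = "partial" if retained else "erased"
    due = req.received + RESPONSE_DEADLINE  # step 7: deadline to respond and fulfil
    req.note(5, f"disposition={disposition} retained={sorted(retained)} due={due:%Y-%m-%d}")
    req.note(6, f"reply to data subject: request {disposition}")  # step 6
    return disposition
```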
26–27. Controller – Processor Relationship
• Controller (You): Determines how data is processed
• Processor (SaaS Provider): Processes data on behalf of the Data Controller, following instructions of the Data Controller
• Sub-Processor (Vendors used by SaaS Provider): Processes data on behalf of the Data Controller, following instructions of the Data Controller / Processor
28. Processors and Sub-processors
• You're responsible for your data, no matter who has it!
• Third-party management
   What third parties process personal data?
     » Store, transfer, process, view, edit, organize…
   Data processing agreements in place?
   Legal means of transferring data?
   Risk assessments
   Process to inform/ask permission to use new third parties?
29. Controller & processor responsibilities
Protect your data
• Appropriate security controls
• Data protection impact assessments
• Vulnerability management
• Internal audit
Ensure confidentiality
• Confidentiality agreements in place (employees & processors)
• Annual required security and privacy training
Provide evidence of compliance
• Penetration tests
• Internal IT & external audits (ISO 27001, SOC 2, etc.)
• Evidence the privacy processes work
30. Controller & processor responsibilities
Limited use of data
• Only collect necessary data
• Delete it when it's not needed
• Only use data as defined in Privacy Notices
• Processor can only use data per your instructions
Permission to use sub-processors
• Permission required by processor to use a partner
• Can request information about existing use of partners
Data protections flow down to Processors
• Processors & sub-processors must have data protections in place
31. Controller & processor responsibilities
Ensure lawful transfers of data out of country
• Applies to you, processors & sub-processors
• Adequacy, Standard Contractual Clauses, Privacy Shield, Binding Corporate Rules
Data deletion
• Data retention policies
• Ability to actually delete data!
• Contracts: Return data in an industry-standard format
• Delete all data from all systems, including backups
Breach Notification
• All 50 states have breach notification laws
• GDPR requires notifying Supervisory Authority within 24 hours of a breach
33. Selling privacy and your privacy program
• Executive team
   Need for program
   Consequences of not having a program
   Advantages of having a program
• Department heads
   What is the impact on a specific department?
   How does it affect the department head?
34. Leadership
CEO signs "Privacy Policy":
• Communicates objectives of privacy program
• Need for continuous improvement
• Commitment to privacy compliance
• Sets roles and responsibilities
35–37. Data Privacy Officer = Unicorn
SKILLSETS
1. Legal knowledge
2. Technical background
3. Operational experience
4. Communication skills
5. Credibility
LIKELY SUSPECTS…
1. In-house attorney: Can understand the law; not tech-savvy, lacks operations background
2. Someone from IT or Security: Tech savvy, ops experience; doesn't know the law
3. Internal audit / Compliance: Know the law; conflict of interest in defining rules & checking compliance
4. Human resources or marketing: Could see business opportunity; lacks overall corporate scope
38. Centralized vs decentralized vs hybrid?
Centralized
• Based in one country
• Subject to limited set of privacy regulations
• Other processes are centralized
Decentralized
• Many countries
• Subject to different privacy regulations
• Other processes are decentralized
Hybrid
• Many countries
• Subject to same & unique privacy regulations
• Many local variations
39. Privacy operations
• Create policies, standards, procedures
• Log (to prove compliance)
   Opt-in / Opt-out
   Time to respond to privacy requests
   Breach notification
• Get training for privacy professionals
• Create privacy awareness & role-based training
• Communicate! Especially successes!
40. Resources
• DLA Piper Data Protection Laws of the World: Compare data protection laws around the world. https://www.dlapiperdataprotection.com/index.html
• EU General Data Protection Regulation table of contents: Table of contents, cross-references, emphases. http://www.privacy-regulation.eu/en/index.htm
• BS 10012:2017 Data Protection – Specification for a personal information management system. https://www.bsigroup.com/en-GB/BS-10012-Personal-information-management/
• NIST Privacy Framework (under development). https://www.nist.gov/privacy-framework
41. Resources, 2nd page
• State Breach Notification Laws: Summarizes state laws regarding breach notification. https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart.html
• Data Privacy Impact Assessment template: Mainly GDPR, but could be adapted. https://www.mikemuha.com/2017/09/how-to-perform-data-protection-impact.html
• International Association of Privacy Professionals: Wealth of privacy-related webinars, news, software, training, certifications, best practices. https://iapp.org/
42. Key takeaways
1. Get buy-in from management
2. Document where personal data resides and is transferred
3. Know how it's protected, both legally and from a security perspective
4. Mind the gap
5. Ensure you have (documented) privacy processes
6. Make sure you have compliant privacy notices
7. Delete personal data if there's no reason to keep it around
8. Keep records that show your compliance
43. Thanks!
Michael J. Muha, Ph.D., CISSP, CRISC, CISM, CIPP/E, CIPM, Certified GDPR Practitioner
mmuha@WorkForceSoftware.com
workforcesoftware.com

Editor's notes

1. Provide transparent notice to employee: We can provide required details. Biometrics! Trade unions!
Right of access: Controller process for providing access. PI may require intervention by an HR person.
Right to rectification: Can be done by employee & manager (timesheet); PI driven from HR system of record.
Right of erasure: Retention period per SaaS Agreement. Currently a manual process that must be done by WFS; in process of automating.
Individual right to be forgotten: Manual process that must be done by WFS; in process of automating. Payroll and legal retention period issues.
Right to restrict processing (i.e., only store the data) if: inaccurate PI, unlawful processing, PI not needed for processing but required for legal claims (e.g., data subject doesn't want the data erased), subject rights potentially override legitimate interests of controller. Old timesheets are locked – can't be processed.
Right to data portability: Currently a manual process that must be done by WFS.
Right to object if: public-interest task or legitimate interests of controller/processor, direct marketing, scientific or historical uses. Old timesheets are locked.
Right to human intervention around automated processing activities: HR should develop a process to provide personal data from the system.