Building an Effective Data Privacy Program – 6 Steps from TRUSTe
DESCRIPTION
Six practical steps to build an effective data privacy program, from conducting an initial privacy risk assessment to implementing controls and ongoing maintenance. Watch the complete webinar from leading privacy experts on 6 practical steps to build a data privacy program: https://info.truste.com/lp/truste/On-Demand-Webinar-Reg-Page2.html?asset=KB5XQRQG-567
TRANSCRIPT
1 v Privacy Insight Series v
Building an Effective Privacy Program – Six Practical Steps
September 24, 2015
Today’s Speakers
Beth Sipula, CIPP/US
Senior Consultant, TRUSTe
Paola Zeni
Director
Global Privacy, Ethics and Compliance
Symantec Corporation
Six Practical Steps
1. Framework
2. Risk Mgmt
3. Privacy by Design
4. Incident Response
5. Vendor & Third Parties
6. Development and Management
Poll Question #1 – What level on the maturity scale is your organization?
Staged Maturity Levels:
• Level 1 - Initial: Process Unpredictable
• Level 2 - Managed: Process Characterized & Understood
• Level 3 - Defined: Process in Place & Proactive
• Level 4 - Quantitatively Managed: Process Measured & Controlled
• Level 5 - Optimized: Continuous Improvement
Step 1 - Create the Framework
Create the Framework (based on the requirements for your organization)
• Analysis of regulatory/contractual requirements
• Review legislative requirements/Geos
• Develop a budget and a roadmap
• Privacy Committee/Privacy Champions
Poll Question #2
What team or business unit is primarily responsible for managing privacy risks in your organization?
• Legal/Compliance
• IT/Security
• Internal Audit
• Product/Development
• Other
Step 2 - Risk Management
Develop a Risk Management Process
• Data discovery and data inventory
• Comprehensive risk assessment process
• Risk Management Committee to rank ongoing risks
• Executive sponsor and champion
Step 3 - Privacy by Design
Build in Privacy
• PIAs (Privacy Impact Assessments)
• Create tools and processes for product/development teams
• Identify risks and analysis of impacts
• Leverage existing development processes where possible
• Training
Step 4 - Incident Response
Develop an Incident Response Plan
• Process, plan and toolkit
• RACI charts
  • Responsible/accountable/consulted/informed
• Privilege
• Crisis communications plan (internal/external)
• Test plan regularly and update
  • Tabletop exercises
  • Common scenarios
Step 5 - Vendor and Third Party Management
Develop a Comprehensive Approach
• Understand who has access to sensitive data, the purpose of that access, and any data transfers
• Documentation
• Contractual requirements
• Partner with Procurement
Step 6 - Program Development and Ongoing Monitoring
How do you keep moving forward once you have the basics in place?
• Monitor regulatory changes
• Establish metrics to measure your program effectiveness
• Reporting on program effectiveness
• Ongoing training and communication
  • Building privacy champions
  • Employee training
  • Privacy-sensitive culture
Key Take-Aways
• Start with a roadmap and implement the basics
• Manage risks
• Partner with other areas of the organization
• Utilize tools and automate whenever possible
• Prioritize training and communication about privacy
• Build the blocks of a privacy-centric culture
Moving Forward
1. Framework
2. Risk Mgmt
3. Privacy by Design
4. Incident Response
5. Vendor & Third Parties
6. Development and Management
Don’t miss the next webinar in the Series – “Top 5 Things the CISO Needs to Know about Data Privacy” on October 15th.
See http://www.truste.com/insightseries for details of future webinars and recordings.
Thank You!