building an effective data privacy program – 6 steps from truste

1 v Privacy Insight Series v

Building an Effective Privacy

Program – Six Practical Steps

September 24, 2015

2 v Privacy Insight Series

Today’s Speakers

Beth Sipula, CIPP/US

Senior Consultant, TRUSTe

Paola Zeni

Director

Global Privacy, Ethics and Compliance

Symantec Corporation


Six Practical Steps

Framework

Risk Mgmt

Privacy by Design

Incident Response

Vendor & Third Parties

Development and

Management


Poll Question #1 –

What level on the maturity scale is your organization?

Level 1

Initial

Level 2

Managed

Level 3

Defined

Level 4

Quantitatively

Managed

Level 5

Optimized

Process in Place

& Proactive

Process

Unpredictable

Process

Measured & Controlled

Process

Characterized & Understood

Continuous

Improvement

Staged Maturity Levels


Step 1 - Create the Framework

Create the Framework (based on the requirements for

your organization)

• Analysis of regulatory/contractual requirements

• Review legislative requirements/Geos

• Develop a budget and a roadmap

• Privacy Committee/Privacy Champions


Poll Question #2

What team or business unit is primarily responsible for

managing privacy risks in your organization?

• Legal/Compliance

• IT/Security

• Internal Audit

• Product/Development

• Other


Step 2 - Risk Management

Develop a Risk Management Process

• Data discovery and data inventory

• Comprehensive risk assessment process

• Risk Management Committee to rank ongoing risks

• Executive sponsor and champion


Step 3 - Privacy by Design

Build in Privacy

• PIAs

• Create tools and processes for product/development

teams

• Identify risks and analysis of impacts

• Leverage existing development processes where

possible

• Training


Incident Response

Develop an Incident Response Plan

• Process, plan and toolkit

• RACI charts

• Responsible/accountable/consulted/informed

• Privilege

• Crisis communications plan (internal/external)

• Test plan regularly and update

• Tabletop exercises

• Common scenarios


Step 5 - Vendor and Third Party Management

Develop a Comprehensive Approach

• Understand who has access to sensitive data, purpose,

access and data transfers

• Documentation

• Contractual requirements

• Partner with Procurement


Step 6 - Program Development and Ongoing Monitoring

How do you keep moving forward once you have the

basics in place?

• Monitor regulatory changes

• Establish metrics to measure your program effectiveness

• Reporting on program effectiveness

• Ongoing training and communication

• Building privacy champions

• Employee training

• Privacy sensitive culture


Key Take-Aways


Key Take-Aways

• Start with a roadmap and implement the basics

• Manage risks

• Partner with other areas of the organization

• Utilize tools and automate whenever possible

• Prioritize training and communicate privacy

• Building blocks of a privacy centric culture


Moving Forward

Framework

Risk Mgmt

Privacy by Design

Incident Response

Vendor & Third Parties

Development and

Management


Questions?


Beth Sipula [email protected]

Paola Zeni [email protected]

Contacts

mailto:[email protected]

mailto:[email protected]


Don’t miss the next webinar in the Series – “ Top 5 Things the

CISO Needs to Know about Data Privacy” on October 15th

See http://www.truste.com/insightseries for details of future

webinars and recordings.

Thank You!

http://www.truste.com/insightseries

building an effective data privacy program – 6 steps from truste

Documents