Data Protection: An Approach to Privacy
Download as PPTX, PDF1 like475 views
This document outlines key aspects of establishing an effective privacy program. It discusses defining a privacy mission and strategy, establishing a governance team, developing a framework aligned to policies and standards, and defining performance metrics. It also covers the privacy operational lifecycle, including assessing privacy using maturity models, protecting data through its lifecycle via data lifecycle management and privacy by design, sustaining privacy through compliance monitoring and audits, and responding to incidents and requests. The presenter provides this overview to help organizations effectively address privacy through all stages from assessment to response.
Data Protection: An Approach to Privacy
- 1. DATA PROTECTION Andrew Nooks An Approach To Privacy
- 2. Symptai • Symptai Consulting Limited is an independent IS Audit, Security & Business Assurance firm founded in 1998. • We are an industry leader in technology consulting services for assurance, security, business processes, and compliance with numerous success stories and excellent client retention rates.
- 3. Symptai Consulting Ltd Director eGov Jamaica Member, Board of Directors Andrew A. Nooks Certs: CISA, CISSP, CISSP-ISSAP, CIPM, CSSLP, CISM, CRISC, PCIP, ISO27001, ITSM Interests: Volleyball Swimming Aikido
- 4. Disclaimer • This presentation is based on research collated from the Internet leveraging articles from the International Association of Privacy Professionals (IAPP), an organization of which I am a member, and its contributors. • I have also leveraged my own experience being as an IS practitioner for over twenty-five (25) years of which thirteen (13) of which has been dedicated to Information Security and related controls to include privacy, as well as and the knowledge and experience from the Symptai team.
- 5. Definition of Privacy Privacy The right to be left alone, or freedom from interference or intrusion. Information privacy The right to have some control over how your personal information is collected and used. Impact How organization protect data in its various states: At rest, in-transit and in use.
- 6. Why is Privacy Important? Due to advancement in technological innovation, information privacy is becoming more complex by the minute as more data is being collected and exchanged. As the technology gets more sophisticated so do the uses of data. This leaves organizations facing an incredibly complex risk matrix for ensuring that personal information is protected.
- 7. In the News (Source https://www.scmagazine.com) Source: https://iapp.org/news
- 8. Business Risk • Health • Banking • Insurance • Telecoms Inherent High Risk • GDPR and other Data Protection Legislations • PCI DSS • HIPAA Legal & Compliance
- 9. Primary Components of a Privacy Program Privacy Program Governance Privacy Operational Life-Cycle Management
- 10. Privacy Program Governance • Vision and Mission • Develop a strategy • Team structure and composition Strategy Management
- 11. Privacy Program Governance • Vision and Mission • Develop a strategy • Team structure and composition Strategy Management • Frameworks • Policies Procedures Standards and guidelines Framework
- 12. Privacy Program Governance • Vision and Mission • Develop a strategy • Team structure and composition Strategy Management • Frameworks • Policies Procedures Standards and guidelinesFramework • Metrics and measurements (identify, Define, Select, Collect, Analyze) Performance
- 13. Business Case • Organizational Privacy Office Guidance • Define Privacy • Laws and Regulations • Technical Controls • External Privacy Organizations • Industry Frameworks • Privacy information Technology • Education and Awareness • Program Assurance
- 15. Assess • AICPA/CICA Privacy Maturity Model • GAPP • Privacy by Design Assessment Models • Data • Systems • Processes Assess Business Privacy Operational Lifecycle Assess Protect Sustain Respond
- 16. • Need for DLM • DLM Principles Data Lifecycle Management • Standards and Frameworks Information Security Practices • Proactive, Default Settings • Embedded, End2End Protection • Transparency, Respect for Users Privacy by Design • Privacy Impact Assessments • Risk Assessments Analyze and Assess Privacy Operational Lifecycle Assess Protect Sustain Respond Protect
- 17. • Compliance with Privacy Policy • Monitor regulations and legislation • Compliance and Risk • Environment Monitor • Align Privacy operations • Compliance with Policies and Standards • Access Modification Disclosure • Communication of Findings Audit • Awareness • Flexibility • Catalog and maintain documents • Train Communicate Sustain Privacy Operational Lifecycle Assess Protect Sustain Respond
- 18. • Handling, Access • Redress, Correction • Integrity Information Request • Preventing Harm • Accountability • Monitoring Legal Compliance • Roles and Responsibility • Integration in BCP • Detection Incident Planning • Pre-notification • Response Plan, Plan Execution • Reporting, Evaluation Incident Handling Respond Privacy Operational Lifecycle Assess Protect Sustain Respond
- 19. In Summary 1. Define the privacy mission statement 2. Develop a strategy 3. Define team structure 4. Develop a framework – aligned to organization 5. Develop and communicate policies, procedures, standards and guidelines 6. Define performance metrics 7. Assess the based on governance model 8. Protect – DLM, Info Sec embedding privacy in the organization 9. Conduct RA and PIA 10. Monitor, audit and communicate 11. Respond to request 12. Accountability 13. Incident management
- 20. Additional Reading • IAPP.org • APEC.org • ICO.gov.uk • Priv.gc.ca • OECD.org
- 21. Questions? Andrew Nooks Symptai Consulting Limited Email: info@symptai.com
Editor's Notes
- #2: Welcome everyone Thank you for joining us today
- #11: Privacy Framework: An implementation Roadmap that provides a structure or checklists to guide the privacy professional through privacy management and prompts them for details to determine all privacy-relevant decisions of the organization Strategy Management Vision and Mission (statements, scope, compliance, legal) - Develop a strategy (Stakeholders –CISO, CRO, GLC, CIO, HRM, CMO), Key Functions, Interfacing, Data Governance Strategy (Collection, Authorized use, access, Security Destruction), Privacy Workshop Team structure (Governance Model – Centralized, Decentrlized, Hybrid, Org Model – CPO, privacy manager, Professional Competency – CIPM, CIPP, CIPT)
- #12: Privacy Framework: An implementation Roadmap that provides a structure or checklists to guide the privacy professional through privacy management and prompts them for details to determine all privacy-relevant decisions of the organization. Managing risk Framework Assist in risk management Minimize incidents of data loss Protect reputation and market value Aids in Compliance to lawas regulation and standards Frameworks (privacy by Design, Privacy Maturity Model) APEC Privacy Framework – Enable regional data transfers C2B, B2B, B2G Guidance from UK Information Commissioner’s Office Canadian Personal Information and Electronic Documents Act PIPEDA Australian Privacy Principles Organization for Economic Co-operation amd Development Privacy Guidelines Framework questions Are risks defined identified and is there a business case Who has responsibility Are gaps in privacy management understood Is privacy management being monitored Are employees trained Are best practices for data inventory, risk assessments and privacy impact assessments Is there an incident response plan Is there a communication policy on privacy-related matters and are materials updated Policies Procedures Standards and guidelines (Business Case, Gap Analysis, Review Process and Monitoring, Communicate to stakeholders
- #13: Performance Measurable, meaningful, unambiguous, specific
- #14: Externalprovacy – Data Commissioner’s office Privacy enhancing technologied Industry frameworks such as AICPA – Generally Accepted Privacy Principles -- collection use
- #15: Assess – measure Protect – Improve Sustain – evaluate Support – respond
- #16: PMM – Levels adhoc repeatable, defined, managed, optimized PbD – Assess org objectives and goals – Dr Ann Cavoukian Support for these areas Internal Audit and Risk Management Informaiton Technology – Business Continuity/DRP InformationSecurity – Response and Breach Notification Legal and Contracts – Compliance, Mergers, Acquisitions, divestitures Processors and thirdparty vendors Human Resourcesmarketting and business development Gobernment relations and public policy Finance/business contrls
- #17: DLM Principles Alignment with enterprise objectives Minimalism Simplify processes Provide adequate infrastructure Information Security Authenticity of subjects records Retrievability Distribution Controls Auditability Consistency of policies Enforcement