Abstract image of a woman sitting on books and studying on a laptop

Privacy Operations (PrivacyOps) Framework - Feroot Privacy

I
Ivan Tsarynny

The document outlines the PrivacyOps framework, which aims to integrate privacy practices across various organizational functions, thereby ensuring compliance with regulations like GDPR, HIPAA, and others while driving business growth. It emphasizes the importance of stakeholder alignment, data management, and operational transparency to transform privacy from a risk management function into a growth-oriented strategy. The framework identifies essential steps for embedding privacy into daily operations and highlights the benefits of adopting a holistic approach to privacy management.

Software
1 of 35
Downloaded 12 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
PrivacyOps Framework The world has changed. In the Data Driven age – Privacy needs to work throughout the full data lifecycle in Marketing, Sales, Customer Service, HR, Finance and other organizational boundaries to drive growth. We call this Privacy Operations. Written by Ivan Tsarynny • CEO & Founder of Feroot Privacy Published October 2018 • www.Feroot.com/PrivacyOps
Table of Contents Executive Summary................................................................. Page 4 What is PrivacyOps?................................................................ Page 6 • About The PrivacyOps Framework • Privacy Today • What’s Next? • The holistic Approach and Three Key Benefits Steps to embedding privacy into day-to-day operations........ Page 12 • Stakeholder Alignment • Data Inventorization • Privacy Impact Assessment • Data Subject Rights Framework: • Vendor Management • Ownership of the Tech-Stack • Who Owns and Leads PrivacyOps? • Product and Service Changes • Liabilities Under the GDPR Regime Getting Started With PrivacyOps……………………………………..…. Page 29 • Symptoms and Signs That You Need PrivacyOps • PrivacyOps Business Drivers • Customer Loyalty Conclusion…………………………………………………………………………... Page 36 PrivacyOps Framework
Executive Summary Privacy and Access: operations are an increasingly important functional area in organizations and businesses that process personal data governed by privacy laws, such as GDPR, HIPAA, PIPEDA, and DPA. PrivacyOps is a new organizational model that automates and unifies privacy and access operations across functional areas, such as marketing, sales, service, finance, and HR. PrivacyOps utilizes the Privacy by Design framework in order to align an organization’s resources and processes, and to deliver privacy compliance while freeing up resources to focus on their key business objectives and increasing customer trust. When applied effectively, PrivacyOps can lead to dramatically improved critical business metrics, including conversion rates, referrals, customer retention, and revenues. PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
Disclaimer Note: this framework is not intended to construe legal advice or offer comprehensive guidance. The information presented in this framework is for information purposes only and should not construed as a legal, or other advice for any particular issue, topic, or subject, including compliance with relevant regulations or laws. You must consult a professional and licensed advisor with expert knowledge with your particular situation for any such advice PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
PrivacyOps Framework Privacy Operations, or PrivacyOps, is a new functional group and an emerging department that manages the full range of privacy operations across marketing, sales, analytics, services, HR and back-office operations. Privacy Operations unifies data governance and operation silos across all functional areas: privacy and access governance, on premise operations and third-party processing. PrivacyOps has one primary objective: transform an organization’s privacy perspective away from risk avoidance and towards opportunity-seeking and competitive differentiation. What is PrivacyOps? For information purposes only and should not construed as a legal, or other advice for any particular issue
What does PrivacyOps Success Look Like? • Individuals can intuitively and easily exercise their rights via an up-to-date user- centric experience, and be assured that their rights are respected. • Privacy and Access controls are part of technology solutions. • Fulfilling privacy and access obligations is a routine and automated activity. • Privacy and Access controls systems detect, predict, and report non-compliant events. • Privacy and Access natively operates across all departmental and intra- organizational boundaries without data and information silos. • Organizations are always prepared to demonstrate proof of privacy and access compliance. PrivacyOps leaders provide key stakeholders (customers, employees, and partners) the means—through an automated, user-centric, and always up-to-date experience—to intuitively, easily and respectfully exercise their privacy and data access rights. Privacy and Access controls systems detect, predict, and report non-compliant events; they operate across all departmental and intra-organizational boundaries; and they are always prepared to demonstrate proof of privacy and access compliance. Benefits of PrivacyOps: PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
About PrivacyOps Framework PrivacyOps Framework Feroot interviewed data privacy, governance, access rights, cybersecurity, IT operations, enterprise planning, marketing, sales, and customer success experts across a wide variety of industries. We used this data to create the definitive Privacy Operations framework – PrivacyOps. PrivacyOps is a new department that manages the full cycle of data operations across customer, employee, and back-office lifecycles. For information purposes only and should not construed as a legal, or other advice for any particular issue
Privacy Today Today’s privacy operating model was conceived during the era of fax machines and was continually updated with new requirements from the onset of transformation into the digital economy. The data-driven economy is forcing companies to rapidly innovate the way that they operate and do business. New technologies have never seen faster needs for adaptation. Customer expectations have never changed as rapidly as they are now. Buying and selling processes, customer service, and supply lines have never been as data-driven as they are today. Customer data comes with responsibility. There are numerous regulations governing privacy in the world, including GDPR, PIPEDA, DPA, HIPAA, PIPA, CCPA. While compliance with these laws is clearly one of the drivers of Privacy Management Programs, it is only the baseline for our approach to privacy. Protecting the privacy of the personal information entrusted by customers to organizations is mainly driven as a risk avoidance process in order to prevent enforcement, penalties, and lawsuits. However by leveraging customer-first commitments, you can build trust with your stakeholders so that they can know how to use data in a way that generates value, promotes respect and protection. PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
What’s Next? Although most large companies have spent hundreds of thousands, if not millions, of dollars preparing for GDPR and other privacy regulations, many organizations are still struggling with the day-to-day complexities of consent management & privacy compliance operations. For instance, updating your privacy policies are just the first step. There's still a lot to do to manage subject right obligations and subject access requests. Our study found that most organizations are not yet ready to manage their processes effectively or efficiently and, as such, they leave themselves at risk of non- compliance. Ongoing management of privacy obligations is complicated. Many stakeholder touch points must be routinely coordinated in order to process requests effectively and to be documented for compliance and legal purposes. Spreadsheets and traditional point-to-point privacy software can’t scale and perform ongoing management of the new data relationship model in which data flows from the subjects (people) to data controllers (service providers), and data processors (third- party vendors). We found that most organizations aren’t prepared, nor do they have any embedded controls for managing data privacy across their third-party vendors, for on-premise applications, and for AI systems. PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
PrivacyOps has one job: drive growth through a responsible use of data by embedding privacy controls into products and services. PrivacyOps’ holistic approach has four key benefits: 1 - Harmonization and Alignment PrivacyOps aligns departments and their stakeholders. This ensures privacy initiatives have a measurable business impact. When an organization is aligned, it generates more revenue at a reduced cost, and brings new data-driven products to the market. 2 – Customer-focused Product and Service Changes GDPR and other privacy regulations require changes to policies, operations, and products, not just for compliance reasons but also to foster user trust. The PrivacyOps framework enables organizations to operationalize privacy effectively, achieve proper consent management, maintain accurate data inventorization, and augment user transparency, and privacy controls. 3 - Removing Overhead Helps Focus Operations on the Key Objectives PrivacyOps assumes operational and technical privacy overheads that allow marketing, sales, customer service, HR, and other departments to focus on their core goals, objectives, and KPIs. 4 - Planning and Operations PrivacyOps helps to identify and remove roadblocks. It works with the concept of accountability, careful planning, and the implementation of privacy operational controls across the full data lifecycle flow and across departmental, organizational, franchise and other enterprise boundaries. These benefits transform privacy from a risk avoidance function into a business that increases, revenue and market share. PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
Steps to embedding privacy into day-to- day operations PrivacyOps Framework Step 1 – Align Your Team around Documented Privacy Goals No stakeholder alignment = no results. Why is alignment so important? In many organizations, business, operations, legal, and IT tend to work in isolation. This is especially true of transformation, privacy, and IT-based projects, wherein the business quickly defines requirements, then throws them “over the wall” to operations or cross-functional teams. These teams implement the requirement, only to be find out unanticipated roadblocks. This is one of the most common examples of lack of alignment. For successful programs, the path to ROI is secured with a real partnership across all of the stakeholders from business to legal, privacy, marketing, sales, HR, and IT departments working together towards a common goal. This goal and vision should be discussed, agreed and clearly documented. For information purposes only and should not construed as a legal, or other advice for any particular issue
Action: One vision The first step is to engage and include all the relevant stakeholders and have full participation and alignment across all stakeholder groups. This vision should be articulated within commonly accepted business terms that are already part of your established culture and business practice. The vision should include clear business goals, objectives, and outcomes that the program will achieve. The document should also have a clear set of measurements for the project metrics to ensure expected outcomes are achieved. Project KPI’s should have a direct link to executive stakeholder KPI’s and KPI’s of departments involved in the project. The draft should be agreed to by stakeholders to secure their feedback, and to ensure ongoing buy-in, you should update the document to incorporate their feedback. 3 steps to getting your stakeholders aligned 1. Identify your stakeholders. • First, make a list of the stakeholders for your project. Be specific - find out precise names and titles. • We categorize using these seven types: • The Sponsor: This is the person with real skin in the game, they will either get the recognition or take the fall. • Financial decision-makers: These are the people who decide whether your project gets funded. • Strategic decision-makers: These are the people who have a problem that your project is expected to solve. • Mobilizers and Champions: These are the people you can count on for moving things forward to evangelize the importance of the project. • Blockers: these people don’t have official power, but they can intentionally or unintentionally stop the project in its tracks. • Influencers: These people have valuable opinions and insight to consider. • Doers or Implementers: These are the people who execute parts of or the entire project. They have very specific knowledge, action items, and are accountable for deliverables. 2. Get them involved. Alignment is about getting stakeholders to participate, support, and execute the project. They should feel invested and committed. Proper communication is critical to ensure all stakeholders are involved in an engaged and supportive way. Everyone needs to be aware of your project objectives and updated on project progress. Some stakeholders will be more involved than others, but don’t underestimate the value and importance of stakeholders with less participation. 3. Objections are needs or concerns in disguise. Nurture communication and understanding between stakeholders to avoid surprise roadblocks later. Keep in mind that needs are likely changing as the project progresses. The more you know about stakeholders’ concerns, the better you can address them. Regularly pause, re-assess, and align. PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
What Do We Have? • Assessment • Data Processing • Data Inventory • Data Mapping Step 2 – Data Mapping & Documenting your Data Processing Activities Data mapping, or document your data processing activities, is the first critical element in an organization’s privacy compliance process. It is also required under Article 30 of the GDPR. Organizations (data controllers) face questions from data subjects (people) and have obligations to disclose third-party and third-country locations where their personal data is being processed and how and why it is being used. A successful data mapping exercise will help an organization answer these questions with confidence and will provide customers with the information that they expect concerning their personal data and its usage. Proper, up-to-date data mapping also greatly reduces risks associated with unauthorized personal information handling. PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
Action: Initiate data process mapping exercise and keep your data map updated and accurate at all times. • How to map your organization’s enterprise data and know what questions to ask? • What type of data is collected? Is it sensitive and identifiable personal information? • Why is the data collected? • Who is collecting data? • Is data shared with third parties? • Where (what country) is data being stored and processed in? • When, why, and how is the data being used? Is the data used for the purpose for which it was collected? • How long is data retained? • What is the lawful purpose of data use? Under consent or other lawful purposes? Notes about the Legal Basis for processing data under the GDPR (Article 30) • The present guidelines clarified that if you rely on consent for a processing activity, you cannot depend on an alternative legal ground as a fallback or backup. For further clarity, you can’t ask the data subject for consent “to do X with their data” and then perform that processing activity and disregard their choice if they said no. However, there are possible cases in which you might be able to rely on more than one legal ground. In these cases, you should always get advice from your legal counsel. • In cases where you are relying on multiple legal grounds, you might be triggering additional obligations and rights such as, content of your privacy transparency notices, data portability, data erasure, and more. PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
Additional Data Mapping Benefits: Although data mapping often requires significant effort from organizations, there are other additional important benefits. Data mapping helps organizations maintain detailed data processing records for compliance and legal purposes and ensures audit readiness at any time. In addition, data mapping provides evidence that an organization is adhering to data protection guidelines. Other benefits of data mapping include: • Improved IT systems by streamlining data flows. • IT operational efficiencies. • Mitigating risks of data breaches and reducing breach impact. • Responding quickly to subject requests and consequently reducing the cost of compliance. Summary: Data mapping is the essential first step in an organization’s privacy compliance program and assists in supporting customer and employee loyalty. On top of this, there are additional benefits of GDPR compliance, such as operational efficiencies, reduced incident impact, increased customer loyalty and competitive differentiation. PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
Privacy Impact Assessment Step 3 - Privacy Impact Assessments What is a Privacy Impact Assessment (PIA)? Simply put, a PIA identifies and helps reduce privacy risks of any undertaking or process within an organization. PIAs are a key part of the GDPR path to “privacy by design.” With a PIA you can: • Readily predict potential problems • Begin the process to implement privacy by design. “Proactive, not reactive; preventative not remedial” • Improve your ability to adhere to GDPR requirements • Ensure that your organization is aware of and prepared to handle privacy and data protection obligations PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
Data Subject Rights Framework: • Privacy Notices • Disclosures • Consent • Control Step 4 – What do Consent and Information Notices, Disclosures, and Controls mean in the context of GDPR? For example, GDPR states that consent can be withdrawn at any time; can’t be assumed from inaction, and forced consent will be “invalid.” Consent must be freely given, specific, informed and unambiguous. Again, you should always get advice from your legal counsel. Recommended action: Collect consent and maintain proof of collected consent unless you are relying on processing data being done under other lawful proposes. PrivacyOps Framework
The GDPR Subject Access Request (“SAR”) Key Summary: • Data controllers are responsible for responding to all SARs. • Required SAR response time is 30 days or less, although complex requests can be extended with regulatory approval. • The identity of Data Subject must be verified to prevent privacy breaches. • Not all SARs should be fulfilled when other lawful reasons for data processing exist • Consent can be withdrawn at any time as easily as it was given. • Organizations cannot charge fees to comply with SARs under the GDPR unless the request is “manifestly unfounded or excessive.” • Any response to a SAR should allow the individual to easily identify what information has been collected and stored and what processing has been carried out. • An SAR may be made electronically, e.g., via email, and responses may also be provided in the same manner. What impact do SARs have on data controllers? GDPR-regulated organizations should consider: 1) implementing SAR policies and embedding SARs into customer and employee-facing services, systems, and mobile apps (both internal and external facing) in order to ensure that your organization can fully administer SARs across third-party vendors (processors); 2) developing a response process to streamline SAR fulfillment; 3) train employees on new GDPR requirements and SAR processes; 4) implement a self-serve approach for SAR fulfillment. PrivacyOps Framework
How can third-party vendors (processors) support data controllers in responding to SARs? In many cases, the initial contact from subject comes directly to the controller or the data processor. However, the data processor is not responsible for responding to the SAR by default. Action: Initiate SAR fulfilment and record keeping processes. Data controllers and data processors need to prepare to handle SARs in a coordinated and prepared manner. At the start of the data collection, data processors should provide clear information notices that will inform the subject of their rights under GDPR. • Organizations should be able to provide confirmation as to purpose, location, extent, duration of data processing, and confirmation of the data retention period. • The data processor should manage personal data in a way to ensure that information can be identified quickly and easily. • The data controller and processor should establish an approach to respond to any SAR easily and preferably in an automated fashion. • Training of all staff on how a SAR process is done. FAQ section on the processor’s website relating to SARs. A self-serve portal for SARs. • Agreement between the data controller and processors. This includes contractual provisions with the data controller on how SARs are to be handled, and immediate communication from data controller to processors to inform them of the SAR, to fulfill the request and keep auditable records of all steps. PrivacyOps Framework
Step 5 – GDPR Requires Changes to how your Products and Services functions • Key requirements • Legally valid for processing data • Identify each third party and their usage of personal data • Retain records • Ability for users to revoke consent Obtaining Consent Give customers the choice and the ability to obtains consent and revoke consent as easily as they gave it Managing Consent Respect your customer’s choice and manage data restrictions downstream to third parties PrivacyOps Framework Product and Service Changes • Consent • Transparency • Privacy Controls • Data Portability • Communication
Collecting Data Tell users the intent of data collection and what data you will collect Processing Data Process Data in a way that is consistent with user privacy expectations Plain language notices Clear retention and deletion policies User controls for retention and deletion Limit data processing based on the intended purpose Third country and third party sub-processor disclosure Breach notification readiness Audit readiness PrivacyOps Framework
Vendor Management Step 6 – Third-Party Sub-Processor Vendor Management Data controllers are required to ensure that their vendors (processors) properly handle all personal data shared with them. As with data mapping, modern systems and processes create data processing chains where data travels from one application to another and changes hands across SaaS and cloud service providers. Almost every data controller should review how it handles data and its relationship with its providers, and how data processors manage their own vendors/processors, and how GDPR subject rights will be enforced across the entire data processing chain. PrivacyOps Framework
Recommended Action: • Complete and maintain an accurate Data Processing Map. • Review agreements with all vendors to cover all GDPR applicable articles. • Compile and maintain an inventory of vendors. • Implement a programmatic approach to managing vendor data-chain. • Implement technologies to support vendor audits and SAR fulfillment compliance. • Include vendor escalation processes and embed remediation plans. Summary: taking control and implementing programmatic approaches to vendor management for data controller and data processor are key. A comprehensive approach to managing vendors and the data processing chain can reduce processing and regulatory enforcement risks. PrivacyOps Framework
Liabilities under GDPR regime Step 7 – Subject Access Rights violations, Data Breaches, and Liabilities GDPR Article 33 requires that data controllers notify the supervisory authority in case of a personal data breach without undue delay and, where feasible, no later than 72 hours after having become aware of the breach. The processor shall notify the controller without undue delay after becoming aware of a personal data breach. GDPR Article 34 requires data controllers to notify the data subjects of a personal data breach when the data breach is likely to result in a high risk to the rights and freedoms of natural persons. The controller shall communicate the personal data breach to the data subject without undue delay unless the controller has implemented and applied appropriate technical and organizational protection measures to the personal data affected by the personal data that render the personal data unintelligible, because of encryption. PrivacyOps Framework • Violations • Breaches • Negligence
GDPR Article 82 provides the Right to compensation and liability to any person who has suffered material or non-material damage as a result of an infringement of GDPR provisions from the controller or processor. In addition, it states that any controller involved in processing shall be liable for the damage caused by processing that infringes GDPR; and the processor shall be liable for the damage caused by processing only where it has not complied with obligations of this regulation specifically directed to processors; or where it has acted outside or contrary to lawful instructions of the controller. Additionally, controllers or processors shall be exempt from liability under paragraph 2, if it proves that it is not in any way responsible for the event giving rise to the damage. Under GDPR Article 82 specifies that infringements of the following provisions Articles 8, 11, 25 to 39, 41, 42 and 43 shall be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. GDPR Article 83 specifies that infringements of the following Articles 5, 6, 7 and 9, and the data subjects’ rights pursuant to Articles 12 to 22, and 44 to 49, will lead to suspension of data flows by the supervisory authority pursuant to Article 58(2). At the same time, failure to provide access in violation of Article 58(1) shall be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In addition, data subjects may initiate private claims directly against data processors for breach. PrivacyOps Framework
Under GDPR, the data controller is ultimately accountable and, in cases when the data controller does not exercise sufficient control over the data processor, the data controller still must be able monitor the data processor; otherwise, it could still find itself subject to fines. Best practice tips: 1. Controllers and processors should perform appropriate due diligence on their providers and partners. 2. Controllers should continue to monitor their processors’ compliance post-appointment, on a regular and/or real-time basis. 3. Enter into DPA agreements Summary Data controllers and processors need to collaborate in order to ensure data subject rights and other GDPR obligations are respected and fulfilled. It’s essential to start by ensuring that privacy is at the core of all services, processes, and procedures. PrivacyOps Framework
PrivacyOps can start in two ways: distributed capabilities throughout your team, or specialized roles in a department. The right way to start depends upon your business model and company size. PrivacyOps starts out as a shared function with multiple departments and people performing aspects of privacy compliance. For example: • Privacy oversees governance, operations, and assessments. • CTOs performing PIAs, data-mapping, application and tools management. • DPOs overseeing applications and security. • Marketing managing third-party marketing tools and data-flows. Privacy operations maturity path helps these responsibilities become dedicated roles and can be brought under the PrivacyOps umbrella. Consolidation usually happens when data map management becomes sufficiently complex, typically around 50 internal and third-party applications. If your organization has more than 20 applications, you are likely facing siloed privacy management in your operations already. Bringing PrivacyOps roles together consolidates accountability. Reporting is also highly recommended at this time. PrivacyOps Framework Getting Started with PrivacyOps
Symptoms and Signs you need PrivacyOps Here are some common signs that you don’t have a properly functioning PrivacyOps system. If the examples below resonate or sounds familiar, it likely means that you’ve waited too long to implement PrivacyOps. The benefits of PrivacyOps could very well have a significant positive impact on your organization. Many non-EU businesses, including US and Canadian companies, incorrectly assume European laws don’t apply to them. Here we highlight five common GDPR myths: 1. “GDPR is for European companies” An organization doesn’t even have to accept payment from an EU-based customer to be subject to GDPR. The GDPR applies to any business that targets its activities to an EU market. Even if your U.S.-based business doesn’t target an EU market, GDPR may apply if your company monitors EU-base individuals or is processing their data as a sub-processor. 2. “We don’t use any personal data, so GDPR doesn’t apply.” GDPR defines “personal data” to include an identifier that could help identify a natural person. For example, it could include a person’s IP address and cookie. Storing data in a CRM can also trigger GDPR compliance. GDPR also provides enhanced protections to “special categories of personal data”, such as data relating to health, racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade-union memberships, among others. PrivacyOps Framework
3. “We have a privacy policy,” and “we are good, since we determined we are compliant”. When you do business with a customer over the Internet, you often collect information that can potentially be useful outside of the transaction. If you use any of that information in a way which can be linked back to the customer and without the customer's knowledge or consent, you are violating their privacy rights. It is up to you to properly destroy a customer’s information or to ensure it’s secure. 4. “We only collect minimal information on our clients for services and products ” If you collect, use or disclose any personal information about individuals, (such as email, address, names etc) you need to understand your privacy obligations. 5. “We have too many tools!” PrivacyOps consolidates the procurement, implementation, and management of privacy management processes and tools under one owner. This gives you full visibility across the organization, saves costs, and increases adoption of privacy. PrivacyOps Framework
The Chief Privacy Officer (CPO) and the Chief Risk Officer (CRO) have an emerging operational role in an organization. Traditionally, privacy has been tasked with governance and policy-setting responsibilities. But, in the age of GDPR, the increasing mandate around day-to-day privacy operations, and the operationalization of privacy-related tasks, make CPOs natural owners of data processing governance across Marketing, Sales, Customer Support, HR and other departments of business. In the case that your organization doesn’t have a CPO, PrivacyOps can live under a Chief Data Officer, CIO IT Operations, application owners, Risk Management, the CTO, and in some case, even under the marketing department. The ultimate organizational responsibility is driven by the needs of your business, talent and the skill-set of your teams. Did You Know? CPO’s, CDO’s and DPO’s are a growing job profile? According to LinkedIn, there are roughly 1,400 CPOs, 3,828 Chief Data Officers, and 6,000+ DPO’s, while there are 9,500+ CROs (risk officers) and over 34,000 CIOs. PrivacyOps Framework Who owns and leads PrivacyOps?
Ownership of the Tech-Stack Today, there are more than 25,000 SaaS tools available on the market. For instance, when we investigated typical global organizations, we found that they are using between 100 and 2,500 third-party, SaaS-based software tools in their tech-stack. The multi-party tech stack has become impossible to manage. Multiple tools exchange data, and complex integrations can increase the risk of data leakage and breaches. The wild west of self-service tools scatters customer data across jurisdictions and providers, leaving data controllers potentially liable to hundreds of millions of euros in penalties. The challenge is complex because in modern organizations no group fully owns the tech stack’s privacy. IT used to own the tech stack when all hardware, software, and data was on the premises, but today it's common for sales, marketing, HR, finance, and customer service to manage their own technology budgets and procure tools from third-party SaaS-based vendors. Sales, marketing, and customer services, in many cases, even have their own technology teams, leading to multiple owners for a single CRM, customer marketing, customer service, and communication systems and, thus, creating multiple silos of data. PrivacyOps Framework
In the PrivacyOps framework, a single team oversees privacy management of the tech stack across the organization. This helps ensure that all departments and lines of business can comply with GDPR and other regulatory obligations. Accountability and ownership go hand-in-hand. PrivacyOps facilitates close relationship across stakeholders, Privacy department, Digital and Innovation teams and IT, all in order to ensure that the organization meets privacy and data management requirements. Moreover, changes can be made quickly to respond to data and information governance demands and requirements. PrivacyOps Framework
Customer Loyalty "75% [potential customers] will not buy a product from a company — no matter how great the products are — if they don’t trust the company to protect their data " 2018 IBM Cybersecurity and Privacy Research VC Funding and Investors Steve Herrod of VC firm General Catalyst told The Privacy Advisor that evaluating a company’s privacy practices is now part of his firm’s due diligence, especially when companies are storing customer data in cloud services. PrivacyOps creates benefits for the marketing, sales, customer services, HR, finance and other business areas because it aligns a company around customer data and their needs. PrivacyOps also generates more sales by influencing key metrics including: customer trust, competitive differentiation, shorter sales cycles, and increased repeat business. Finally, PrivacyOps has a compounding effect on every part of your business, from the efficiency of managing sensitive data to lowering risks of breaches, penalties and litigations, and increasing customer loyalty. PrivacyOps Framework PrivacyOps Growths Business
PrivacyOps is a new organizational model that increases your competitive advantage and regulatory compliance through measurable improvements of operational effectiveness and efficiency across your entire data lifecycle. PrivacyOps unifies access management across informational silos such as customer information, medical records, employee data, back-office operations, and other key organizational departments that collect data. PrivacyOps streamlines privacy operations across all functional areas, freeing up resources to focus on key business objectives. PrivacyOps consolidates privacy and access operations into a smooth operating machine. PrivacyOps provides harmonization, simplification, alignment, and focus that will provide privacy compliance and ultimately a competitive advantage by increasing customer trust; and helps increase core metrics like conversion rates, referrals, customer retention, and revenues. PrivacyOps Framework Conclusion
Feroot’s Privacy Platform allows you to quickly and efficiently manage on- premise and third-party vendors across applications, both dynamically and automatically. No more chasing down vendors for their latest privacy agreements. No more updating stale spreadsheets. Enter information once, connect to your third-party party vendors, and everything from consent management, to data processing activities, to record-keeping documentation flows appropriately and continually to the key stakeholders. Your organization will save time, resources, and money and avoid the tedious task of manually updating documents every time a new vendor is added to your tech stack. Feroot’s Privacy platform helps you implement a PrivacyOps framework that will: • unify, automate and coordinate all aspects of GDPR Subject Access Request compliance obligations. • manages all stakeholder touchpoints automatically • support your organization’s ability to process requests efficiently • document responses for compliance and legal purposes PrivacyOps Framework Feroot is an award-winning PrivacyOps platform that helps you operationalize privacy management across all departments and data silos. We help organizations instantly transform their static data map into a dynamic, continually updated, and accurate data registry. Want to learn more about Feroot? Contact sales@feroot.com Our mission is to turn privacy compliance into your competitive advantage.

More Related Content

PPTX
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Capgemini
 
PPTX
Information Governance Program
Bohdiman
 
PDF
Learning From IG Experts In Healthcare & Beyond: How To Start An Information ...
Nick Inglis
 
PDF
DGIQ 2018 Presentation: How to be successful in the post GDPR landscape – bui...
DATUM LLC
 
PDF
DGIQ 2018 Presentation: A Lawyer, a Salesperson and the Operations Guy Walk ...
DATUM LLC
 
PPTX
Optimization as a Golden Layer - Chris Diener, SVP Analytics, Absolutdata
Absolutdata Analytics
 
PDF
Building a Strategy customers and Auditors Love
jadams6
 
PPTX
Information Governance
Lorne Rogers, ECM-M, PMP [Open Networker]
 
Information Governance: Reducing Costs and Increasing Customer Satisfaction
Capgemini
 
Information Governance Program
Bohdiman
 
Learning From IG Experts In Healthcare & Beyond: How To Start An Information ...
Nick Inglis
 
DGIQ 2018 Presentation: How to be successful in the post GDPR landscape – bui...
DATUM LLC
 
DGIQ 2018 Presentation: A Lawyer, a Salesperson and the Operations Guy Walk ...
DATUM LLC
 
Optimization as a Golden Layer - Chris Diener, SVP Analytics, Absolutdata
Absolutdata Analytics
 
Building a Strategy customers and Auditors Love
jadams6
 
Information Governance
Lorne Rogers, ECM-M, PMP [Open Networker]
 

What's hot (18)

PPTX
Architecting the Framework for Compliance & Risk Management
jadams6
 
PDF
A Lawyer, a Salesperson and the Operations Guy Walk into a Bar . . .
jadams6
 
PDF
Executing on Information Governance (Learning From Law Firms)
Nick Inglis
 
PDF
SME- Developing an information governance strategy 2016
Hybrid Cloud
 
PDF
Information Governance
Atle Skjekkeland
 
PPTX
Igs animation s;lide
Recommind
 
PPTX
Lessons in Information Governance
John Newton
 
PPTX
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
David Kearney
 
DOCX
Article in Techsmart
Antionette van Zyl
 
PDF
“Rebuilding Corporate Trust: The Essential Role Of IT Governance
SUNIL KUMAR KOHLI, IDAS ndc
 
PDF
The best of data governance
Grant Thornton LLP
 
PDF
Mike2.0 Information Governance Overview
sean.mcclowry
 
PDF
Planning Information Governance and Litigation Readiness
Rich Medina
 
PPT
00 14092011-0900-derick-de leo
guiabusinessmedia
 
PPTX
Data Governance
DataMaestro
 
PDF
Information Governance Quick Wins
Nick Inglis
 
PDF
Better business outcomes with Big Data Analytics
Billington K
 
PPTX
Forrester Webinar: Security Ratings Set the Standard
SecurityScorecard
 
Architecting the Framework for Compliance & Risk Management
jadams6
 
A Lawyer, a Salesperson and the Operations Guy Walk into a Bar . . .
jadams6
 
Executing on Information Governance (Learning From Law Firms)
Nick Inglis
 
SME- Developing an information governance strategy 2016
Hybrid Cloud
 
Information Governance
Atle Skjekkeland
 
Igs animation s;lide
Recommind
 
Lessons in Information Governance
John Newton
 
Information Governance, Managing Data To Lower Risk and Costs, and E-Discover...
David Kearney
 
Article in Techsmart
Antionette van Zyl
 
“Rebuilding Corporate Trust: The Essential Role Of IT Governance
SUNIL KUMAR KOHLI, IDAS ndc
 
The best of data governance
Grant Thornton LLP
 
Mike2.0 Information Governance Overview
sean.mcclowry
 
Planning Information Governance and Litigation Readiness
Rich Medina
 
00 14092011-0900-derick-de leo
guiabusinessmedia
 
Data Governance
DataMaestro
 
Information Governance Quick Wins
Nick Inglis
 
Better business outcomes with Big Data Analytics
Billington K
 
Forrester Webinar: Security Ratings Set the Standard
SecurityScorecard
 
Ad

Similar to Privacy Operations (PrivacyOps) Framework - Feroot Privacy (20)

PPTX
PrivIQ Product Overview Plataforma de Compliance LGPD
RitaNeves55
 
PDF
A Practical Guide To Information Governance
Michael Curcio
 
PDF
TrustArc Webinar - Why Your Company Needs A Privacy Culture & Where To Start
TrustArc
 
PDF
TrustArc Webinar - 2025 Global Privacy Benchmarks Survey: Trends and Perspect...
TrustArc
 
PDF
privacy-transformation-services-2020.pdf
hardicgarg1
 
PPTX
Data protection: Steps Organisations can take to ensure compliance
EquiGov Institute
 
PPTX
Is Your Agency Data Challenged?
DLT Solutions
 
PDF
GDPR: A misunderstood piece of data privacy legislation and it's impact on ev...
Bear Analytics
 
PDF
TrustArc Webinar - 2024 Global Privacy Survey: A 360 View Into Key Privacy De...
TrustArc
 
PPTX
The Maturing of an Industry: Information Governance (#InfoGov14 Keynote)
Nick Inglis
 
PPTX
Nick Inglis - The Maturing Of An Industry: Information Governance (Opening Ke...
ARMA International
 
PPTX
Data Privacy and Security in UAE.pptx
Adarsh748147
 
DOCX
Data privacy and security in uae
RishalHalid1
 
PDF
Information governance presentation
Igor Swann
 
PDF
Healthcare IT Security Who's Responsible, Really?
Redspin, Inc.
 
PDF
Enterprise Information Management Strategy - a proven approach
Sam Thomsett
 
PPTX
Evolution of Records Management in Law Firms
Jim Merrifield, IGP, CIP
 
PPTX
Cost benefit analysis vs confidentiality
Prithvi Ghag
 
PPTX
Consumer Law Seminar ABTA
RedEye
 
PDF
The GDPR Most Wanted: The Marketer and Analyst's Role in Compliance
ObservePoint
 
PrivIQ Product Overview Plataforma de Compliance LGPD
RitaNeves55
 
A Practical Guide To Information Governance
Michael Curcio
 
TrustArc Webinar - Why Your Company Needs A Privacy Culture & Where To Start
TrustArc
 
TrustArc Webinar - 2025 Global Privacy Benchmarks Survey: Trends and Perspect...
TrustArc
 
privacy-transformation-services-2020.pdf
hardicgarg1
 
Data protection: Steps Organisations can take to ensure compliance
EquiGov Institute
 
Is Your Agency Data Challenged?
DLT Solutions
 
GDPR: A misunderstood piece of data privacy legislation and it's impact on ev...
Bear Analytics
 
TrustArc Webinar - 2024 Global Privacy Survey: A 360 View Into Key Privacy De...
TrustArc
 
The Maturing of an Industry: Information Governance (#InfoGov14 Keynote)
Nick Inglis
 
Nick Inglis - The Maturing Of An Industry: Information Governance (Opening Ke...
ARMA International
 
Data Privacy and Security in UAE.pptx
Adarsh748147
 
Data privacy and security in uae
RishalHalid1
 
Information governance presentation
Igor Swann
 
Healthcare IT Security Who's Responsible, Really?
Redspin, Inc.
 
Enterprise Information Management Strategy - a proven approach
Sam Thomsett
 
Evolution of Records Management in Law Firms
Jim Merrifield, IGP, CIP
 
Cost benefit analysis vs confidentiality
Prithvi Ghag
 
Consumer Law Seminar ABTA
RedEye
 
The GDPR Most Wanted: The Marketer and Analyst's Role in Compliance
ObservePoint
 
Ad

Recently uploaded (20)

PPTX
assetexplorer- product-overview - presentation
nonameist3434
 
PPTX
AMADEUS TRAVEL AGENT SOFTWARE | AMADEUS TICKETING SYSTEM
philipnathen82
 
PPTX
Introduction to Windows Operating System
ssuser1028f8
 
PDF
Cost to Outsource Software Development in 2025
Omega Incorporations- Best Software Development Company
 
PDF
Product Update: Alluxio AI 3.7 Now with Sub-Millisecond Latency
Alluxio, Inc.
 
PDF
DuckDuckGo Private Browser Premium APK for Android Crack Latest 2025
hashmi66g66
 
PDF
Autodesk AutoCAD Crack Free Download 2025
hggfcrd hgggref
 
PPTX
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
PPTX
CNN LeNet5 Architecture: Neural Networks
DrRPonnusamyCIT
 
PPTX
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
PPTX
Trending Python Topics for Data Visualization in 2025
IT IDOL Technologies
 
PPTX
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
PPTX
Cybersecurity: Protecting the Digital World
SURULIAPPANPREMKMAR
 
DOCX
How to Use SharePoint as an ISO-Compliant Document Management System
Sharepoint Designs
 
PDF
Multiverse AI Review 2025: Access All TOP AI Model-Versions!
Moshiur Rahman Jisan
 
PPTX
Patient Appointment Booking in Odoo with online payment
AxisTechnolabs
 
PDF
EaseUS PDF Editor Pro 6.2.0.2 Crack with License Key 2025
halimaanam8
 
PDF
Website Design Services for Small Businesses.pdf
ecomme9
 
PDF
AI Guide for Business Growth - Arna Softech
Arna Softech
 
PPTX
Tech Workshop Escape Room Tech Workshop
muthuiyad
 
assetexplorer- product-overview - presentation
nonameist3434
 
AMADEUS TRAVEL AGENT SOFTWARE | AMADEUS TICKETING SYSTEM
philipnathen82
 
Introduction to Windows Operating System
ssuser1028f8
 
Cost to Outsource Software Development in 2025
Omega Incorporations- Best Software Development Company
 
Product Update: Alluxio AI 3.7 Now with Sub-Millisecond Latency
Alluxio, Inc.
 
DuckDuckGo Private Browser Premium APK for Android Crack Latest 2025
hashmi66g66
 
Autodesk AutoCAD Crack Free Download 2025
hggfcrd hgggref
 
Why Generative AI is the Future of Content, Code & Creativity?
Webuters Technologies Pvt. Ltd
 
CNN LeNet5 Architecture: Neural Networks
DrRPonnusamyCIT
 
Advanced SystemCare Ultimate Crack + Portable (2025)
adanataj41
 
Trending Python Topics for Data Visualization in 2025
IT IDOL Technologies
 
Computer Software and OS of computer science of grade 11.pptx
GauravDahal9
 
Cybersecurity: Protecting the Digital World
SURULIAPPANPREMKMAR
 
How to Use SharePoint as an ISO-Compliant Document Management System
Sharepoint Designs
 
Multiverse AI Review 2025: Access All TOP AI Model-Versions!
Moshiur Rahman Jisan
 
Patient Appointment Booking in Odoo with online payment
AxisTechnolabs
 
EaseUS PDF Editor Pro 6.2.0.2 Crack with License Key 2025
halimaanam8
 
Website Design Services for Small Businesses.pdf
ecomme9
 
AI Guide for Business Growth - Arna Softech
Arna Softech
 
Tech Workshop Escape Room Tech Workshop
muthuiyad
 

Privacy Operations (PrivacyOps) Framework - Feroot Privacy

  • 1. PrivacyOps Framework The world has changed. In the Data Driven age – Privacy needs to work throughout the full data lifecycle in Marketing, Sales, Customer Service, HR, Finance and other organizational boundaries to drive growth. We call this Privacy Operations. Written by Ivan Tsarynny • CEO & Founder of Feroot Privacy Published October 2018 • www.Feroot.com/PrivacyOps
  • 2. Table of Contents Executive Summary................................................................. Page 4 What is PrivacyOps?................................................................ Page 6 • About The PrivacyOps Framework • Privacy Today • What’s Next? • The holistic Approach and Three Key Benefits Steps to embedding privacy into day-to-day operations........ Page 12 • Stakeholder Alignment • Data Inventorization • Privacy Impact Assessment • Data Subject Rights Framework: • Vendor Management • Ownership of the Tech-Stack • Who Owns and Leads PrivacyOps? • Product and Service Changes • Liabilities Under the GDPR Regime Getting Started With PrivacyOps……………………………………..…. Page 29 • Symptoms and Signs That You Need PrivacyOps • PrivacyOps Business Drivers • Customer Loyalty Conclusion…………………………………………………………………………... Page 36 PrivacyOps Framework
  • 3. Executive Summary Privacy and Access: operations are an increasingly important functional area in organizations and businesses that process personal data governed by privacy laws, such as GDPR, HIPAA, PIPEDA, and DPA. PrivacyOps is a new organizational model that automates and unifies privacy and access operations across functional areas, such as marketing, sales, service, finance, and HR. PrivacyOps utilizes the Privacy by Design framework in order to align an organization’s resources and processes, and to deliver privacy compliance while freeing up resources to focus on their key business objectives and increasing customer trust. When applied effectively, PrivacyOps can lead to dramatically improved critical business metrics, including conversion rates, referrals, customer retention, and revenues. PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
  • 4. Disclaimer Note: this framework is not intended to construe legal advice or offer comprehensive guidance. The information presented in this framework is for information purposes only and should not construed as a legal, or other advice for any particular issue, topic, or subject, including compliance with relevant regulations or laws. You must consult a professional and licensed advisor with expert knowledge with your particular situation for any such advice PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
  • 5. PrivacyOps Framework Privacy Operations, or PrivacyOps, is a new functional group and an emerging department that manages the full range of privacy operations across marketing, sales, analytics, services, HR and back-office operations. Privacy Operations unifies data governance and operation silos across all functional areas: privacy and access governance, on premise operations and third-party processing. PrivacyOps has one primary objective: transform an organization’s privacy perspective away from risk avoidance and towards opportunity-seeking and competitive differentiation. What is PrivacyOps? For information purposes only and should not construed as a legal, or other advice for any particular issue
  • 6. What does PrivacyOps Success Look Like? • Individuals can intuitively and easily exercise their rights via an up-to-date user- centric experience, and be assured that their rights are respected. • Privacy and Access controls are part of technology solutions. • Fulfilling privacy and access obligations is a routine and automated activity. • Privacy and Access controls systems detect, predict, and report non-compliant events. • Privacy and Access natively operates across all departmental and intra- organizational boundaries without data and information silos. • Organizations are always prepared to demonstrate proof of privacy and access compliance. PrivacyOps leaders provide key stakeholders (customers, employees, and partners) the means—through an automated, user-centric, and always up-to-date experience—to intuitively, easily and respectfully exercise their privacy and data access rights. Privacy and Access controls systems detect, predict, and report non-compliant events; they operate across all departmental and intra-organizational boundaries; and they are always prepared to demonstrate proof of privacy and access compliance. Benefits of PrivacyOps: PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
  • 7. About PrivacyOps Framework PrivacyOps Framework Feroot interviewed data privacy, governance, access rights, cybersecurity, IT operations, enterprise planning, marketing, sales, and customer success experts across a wide variety of industries. We used this data to create the definitive Privacy Operations framework – PrivacyOps. PrivacyOps is a new department that manages the full cycle of data operations across customer, employee, and back-office lifecycles. For information purposes only and should not construed as a legal, or other advice for any particular issue
  • 8. Privacy Today Today’s privacy operating model was conceived during the era of fax machines and was continually updated with new requirements from the onset of transformation into the digital economy. The data-driven economy is forcing companies to rapidly innovate the way that they operate and do business. New technologies have never seen faster needs for adaptation. Customer expectations have never changed as rapidly as they are now. Buying and selling processes, customer service, and supply lines have never been as data-driven as they are today. Customer data comes with responsibility. There are numerous regulations governing privacy in the world, including GDPR, PIPEDA, DPA, HIPAA, PIPA, CCPA. While compliance with these laws is clearly one of the drivers of Privacy Management Programs, it is only the baseline for our approach to privacy. Protecting the privacy of the personal information entrusted by customers to organizations is mainly driven as a risk avoidance process in order to prevent enforcement, penalties, and lawsuits. However by leveraging customer-first commitments, you can build trust with your stakeholders so that they can know how to use data in a way that generates value, promotes respect and protection. PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
  • 9. What’s Next? Although most large companies have spent hundreds of thousands, if not millions, of dollars preparing for GDPR and other privacy regulations, many organizations are still struggling with the day-to-day complexities of consent management & privacy compliance operations. For instance, updating your privacy policies are just the first step. There's still a lot to do to manage subject right obligations and subject access requests. Our study found that most organizations are not yet ready to manage their processes effectively or efficiently and, as such, they leave themselves at risk of non- compliance. Ongoing management of privacy obligations is complicated. Many stakeholder touch points must be routinely coordinated in order to process requests effectively and to be documented for compliance and legal purposes. Spreadsheets and traditional point-to-point privacy software can’t scale and perform ongoing management of the new data relationship model in which data flows from the subjects (people) to data controllers (service providers), and data processors (third- party vendors). We found that most organizations aren’t prepared, nor do they have any embedded controls for managing data privacy across their third-party vendors, for on-premise applications, and for AI systems. PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
  • 10. PrivacyOps has one job: drive growth through a responsible use of data by embedding privacy controls into products and services. PrivacyOps’ holistic approach has four key benefits: 1 - Harmonization and Alignment PrivacyOps aligns departments and their stakeholders. This ensures privacy initiatives have a measurable business impact. When an organization is aligned, it generates more revenue at a reduced cost, and brings new data-driven products to the market. 2 – Customer-focused Product and Service Changes GDPR and other privacy regulations require changes to policies, operations, and products, not just for compliance reasons but also to foster user trust. The PrivacyOps framework enables organizations to operationalize privacy effectively, achieve proper consent management, maintain accurate data inventorization, and augment user transparency, and privacy controls. 3 - Removing Overhead Helps Focus Operations on the Key Objectives PrivacyOps assumes operational and technical privacy overheads that allow marketing, sales, customer service, HR, and other departments to focus on their core goals, objectives, and KPIs. 4 - Planning and Operations PrivacyOps helps to identify and remove roadblocks. It works with the concept of accountability, careful planning, and the implementation of privacy operational controls across the full data lifecycle flow and across departmental, organizational, franchise and other enterprise boundaries. These benefits transform privacy from a risk avoidance function into a business that increases, revenue and market share. PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
  • 11. Steps to embedding privacy into day-to- day operations PrivacyOps Framework Step 1 – Align Your Team around Documented Privacy Goals No stakeholder alignment = no results. Why is alignment so important? In many organizations, business, operations, legal, and IT tend to work in isolation. This is especially true of transformation, privacy, and IT-based projects, wherein the business quickly defines requirements, then throws them “over the wall” to operations or cross-functional teams. These teams implement the requirement, only to be find out unanticipated roadblocks. This is one of the most common examples of lack of alignment. For successful programs, the path to ROI is secured with a real partnership across all of the stakeholders from business to legal, privacy, marketing, sales, HR, and IT departments working together towards a common goal. This goal and vision should be discussed, agreed and clearly documented. For information purposes only and should not construed as a legal, or other advice for any particular issue
  • 12. Action: One vision The first step is to engage and include all the relevant stakeholders and have full participation and alignment across all stakeholder groups. This vision should be articulated within commonly accepted business terms that are already part of your established culture and business practice. The vision should include clear business goals, objectives, and outcomes that the program will achieve. The document should also have a clear set of measurements for the project metrics to ensure expected outcomes are achieved. Project KPI’s should have a direct link to executive stakeholder KPI’s and KPI’s of departments involved in the project. The draft should be agreed to by stakeholders to secure their feedback, and to ensure ongoing buy-in, you should update the document to incorporate their feedback. 3 steps to getting your stakeholders aligned 1. Identify your stakeholders. • First, make a list of the stakeholders for your project. Be specific - find out precise names and titles. • We categorize using these seven types: • The Sponsor: This is the person with real skin in the game, they will either get the recognition or take the fall. • Financial decision-makers: These are the people who decide whether your project gets funded. • Strategic decision-makers: These are the people who have a problem that your project is expected to solve. • Mobilizers and Champions: These are the people you can count on for moving things forward to evangelize the importance of the project. • Blockers: these people don’t have official power, but they can intentionally or unintentionally stop the project in its tracks. • Influencers: These people have valuable opinions and insight to consider. • Doers or Implementers: These are the people who execute parts of or the entire project. They have very specific knowledge, action items, and are accountable for deliverables. 2. Get them involved. Alignment is about getting stakeholders to participate, support, and execute the project. They should feel invested and committed. Proper communication is critical to ensure all stakeholders are involved in an engaged and supportive way. Everyone needs to be aware of your project objectives and updated on project progress. Some stakeholders will be more involved than others, but don’t underestimate the value and importance of stakeholders with less participation. 3. Objections are needs or concerns in disguise. Nurture communication and understanding between stakeholders to avoid surprise roadblocks later. Keep in mind that needs are likely changing as the project progresses. The more you know about stakeholders’ concerns, the better you can address them. Regularly pause, re-assess, and align. PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
  • 13. What Do We Have? • Assessment • Data Processing • Data Inventory • Data Mapping Step 2 – Data Mapping & Documenting your Data Processing Activities Data mapping, or document your data processing activities, is the first critical element in an organization’s privacy compliance process. It is also required under Article 30 of the GDPR. Organizations (data controllers) face questions from data subjects (people) and have obligations to disclose third-party and third-country locations where their personal data is being processed and how and why it is being used. A successful data mapping exercise will help an organization answer these questions with confidence and will provide customers with the information that they expect concerning their personal data and its usage. Proper, up-to-date data mapping also greatly reduces risks associated with unauthorized personal information handling. PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
  • 14. Action: Initiate data process mapping exercise and keep your data map updated and accurate at all times. • How to map your organization’s enterprise data and know what questions to ask? • What type of data is collected? Is it sensitive and identifiable personal information? • Why is the data collected? • Who is collecting data? • Is data shared with third parties? • Where (what country) is data being stored and processed in? • When, why, and how is the data being used? Is the data used for the purpose for which it was collected? • How long is data retained? • What is the lawful purpose of data use? Under consent or other lawful purposes? Notes about the Legal Basis for processing data under the GDPR (Article 30) • The present guidelines clarified that if you rely on consent for a processing activity, you cannot depend on an alternative legal ground as a fallback or backup. For further clarity, you can’t ask the data subject for consent “to do X with their data” and then perform that processing activity and disregard their choice if they said no. However, there are possible cases in which you might be able to rely on more than one legal ground. In these cases, you should always get advice from your legal counsel. • In cases where you are relying on multiple legal grounds, you might be triggering additional obligations and rights such as, content of your privacy transparency notices, data portability, data erasure, and more. PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
  • 15. Additional Data Mapping Benefits: Although data mapping often requires significant effort from organizations, there are other additional important benefits. Data mapping helps organizations maintain detailed data processing records for compliance and legal purposes and ensures audit readiness at any time. In addition, data mapping provides evidence that an organization is adhering to data protection guidelines. Other benefits of data mapping include: • Improved IT systems by streamlining data flows. • IT operational efficiencies. • Mitigating risks of data breaches and reducing breach impact. • Responding quickly to subject requests and consequently reducing the cost of compliance. Summary: Data mapping is the essential first step in an organization’s privacy compliance program and assists in supporting customer and employee loyalty. On top of this, there are additional benefits of GDPR compliance, such as operational efficiencies, reduced incident impact, increased customer loyalty and competitive differentiation. PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
  • 16. Privacy Impact Assessment Step 3 - Privacy Impact Assessments What is a Privacy Impact Assessment (PIA)? Simply put, a PIA identifies and helps reduce privacy risks of any undertaking or process within an organization. PIAs are a key part of the GDPR path to “privacy by design.” With a PIA you can: • Readily predict potential problems • Begin the process to implement privacy by design. “Proactive, not reactive; preventative not remedial” • Improve your ability to adhere to GDPR requirements • Ensure that your organization is aware of and prepared to handle privacy and data protection obligations PrivacyOps Framework For information purposes only and should not construed as a legal, or other advice for any particular issue
  • 17. Data Subject Rights Framework: • Privacy Notices • Disclosures • Consent • Control Step 4 – What do Consent and Information Notices, Disclosures, and Controls mean in the context of GDPR? For example, GDPR states that consent can be withdrawn at any time; can’t be assumed from inaction, and forced consent will be “invalid.” Consent must be freely given, specific, informed and unambiguous. Again, you should always get advice from your legal counsel. Recommended action: Collect consent and maintain proof of collected consent unless you are relying on processing data being done under other lawful proposes. PrivacyOps Framework
  • 18. The GDPR Subject Access Request (“SAR”) Key Summary: • Data controllers are responsible for responding to all SARs. • Required SAR response time is 30 days or less, although complex requests can be extended with regulatory approval. • The identity of Data Subject must be verified to prevent privacy breaches. • Not all SARs should be fulfilled when other lawful reasons for data processing exist • Consent can be withdrawn at any time as easily as it was given. • Organizations cannot charge fees to comply with SARs under the GDPR unless the request is “manifestly unfounded or excessive.” • Any response to a SAR should allow the individual to easily identify what information has been collected and stored and what processing has been carried out. • An SAR may be made electronically, e.g., via email, and responses may also be provided in the same manner. What impact do SARs have on data controllers? GDPR-regulated organizations should consider: 1) implementing SAR policies and embedding SARs into customer and employee-facing services, systems, and mobile apps (both internal and external facing) in order to ensure that your organization can fully administer SARs across third-party vendors (processors); 2) developing a response process to streamline SAR fulfillment; 3) train employees on new GDPR requirements and SAR processes; 4) implement a self-serve approach for SAR fulfillment. PrivacyOps Framework
  • 19. How can third-party vendors (processors) support data controllers in responding to SARs? In many cases, the initial contact from subject comes directly to the controller or the data processor. However, the data processor is not responsible for responding to the SAR by default. Action: Initiate SAR fulfilment and record keeping processes. Data controllers and data processors need to prepare to handle SARs in a coordinated and prepared manner. At the start of the data collection, data processors should provide clear information notices that will inform the subject of their rights under GDPR. • Organizations should be able to provide confirmation as to purpose, location, extent, duration of data processing, and confirmation of the data retention period. • The data processor should manage personal data in a way to ensure that information can be identified quickly and easily. • The data controller and processor should establish an approach to respond to any SAR easily and preferably in an automated fashion. • Training of all staff on how a SAR process is done. FAQ section on the processor’s website relating to SARs. A self-serve portal for SARs. • Agreement between the data controller and processors. This includes contractual provisions with the data controller on how SARs are to be handled, and immediate communication from data controller to processors to inform them of the SAR, to fulfill the request and keep auditable records of all steps. PrivacyOps Framework
  • 20. Step 5 – GDPR Requires Changes to how your Products and Services functions • Key requirements • Legally valid for processing data • Identify each third party and their usage of personal data • Retain records • Ability for users to revoke consent Obtaining Consent Give customers the choice and the ability to obtains consent and revoke consent as easily as they gave it Managing Consent Respect your customer’s choice and manage data restrictions downstream to third parties PrivacyOps Framework Product and Service Changes • Consent • Transparency • Privacy Controls • Data Portability • Communication
  • 21. Collecting Data Tell users the intent of data collection and what data you will collect Processing Data Process Data in a way that is consistent with user privacy expectations Plain language notices Clear retention and deletion policies User controls for retention and deletion Limit data processing based on the intended purpose Third country and third party sub-processor disclosure Breach notification readiness Audit readiness PrivacyOps Framework
  • 22. Vendor Management Step 6 – Third-Party Sub-Processor Vendor Management Data controllers are required to ensure that their vendors (processors) properly handle all personal data shared with them. As with data mapping, modern systems and processes create data processing chains where data travels from one application to another and changes hands across SaaS and cloud service providers. Almost every data controller should review how it handles data and its relationship with its providers, and how data processors manage their own vendors/processors, and how GDPR subject rights will be enforced across the entire data processing chain. PrivacyOps Framework
  • 23. Recommended Action: • Complete and maintain an accurate Data Processing Map. • Review agreements with all vendors to cover all GDPR applicable articles. • Compile and maintain an inventory of vendors. • Implement a programmatic approach to managing vendor data-chain. • Implement technologies to support vendor audits and SAR fulfillment compliance. • Include vendor escalation processes and embed remediation plans. Summary: taking control and implementing programmatic approaches to vendor management for data controller and data processor are key. A comprehensive approach to managing vendors and the data processing chain can reduce processing and regulatory enforcement risks. PrivacyOps Framework
  • 24. Liabilities under GDPR regime Step 7 – Subject Access Rights violations, Data Breaches, and Liabilities GDPR Article 33 requires that data controllers notify the supervisory authority in case of a personal data breach without undue delay and, where feasible, no later than 72 hours after having become aware of the breach. The processor shall notify the controller without undue delay after becoming aware of a personal data breach. GDPR Article 34 requires data controllers to notify the data subjects of a personal data breach when the data breach is likely to result in a high risk to the rights and freedoms of natural persons. The controller shall communicate the personal data breach to the data subject without undue delay unless the controller has implemented and applied appropriate technical and organizational protection measures to the personal data affected by the personal data that render the personal data unintelligible, because of encryption. PrivacyOps Framework • Violations • Breaches • Negligence
  • 25. GDPR Article 82 provides the Right to compensation and liability to any person who has suffered material or non-material damage as a result of an infringement of GDPR provisions from the controller or processor. In addition, it states that any controller involved in processing shall be liable for the damage caused by processing that infringes GDPR; and the processor shall be liable for the damage caused by processing only where it has not complied with obligations of this regulation specifically directed to processors; or where it has acted outside or contrary to lawful instructions of the controller. Additionally, controllers or processors shall be exempt from liability under paragraph 2, if it proves that it is not in any way responsible for the event giving rise to the damage. Under GDPR Article 82 specifies that infringements of the following provisions Articles 8, 11, 25 to 39, 41, 42 and 43 shall be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. GDPR Article 83 specifies that infringements of the following Articles 5, 6, 7 and 9, and the data subjects’ rights pursuant to Articles 12 to 22, and 44 to 49, will lead to suspension of data flows by the supervisory authority pursuant to Article 58(2). At the same time, failure to provide access in violation of Article 58(1) shall be subject to administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. In addition, data subjects may initiate private claims directly against data processors for breach. PrivacyOps Framework
  • 26. Under GDPR, the data controller is ultimately accountable and, in cases when the data controller does not exercise sufficient control over the data processor, the data controller still must be able monitor the data processor; otherwise, it could still find itself subject to fines. Best practice tips: 1. Controllers and processors should perform appropriate due diligence on their providers and partners. 2. Controllers should continue to monitor their processors’ compliance post-appointment, on a regular and/or real-time basis. 3. Enter into DPA agreements Summary Data controllers and processors need to collaborate in order to ensure data subject rights and other GDPR obligations are respected and fulfilled. It’s essential to start by ensuring that privacy is at the core of all services, processes, and procedures. PrivacyOps Framework
  • 27. PrivacyOps can start in two ways: distributed capabilities throughout your team, or specialized roles in a department. The right way to start depends upon your business model and company size. PrivacyOps starts out as a shared function with multiple departments and people performing aspects of privacy compliance. For example: • Privacy oversees governance, operations, and assessments. • CTOs performing PIAs, data-mapping, application and tools management. • DPOs overseeing applications and security. • Marketing managing third-party marketing tools and data-flows. Privacy operations maturity path helps these responsibilities become dedicated roles and can be brought under the PrivacyOps umbrella. Consolidation usually happens when data map management becomes sufficiently complex, typically around 50 internal and third-party applications. If your organization has more than 20 applications, you are likely facing siloed privacy management in your operations already. Bringing PrivacyOps roles together consolidates accountability. Reporting is also highly recommended at this time. PrivacyOps Framework Getting Started with PrivacyOps
  • 28. Symptoms and Signs you need PrivacyOps Here are some common signs that you don’t have a properly functioning PrivacyOps system. If the examples below resonate or sounds familiar, it likely means that you’ve waited too long to implement PrivacyOps. The benefits of PrivacyOps could very well have a significant positive impact on your organization. Many non-EU businesses, including US and Canadian companies, incorrectly assume European laws don’t apply to them. Here we highlight five common GDPR myths: 1. “GDPR is for European companies” An organization doesn’t even have to accept payment from an EU-based customer to be subject to GDPR. The GDPR applies to any business that targets its activities to an EU market. Even if your U.S.-based business doesn’t target an EU market, GDPR may apply if your company monitors EU-base individuals or is processing their data as a sub-processor. 2. “We don’t use any personal data, so GDPR doesn’t apply.” GDPR defines “personal data” to include an identifier that could help identify a natural person. For example, it could include a person’s IP address and cookie. Storing data in a CRM can also trigger GDPR compliance. GDPR also provides enhanced protections to “special categories of personal data”, such as data relating to health, racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade-union memberships, among others. PrivacyOps Framework
  • 29. 3. “We have a privacy policy,” and “we are good, since we determined we are compliant”. When you do business with a customer over the Internet, you often collect information that can potentially be useful outside of the transaction. If you use any of that information in a way which can be linked back to the customer and without the customer's knowledge or consent, you are violating their privacy rights. It is up to you to properly destroy a customer’s information or to ensure it’s secure. 4. “We only collect minimal information on our clients for services and products ” If you collect, use or disclose any personal information about individuals, (such as email, address, names etc) you need to understand your privacy obligations. 5. “We have too many tools!” PrivacyOps consolidates the procurement, implementation, and management of privacy management processes and tools under one owner. This gives you full visibility across the organization, saves costs, and increases adoption of privacy. PrivacyOps Framework
  • 30. The Chief Privacy Officer (CPO) and the Chief Risk Officer (CRO) have an emerging operational role in an organization. Traditionally, privacy has been tasked with governance and policy-setting responsibilities. But, in the age of GDPR, the increasing mandate around day-to-day privacy operations, and the operationalization of privacy-related tasks, make CPOs natural owners of data processing governance across Marketing, Sales, Customer Support, HR and other departments of business. In the case that your organization doesn’t have a CPO, PrivacyOps can live under a Chief Data Officer, CIO IT Operations, application owners, Risk Management, the CTO, and in some case, even under the marketing department. The ultimate organizational responsibility is driven by the needs of your business, talent and the skill-set of your teams. Did You Know? CPO’s, CDO’s and DPO’s are a growing job profile? According to LinkedIn, there are roughly 1,400 CPOs, 3,828 Chief Data Officers, and 6,000+ DPO’s, while there are 9,500+ CROs (risk officers) and over 34,000 CIOs. PrivacyOps Framework Who owns and leads PrivacyOps?
  • 31. Ownership of the Tech-Stack Today, there are more than 25,000 SaaS tools available on the market. For instance, when we investigated typical global organizations, we found that they are using between 100 and 2,500 third-party, SaaS-based software tools in their tech-stack. The multi-party tech stack has become impossible to manage. Multiple tools exchange data, and complex integrations can increase the risk of data leakage and breaches. The wild west of self-service tools scatters customer data across jurisdictions and providers, leaving data controllers potentially liable to hundreds of millions of euros in penalties. The challenge is complex because in modern organizations no group fully owns the tech stack’s privacy. IT used to own the tech stack when all hardware, software, and data was on the premises, but today it's common for sales, marketing, HR, finance, and customer service to manage their own technology budgets and procure tools from third-party SaaS-based vendors. Sales, marketing, and customer services, in many cases, even have their own technology teams, leading to multiple owners for a single CRM, customer marketing, customer service, and communication systems and, thus, creating multiple silos of data. PrivacyOps Framework
  • 32. In the PrivacyOps framework, a single team oversees privacy management of the tech stack across the organization. This helps ensure that all departments and lines of business can comply with GDPR and other regulatory obligations. Accountability and ownership go hand-in-hand. PrivacyOps facilitates close relationship across stakeholders, Privacy department, Digital and Innovation teams and IT, all in order to ensure that the organization meets privacy and data management requirements. Moreover, changes can be made quickly to respond to data and information governance demands and requirements. PrivacyOps Framework
  • 33. Customer Loyalty "75% [potential customers] will not buy a product from a company — no matter how great the products are — if they don’t trust the company to protect their data " 2018 IBM Cybersecurity and Privacy Research VC Funding and Investors Steve Herrod of VC firm General Catalyst told The Privacy Advisor that evaluating a company’s privacy practices is now part of his firm’s due diligence, especially when companies are storing customer data in cloud services. PrivacyOps creates benefits for the marketing, sales, customer services, HR, finance and other business areas because it aligns a company around customer data and their needs. PrivacyOps also generates more sales by influencing key metrics including: customer trust, competitive differentiation, shorter sales cycles, and increased repeat business. Finally, PrivacyOps has a compounding effect on every part of your business, from the efficiency of managing sensitive data to lowering risks of breaches, penalties and litigations, and increasing customer loyalty. PrivacyOps Framework PrivacyOps Growths Business
  • 34. PrivacyOps is a new organizational model that increases your competitive advantage and regulatory compliance through measurable improvements of operational effectiveness and efficiency across your entire data lifecycle. PrivacyOps unifies access management across informational silos such as customer information, medical records, employee data, back-office operations, and other key organizational departments that collect data. PrivacyOps streamlines privacy operations across all functional areas, freeing up resources to focus on key business objectives. PrivacyOps consolidates privacy and access operations into a smooth operating machine. PrivacyOps provides harmonization, simplification, alignment, and focus that will provide privacy compliance and ultimately a competitive advantage by increasing customer trust; and helps increase core metrics like conversion rates, referrals, customer retention, and revenues. PrivacyOps Framework Conclusion
  • 35. Feroot’s Privacy Platform allows you to quickly and efficiently manage on- premise and third-party vendors across applications, both dynamically and automatically. No more chasing down vendors for their latest privacy agreements. No more updating stale spreadsheets. Enter information once, connect to your third-party party vendors, and everything from consent management, to data processing activities, to record-keeping documentation flows appropriately and continually to the key stakeholders. Your organization will save time, resources, and money and avoid the tedious task of manually updating documents every time a new vendor is added to your tech stack. Feroot’s Privacy platform helps you implement a PrivacyOps framework that will: • unify, automate and coordinate all aspects of GDPR Subject Access Request compliance obligations. • manages all stakeholder touchpoints automatically • support your organization’s ability to process requests efficiently • document responses for compliance and legal purposes PrivacyOps Framework Feroot is an award-winning PrivacyOps platform that helps you operationalize privacy management across all departments and data silos. We help organizations instantly transform their static data map into a dynamic, continually updated, and accurate data registry. Want to learn more about Feroot? Contact sales@feroot.com Our mission is to turn privacy compliance into your competitive advantage.