Changing Role of the CPO in Today's Privacy Ecosystem

September 22, 2016

Privacy Insight Series - truste.com/insightseries

TRUSTe Inc., 2016

Today's Speakers

Hilary Wandall, General Counsel & Chief Data Governance Officer, TRUSTe
Scott Taylor, AVP Compliance & Chief Privacy Officer, Merck & Co., Inc.
Barbara Lawler, Chief Privacy Officer, Intuit

Today's Agenda

Welcome & Introductions
Evolution of the Role
Core Responsibilities
Making it Operational
Addressing the EU GDPR's DPO Requirements
Q&A

Evolution of the Role


How the role has developed over more than a half century

1970s: First Privacy Officer positions were created in Germany
1991: First CPO appointed in the U.S.
2002: International Association of Privacy Professionals (IAPP) created
2003: HIPAA Privacy Officer positions required in the U.S.
2007: EU WD 153 - Elements and Principles for BCRs - Governance
2011: Designated individual required by APEC Cross-Border Privacy Rules
2004-2014: Data Protection Officer (DPO) roles required outside the U.S. and EU, such as Canada, Colombia, Ghana, India, Israel, Korea, Mexico, Montenegro, Philippines, Russia, Singapore, South Africa, Ukraine
2016: U.S. Federal Agencies required to appoint a Senior Agency Official for Privacy (SAOP)
2018: GDPR requires appointment of mandatory DPOs with specific statutory criteria for expertise, professional qualities, responsibilities, resourcing, independence and reporting

Core Responsibilities


Program Goals: Compliance. Accountability. Governance.

Driven by organizational experience, culture, resources, business aspirations

Regulatory Compliance
- Privacy notices
- Consents
- Opt-outs
- Contracts
- Security program
- Breach management and notification
- Complaint and individual rights requests handling

Accountability & Stewardship
Regulatory Compliance +
- Management ownership
- Privacy leader or team
- Comprehensive policies
- Awareness and training
- Risk assessment
- Privacy by design
- Ongoing assurance
- Continuous improvement

Strategic Data Governance
Accountability +
- Holistic approach
- Interoperable across jurisdictions
- Data as an asset
- Integrated with other data-driven obligations, e.g.: data security, IP & trade secrets, e-discovery, records management

[Chart] According to IAPP-EY Annual Privacy Governance Report 2016

Privacy Framework (Effective Approach / Oversight / Demonstration)

Identify Risks and Opportunities

Commitment
- Solid policies aligned to external criteria
- Management commitment
- Full transparency

Integrated Governance

Implementation
- Mechanisms to ensure policies and commitments are put into effect with employees

Validation
- Monitoring and assurance programs that validate both coverage and effectiveness of implementation

Demonstration
- Demonstrate capacity to internal stakeholders (Management, Internal Audit, Board)
- Demonstrate capacity to external stakeholders (Trust Agents, Regulators)
- Demonstrate capacity to individual data subjects

Data Stewardship in an Evolving Digital World

Is the role of the CPO changing?

[Diagram] Intuit PbD & PIA: Customer first, Product-focused; Privacy in products and services; Products; Ecosystems; Data governance and privacy across product ecosystems

What Remains the Same
- Promoting trust online (and offline)
- Global and local tensions about appropriate and ethical collection, transfer and uses of data
- Data Stewardship Principles and FIPPs-based privacy policies

What's Changed
- Enabling or driving innovation
- Promoting digital trust everywhere
- Data at the center of every discussion
- Robust analytics, machine learning, A.I.
- Platforms and distributed services
- Demonstrating (and documenting) compliance

Making it Operational


Putting Policies and Standards into Practice

We often hear from privacy professionals who are starting up a program, or looking to take it to the next stage, that they find it difficult to translate legal opinions and the letter of laws and regulations into effective, sustainable practices within their organizations.

1. How have you addressed this challenge in your career?
2. Are there any best practices that you would recommend?
3. Do you have any insights for SMEs?

Addressing the GDPR's DPO Requirements

[Chart] According to IAPP-EY Annual Privacy Governance Report 2016

Compliance and Accountability: EU GDPR DPO Role

Controllers and Processors are Required to Appoint If:
- The organization's core activities consist of processing on a large scale of sensitive data (e.g., health, race, ethnicity, biometric, religion) or criminal data
- The organization's core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale
- Processing is carried out by a public authority or body
- Mandated by EU country law (e.g., Germany)

DPO Competencies
- Expertise in data protection law
- Professional qualities (e.g., leadership, communications, program management, business acumen, understanding of technology, strategic thinking, influence)

Role and Responsibilities
- Governance: employee or contractor; a single appointee for a corporate group as long as readily accessible from any location of the organization
- Transparency: DPO contact details published and communicated to DPAs
- Professional responsibility: independent decisions, reports to senior management, no conflicts, protected from dismissal, duty of confidentiality
- Training and awareness of staff
- Monitoring and assurance: advice to staff on obligations and assurance of implementation, risk assessment, consultation and monitoring on DPIAs, auditing
- Complaint handling: individuals can raise concerns and exercise rights with the DPO
- Regulatory liaison: primary contact to DPAs, cooperation with DPAs on complaints, investigations, demonstration of organizational accountability, prior consultation on DPIAs and breaches
- Organizational support and resources: organizations must ensure timely and proper involvement of the DPO in all data protection-related issues, as well as provide proper resources for the DPO to fulfill responsibilities and maintain expertise

[Chart] According to IAPP-EY Annual Privacy Governance Report 2016

Questions?


Contacts

Hilary Wandall - hilary@truste.com
Scott Taylor - scott.taylor3@merck.com
Barb Lawler - barbara_lawler@intuit.com

Thank You!

Details of our 2016 Summer/Fall Webinar Series are now available. Register now for our next webinar on October 21: Building a Privacy Governance Program.

See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.