
Privacy Insight Series

Winter / Spring 2017 Webinar Program

Privacy Program Management: A Framework for Success
March 23, 2017

TRUSTe Inc., 2017

Powering Privacy Compliance and Trust


Today's Speaker

Hilary Wandall
General Counsel
Chief Data Governance Officer
TRUSTe

Privacy Insight Series - truste.com/insightseries


Today's Agenda

Welcome & Introductions
Policy and Regulatory Origins and Developments
Choosing a Model
Framework for Core Program Elements
3Ds: Design, Document & Demonstrate
Q&A



Policy and Regulatory Origins and Developments


Policy and Regulatory Origins
OECD Privacy Guidelines 1980
o Accountability Principle
PIPEDA (Canada) 2000
o Accountability Principle
APEC Privacy Framework 2005
o Accountability Principle
CIPL Accountability Project 2008
APEC CBPRs 2011
Canada Privacy Management Program 2012
Revised OECD Privacy Guidelines 2013
o Privacy Management Programme
EU GDPR 2016



OECD Privacy Guidelines 2013
New Part III: Implementing Accountability
Establish a Privacy Management Programme
o Implements requirements of the Guidelines
o Tailored based on structure, scale, sensitivity and volume of the operations (risk factors)
o Safeguards implemented based on privacy risk assessment
o Integrated with organizational governance and oversight mechanisms
o Inquiry and incident response mechanisms
o Update based on monitoring and periodic assessment
Demonstrate the programme to regulators and others responsible for enforcement


EU GDPR Example Provisions
Article 5.2
Controllers are responsible for demonstrating compliance with the principles of:
o Lawfulness, fairness and transparency
o Purpose limitation
o Data minimization
o Accuracy
o Storage limitation
o Integrity and confidentiality
Article 24
Controllers are responsible for implementing organizational and technical measures to ensure and demonstrate that processing is compliant, such as policies and procedures, codes of conduct, or certification
Article 39: Tasks of the DPO
Advice, monitoring compliance, awareness, training, audits

Choose a Model
Consider organizational structure
o Where are you headquartered?
o Centralized versus distributed
o Is central coordination possible and effective?
o How do other organizational governance functions operate?
Consider functional alignment and coordination
o Which organizational area is best suited to support sustainable success of the program?
o Is there a strong executive champion?
o What levels of cross-functional coordination are needed: strategic vs. tactical?
Consider legal requirements, ethical obligations and risk
o Legal drivers, culture toward ethical and CSR considerations
o Organizational risk tolerance
Aligning Organizational Governance & Oversight

[Diagram: Privacy at the centre, surrounded by the governance functions it aligns with: Compliance, Ethics, Legal, CSR, Regulatory, Government Affairs, IT, Risk Mgmt., Data & Records Mgmt. and Business Analytics]


Aligning Organizational Governance & Oversight

Elements of an Effective Ethics and Compliance Program
o Establish Policies, Procedures and Controls
o Exercise Effective Compliance & Ethics Oversight
o Exercise Due Diligence (third party risk)
o Communicate and Educate Employees
o Monitor and Audit for Effectiveness
o Ensure Consistent Rewards and Sanctions
o Incident Response and Prevention


Framework for Core Program Elements

Build Your Program: 6 Essential Elements

Build: Establish, maintain and evolve an integrated privacy and data governance program aligned with other data management and information risk functions such as security, IP, trade secret protection and e-discovery. Learn and Evolve Over Time.

Integrated Governance: Identify stakeholders. Establish program leadership and governance. Define program mission, vision and goals.
Risk Assessment: Identify, assess and classify data-related strategic, operational, legal compliance and financial risks.
Resource Allocation: Establish budgets. Define roles and responsibilities. Assign competent personnel.
Policies & Standards: Develop policies, procedures and guidelines to define and deploy effective and sustainable governance and controls for managing data-related risks.
Processes: Establish, manage, measure and continually improve processes for PIAs, vendor assessments, incident management and breach notification, complaint handling and individual rights management.
Awareness & Training: Communicate expectations. Provide general & contextual training.
Demonstrate Your Program: 2 Core Standards

Demonstrate: Demonstrate program and practices compliance, maturity, responsibility and value to organizational leadership, regulators, customers, other stakeholders through monitoring, assurance, reporting and certification. Learn and Evolve Over Time.

Monitoring & Assurance: Evaluate and audit effectiveness of controls and risk mitigation initiatives.
Reporting & Certification: Demonstrate the value and effectiveness of your program and controls to customers, employees, management, the board of directors, regulators and the public.


3Ds: Design, Document, Demonstrate

Tools to Build and Demonstrate Your Program

Supported by the TRUSTe Data Privacy Management Platform



Privacy & Data Governance Program Assessment



Questions?

Contact
Hilary Wandall
hilary@truste.com


Thank You!
See http://www.truste.com/insightseries for the 2017 Privacy Insight Series and past webinar recordings.