Privacy is on the minds of people everywhere, including your customers and users. Along with a flurry of new legislation that is already in place or in progress around the world, or in the US states you operate in, having a formal privacy program in your company or organization is becoming mandatory. This webinar covers the basics of how to start a privacy program for organizations of all sizes. Secratic's Managing Partner and Founder, Daniel Ayala, will also review how to build privacy into the products and services you sell to achieve a better competitive advantage and build the trust of your customers, employees and business partners.
How to Build a Privacy Program
1. HOW TO BUILD A PRIVACY PROGRAM
SECRATIC WEBINAR SERIES #2
THURSDAY 9 JANUARY 2020
Daniel Ayala (@buddhake)
Managing Partner
2. Secratic was built on the premise that a strong bridge between information security and privacy and the broader company can help a business not just succeed, but flourish.
Secratic provides strategic security and privacy advisory to growing companies, drawing on decades of global enterprise experience, and helps its clients find the right balance in concert with the business at hand by acting as their outside CISO/CPO. By spending ample time getting to know these companies, Secratic uses that insight to give contextual, informed guidance on topics such as risk, compliance and incident response, and ensures that a company's security and privacy programs properly align with what the business needs and does.
9. PCI
Credit card processing security, privacy and reporting requirements
HIPAA
Protected Health Information (PHI) privacy, including policy, process and technical controls
PRIVACY SHIELD
Proves equivalency by US companies to EU and Switzerland definitions of data protection
10. California Consumer Privacy Act (CCPA)
Minimal Discrimination
Restriction on Sale of Personal Info
Breach Notification*
Right to Access*
Right to be Forgotten*
Data Portability*
Privacy by Design*
Data Protection Officers*
Data Rectification*
11. General Data Protection Regulation (GDPR)
Increased territorial scope
Consent
Breach Notification*
Right to Access*
Right to be Forgotten*
Data Portability*
Privacy by Design*
Data Protection Officers*
Data Rectification*
18. Now add in transparency
[Chart: Fully Open / Fully Collecting versus Fully Private / Fully Secure, plotted against Utility]
Better informed
Still want utility
Might make better choices
It’s clear what is collected
It’s clear what it is used for
It’s clear who they share it with
It’s clear how long they keep it
It’s presented so that average beings can read it quickly and clearly
19. Now add in transparency and choice
[Chart: Fully Open / Fully Collecting versus Fully Private / Fully Secure, plotted against Utility]
OMG!
I can use w/o sharing everything?
I can decide what to share?
It’s clear what is collected
It’s clear what it is used for
It’s clear who they share it with
It’s clear how long they keep it
It’s presented so that average beings can read it quickly and clearly
20. Finally, add trust (but verify) and accountability
[Chart: Fully Open / Fully Collecting versus Fully Private / Fully Secure, plotted against Utility]
I can trust because I’ve verified
They do what they say they do
More value, more control
Data security practices
Depersonalisation (and even better, aggregation)
Retention (GET RID OF IT FAST!)
Use an identity that users care about and protect
23. What type of company are you?
Data slurper?
Risk Averse?
Bleeding Edge?
Fast Follower?
Data Economy Mandate?
Consider your culture, and that of your customer
24. What are your regulatory requirements?
What is your customer culture?
What jurisdictions are you operating in?
How can you build support for a privacy program?
What is your company culture?
25. Find some champions with influence, get them on board and have them flow the message.
Communicate like mad!
ORGANISATIONAL CHANGE MANAGEMENT MINDSET
Competitive advantage
Improve customer sentiment/trust
Enable later (ethical) data use
FIND WAYS TO TIE TO BUSINESS VALUE
Look Inside
Build Support
30. How does data move from system to system?
Who has access to it?
Who do you share it with? Why?
Who processes it for you? Have you reviewed their security and privacy controls?
36. Integrate reviews into the product lifecycle
Integrate reviews into the development lifecycle
Tie Into the Data Use IRB
Privacy by Design
37. Privacy by Design (rolls into existing product management planning processes)
Data Pseudonymisation of individuals in storage, separation of people data
Data Retention (Define the length of keeping data, and purge accordingly)
REMEDIATION BY BUSINESS/TECHNOLOGY
38. Clear, concise disclosure of data collected, processed, used, shared, and consent kept w/ recall
Cookie acceptance before cookie is dropped and consent w/ recall
REMEDIATION BY BUSINESS/TECHNOLOGY
39. Request & process for what we know, right to be forgotten, data correction
Store personal data securely (access control, encryption, deletion)
Add link to privacy notice to all pages and applications
REMEDIATION BY BUSINESS/TECHNOLOGY
41. Focus on things like data collection, data use policies and reasons. Help them understand why it's important and what can happen to the organisation and customers if the rules are not followed.
Educate Colleagues
43. Privacy Policy
Build Trust & Customer Confidence
Data Subject Access Requests & Don't Sell
Descriptive Privacy Site
Privacy as a Business Differentiator
Communicate With Transparency
45. Register with: US Privacy Shield and EU Data Processing Authority (DPA)
Document your data flows and IRB outcomes
Declare compliance with any others?
Review your third parties for both security and privacy compliance
47. Privacy Laws & Changes
IAPP (https://iapp.org)
Bloomberg Law (https://news.bloomberglaw.com)
Cybersecurity Insurance
Insurance acts as a last-mile risk assurance in case of incidents. But know what it covers (and what it doesn't).
News, Analysis & Business Impacts
Privacy Maven (https://maven.secratic.com)
Lawfare (https://lawfare.com)
Lexology (https://lexology.com)
Connect with your General Counsel
If you are not an attorney, you will want to build a relationship with one. If you are an attorney, you may want to also have expert outside counsel for specific questions.
Prepare for Incidents
Data incidents happen quickly, and require very fast response under regulations. Plan your incident beforehand, and consider retaining an incident response expert to guide and advise before and during an incident.
49. In Summary...
Security, privacy and compliance are closer than ever and growing closer
Privacy is a topic that customers are taking seriously, and it is part of business
Not only that, robust and transparent privacy can be a business enabler
The privacy world is in a very large state of flux, especially in the US, so keep up to date on happenings around the states
You don’t have to boil the ocean to get a privacy programme going. Start with your most important data
Think about the ways that data can be used for bad, along with how it can be used for good, as uses are developed.
Push back on the idea that if some data is good, then more data is better. Use governance to agree on the ethics, legal and security approach. Balance!
Depersonalization of data alone doesn’t actually keep it private
Location and biometrics will see increased challenge both in courts of law and courts of public opinion.
On privacy, be Gretzky: skate to where the puck is going, not where it is now.
Transparency and leaning into security, privacy and compliance in tech builds trust and reputation.