How to Build a Privacy Program
Secratic Webinar Series #2
Thursday 9 January 2020
Daniel Ayala (@buddhake), Managing Partner
Secratic was built on the premise that a strong bridge between information
security and privacy and the broader company can help a business not just
succeed, but flourish.
Secratic provides strategic security and privacy advisory to growing
companies through the benefit of decades of its global enterprise
experience and helps its clients find the right balance in concert with the
business at hand by acting as their outside CISO/CPO. By spending ample
time getting to know these companies, Secratic uses that insight to give
contextual, informed guidance on topics such as risk, compliance and
incident response, and ensures that a company's security and privacy
programs properly align with what the business needs and does.
Privacy Maven: curated privacy news, via web or RSS
https://maven.secratic.com
What is Privacy?
The state or condition of being free from being observed or disturbed by other people.
Privacy in the News
https://www.theinformation.com/articles/apples-ad-targeting-crackdown-shakes-up-ad-market
https://www.billboard.com/articles/business/legal-and-management/8545568/tiktok-class-action-lawsuit-child-privacy
https://live.ces.tech/detail/videos/streaming/video/6115374727001/chief-privacy-officer-roundtable:-what-do-consumers-want
Step 1: Look At Yourself in the Mirror
What are your regulatory requirements?
PCI: credit card processing security, privacy and reporting requirements
HIPAA: Protected Health Information (PHI) privacy, including policy, process and technical controls
Privacy Shield: proves equivalency by US companies to EU and Switzerland definitions of data protection
California Consumer Privacy Act (CCPA): minimal discrimination; restriction on sale of personal info; breach notification*; right to access*; right to be forgotten*; data portability*; privacy by design*; data protection officers*; data rectification*
General Data Protection Regulation (GDPR): increased territorial scope; consent; breach notification*; right to access*; right to be forgotten*; data portability*; privacy by design*; data protection officers*; data rectification*
https://iapp.org/resources/article/state-comparison-table/
What jurisdictions are you operating in?
What is your customer culture?
The Creepy Line
http://creepyline.com
Balance: Security & Privacy vs. Utility
Balance (chart: Fully Open / Fully Collecting at one end, Fully Private / Fully Secure at the other, plotted against Utility)
Uninformed user: "??? What do I pick?" Huge utility, huge data disclosure.
Now add in transparency (same chart)
Better informed, still want utility, might make better choices:
It’s clear what is collected
It’s clear what it is used for
It’s clear who they share it with
It’s clear how long they keep it
It’s presented so that average beings can read it quickly and clearly
Now add in transparency and choice (same chart)
OMG! I can use it without sharing everything? I can decide what to share?
The transparency points above still apply: what is collected, what it is used for, who they share it with, how long they keep it, presented so that average beings can read it quickly and clearly.
Finally, add trust (but verify) and accountability (same chart)
I can trust because I’ve verified. They do what they say they do. More value, more control.
Data security practices
Depersonalisation (and even better, aggregation)
Retention (GET RID OF IT FAST!)
Use an identity that users care about and protect
Trust
What is your company culture?
What type of company are you? Data slurper? Risk averse? Bleeding edge? Fast follower? Data economy mandate?
Consider your culture, and that of your customer.
Look inside: What are your regulatory requirements? What jurisdictions are you operating in? What is your customer culture? What is your company culture?
How can you build support for a privacy program?
Organisational change management mindset: find some champions with influence, get them on board and have them carry the message. Communicate like mad!
Find ways to tie to business value: competitive advantage; improved customer sentiment/trust; enabling later (ethical) data use.
Look Inside. Build Support.
Step 2: What Do You Have?
What data do we have? What is sensitive? How is it protected? How does the data flow?
Coexistence of privacy and security (diagram)
Step 3: What Do You Do With Your Data?
How does data move from system to system?
Who has access to it?
Who do you share it with? Why?
Who processes it for you? Have you reviewed their security and privacy controls?
Step 4: Data Governance & Ethics
Data Use Institutional Review Board (the Data Use IRB model)
Who is responsible? (aka the Data Protection Officer)
Ethical boundaries exercise
Annual review
Step 5: Privacy By Design
Integrate reviews into the product lifecycle
Integrate reviews into the development lifecycle
Tie into the Data Use IRB
Remediation by business/technology:
Privacy by Design (rolls into existing product management planning processes)
Data pseudonymisation of individuals in storage, separation of people data
Data retention (define the length of keeping data, and purge accordingly)
Clear, concise disclosure of data collected, processed, used and shared, with consent kept and recallable
Cookie acceptance before the cookie is dropped, with consent kept and recallable
Request & process for what we know, right to be forgotten, data correction
Store personal data securely (access control, encryption, deletion)
Add link to privacy notice to all pages and applications
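The pseudonymisation-with-separated-people-data and retention controls from the remediation list above, together with the earlier depersonalisation/aggregation and "get rid of it fast" points, as an added Python illustration; this is not Secratic's code, and the two store classes, the key, the people and the event dates are all constructed for the example.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone


class PeopleStore:
    """Holds direct identifiers and the secret pseudonymisation key.

    This is the only component able to map a pseudonym back to a person,
    which is what "separation of people data" buys you: the analytics side
    never sees names or e-mail addresses.
    """

    def __init__(self, key: bytes):
        self._key = key          # held only here, never copied to the event side
        self._people = {}        # pseudonym -> identifying record

    def pseudonym(self, user_id: str) -> str:
        # Keyed hash: without the key a pseudonym can be neither recomputed
        # nor reversed, unlike a plain SHA-256 of a guessable user id.
        return hmac.new(self._key, user_id.encode("utf-8"), hashlib.sha256).hexdigest()

    def register(self, user_id: str, name: str, email: str) -> str:
        p = self.pseudonym(user_id)
        self._people[p] = {"user_id": user_id, "name": name, "email": email}
        return p

    def resolve(self, pseudonym: str):
        return self._people.get(pseudonym)

    def forget(self, user_id: str) -> bool:
        # Right to be forgotten: dropping the identity record leaves any
        # remaining events unlinkable to a person from this side.
        return self._people.pop(self.pseudonym(user_id), None) is not None


class EventStore:
    """Holds behavioural records keyed only by pseudonym, under a retention limit."""

    def __init__(self, retention_days: int):
        self.retention = timedelta(days=retention_days)
        self._events = []

    def record(self, pseudonym: str, kind: str, when: datetime) -> None:
        self._events.append({"subject": pseudonym, "kind": kind, "at": when})

    def events_for(self, pseudonym: str) -> list:
        return [e for e in self._events if e["subject"] == pseudonym]

    def purge_expired(self, now: datetime) -> int:
        # Retention: everything older than the defined period is removed.
        cutoff = now - self.retention
        before = len(self._events)
        self._events = [e for e in self._events if e["at"] >= cutoff]
        return before - len(self._events)

    def aggregate(self) -> dict:
        # Aggregation drops the subject entirely; pseudonymised rows can
        # still single a person out by their pattern of activity.
        counts = {}
        for e in self._events:
            counts[e["kind"]] = counts.get(e["kind"], 0) + 1
        return counts


def subject_access_report(people: PeopleStore, events: EventStore, user_id: str) -> dict:
    """Data subject access request: identity record plus that person's events."""
    p = people.pseudonym(user_id)
    return {"identity": people.resolve(p), "events": events.events_for(p)}


def demo() -> dict:
    # Constructed sample data and key, not taken from any real system.
    people = PeopleStore(key=b"example-key-held-only-by-people-store")
    events = EventStore(retention_days=90)
    now = datetime(2020, 1, 9, tzinfo=timezone.utc)
    p_alice = people.register("u-1001", "Alice Example", "alice@example.com")
    events.record(p_alice, "login", now - timedelta(days=120))   # past retention
    events.record(p_alice, "login", now - timedelta(days=5))
    events.record(p_alice, "purchase", now - timedelta(days=1))
    purged = events.purge_expired(now)
    report = subject_access_report(people, events, "u-1001")
    forgotten = people.forget("u-1001")
    return {
        "purged": purged,
        "report_events": len(report["events"]),
        "forgotten": forgotten,
        "resolves_after_forget": people.resolve(p_alice),
        "events_left": len(events.events_for(p_alice)),
        "aggregate": events.aggregate(),
    }


if __name__ == "__main__":
    print(demo())
```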
Step 6: Educate Colleagues
Focus on things like data collection, data use policies and reasons. Help them understand why it's important and what can happen to the organisation and customers if the rules are not followed.
Step 7: Communicate With Transparency
Privacy policy
Build trust & customer confidence
Data subject access requests & Don't Sell
Descriptive privacy site
Privacy as a business differentiator
Step 8: Documentation & Such
Register with: US Privacy Shield and EU Data Processing Authority (DPA)
Document your data flows and IRB outcomes
Declare compliance with any others?
Review your third parties for both security and privacy compliance
Step 9: Stay Informed (and Plan Ahead)
Privacy laws & changes: IAPP (https://iapp.org); Bloomberg Law (https://news.bloomberglaw.com)
Cybersecurity insurance: insurance acts as a last-mile risk assurance in case of incidents. But know what it covers (and what it doesn't).
News, analysis & business impacts: Privacy Maven (https://maven.secratic.com); Lawfare (https://lawfare.com); Lexology (https://lexology.com)
Connect with your General Counsel: if you are not an attorney, you will want to build a relationship with one. If you are an attorney, you may want to also have expert outside counsel for specific questions.
Prepare for incidents: data incidents happen quickly, and require very fast response under regulations. Plan your incident response beforehand, and consider retaining an incident response expert to guide and advise before and during an incident.
The Steps
In Summary...
Security, privacy and compliance are closer than ever and growing closer.
Privacy is a topic that customers are taking seriously, and it is part of business.
Not only that, robust and transparent privacy can be a business enabler.
The privacy world is in a very large state of flux, especially in the US, so keep up to date on happenings around the states.
You don’t have to boil the ocean to get a privacy programme going. Start with your most important data.
Think about the ways that data can be used for bad, along with how it can be used for good, as new uses are developed.
Push back on the idea that if some data is good, then more data is better. Use governance to agree on the ethics, legal and security approach. Balance!
Depersonalisation of data alone doesn’t actually keep it private.
Location and biometrics will see increased challenge both in courts of law and courts of public opinion.
On privacy, be Gretzky: skate to where the puck is going, not where it is now.
Transparency and leaning into security, privacy and compliance in tech builds trust and reputation.
Privacy is dead... not yet. It's still not great, but it's getting better.
The future of privacy is interesting.
Twitter: @secraticllc, @buddhake
LinkedIn: /company/secratic, /in/danielaayala
Email: info@secratic.com, daniel@secratic.com