2: Privacy Program Framework: Privacy Governance Flashcards
Privacy Governance
The components that guide a privacy function toward compliance with laws and regulations and enable it to support the organization’s broader business objectives
Organizational Privacy Vision and Mission Statement
* Lays the groundwork for the privacy program
* Should align with the organization’s broader purpose and business objectives
* Refined with feedback from key stakeholders and reviewed and approved by executive leadership
* Describes the purpose and ideas in just a few sentences
Defining Privacy Program Scope
- Identify what personal info the org collects, uses, stores and processes
Advice is to take a robust approach, for example hiring an outside consultancy to assess where personal information is collected, stored, used and shared.
Final state: a documented data inventory
- Identify in-scope privacy and data protection laws and regulations
Understand the data lifecycle, consider global perspectives and remain aware of the global and local regulatory landscape.
Develop and Implement a Framework
“Frameworks can be broadly grouped into three categories: principles and standards; laws, regulations and programs; and privacy program management solutions.”
Frameworks are essentially a benchmark for a privacy program to measure itself against.
Key Questions:
Are privacy and the organization’s privacy risks properly defined and identified in the organization?
Has the organization assigned responsibility and accountability for managing a privacy program?
Does the organization understand any gaps in privacy management?
“A rationalized approach that seeks to address both sets of requirements would result in the organization establishing a standard access process that generally meets the demands of many countries, with a local process that meets specific time frame requirements for individuals in EU countries only.”
This rationalized approach is contrasted with the strictest-standard approach, in which the most demanding requirement is applied everywhere.
Technology and GRC tools are invaluable
Privacy Strategy
“There are no shortcuts, and every individual within an organization contributes to the success of the privacy program.”
“The first major step in building a coalition of supporters is to conduct informal one-on-one conversations with executives within the organization who have accountability for information management and/or security, risk, compliance or legal decisions.”
Identify a champion who serves as a sponsor of privacy
“Conduct a privacy workshop for stakeholders to level the privacy playing field by defining privacy for the organization, explaining the market expectations, answering questions, and reducing confusion.”
Keep a record of ownership
Privacy Team Structure
Centralized: One team or one person primarily responsible for Privacy
Decentralized: Bottom-up decision making
“delegating decision-making authority down to the lower levels in an organization, at a distance from and below a central authority.”
Hybrid: An individual or team is responsible for decision making, local entities fulfill and support the policies and directives
Organization Structure and RACI
Define roles and responsibilities; map out the hierarchy, complexity and type of structure.