Hong Kong Accountability Benchmarking Micro-Study. Nymity Accountability Workshop 10 June 2015, Office of the PCPD, Hong Kong


Interactive Workshop

What we will do:
- Provide background on the Study and the Nymity Accountability Research that supports Benchmarking
- Discuss highlights of the Study and analysis of privacy management programs in participating organizations
- Guide you through learning how to benchmark your own privacy management program
- Learn from your experience and knowledge

Your participation:
- Interact: share your experiences and perspectives
- Gain insight on core privacy initiatives for accountable privacy management
- Ask a lot of questions
- Help shape the future of Accountability Research and Reports

What will you leave with?
The latest insights on privacy management programmes and accountability benchmarking, and practical knowledge to measure and enhance your organization's privacy management performance by learning:
- How does my privacy management program compare to others?
- In which privacy activities have most organizations invested?
- What are the privacy management program priorities for the future?

Attendees will receive:
1. A copy of the Hong Kong Accountability Benchmarking Micro-Study Report and Workshop presentation
2. Nymity Benchmarking Worksheet Template
3. Nymity Privacy Management Program Accountability Framework
4. Hong Kong PMP Best Practice Guide

BACKGROUND

PCPD and Nymity Collaborated to Conduct the Micro-Study
- The PCPD has advocated and promoted the adoption of Privacy Management Programmes (PMP) in organizations as a strategic framework to protect personal data privacy
- A Best Practice Guide to facilitate organizations to embrace personal data protection and implement good practices was published on 18 February 2014
- Key data users in Hong Kong have pledged to implement PMP in their respective organizations

Introducing Nymity: A Data Privacy Research Company
- Focus: Dedicated to global data privacy compliance research
- Established: 2002
- Headquarters: Toronto, Canada
- Research: Inventor of several compliance methodologies and frameworks
- Funding: Partially funded by government R&D grants

Solutions for the Privacy Office
- Privacy Management Solutions: Nymity Attestor, Nymity Benchmarks, Nymity Templates
- Compliance Research Solutions: PrivaWorks, Nymity MofoNotes, Nymity LawTables

Nymity is a global data privacy compliance research company specializing in accountability, risk, and compliance software solutions for the Privacy Office. Nymity's suite of software solutions helps organizations attain, maintain, and demonstrate data privacy compliance. Nymity's research is funded in part by government research and development grants.

Nymity Privacy Management Accountability Framework
- Nymity views privacy management as a set of ongoing organizational privacy management activities, not a checklist
- Accountability = responsible privacy management activities
- For years, Nymity has been conducting ongoing research through workshops, implementations of privacy management solutions, creation of templates, and Nymity's traditional research, all of which is global, jurisdictionally neutral, and sector/industry neutral
- The Framework was developed to communicate the status of the privacy program, i.e. to demonstrate accountability (13 processes, 152 Privacy Management Activities (PMAs))

Nymity Privacy Management Accountability Framework: Background
Each privacy management process contains a number of Privacy Management Activities (PMAs), each of which is supported by a Scope and a Business Case. For example:

PMA: Maintain job descriptions for individuals responsible for data privacy (e.g. data protection officers)

Scope: To help the organization meet its privacy mission statement and legal obligations around appointing data protection officers, individuals responsible for privacy have clear roles and job descriptions. Roles that may be defined include: Chief Privacy Officer; Privacy Managers; Data Protection Officers (DPO); Privacy Analysts; business-line privacy leaders/stewards; and incident response team members. Sectoral and regional salary and benefit determination is outside the scope of this privacy management activity.

Business Case: At many organizations, privacy is a new or still-undeveloped organizational function, but all organizations are critically dependent on the work of their people to achieve privacy compliance. If an organization has not clarified its privacy roles and responsibilities, it is much less likely to be successful with other tasks related to privacy compliance; e.g., if responsibility for privacy training and awareness has not yet been assigned, the probability is high that this job is not being done adequately. Therefore, defining clear roles and responsibilities in a job description is an essential prerequisite for all privacy activities. The benefits of having specific documented role and responsibility statements include:
- Greater respect and greater resources
- Demonstrable senior management support
- Clarifying the privacy function and where it fits into the organizational structure
- Development of formal communication channels with senior management that can be used to help get important projects underway
- Proactive privacy compliance
- Reduced cost of adequately handling privacy
- Legal compliance

Hong Kong Privacy Management Programme Benchmarking Research MEASURING ACCOUNTABILITY

Nymity Benchmarking Research: Participating Organizations
- 16 organizations
- Pledging organizations and members of the DPOC
- All have a Privacy Office
- In various stages of implementing a privacy management programme
Data as of 3 September 2014

Nymity Privacy Management Benchmarking Research
The 16 organizations identified each of the 152 Privacy Management Activities as one of:
- Implemented: in place, and classified as either Core (fundamental to privacy management, mandatory) or Elective (advanced, beyond the minimum required)
- Planned: in progress, or scheduled to be implemented in the next 12 months
- Desired: the privacy office could anticipate or wish to implement it if there were no resource constraints
- N/A: not desired, required, applicable or justified based on privacy risk and business priorities

Research Results: Privacy Management Activity Status (chart; only the Implemented count survives in the transcription): 97 Implemented

Topics
- Overview of Privacy Management
- Top Implemented Privacy Management Activities
- Top Desired Privacy Management Activities
- The Status of Privacy Management in Relation to the PMP Best Practice Guide

Overview of Privacy Management: TOP IMPLEMENTED AND DESIRED ACTIVITIES

Top Implemented Activities Prioritize Compliance with the PDPO
Implemented activities are those that are resourced, developed, maintained, and documented.
Implemented (%): Privacy Management Activity (PDPO Section / DPP or Code; "-" = no specific provision)
- 100%: Maintain a data privacy policy (DPP 5)
- 100%: Integrate data privacy into records retention practices (DPP 2)
- 100%: Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring) (DPP 4)
- 100%: Provide data privacy notice at all points where personal data is collected (DPP 1; ss. 35C, 35J)
- 100%: Maintain procedures to respond to access/correction requests (DPP 6; ss. 17A, 25, 27, 28 and 29)
- 100%: Maintain policies/procedures for collecting consent preferences (DPP 3)
- 100%: Maintain data privacy requirements for third parties (e.g., vendors, processors, affiliates) (DPP 2, 4; s. 65)
- 100%: Maintain procedures to restrict access to personal information (e.g. role-based access, segregation of duties) (DPP 4)
- 100%: Maintain policies/procedures for collection and use of sensitive personal data (including biometric data) (DPP 1, 3)
- 100%: Integrate data privacy into employee background check practices (Code of Practice on HR Management)
- 100%: Maintain a data privacy notice for employees (processing of employee personal data) (Code of Practice on HR Management)
- 100%: Assign accountability at a senior level (-)

Top Implemented Activities (cont.)
- 93%: Maintain a separate employee data privacy policy (Code of Practice on HR Management)
- 93%: Maintain policies/procedures for secure destruction of personal data (DPP 4)
- 93%: Maintain procedures to address complaints (-)
- 93%: Allocate resources to adequately implement and support the privacy program (e.g. budget, personnel) (-)
- 93%: Maintain procedures to execute contracts or agreements with all processors (DPP 2, 4; s. 65)
- 93%: Maintain policies/procedures for maintaining data quality (DPP 2)
- 93%: Maintain administrative and technical measures to encrypt personal data in transmission and at rest, including removable media (DPP 4)
- 93%: Document guiding principles for consent (DPP 3)

Highest-Ranking Desired Privacy Management Activities Desired activities are defined as those activities that the privacy office could anticipate or wish to implement if there were no resource constraints.

Top Ranked Desired Privacy Management Activities
The top desired activities identified as applicable to privacy management programmes span 5 key privacy management process areas within the Nymity Accountability Framework.

Privacy Management Activity: % Desired
Data Breach
- Conduct periodic testing of breach protocol and document findings and changes made: 60
Monitor for New Operational Practices
- Metrics for PIAs: 60
- Procedures to address issues identified during PIAs: 53
- Privacy by Design framework for all system and product development: 40
- PIA guidelines and templates: 40

Top Ranked Desired Privacy Management Activities (cont.)
Privacy Management Activity: % Desired
Training and Awareness
- Internal data privacy intranet, blog, FAQ etc.: 47
- Second-level training program: 47
- One-time, one-off tactical training and communication around relevant topics: 40
- Deliver a privacy newsletter or incorporate privacy into existing corporate communications: 40
Manage Third Party Risk
- Ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment: 53
- Review long-term contracts for new or evolving data protection risks: 47
Procedures for Inquiries and Complaints
- Customer frequently asked questions: 53
- Metrics for data protection complaints: 47
- Procedures to identify root causes for data protection complaints: 40

Top Implemented and Planned Activities

Benchmarking Exercise

Data as of 4 March 2015

9. Maintain Procedures for Inquiries and Complaints

9. Maintain Procedures for Inquiries and Complaints
Ranking of Implemented "Maintain Procedures for Inquiries and Complaints" Privacy Management Activities
Status of All Organizations (Implemented / Planned / Desired / N/A, %)
1. Maintain procedures to respond to access requests: 100 / 0 / 0 / 0
2. Maintain procedures to address complaints: 93 / 0 / 7 / 0
3. Maintain procedures to respond to requests for information: 93 / 0 / 0 / 7
4. Maintain procedures to respond to requests to update or revise personal data: 87 / 0 / 13 / 0
5. Maintain procedures to respond to requests to opt-out: 86 / 0 / 7 / 7
6. Maintain escalation procedures for serious complaints or complex access requests: 87 / 0 / 13 / 0
7. Maintain procedures to investigate root causes of data protection complaints: 60 / 0 / 40 / 0
8. Maintain metrics for data protection complaints (e.g. number, root cause): 47 / 7 / 46 / 0
9. Maintain customer Frequently Asked Questions: 33 / 0 / 54 / 13

The Status of Privacy Management in Relation to the PMP Best Practice Guide

Highlights
Targeted organizations have made significant strides in proactively embracing privacy and data protection:
- Organizational commitment
- Data inventory
- Data privacy policy and privacy notices
- Core training activities
Additional resources are desired in order to more fully develop key areas of a comprehensive privacy management programme:
- Build-out of PIA processes and procedures, and Privacy by Design
- More training and awareness activities
- Managing third-party risk

Structure of the PMP Best Practice Guide
The PMP Best Practice Guide suggests three management commitments, seven programme controls, and two processes to implement an accountability framework.
Part A: Baseline Fundamentals of a Privacy Management Programme
1. Organisational Commitments
   a. Buy-in from the Top
   b. Data Protection Office and/or Officer
   c. Reporting
2. Programme Controls
   a. Personal Data Inventory
   b. Policies
   c. Risk Assessment Tools
   d. Training and Education Requirements
   e. Breach Handling
   f. Data Processor Management
   g. Communication
Part B: Ongoing Assessment and Revision
   a. Develop an Oversight and Review Plan
   b. Assess and Revise Programme Controls

PMP and Nymity Accountability Framework The aggregated results of the Micro-Study will be discussed within each area of the PMP Best Practice Guide and compared to the actual privacy management activities identified in the Nymity Privacy Management Accountability Framework.

Part A: Baseline Fundamentals of a Privacy Management Programme
A.1 Organizational Commitment (Nymity Accountability Framework: Maintain Governance Structure)
This first component is an internal governance structure that fosters a privacy-respectful culture.
PMP Best Practice Guide:
a) Buy-in from the Top: Top management support is key to a successful privacy management programme and essential for a privacy-respectful culture.
b) Data Protection Officer/Data Protection Office: Organisations should appoint or designate someone to manage the privacy management programme.
c) Reporting: Reporting mechanisms should be established, and reflected in the organisation's programme controls.

A.1 Organizational Commitment (Nymity Accountability Framework: Maintain Governance Structure)
Status of All Organizations (Implemented / Planned / Desired / N/A, %)
1. Assign accountability for data privacy at a senior level: 100 / 0 / 0 / 0
2. Allocate resources to adequately implement and support the privacy program (e.g. budget, personnel): 93 / 0 / 0 / 7
3. Assign responsibility for data privacy throughout the organization: 93 / 7 / 0 / 0
4. Require employees to acknowledge and agree to adhere to the data privacy policies: 87 / 0 / 0 / 13
5. Conduct an Enterprise Privacy Risk Assessment: 80 / 7 / 13 / 0
6. Maintain a privacy strategy: 80 / 7 / 13 / 0
7. Maintain job descriptions for individuals responsible for data privacy (e.g. data protection officers): 80 / 0 / 20 / 0
8. Conduct regular communication between individuals accountable and responsible for data privacy: 80 / 0 / 20 / 0
9. Maintain a privacy program charter/mission statement: 73 / 7 / 13 / 7

A.1 Organizational Commitment (Nymity Accountability Framework: Maintain Governance Structure) (cont.)
Status of All Organizations (Implemented / Planned / Desired / N/A, %)
10. Report, on a scheduled basis, on the status of the privacy program (e.g. board of directors, management board): 73 / 0 / 27 / 0
11. Consult with stakeholders throughout the organization on data privacy matters: 73 / 0 / 27 / 0
12. Integrate data privacy into a Code of Conduct: 73 / 0 / 13 / 13
13. Maintain a strategy to align activities with legal requirements (e.g. address conflicts, differences in standards, creating rationalized rule sets): 73 / 0 / 7 / 20
14. Integrate data privacy into ethics guidelines: 67 / 0 / 7 / 27
15. Integrate data privacy into business risk assessments/reporting: 60 / 0 / 27 / 13
16. Report periodically on the status of the privacy program to external stakeholders, as appropriate (e.g. annual reports, third parties, clients): 33 / 0 / 20 / 47
17. Appoint a representative in member states where the organization does not maintain a physical presence: 13 / 0 / 7 / 80

A.2 Programme Controls (Maps to Several Privacy Management Processes within the Nymity Accountability Framework)
Programme controls form the second component of a privacy management programme. They help ensure that what is mandated in the governance structure is implemented in the organisation.
Data as of 4 March 2015


A.2 (a) Programme Controls: Personal Data Inventory (Nymity Privacy Management Process: Maintain Personal Data Inventory)
Status of All Organizations (Implemented / Planned / Desired / N/A, %)
1. Maintain an inventory of key personal data holdings (what personal data is held and where): 87 / 7 / 7 / 0
2. Classify personal data holdings by type (e.g. sensitive, confidential, public): 80 / 13 / 7 / 0
3. Obtain approval for data processing (where prior approval is required): 80 / 0 / 20 / 0
4. Maintain flow charts for key data flows (e.g. between systems, between processes, between countries): 40 / 0 / 27 / 33

HK Organizations Compared to Global Organizations

A.2 (b) Programme Controls: Policies (Nymity Privacy Management Process: Maintain Data Privacy Policy)
Status of All Organizations (Implemented / Planned / Desired / N/A, %)
1. Maintain a data privacy policy: 100 / 0 / 0 / 0
2. Maintain a separate employee data privacy policy: 93 / 0 / 0 / 7
3. Document guiding principles for consent: 93 / 0 / 7 / 0
4. Document legal basis for processing personal data: 73 / 0 / 13 / 13
5. Obtain board approval for data privacy policy: 67 / 0 / 7 / 27

A.2 (c) Programme Controls: Risk Assessment
Status of All Organizations (Implemented / Planned / Desired / N/A, %)
1. Conduct a security risk assessment which considers data privacy risk: 87 / 0 / 13 / 0
2. Conduct an Enterprise Privacy Risk Assessment: 80 / 7 / 13 / 0
3. Conduct due diligence around the data privacy and security posture of potential vendors/processors: 73 / 0 / 20 / 7
4. Maintain data privacy incident/breach metrics (e.g. nature of breach, risk, root cause): 67 / 7 / 27 / 0
5. Conduct PIAs for new programs, systems, processes: 67 / 0 / 33 / 0
6. Integrate data privacy into business risk assessments/reporting: 60 / 0 / 27 / 13
7. Conduct audits/assessments of the privacy program outside of the Privacy Office (e.g. Internal Audit): 53 / 0 / 33 / 13
8. Conduct ad-hoc walk-throughs: 53 / 0 / 40 / 7
9. Conduct self-assessments managed by the Privacy Office: 47 / 7 / 47 / 0
10. Maintain a Privacy by Design framework for all system and product development: 47 / 0 / 40 / 13
11. Maintain a vendor data privacy risk assessment process: 47 / 0 / 33 / 20
12. Review long-term contracts for new or evolving data protection risks: 40 / 0 / 47 / 13
13. Conduct ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment: 33 / 0 / 53 / 13
14. Conduct assessments through use of third-party verification: 20 / 0 / 33 / 47

A.2 (d) Programme Controls: Training and Education (Nymity Privacy Management Process: Maintain Training and Awareness)
Status of All Organizations (Implemented / Planned / Desired / N/A, %)
1. Maintain a core training program for all employees: 80 / 0 / 20 / 0
2. Conduct training for newly appointed employees upon assignment to privacy-sensitive positions: 80 / 0 / 20 / 0
3. Integrate data privacy into other training programs, such as HR, security, call centre, retail operations training: 80 / 0 / 13 / 7
4. Provide ongoing education and training for the Privacy Office (e.g. conferences, webinars, guest speakers): 80 / 0 / 20 / 0
5. Conduct regular refresher training to reflect new developments: 73 / 0 / 27 / 0
6. Measure participation in data privacy training activities (e.g. numbers of participants, scoring): 73 / 0 / 27 / 0
7. Maintain ongoing awareness material (e.g. posters and videos): 67 / 0 / 27 / 7
8. Conduct one-off, one-time tactical training and communication dealing with specific, highly-relevant issues/topics: 60 / 0 / 40 / 0
9. Maintain a second-level training program reflecting job-specific content: 47 / 0 / 47 / 7

A.2 (d) Programme Controls: Training and Education (Nymity Privacy Management Process: Maintain Training and Awareness) (cont.)
Status of All Organizations (Implemented / Planned / Desired / N/A, %)
10. Maintain an internal data privacy intranet, privacy blog, or repository of privacy FAQs and information: 47 / 0 / 47 / 7
11. Deliver a privacy newsletter, or incorporate privacy into existing corporate communications: 47 / 0 / 40 / 13
12. Conduct data privacy training needs analysis by position/job responsibilities: 40 / 0 / 53 / 7
13. Provide data privacy information on system logon screens: 27 / 0 / 47 / 27
14. Require completion of data privacy training as part of performance reviews: 13 / 0 / 40 / 47
15. Maintain certification for individuals responsible for data privacy, including continuing professional education: 13 / 0 / 53 / 33
16. Hold an annual data privacy day/week: 7 / 0 / 67 / 27
17. Measure comprehension of data privacy concepts using exams: 0 / 0 / 33 / 67

Global Statistics for Employee Training
Of the 102 countries that have omnibus privacy or data protection laws in place, only 14 require employee training.
Education and Training Activities in Organizations:
- 73% provide ongoing education and training for individuals responsible for privacy in the organization (e.g. conferences, webinars, and guest speakers)
- 70% maintain a core training program for all employees, and 20% plan this for 2015
- 55% consider that certification for individuals responsible for data privacy, including continuing professional education, is a requirement of their privacy program
- 53% conduct training for newly appointed employees upon assignment to privacy-sensitive positions, and 17% plan to offer and maintain such training this year
Awareness Activities in Organizations:
- 54% maintain an internal data privacy intranet, privacy blog, or repository of privacy FAQs, and an additional 20% are planning this
- 42% maintain ongoing awareness material (e.g. posters and videos)
- 37% deliver a privacy newsletter or incorporate privacy into existing corporate communications
- 29% hold an annual data privacy day/week
Data as of 4 March 2015

A.2 (e) Programme Controls: Breach Handling (Nymity Privacy Management Process: Maintain Data Breach Management Program)
Status of All Organizations (Implemented / Planned / Desired / N/A, %)
1. Maintain a documented data privacy incident/breach response protocol: 87 / 0 / 13 / 0
2. Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol: 87 / 0 / 13 / 0
3. Maintain a breach incident log to track nature/type of all breaches: 80 / 7 / 13 / 0
4. Maintain data privacy incident/breach metrics (e.g. nature of breach, risk, root cause): 67 / 7 / 27 / 0
5. Maintain a record preservation protocol to protect relevant log history: 40 / 0 / 27 / 33
6. Conduct periodic testing of breach protocol and document findings and changes made: 33 / 7 / 60 / 0
7. Engage a breach response remediation provider: 20 / 0 / 20 / 60
8. Engage a forensic investigation team: 20 / 0 / 20 / 60
9. Obtain data privacy breach insurance coverage: 13 / 0 / 20 / 67

A.2 (f) Programme Controls: Data Processor Management (Nymity Privacy Management Process: Manage Third Party Risk)
Status of All Organizations (Implemented / Planned / Desired / N/A, %)
1. Maintain data privacy requirements for third parties (e.g., vendors, processors, affiliates): 100 / 0 / 0 / 0
2. Maintain procedures to execute contracts or agreements with all processors: 93 / 0 / 0 / 7
3. Maintain procedures to address instances of non-compliance with contracts and agreements: 73 / 0 / 27 / 0
4. Conduct due diligence around the data privacy and security posture of potential vendors/processors: 73 / 0 / 20 / 7
5. Maintain a vendor data privacy risk assessment process: 47 / 0 / 33 / 20
6. Review long-term contracts for new or evolving data protection risks: 40 / 0 / 47 / 13
7. Conduct ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment: 33 / 0 / 53 / 13
8. Maintain a policy governing use of cloud providers: 13 / 0 / 27 / 60

A.2 (g) Programme Controls: Communication (Nymity Privacy Management Processes: Maintain Notices, and Maintain Procedures for Inquiries and Complaints)
Maintain Notices
Status of All Organizations (Implemented / Planned / Desired / N/A, %)
1. Provide data privacy notice at all points where personal data is collected: 100 / 0 / 0 / 0
2. Maintain a data privacy notice for employees: 100 / 0 / 0 / 0
3. Maintain a data privacy notice that details the organization's personal data handling policies: 93 / 0 / 7 / 0
4. Provide notice in all forms, contracts and terms: 87 / 0 / 13 / 0
5. Provide notice by means of on-location signage, posters: 74 / 0 / 13 / 13
6. Provide notice in marketing communications (e.g. emails, flyers, offers): 60 / 0 / 7 / 33
7. Maintain scripts for use by employees to explain the data privacy notice: 60 / 0 / 27 / 13
8. Provide data privacy education to individuals (e.g. preventing identity theft): 60 / 0 / 33 / 7
9. Maintain a privacy Seal or Trustmark to increase customer trust: 13 / 0 / 20 / 67

A.2 (g) Programme Controls: Communication (cont.)
Maintain Procedures for Inquiries and Complaints
Status of All Organizations (Implemented / Planned / Desired / N/A, %)
1. Maintain procedures to respond to access requests: 100 / 0 / 0 / 0
2. Maintain procedures to address complaints: 93 / 0 / 7 / 0
3. Maintain procedures to respond to requests for information: 93 / 0 / 0 / 7
4. Maintain procedures to respond to requests to update or revise personal data: 87 / 0 / 13 / 0
5. Maintain procedures to respond to requests to opt-out: 87 / 0 / 7 / 7
6. Maintain escalation procedures for serious complaints or complex access requests: 87 / 0 / 13 / 0
7. Maintain procedures to investigate root causes of data protection complaints: 60 / 0 / 40 / 0
8. Maintain metrics for data protection complaints (e.g. number, root cause): 47 / 7 / 47 / 0
9. Maintain customer Frequently Asked Questions: 33 / 0 / 53 / 13

Part B: Ongoing Assessment and Revision
PMP Best Practice Guide:
1. Develop an Oversight and Review Plan: An oversight and review plan will help the organisation keep its privacy management programme on track and up to date.
2. Assess and Revise Programme Controls: The effectiveness of programme controls should be monitored, periodically audited, and where necessary, revised.

Develop an Oversight and Review Plan, and Assess and Revise Programme Controls (Nymity Accountability Framework: Monitor Data Handling Practices)
Status of All Organizations (Implemented / Planned / Desired / N/A, %)
1. Conduct ad-hoc audits/assessments based on complaints/inquiries/breaches: 73 / 0 / 27 / 0
2. Conduct audits/assessments of the privacy program outside of the Privacy Office (e.g. Internal Audit): 53 / 0 / 33 / 13
3. Conduct ad-hoc walk-throughs: 53 / 0 / 40 / 7
4. Conduct self-assessments managed by the Privacy Office: 47 / 7 / 47 / 0
5. Benchmark results of audits/assessments (e.g. comparison to previous audit, comparison to other business units): 40 / 0 / 47 / 13
6. Maintain privacy program metrics: 33 / 0 / 67 / 0
7. Conduct assessments through use of third-party verification: 20 / 0 / 33 / 47

Wrap-Up: Questions, Comments and Future Accountability Research
- What did we learn?
- What would you like to see in the future?

For More Information For questions about the Study, please contact Teresa Troester-Falk at teresa.troester-falk@nymity.com For more information on Nymity Benchmarks please contact info@nymity.com.