Hong Kong Accountability Benchmarking Micro-Study
Nymity Accountability Workshop
10 June 2015, Office of the PCPD, Hong Kong
Interactive Workshop

What we will do:
- Provide background on the Study and the Nymity Accountability Research that supports Benchmarking
- Discuss highlights of the Study and analysis of privacy management programs in participating organizations
- Guide you through learning how to benchmark your own privacy management program
- Learn from your experience and knowledge

Your participation:
- Interact: share your experiences and perspectives
- Gain insight on core privacy initiatives for accountable privacy management
- Ask a lot of questions
- Help shape the future of Accountability Research and Reports
What will you leave with?
- The latest insights on privacy management programmes and accountability benchmarking
- Practical knowledge to measure and enhance your organization's privacy management performance by learning:
  - How does my privacy management program compare to others?
  - In which privacy activities have most organizations invested?
  - What are the privacy management program priorities for the future?

Attendees will receive:
1. A copy of the Hong Kong Accountability Benchmarking Micro-Study Report and the Workshop presentation
2. Nymity Benchmarking Worksheet Template
3. Nymity Privacy Management Program Accountability Framework
4. Hong Kong PMP Best Practice Guide
BACKGROUND
PCPD and Nymity Collaborated to Conduct Micro-Study
- The PCPD has advocated and promoted the adoption of Privacy Management Programmes (PMP) in organizations as a strategic framework to protect personal data privacy
- A Best Practice Guide to facilitate organizations to embrace personal data protection and implement good practices (18 February 2014)
- Key data users in Hong Kong have pledged to implement PMP in their respective organizations
Introducing Nymity: A Data Privacy Research Company
- Focus: dedicated to global data privacy compliance research
- Established: 2002
- Headquarters: Toronto, Canada
- Research: inventor of several compliance methodologies and frameworks
- Funding: partially funded by government R&D grants

Solutions for the Privacy Office
- Privacy Management Solutions: Nymity Attestor, Nymity Benchmarks, Nymity Templates
- Compliance Research Solutions: PrivaWorks, Nymity MofoNotes, Nymity LawTables

Nymity is a global data privacy compliance research company specializing in accountability, risk, and compliance software solutions for the Privacy Office. Nymity's suite of software solutions helps organizations attain, maintain, and demonstrate data privacy compliance. Nymity's research is funded in part by government research and development grants.
Nymity Privacy Management Accountability Framework
- Nymity views privacy management as a set of ongoing organizational privacy management activities, not a checklist
- Accountability = responsible privacy management activities
- For years, Nymity has been conducting ongoing research through workshops, implementations of privacy management solutions, creation of templates, and Nymity's traditional research, all of which is:
  - Global
  - Jurisdiction-neutral
  - Sector/industry-neutral
- The Framework was developed to communicate the status of the privacy program, i.e. to demonstrate accountability (13 processes, 152 PMAs)
Nymity Privacy Management Accountability Framework: Background

Each privacy management process contains a number of Privacy Management Activities (PMAs), each of which is supported by a Scope and a Business Case. For example:

Maintain job descriptions for individuals responsible for data privacy (e.g. data protection officers)

Scope: To help the organization meet its privacy mission statement and legal obligations around appointing data protection officers, individuals responsible for privacy have clear roles and job descriptions. Roles that may be defined include: Chief Privacy Officer; Privacy Managers; Data Protection Officers (DPO); Privacy Analysts; business line privacy leaders/stewards; and incident response team members. Outside the scope of this privacy management activity is sectoral and regional salary and benefit determination.

Business Case: At many organizations, privacy is a new or still-undeveloped organizational function, but all organizations are critically dependent on the work of their people to achieve privacy compliance. If an organization has not clarified its privacy roles and responsibilities, it is much less likely to be successful with other tasks related to privacy compliance; e.g., if the responsibility for privacy training and awareness has not yet been assigned, the probability is high that this job is not being done adequately. Therefore, defining clear roles and responsibilities in a job description is an essential prerequisite for all privacy activities. The benefits of having specific documented role and responsibility statements include:
- Greater respect and greater resources;
- Demonstrable senior management support;
- Clarifying the privacy function and where it fits into the organizational structure;
- Development of formal communication channels with senior management that can be used to help get important projects underway;
- Proactive privacy compliance;
- Reducing the costs of adequately handling privacy; and
- Legal compliance.
Hong Kong Privacy Management Programme Benchmarking Research MEASURING ACCOUNTABILITY
Nymity Benchmarking Research: Participating Organizations
- 16 organizations
- Pledging organizations and members of the DPOC
- All have a Privacy Office
- In various stages of implementing a privacy management programme
- Data as of 3 September 2014
Nymity Privacy Management Benchmarking Research

The 16 organizations identified each of the 152 Privacy Management Activities as one of:
- Implemented: implemented, and either Core (fundamental to privacy management, mandatory) or Elective (advanced, beyond the minimum required).
- Planned: in progress, or scheduled to be implemented in the next 12 months.
- Desired: the privacy office could anticipate or wish to implement it if there were no resource constraints.
- N/A: not desired, required, applicable or justified based on privacy risk and business priorities.

(Chart) Research Results: Privacy Management Activity Status: 97 Implemented
Topics
- Overview of Privacy Management
- Top Implemented Privacy Management Activities
- Top Desired Privacy Management Activities
- The Status of Privacy Management in Relation to the PMP Best Practice Guide
Overview of Privacy Management: TOP IMPLEMENTED AND DESIRED ACTIVITIES
Top Implemented Activities Prioritize Compliance with PDPO

Implemented activities are those that are resourced, developed, maintained, and documented.

Implemented (%) | Privacy Management Activity | PDPO Section / DPP or Code
100% | Maintain a data privacy policy | DPP 5
100% | Integrate data privacy into records retention practices | DPP 2
100% | Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring) | DPP 4
100% | Provide data privacy notice at all points where personal data is collected | DPP 1, 35C, 35J
100% | Maintain procedures to respond to access/correction requests | DPP 6, 17A, 25, 27, 28 and 29
100% | Maintain policies/procedures for collecting consent preferences | DPP 3
100% | Maintain data privacy requirements for third parties (e.g., vendors, processors, affiliates) | DPP 2, 4, 65
100% | Maintain procedures to restrict access to personal information (e.g. role-based access, segregation of duties) | DPP 4
100% | Maintain policies/procedures for collection and use of sensitive personal data (including biometric data) | DPP 1, 3
100% | Integrate data privacy into employee background check practices | Code of Practice on HR Management
100% | Maintain a data privacy notice for employees (processing of employee personal data) | Code of Practice on HR Management
100% | Assign accountability at a senior level | -
Top Implemented Activities cont.

Implemented (%) | Privacy Management Activity | PDPO Section / DPP or Code
93% | Maintain a separate employee data privacy policy | Code of Practice on HR Management
93% | Maintain policies/procedures for secure destruction of personal data | DPP 4
93% | Maintain procedures to address complaints | -
93% | Allocate resources to adequately implement and support the privacy program (e.g. budget, personnel) | -
93% | Maintain procedures to execute contracts or agreements with all processors | DPP 2, 4, 65
93% | Maintain policies/procedures for maintaining data quality | DPP 2
93% | Maintain administrative and technical measures to encrypt personal data in transmission and at rest, including removable media | DPP 4
93% | Document guiding principles for consent | DPP 3
Highest-Ranking Desired Privacy Management Activities Desired activities are defined as those activities that the privacy office could anticipate or wish to implement if there were no resource constraints.
Top Ranked Desired Privacy Management Activities

The top desired activities that are identified as applicable to privacy management programmes span 5 key privacy management process areas within the Nymity Accountability Framework:

Privacy Management Activity | % Desired

Data Breach Management Program
Conduct periodic testing of breach protocol and document findings and changes made | 60

Monitor for New Operational Practices
Metrics for PIAs | 60
Procedures to address issues identified during PIAs | 53
Privacy by Design framework for all system and product development | 40
PIA guidelines and templates | 40
Top Ranked Desired Privacy Management Activities cont.

Privacy Management Activity | % Desired

Training and Awareness
Internal data privacy intranet, blog, FAQ etc. | 47
Second-level training program | 47
One-time, one-off tactical training and communication around relevant topics | 40
Deliver a privacy newsletter or incorporate into existing corporate communications | 40

Manage Third Party Risk
Ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment | 53
Review long-term contracts for new or evolving data protection risks | 47

Procedures for Inquiries and Complaints
Customer frequently asked questions | 53
Metrics for data protection complaints | 47
Procedures to identify root causes for data protection complaints | 40
Top Implemented and Planned Activities
Benchmarking Exercise
Data as of 4 March 2015
9. Maintain Procedures for Inquiries and Complaints
9. Maintain Procedures for Inquiries and Complaints

Ranking of Implemented "Maintain Procedures for Inquiries and Complaints" Privacy Management Activities: Status of All Organizations

Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Maintain procedures to respond to access requests | 100 | 0 | 0 | 0
2 | Maintain procedures to address complaints | 93 | 0 | 7 | 0
3 | Maintain procedures to respond to requests for information | 93 | 0 | 0 | 7
4 | Maintain procedures to respond to requests to update or revise personal data | 87 | 0 | 13 | 0
5 | Maintain procedures to respond to requests to opt-out | 86 | 0 | 7 | 7
6 | Maintain escalation procedures for serious complaints or complex access requests | 87 | 0 | 13 | 0
7 | Maintain procedures to investigate root causes of data protection complaints | 60 | 0 | 40 | 0
8 | Maintain metrics for data protection complaints (e.g. number, root cause) | 47 | 7 | 46 | 0
9 | Maintain customer Frequently Asked Questions | 33 | 0 | 54 | 13
The Status of Privacy Management in Relation to the PMP Best Practice Guide
Highlights
- Targeted organizations have made significant strides in proactively embracing privacy and data protection:
  - Organizational commitment
  - Data inventory
  - Data privacy policy and privacy notices
  - Core training activities
- Additional resources are desired in order to more fully develop key areas of a comprehensive privacy management programme:
  - Build-out of PIA processes and procedures and PbD
  - More training and awareness activities
  - Managing third-party risk
Structure of the PMP Best Practice Guide

The PMP Best Practice Guide suggests three management commitments, seven programme controls, and two processes to implement an accountability framework.

Part A: Baseline Fundamentals of a Privacy Management Programme
1. Organisational Commitments
   a. Buy-in from the Top
   b. Data Protection Office and/or Officer
   c. Reporting
2. Programme Controls
   a. Personal Data Inventory
   b. Policies
   c. Risk Assessment Tools
   d. Training and Education Requirements
   e. Breach Handling
   f. Data Processor Management
   g. Communication

Part B: Ongoing Assessment and Revision
   a. Develop an Oversight and Review Plan
   b. Assess and Revise Programme Controls
PMP and Nymity Accountability Framework The aggregated results of the Micro-Study will be discussed within each area of the PMP Best Practice Guide and compared to the actual privacy management activities identified in the Nymity Privacy Management Accountability Framework.
Part A: Baseline Fundamentals of a Privacy Management Programme

A.1 Organizational Commitment (Nymity Accountability Framework: Maintain Governance Structure)

This first component is an internal governance structure that fosters a privacy-respectful culture.

PMP Best Practice Guide:
a) Buy-in from the Top: Top management support is key to a successful privacy management programme and essential for a privacy-respectful culture.
b) Data Protection Officer/Data Protection Office: Organisations should appoint or designate someone to manage the privacy management programme.
c) Reporting: Reporting mechanisms should be established, and reflected in the organisation's programme controls.

Nymity Accountability Framework: Maintain Governance Structure
A.1 Organizational Commitment (Nymity Accountability Framework: Maintain Governance Structure)

Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Assign accountability for data privacy at a senior level | 100 | 0 | 0 | 0
2 | Allocate resources to adequately implement and support the privacy program (e.g. budget, personnel) | 93 | 0 | 0 | 7
3 | Assign responsibility for data privacy throughout the organization | 93 | 7 | 0 | 0
4 | Require employees to acknowledge and agree to adhere to the data privacy policies | 87 | 0 | 0 | 13
5 | Conduct an Enterprise Privacy Risk Assessment | 80 | 7 | 13 | 0
6 | Maintain a privacy strategy | 80 | 7 | 13 | 0
7 | Maintain job descriptions for individuals responsible for data privacy (e.g. data protection officers) | 80 | 0 | 20 | 0
8 | Conduct regular communication between individuals accountable and responsible for data privacy | 80 | 0 | 20 | 0
9 | Maintain a privacy program charter/mission statement | 73 | 7 | 13 | 7
A.1 Organizational Commitment (Nymity Accountability Framework: Maintain Governance Structure) cont.

Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
10 | Report, on a scheduled basis, on the status of the privacy program (e.g. board of directors, management board) | 73 | 0 | 27 | 0
11 | Consult with stakeholders throughout the organization on data privacy matters | 73 | 0 | 27 | 0
12 | Integrate data privacy into a Code of Conduct | 73 | 0 | 13 | 13
13 | Maintain a strategy to align activities with legal requirements (e.g. address conflicts, differences in standards, creating rationalized rule sets) | 73 | 0 | 7 | 20
14 | Integrate data privacy into ethics guidelines | 67 | 0 | 7 | 27
15 | Integrate data privacy into business risk assessments/reporting | 60 | 0 | 27 | 13
16 | Report periodically on the status of the privacy program to external stakeholders, as appropriate (e.g. annual reports, third parties, clients) | 33 | 0 | 20 | 47
17 | Appoint a representative in member states where the organization does not maintain a physical presence | 13 | 0 | 7 | 80
A.2 Programme Controls (Maps to Several Privacy Management Processes within the Nymity Accountability Framework)

Programme controls form the second component of a privacy management programme. These help ensure that what is mandated in the governance structure is implemented in the organisation.

Data as of 4 March 2015
A.2 Programme Controls (Maps to Several Privacy Management Processes within the Nymity Accountability Framework) cont.

Data as of 4 March 2015
A.2 (a) Programme Controls: Personal Data Inventory (Nymity Privacy Management Process: Maintain Personal Data Inventory)

Status of All Organizations

Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Maintain an inventory of key personal data holdings (what personal data is held and where) | 87 | 7 | 7 | 0
2 | Classify personal data holdings by type (e.g. sensitive, confidential, public) | 80 | 13 | 7 | 0
3 | Obtain approval for data processing (where prior approval is required) | 80 | 0 | 20 | 0
4 | Maintain flow charts for key data flows (e.g. between systems, between processes, between countries) | 40 | 0 | 27 | 33
HK Organizations Compared to Global Organizations
A.2 (b) Programme Controls: Policies (Nymity Privacy Management Process: Maintain Data Privacy Policy)

Status of All Organizations

Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Maintain a data privacy policy | 100 | 0 | 0 | 0
2 | Maintain a separate employee data privacy policy | 93 | 0 | 0 | 7
3 | Document guiding principles for consent | 93 | 0 | 7 | 0
4 | Document legal basis for processing personal data | 73 | 0 | 13 | 13
5 | Obtain board approval for data privacy policy | 67 | 0 | 7 | 27
A.2 (c) Programme Controls: Risk Assessment

Status of All Organizations

Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Conduct a security risk assessment which considers data privacy risk | 87 | 0 | 13 | 0
2 | Conduct an Enterprise Privacy Risk Assessment | 80 | 7 | 13 | 0
3 | Conduct due diligence around the data privacy and security posture of potential vendors/processors | 73 | 0 | 20 | 7
4 | Maintain data privacy incident/breach metrics (e.g. nature of breach, risk, root cause) | 67 | 7 | 27 | 0
5 | Conduct PIAs for new programs, systems, processes | 67 | 0 | 33 | 0
6 | Integrate data privacy into business risk assessments/reporting | 60 | 0 | 27 | 13
7 | Conduct audits/assessments of the privacy program outside of the Privacy Office (e.g. Internal Audit) | 53 | 0 | 33 | 13
8 | Conduct ad-hoc walk-throughs | 53 | 0 | 40 | 7
9 | Conduct self-assessments managed by the Privacy Office | 47 | 7 | 47 | 0
10 | Maintain a Privacy by Design framework for all system and product development | 47 | 0 | 40 | 13
11 | Maintain a vendor data privacy risk assessment process | 47 | 0 | 33 | 20
12 | Review long-term contracts for new or evolving data protection risks | 40 | 0 | 47 | 13
13 | Conduct ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment | 33 | 0 | 53 | 13
14 | Conduct assessments through use of third-party verification | 20 | 0 | 33 | 47
A.2 (d) Programme Controls: Training and Education (Nymity Privacy Management Process: Maintain Training and Awareness)

Status of All Organizations

Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Maintain a core training program for all employees | 80 | 0 | 20 | 0
2 | Conduct training for newly appointed employees upon assignment to privacy-sensitive positions | 80 | 0 | 20 | 0
3 | Integrate data privacy into other training programs, such as HR, security, call centre, retail operations training | 80 | 0 | 13 | 7
4 | Provide ongoing education and training for the Privacy Office (e.g. conferences, webinars, guest speakers) | 80 | 0 | 20 | 0
5 | Conduct regular refresher training to reflect new developments | 73 | 0 | 27 | 0
6 | Measure participation in data privacy training activities (e.g. numbers of participants, scoring) | 73 | 0 | 27 | 0
7 | Maintain ongoing awareness material (e.g. posters and videos) | 67 | 0 | 27 | 7
8 | Conduct one-off, one-time tactical training and communication dealing with specific, highly-relevant issues/topics | 60 | 0 | 40 | 0
9 | Maintain a second-level training program reflecting job-specific content | 47 | 0 | 47 | 7
A.2 (d) Programme Controls: Training and Education (Nymity Privacy Management Process: Maintain Training and Awareness) cont.

Status of All Organizations

Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
10 | Maintain an internal data privacy intranet, privacy blog, or repository of privacy FAQs and information | 47 | 0 | 47 | 7
11 | Deliver a privacy newsletter, or incorporate privacy into existing corporate communications | 47 | 0 | 40 | 13
12 | Conduct data privacy training needs analysis by position/job responsibilities | 40 | 0 | 53 | 7
13 | Provide data privacy information on system logon screens | 27 | 0 | 47 | 27
14 | Require completion of data privacy training as part of performance reviews | 13 | 0 | 40 | 47
15 | Maintain certification for individuals responsible for data privacy, including continuing professional education | 13 | 0 | 53 | 33
16 | Hold an annual data privacy day/week | 7 | 0 | 67 | 27
17 | Measure comprehension of data privacy concepts using exams | 0 | 0 | 33 | 67
Global Statistics for Employee Training

Of the 102 countries that have omnibus privacy or data protection laws in place, only 14 require employee training.

Education and Training Activities in Organizations:
- 73% provide ongoing education and training for individuals responsible for privacy in the organization (e.g. conferences, webinars, and guest speakers)
- 70% maintain a core training program for all employees, and 20% plan this for 2015
- 55% consider that certification for individuals responsible for data privacy, including continuing professional education, is a requirement of their privacy program
- 53% conduct training for newly appointed employees upon assignment to privacy-sensitive positions, and 17% plan to offer and maintain such training this year

Awareness Activities in Organizations:
- 54% maintain an internal data privacy intranet, privacy blog, or repository of privacy FAQs, and an additional 20% are planning this
- 42% maintain ongoing awareness material (e.g. posters and videos)
- 37% deliver a privacy newsletter or incorporate privacy into existing corporate communications
- 29% hold an annual data privacy day/week

Data as of 4 March 2015
A.2 (e) Programme Controls: Breach Handling (Nymity Privacy Management Process: Maintain Data Breach Management Program)

Status of All Organizations

Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Maintain a documented data privacy incident/breach response protocol | 87 | 0 | 13 | 0
2 | Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol | 87 | 0 | 13 | 0
3 | Maintain a breach incident log to track nature/type of all breaches | 80 | 7 | 13 | 0
4 | Maintain data privacy incident/breach metrics (e.g. nature of breach, risk, root cause) | 67 | 7 | 27 | 0
5 | Maintain a record preservation protocol to protect relevant log history | 40 | 0 | 27 | 33
6 | Conduct periodic testing of breach protocol and document findings and changes made | 33 | 7 | 60 | 0
7 | Engage a breach response remediation provider | 20 | 0 | 20 | 60
8 | Engage a forensic investigation team | 20 | 0 | 20 | 60
9 | Obtain data privacy breach insurance coverage | 13 | 0 | 20 | 67
A.2 (f) Programme Controls: Data Processor Management (Nymity Privacy Management Process: Manage Third Party Risk)

Status of All Organizations

Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Maintain data privacy requirements for third parties (e.g., vendors, processors, affiliates) | 100 | 0 | 0 | 0
2 | Maintain procedures to execute contracts or agreements with all processors | 93 | 0 | 0 | 7
3 | Maintain procedures to address instances of non-compliance with contracts and agreements | 73 | 0 | 27 | 0
4 | Conduct due diligence around the data privacy and security posture of potential vendors/processors | 73 | 0 | 20 | 7
5 | Maintain a vendor data privacy risk assessment process | 47 | 0 | 33 | 20
6 | Review long-term contracts for new or evolving data protection risks | 40 | 0 | 47 | 13
7 | Conduct ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment | 33 | 0 | 53 | 13
8 | Maintain a policy governing use of cloud providers | 13 | 0 | 27 | 60
A.2 (g) Programme Controls: Communication (Nymity Privacy Management Processes: Maintain Notices and Maintain Procedures for Inquiries and Complaints)

Maintain Notices: Status of All Organizations

Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Provide data privacy notice at all points where personal data is collected | 100 | 0 | 0 | 0
2 | Maintain a data privacy notice for employees | 100 | 0 | 0 | 0
3 | Maintain a data privacy notice that details the organization's personal data handling policies | 93 | 0 | 7 | 0
4 | Provide notice in all forms, contracts and terms | 87 | 0 | 13 | 0
5 | Provide notice by means of on-location signage, posters | 74 | 0 | 13 | 13
6 | Provide notice in marketing communications (e.g. emails, flyers, offers) | 60 | 0 | 7 | 33
7 | Maintain scripts for use by employees to explain the data privacy notice | 60 | 0 | 27 | 13
8 | Provide data privacy education to individuals (e.g. preventing identity theft) | 60 | 0 | 33 | 7
9 | Maintain a privacy Seal or Trustmark to increase customer trust | 13 | 0 | 20 | 67
A.2 (g) Programme Controls: Communication cont.

Maintain Procedures for Inquiries and Complaints: Status of All Organizations

Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Maintain procedures to respond to access requests | 100 | 0 | 0 | 0
2 | Maintain procedures to address complaints | 93 | 0 | 7 | 0
3 | Maintain procedures to respond to requests for information | 93 | 0 | 0 | 7
4 | Maintain procedures to respond to requests to update or revise personal data | 87 | 0 | 13 | 0
5 | Maintain procedures to respond to requests to opt-out | 87 | 0 | 7 | 7
6 | Maintain escalation procedures for serious complaints or complex access requests | 87 | 0 | 13 | 0
7 | Maintain procedures to investigate root causes of data protection complaints | 60 | 0 | 40 | 0
8 | Maintain metrics for data protection complaints (e.g. number, root cause) | 47 | 7 | 47 | 0
9 | Maintain customer Frequently Asked Questions | 33 | 0 | 53 | 13
Part B: Ongoing Assessment and Revision

PMP Best Practice Guide:
1. Develop an Oversight and Review Plan: An oversight and review plan will help the organisation keep its privacy management programme on track and up to date.
2. Assess and Revise Programme Controls: The effectiveness of programme controls should be monitored, periodically audited, and where necessary, revised.

Nymity Accountability Framework: Monitor Data Handling Practices
Develop an Oversight and Review Plan and Assess and Revise Programme Controls (Nymity Accountability Framework: Monitor Data Handling Practices)

Status of All Organizations

Rank | Privacy Management Activity | Implemented (%) | Planned (%) | Desired (%) | N/A (%)
1 | Conduct ad-hoc audits/assessments based on complaints/inquiries/breaches | 73 | 0 | 27 | 0
2 | Conduct audits/assessments of the privacy program outside of the Privacy Office (e.g. Internal Audit) | 53 | 0 | 33 | 13
3 | Conduct ad-hoc walk-throughs | 53 | 0 | 40 | 7
4 | Conduct self-assessments managed by the Privacy Office | 47 | 7 | 47 | 0
5 | Benchmark results of audits/assessments (e.g. comparison to previous audit, comparison to other business units) | 40 | 0 | 47 | 13
6 | Maintain privacy program metrics | 33 | 0 | 67 | 0
7 | Conduct assessments through use of third-party verification | 20 | 0 | 33 | 47
Wrap-Up: QUESTIONS, COMMENTS AND FUTURE ACCOUNTABILITY RESEARCH
What did we learn? What would you like to see in the future?
For More Information
- For questions about the Study, please contact Teresa Troester-Falk at teresa.troester-falk@nymity.com
- For more information on Nymity Benchmarks, please contact info@nymity.com