CIPM Notes

The document outlines the principles and responsibilities of privacy program management, emphasizing the importance of compliance with global privacy regulations to protect organizational reputation and customer trust. It details the roles of privacy program managers, the goals of privacy programs, and the collaborative efforts required across various departments to ensure effective privacy management. Additionally, it discusses the governance structure necessary for implementing a privacy program, including the establishment of a privacy vision, scope, and framework, as well as the importance of data assessments in identifying and mitigating privacy risks.

Uploaded by

Rekha Tyagi

CHAPTER 1

Introduction to privacy program management

Privacy program management

It is a structured approach of combining several disciplines into a framework that allows


organisations to meet legal compliance requirements and the expectations of business clients and
customers, while reducing the risk of data breach. It considers privacy regulations from around the
world, and incorporates common privacy principles and implements concepts like privacy by design
and privacy by default.

Businesses want to be compliant with regulations to protect their brand name, reputation and
customer trust.

Responsibilities of a privacy program manager-

i) to identify privacy obligations of the company;
ii) to identify business, employee and customer privacy risk;
iii) to identify existing documentation, policies and procedures; and
iv) to create, revise and implement policies and procedures that effect positive
practice and together comprise a privacy program.

Goal of a privacy program-

i) to meet regulatory and compliance obligations;
ii) promote consumer trust and confidence;
iii) to enhance brand reputation;
iv) facilitate privacy program awareness, where relevant, of employees, customers,
partners;
v) reduce risk of data breach and respond effectively to breaches;
vi) meet expectations of clients;
vii) continually monitor, maintain and improve privacy program.

Specific responsibilities of privacy program manager-

i) policies, procedure and governance
ii) privacy related awareness and trainings
iii) incident response
iv) communications
v) privacy controls
vi) privacy issues with existing products and services
vii) privacy related monitoring
viii) PIA
ix) Privacy by design in product development
x) Privacy related vendor management
xi) Privacy audits
xii) Cross-border data transfer
xiii) Preparation for legislative and regulatory changes
xiv) Redress and customer outreach
xv) Privacy specific and privacy enhancing software
xvi) Privacy related web certifications
xvii) Cross-functional collaboration with legal, IT, cybersecurity and ethics team,
among others.

Accountability-

Accountable organisations have proper policies and procedure to promote proper handling of
personal information, and generally, demonstrate that they have capacity to comply with applicable
laws. They need to take the ownership of data collected by them and take care of it throughout the
data life cycle.

Privacy program managers are accountable for safe keeping and responsible use of information- not
just to investors and regulators, but also to every day customers and employees.

If the organization has a privacy policy they must follow it or document why they have deviated from
the policy.

Why does an organisation need a privacy program?

i) To enhance the company's brand and customer trust
ii) Meet regulatory compliance obligations
iii) Enable global operations and enter into new markets
iv) Reduce risk of data breach
v) Increase revenue by cross-selling and direct marketing
vi) Increase value and quality of data

Privacy across the organisation

Managing privacy requires contribution and participation of many functions of that organisation.
Privacy policies are created and enforced at a functional level. Many functions directly support
various activities of privacy program.

Activities-

i) Adoption of privacy policies and procedures
ii) Development of privacy training and communication
iii) Deployment of privacy and security enhancing controls
iv) Contract development and management of third parties who will process personal
information of organisation
v) Assessment of compliance with regulations and established control mechanisms.

Activities that contribute to the protection of employees, customers and other data subject’s
personal information span the entire organisation, most of the groups should have some policies to
address appropriate use and protection of personal information specific to their own functional
areas.

Departments-

1. Legal, ethics and compliance- policies imposing general obligations on employees
2. IT- employees' use of tech infrastructure
3. Procurement- policies governing privacy requirements of 3rd party service providers. Must
perform due diligence, appropriate data privacy contractual language is imposed on service
providers, make sure contractual language reduces exposure to organisation.
4. HR (L&D)- employee details, training and awareness, enables policies and procedures to be
translated into teachable content, and help conceptualize privacy principles into tangible
operations and processes.
5. Communications- publishing intranet content, emails, posters
6. IS- security controls to protect personal information (encryption, perimeter security controls,
DLP tools, appropriate technological controls (complex passwords, encryption, role based
access etc.))
7. IT- adding processes and controls that support privacy principles, creating processes to
develop and test software applications in a manner that do not require use of production
data- decreases the chances that data will be compromised and restricts access, systems
that support role based access, implementing privacy by design, example- limiting data fields
built into a tool or application to only those that are actually required to perform the
function, or by building functions that enable the user to easily delete data according to
retention schedule.
8. Internal audit- to ensure that controls are in place to protect personal information and
whether people and processes within the organisation are abiding by these controls.
9. Marketing, BD, finance, governance, R&D, risk, security

Privacy management program is like an orchestra, many people, functions and talents will merge to
create a vision. Become a part of the business solution and not an inhibitor.

CHAPTER 2

Privacy Governance

The term privacy governance generally refers to the components that guide a privacy function
towards compliance with privacy laws and regulations, and enable it to support organisations
broader business objectives and goals.

1. Creating the organisation privacy vision and mission statement
2. Defining scope of privacy program
3. Selecting an appropriate privacy framework
4. Developing organisational privacy strategy
5. Structuring privacy team

1. Privacy vision and mission statement

Privacy vision should align with organisations broader purpose and business objectives.

It is typically composed of a few short sentences that succinctly describe the privacy function’s
raison d'être- the most important reason for its existence.

A few sentences that clearly communicates to stakeholders where the organisation stands on
privacy, how privacy policies affect them, legal requirements are met and their interest are
protected.

Example- Microsoft vision & mission statement

Control- Put in control of privacy with easy-to-use tools and clear choices

Transparency- Will be transparent about data collection and use so that you can make informed
choices.
Security, strong legal protection, benefits, no content-based targeting

2. Defining privacy program scope

Two important steps-

1. Identify the personal information collected and processed;
2. Identify the applicable privacy and data protection laws and regulations.

Information gathering interviews with different functions to determine the categories and location
of PD.

Article 30 GDPR- requirement of maintaining a written documentation about PD (including
information about how the organisation processes the data, categories of individuals impacted,
recipients of data)

Some key questions are-

1. Who collects, uses and maintains the PD relating to individuals, customers and employees?
(includes service providers-need to understand their roles and obligations too)
2. What type of PD is collected and the purpose of collection?
3. Where is the data stored physically?
4. To whom it is transferred?
5. When (e.g. during a transaction or hiring process) and how (e.g. through an online form) is
data collected?
6. How long is data retained and how it is deleted?
7. What security controls are in place to protect the data?

Next step-

Identifying organisation’s privacy obligations. Multiple data protection and privacy laws may be
applicable. Example, healthcare services- domestic regulations governing handling of PI, financial
reporting regulations if handling financial transactions.

Scope challenges-

Global programs would need to be cognizant of cultural norms, differences and approach to privacy
protection.

US takes a sectoral approach (HIPAA, GLBA, COPPA), EU GDPR takes a comprehensive approach.

Applies whether you are located and operate in a particular country or just transfer PD from that
country to home location.

USA- Sectoral- laws that specifically address a particular industry (Financial transactions, credit
records, law enforcement, medical records, communication).

EU- Comprehensive laws-collection, use, dissemination of PI in public and private sector with an
official oversight agency.

Australia- co-regulatory model-variant of comprehensive model where industry develops
enforcement standards that are overseen by a private agency.

US, JP, Singapore- self regulated model- companies use code of practices by industry bodies. E.g.
Online privacy alliance (OPA), TrustArc, BBBonline and WebTrust.

US- a key challenge is to identify if your organisation constitutes an entity that is subject to a law or
industry standard that regulates collection of data from certain individuals.

Financial institutions are subject to GLBA

Covered entities (health care providers and health plans (medical plans, organization benefit plans,
are subject to HIPAA).

Websites collecting information from children under 13- FTC and COPPA.

Merchants accepting payment cards- Payment Card Industry Data Security Standard (PCI DSS). It has
notification obligations in the event of breach.

46 US states have data breach notification requirements. If unencrypted data is
compromised, obligations may include notifying the residents of the state, government bodies, and state
attorney general offices.

Scoping data privacy program includes-

1. Understanding of end-to-end PI data life cycle;
2. Consideration of global perspectives- cultural, legal and personal expectations;
3. Customizing privacy approach from both local and global perspective;
4. Awareness of privacy challenges- laws, regulations, enforcement activities;
5. Monitoring all legal compliance factors from both local and global markets.

3. Develop and implement a Framework

Once it is determined which laws apply, a manageable approach must be designed to operationalize
the controls that are needed to handle and protect the PI.

The term framework is used for the various processes, templates, tools, laws and standards that may
guide the privacy professional.

Framework can be broadly grouped into 3 categories-

1. Principles and standards;
2. Laws, regulations and programs; and
3. Privacy program management solutions.

Principles and standards- fair information practices (rights of individuals, controls on information (IS
and I quality), information life cycle (collection, use, retention, disclosure), and management
(management/admin, monitoring and enforcement).

OECD guidelines on protection of privacy and transborder flow of personal data, Convention 108 are
the basis of EU data protection directive and GDPR.

Privacy codes- APEC privacy framework, Canadian Standards Association (CSA) privacy code which
formed the basis of PIPEDA, BCR (Art. 47 GDPR, approved by competent supervisory authority),
GAPP (Generally accepted privacy principles) by AICPA, Europe Telecommunications Standard
Institute (ETSI).

Laws, regulations and programs- PIPEDA, CNIL (French authority issuing guidelines), HIPAA (protects
privacy and security of personal health information and e-healthcare transactions; basic rule- patients
must opt in before their information is shared with other organisations; exceptions- treatment, payment,
healthcare operations).

Privacy program management solutions

PbD, recommendations on cyber security from the European Union Agency for Network and Information
Security (ENISA), National Institute of Standards and Technology (NIST).

Questions that most privacy framework answer-

1- Are organizations privacy risks properly defined and identified?
2- Has the organisation assigned responsibility and accountability for managing privacy
program?
3- Does the org. understand any gap in privacy management?
4- Does the org. monitor privacy management?
5- Are employees trained?
6- Does the organisation follow industry best practices for data inventories, risk assessment
and PIAs?
7- Does the organisation have an incident response plan?
8- Does the org communicate privacy related matters and update that material if needed?
9- Does the org. use a common language to address and manage cyber security risks based on
business and organisation needs?

Rationalizing requirements

Most privacy legislations impose similar types of obligations on regulated entities. Rationalizing also
necessitates addressing requirements that fall outside of the common obligations on a case-by-case
basis. Outliers result when countries' local laws exceed the requirements of national laws, or when
countries have industry specific requirements.

Providing standard access procedures and timelines. Look for strictest standards when seeking a
solution, provided that it does not violate any data privacy laws, exceed budgetary restrictions or
contradicts organisation goals.

Privacy tech vendors- vendors may manage assessment, consent, data mapping, incident response,
privacy information, website scanning/cookie compliance.

Enterprise program management services- activity monitoring, data discovery, de-identification,
pseudonymization, enterprise communication, Governance Risk and compliance tools (GRC). GRC
tools are generally used to-

i) Create and distribute policies and controls, and map them to regulations and internal
compliance requirements;
ii) Assess whether controls are in place and working, and fix if not working; and
iii) Ease risk assessment and mitigation.

Develop a privacy strategy

Privacy strategy is an organization’s approach to communicating and obtaining support for the
privacy program.

Building a privacy strategy may mean changing the mindset and perspective of an entire
organisation.
Management- needs to approve funding to resources, privacy enhancing technologies, support
initiatives such as training and awareness.

Sales- secure business contact data and respect choices of these individuals.

Engineers/developers- security controls, safe website, create solutions that require the collection or
use of data that is necessary to accomplish the purpose.

All staff- employ fundamental practices to protect PD- secure methods for collection, storing, and
transmitting PD (both hard copy and e-docs)

The chain is as strong as its weakest link.

Identify stakeholders and internal partnerships

One of the most challenging aspects of building a privacy program and necessary supporting strategy
is gaining consensus from management on privacy as a business imperative.

Stagewise process-

1. Informal conversations with different functions
2. Identify program “sponsor” for privacy program (final budgetary decision makers preferred)

Most of the organisations use PI for staff recruitment, ongoing employment, CRM, marketing, order
fulfilment.

Best practices when developing internal partnerships-

i) Become aware of how others treat and view PI;
ii) Understand use of data in business context;
iii) Assist with building privacy requirements into ongoing projects;
iv) Offer to help staff to meet their objectives while offering solutions to reduce risk;
v) Invite staff to be part of privacy advocacy group.

Conduct a privacy workshop for stakeholders

This is an opportunity to ensure that everyone has same baseline understanding of risks and
challenges that organisation faces, data privacy obligations that are imposed on it, expectations of
protection of personal information in the marketplace.

Keeping a record of ownership

Structure the privacy team

Governance models

The positioning of the privacy team within an organisation should rely on the authority it will receive
under the governance model (e.g. positioning under corporate legal/IT umbrella) it follows.
Irrespective of model, some important steps to integrate into it are-

i) Involve senior leadership
ii) Involve stakeholders
iii) Develop internal partnerships
iv) Provide flexibility
v) Leverage communication
vi) Leverage collaboration

Models-

Centralized- one team/person responsible for privacy related affairs.

De-centralized- delegating decision-making authority down to lower levels, bottom to top flow of
decision making and ideas. Advantage- if controls are in place, bottom to top flow of information
allows informed decision making about low tier operations.

Hybrid- when a large organisation assigns a main team/individual responsibility to manage privacy
related affairs, and for issuing policies and directives to rest of the organisation e.g. regional
compliance hubs in MNCs.

Advantage- decentralised decision making, but provides organizational resources of larger
centralised organisation.

Establish the organisation model, responsibilities and reporting structure.

DPO (Article 37, GDPR)-

Conditions which trigger the requirement of a DPO- where the organisation’s core activity consists of
processing operations that require “regular and systematic monitoring of data subjects at a large
scale”, or core activities consist of “processing special categories data at a large scale”.

Under Art. 38 DPO is required to report to the highest level of C or P.

Art. 37 mandates that DPO possess “expert knowledge of data protection laws and practices”.

Art. 39 requires DPO to perform certain activities, e.g. monitoring company’s compliance, advice
during DPIA, cooperating with supervisory authority.

CHAPTER 4

Data assessments

Data assessments help to inventory and track personal information and help organisations in
identifying privacy risks to individuals in advance, so that they can deal with them effectively at the
beginning of any project that involves processing of PD.

Data inventory identifies the data as it moves across various systems, thus indicating where it is
located, how it is organised and shared, how it is used and why it is important. Data is then
categorized by subject area (which identifies inconsistent data versions), serves to identify the least
and most valuable data and reveals how it is accessed, used and stored.

Questions can be used to determine the data asset of organisation. They should be specific to
organisations line of business; and may be organized around the data lifecycle- collection, usage,
transfer, retention, destruction; internal policies, procedure, laws, regulations, standards.

Data inventory is a good starting point for the privacy team to prioritize resources, efforts, risk
assessment, and current policy in the response to an incident.

Elements of data inventory-

- What is the context and purpose of the repository?
- Where is the data moving from and to?
- How much data is in the repository?
- Is this a paper or e-repository? Structured or unstructured?
- How is the information being used?
- Nature of information in the repository
- In which country data is stored? From which countries data can be accessed, how will
the data flow from country to country?
- Is the data shared with 3rd parties? Are they Cs or Ps?

Helpful in addressing incident and standard risk assessment. Help in setting up organisational
priorities for privacy initiatives by providing data location, data use, data storage, and data access.

When building a data inventory, select a tool that will enable your organisation to most easily
update it (spreadsheets, GRC (governance, risk and compliance) tools, privacy compliance tools).

Task requires efforts and resources. Consider international, local, industry specific standards and
laws.

Records of processing activities under the GDPR

Art. 30 requires the C and P to maintain a detailed record of their processing activities.

- Name and contact details of C or P, DPO, data protection representative
- Cs- Purpose of processing, categories of PD and data subjects, recipients, retention
period of various categories.
- Ps- categories of processing
- International data transfer
- Safeguards implemented

Exemption from maintaining a detailed record- C or P employs fewer than 250 people, processing is
occasional, does not include SPD, not likely to result in risk for the rights and freedom of individuals.

To meet the requirement to maintain a record under the GDPR, businesses should maintain a data
flow analysis report (categories, purpose, recipients, way data flows around the business and
externally through systems).
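As an added illustration (not part of these notes), the Python sketch below models an Article 30 register using the record elements listed above and adds two checks a privacy team would run over it: which required elements a record still lacks, and whether the small-organisation exemption, as summarised above, applies to the whole register. It also derives the country-level data flow report from the same records. The field names, the deliberately partial EEA country list and the sample records are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed, deliberately partial list of EEA country codes used only for the demo.
EEA = {"DE", "FR", "IE", "NL", "ES", "IT"}


@dataclass
class ProcessingRecord:
    """One line of an Art. 30 register (field names are assumptions for this example)."""
    activity: str
    role: str                          # "controller" or "processor"
    purpose: str                       # required for controllers
    data_categories: List[str]
    subject_categories: List[str]
    recipients: List[str]
    retention_days: int                # 0 = retention period not yet defined
    storage_country: str
    transfer_countries: List[str] = field(default_factory=list)
    safeguards: List[str] = field(default_factory=list)   # e.g. SCCs, BCRs
    special_categories: bool = False
    occasional: bool = False
    likely_risk: bool = False


def missing_fields(rec: ProcessingRecord) -> List[str]:
    """Names of Art. 30 elements this record still lacks, in a fixed order."""
    gaps: List[str] = []
    if rec.role == "controller":
        if not rec.purpose:
            gaps.append("purpose")
        if not rec.subject_categories:
            gaps.append("subject_categories")
        if not rec.recipients:
            gaps.append("recipients")
        if rec.retention_days <= 0:
            gaps.append("retention_days")
    if not rec.data_categories:
        gaps.append("data_categories")
    # A transfer outside the EEA must name the safeguard relied on.
    if any(c not in EEA for c in rec.transfer_countries) and not rec.safeguards:
        gaps.append("safeguards")
    return gaps


def exemption_applies(records: List[ProcessingRecord], headcount: int) -> bool:
    """Small-organisation exemption as the notes summarise it: every condition must hold."""
    if headcount >= 250:
        return False
    return all(r.occasional and not r.special_categories and not r.likely_risk
               for r in records)


def data_flow_report(records: List[ProcessingRecord]) -> Dict[str, List[str]]:
    """Map each country that stores or receives data to the activities involved."""
    report: Dict[str, List[str]] = {}
    for r in records:
        for country in [r.storage_country, *r.transfer_countries]:
            report.setdefault(country, []).append(r.activity)
    return {country: sorted(set(acts)) for country, acts in report.items()}


# Constructed sample register: one complete record, one with gaps, one processor entry.
SAMPLE_REGISTER = [
    ProcessingRecord("payroll", "controller", "pay employees",
                     ["name", "bank account"], ["employees"], ["payroll provider"],
                     2555, "DE"),
    ProcessingRecord("crm", "controller", "manage customer accounts",
                     ["name", "email"], ["customers"], ["email vendor"],
                     0, "IE", transfer_countries=["US"]),
    ProcessingRecord("hosting", "processor", "",
                     ["customer records"], [], [], 0, "NL", safeguards=["SCCs"]),
]

if __name__ == "__main__":
    for rec in SAMPLE_REGISTER:
        print(f"{rec.activity}: missing {missing_fields(rec) or 'nothing'}")
    print("exempt from Art. 30 register:", exemption_applies(SAMPLE_REGISTER, headcount=40))
    print(data_flow_report(SAMPLE_REGISTER))
```

The gap check is deliberately stricter for controllers than processors, mirroring the split in the list above, and the exemption test is a conjunction of all the conditions as the notes state them, so a single non-occasional activity keeps the whole register in scope.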

Starting point-

I) Identify and interview all data owners.

1. Consultation with data team (if any- custodians of data)
2. Digital marketing team- what information they gather to reach customers
3. Corporate counsel team (info on data types as they need to know how to freeze such data
for litigation purpose)
4. IT organisation (databases)
5. Team responsible for backups and business continuity should know what data is retained
and what needs to be restored
6. Software team- list of software.
7. Compliance team- details of PD required for other privacy regulations.
8. Administrator who answers all data subject access requests.

Data inventory should have both PD and non-PD.

Implementing a new process means that revised or new apps or systems must thoroughly document
the PD they are processing, which will help to keep the data inventory from becoming outdated.

II) Information needed- How is the data being processed? Type of security used to protect data,
retention period, who has access to it, who it is disclosed to, legal basis of processing.

If done correctly, a data and processing inventory will be helpful in defining the obligations of C and
P, understand compliance situation of organisation and formulate gap plans to remediate any non-
compliance.

Assessments and Impact assessments

Privacy assessment- measuring compliance (education and awareness, monitoring and responding
to regulatory environment, data systems and process assessments, risk assessment, incident
response, contracts, remediation to reduce/minimize risks, program assurance, audits.

Privacy assessments are conducted internally through audits. Methods- employee interviews,
information system logs.

Privacy impact assessment- analysis of privacy risk associated with processing of PD in relation to a
project, product or service. Requirements regarding PIAs emanate from industry codes, organisation
policies, laws, regulations, supervisory authorities.

PIAs can help facilitate privacy by design, which is the concept of building privacy directly into
technology, systems and practices, at the design phase. It helps to ensure that privacy is considered
from the outset and not as an afterthought.

A PIA should be conducted-

i) prior to deployment of a project, product, or a service that involves collection of
personal data.
ii) when there are changes in industry standards, organisation policies, laws and
regulations.
iii) when organisation creates new privacy risk through changes to methods by which
personal information is handled.
- Conversion of information from anonymous to identifiable format
- Records from paper-based format to e-format
- Merging, matching, manipulation of multiple databases containing personal information
- Application of user-authentication technology to a publicly accessible system
- Application of new technologies
- Retiring of old systems
- Incorporation of personal information from commercial or public sources to existing
databases
- Alteration of business process resulting in significant new collection, use and disclosure
of personal information
- Addition of new types of personal information
- Implementation of projects using third party service providers.

One of the biggest challenges is to prioritize projects, products and services that should be
submitted to PIA.

To identify data processing activities that pose higher risk, some organisations conduct an
express PIA- a questionnaire that assesses whether a full PIA is needed or not.

PIAs in the US
U.S government requires PIA from the govt. agencies under the E-Government Act of 2002
when developing or procuring IT systems containing PII of public or collection of PII. This
requirement is preceded by a privacy threshold analysis (PTA) to determine if a PIA is
needed or not.

PIA will describe in detail the information collected or maintained, sources, use, possible
disclosure, potential threat to information.

The uses to which the information is put by the system are described next, including the
legal authority for collecting the data, retention period, destruction, potential threats based
on use of data, information dissemination and controls used, rights, info security,
compliance with privacy Acts.

ISO

ISO 29134 is a set of guidelines for process of running a PIA and the structure of resulting
report.

Data protection impact assessment

DPIA is a process designed to identify risks to individuals arising out of processing of PD, and
to minimize risks as early as possible.

DPIAs are tools for mitigating risk and demonstrating compliance under the GDPR.

DPIA has specific triggers under the GDPR. Non-compliance (failure, incorrect manner, not
consulting authority when needed) can result in fines (10k pounds, 2% of annual worldwide
revenue).

Under the GDPR, DPIA is required in case the processing is “likely to result in high risk to the
rights and freedoms of natural persons”. The Controller shall prior to the processing conduct
a DPIA. The nature, scope, context, purpose, type of processing, use of new technologies
should be taken into account. Art. 35 provides examples when a processing operation is
likely to result in high risks-

- Systematic and extensive evaluation of personal aspects of natural persons which is
based upon automated processing, including profiling, and on which decisions are
based that produce “legal effects” concerning the natural person, or “similarly
significantly affect” the natural person.
- Processing on a large scale special categories of data, or personal data relating to
criminal convictions.
- Systematic monitoring of publicly accessible area on a large scale.

Tool to demonstrate compliance with data protection law. In addition, as a part of the accountability
principle every C shall maintain a record (categories of data, purpose, recipients, technical and
organisational security measures) of processing activities under its responsibility and must assess
whether a high risk is likely, whether they conduct a DPIA or not.

Minimum features of DPIA-

- Description of processing, including its purpose and legitimate interest
- Assessment of necessity and proportionality of processing, and the risks that it poses to
data subjects
- Measure to address the risks identified.
- Documentation, monitoring and review.

Set of processing operations that require DPIA due to inherent high risk, under WP 29

- Evaluation or scoring- profiling and evaluation, especially of aspects concerning
performance at work, economic situation, health, personal preferences, interest,
reliability, behaviour, locations and movements.
- Automated decision making with legal or similar significant effects
- Systematic monitoring i.e. data collected through networks and monitoring of publicly
accessible areas.
- Sensitive data- criminal convictions, special categories, personal nature
- Data processed on a large scale- factors considered are- i) number of data subjects
concerned, ii) volume of data, iii) range of different data items being processed, iv)
duration/permanence of processing activity, v) geographical extent of processing.
- Matching/combining datasets- for example, originating from two or more data
processing operations performed for different purposes, and/or by different data
controllers, in a way that exceeds reasonable expectations of data subject.
- Data concerning vulnerable data subjects- power imbalance between data subject and
controller, employee, children, elderly, people with mental health concerns etc.
- Application of new technologies- combining finger prints and face recognition to
improve physical access.
- When processing itself prevents data subject from exercising a right or using a service

Under the Accountability principle under Art. 30 (1), organisation must assess whether a high risk is
likely, even if they ultimately decide not to carry out a DPIA.
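The express PIA mentioned earlier and the screening against the Art. 35 examples and WP29 criteria above can be combined into one questionnaire-driven check. The following Python example is added here and is not part of these notes: it records the yes/no answers for one processing activity, flags any Art. 35(3) example on its own, then counts WP29 criteria. The two-criteria threshold is the rule of thumb from WP29's DPIA guidance rather than something these notes state, so it is a parameter; the field names and sample activities are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcessingProfile:
    """Screening-questionnaire answers for one processing activity (constructed fields)."""
    name: str
    evaluation_or_scoring: bool = False
    automated_decisions_legal_effect: bool = False
    systematic_monitoring: bool = False
    public_area: bool = False            # qualifier for Art. 35(3)(c), not a WP29 criterion
    sensitive_data: bool = False         # special categories, criminal convictions, etc.
    large_scale: bool = False
    matching_datasets: bool = False
    vulnerable_subjects: bool = False
    new_technology: bool = False
    blocks_rights_or_service: bool = False


# The nine WP29 criteria from the list above, keyed by questionnaire field.
WP29_CRITERIA = [
    ("evaluation_or_scoring", "evaluation or scoring"),
    ("automated_decisions_legal_effect", "automated decision making with legal or similar effect"),
    ("systematic_monitoring", "systematic monitoring"),
    ("sensitive_data", "sensitive data"),
    ("large_scale", "data processed on a large scale"),
    ("matching_datasets", "matching or combining datasets"),
    ("vulnerable_subjects", "vulnerable data subjects"),
    ("new_technology", "application of new technologies"),
    ("blocks_rights_or_service", "processing prevents exercising a right or using a service"),
]


def art35_triggers(p: ProcessingProfile) -> List[str]:
    """Art. 35(3) examples: any one of these on its own calls for a DPIA."""
    hits: List[str] = []
    if p.evaluation_or_scoring and p.automated_decisions_legal_effect:
        hits.append("Art. 35(3)(a): systematic evaluation with decisions having legal or similar effect")
    if p.sensitive_data and p.large_scale:
        hits.append("Art. 35(3)(b): large-scale special-category or criminal-conviction data")
    if p.systematic_monitoring and p.public_area and p.large_scale:
        hits.append("Art. 35(3)(c): large-scale systematic monitoring of a publicly accessible area")
    return hits


def wp29_hits(p: ProcessingProfile) -> List[str]:
    """Labels of the WP29 criteria the activity meets."""
    return [label for attr, label in WP29_CRITERIA if getattr(p, attr)]


def screen(p: ProcessingProfile, threshold: int = 2) -> Tuple[str, List[str]]:
    """Return (decision, reasons). threshold=2 is the WP29 rule of thumb, an assumption here."""
    triggers = art35_triggers(p)
    criteria = wp29_hits(p)
    reasons = triggers + criteria
    if triggers or len(criteria) >= threshold:
        return "DPIA required", reasons
    if criteria:
        # One criterion: the accountability principle still demands a recorded assessment.
        return "assess and document", reasons
    return "no DPIA, record the screening", reasons


# Constructed sample activities covering each outcome.
SAMPLES = {
    "biometric door access": ProcessingProfile("biometric door access", sensitive_data=True,
                                               vulnerable_subjects=True, new_technology=True),
    "store cctv": ProcessingProfile("store cctv", systematic_monitoring=True,
                                    public_area=True, large_scale=True),
    "satisfaction survey": ProcessingProfile("satisfaction survey", evaluation_or_scoring=True),
    "newsletter signup": ProcessingProfile("newsletter signup"),
}

if __name__ == "__main__":
    for name, profile in SAMPLES.items():
        decision, reasons = screen(profile)
        print(f"{name}: {decision}")
        for r in reasons:
            print(f"    - {r}")
```

Every outcome returns its reasons so the screening result can be filed with the register, which is what the accountability principle above asks for even when the answer is that no DPIA is needed.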

When must the supervisory authority be contacted?

Whenever the data controller cannot find sufficient measures to reduce the risks to an acceptable level
(residual risks are still high), consultation with the supervisory authority will be necessary. Examples-
illegitimate access to data leading to threat on life, layoff or financial jeopardy, inability to reduce
access to a number of people, when a well-known vulnerability is not patched.

Also, Controllers may have to consult the supervisory authority whenever member state law require
them to in public interest.

Attestation- a form of self-assessment

A tool for ensuring that functions outside the privacy team are held accountable for privacy related
responsibilities. The designated department is required to answer questions and provide evidence.

Physical and environment assessment

Information security is the protection of information from loss, unauthorized access and misuse. It is
an ongoing assessment of threats and risks to information, and procedures and controls to preserve
the information based on confidentiality (access to data is limited to authorised parties), integrity
(assurance that data is authentic and complete) and availability (data is accessible as needed by
those who are authorized to use it).

Information security is achieved by implementing security controls.

Security control- mechanisms put in place to prevent, detect or correct a security incident. Three
types of controls- physical, technical and administrative.

Assessing vendors

Standards for selecting vendors- reputation, financial condition and insurance, information security
controls, mechanism of securing transfer at the point of transfer, disposal of information, employee
training, vendor incident response, audit rights.

Contract language should include privacy protection and regulatory requirements within the
statement of work, mapped to service level agreements. The contract should clearly set out data
privacy responsibilities, breach response, incident response, media press releases on breaches and
possible fines. Examples of the kind of information that may be considered-

- Type of personal information to which the vendor will have access at a remote location
- Vendor's plans to protect personal information
- Vendor's responsibilities in the event of a breach
- Disposal of data upon termination
- Limitations on use of data, i.e. ensuring that it will be used for the specified purpose only
- Rights of audit and investigation
- Liability for a data breach

Article 28 of the GDPR limits the controller's use of processors to those who can provide sufficient
guarantees about the implementation of appropriate technical and organisational measures for
compliance with the GDPR and protection of the rights of data subjects. While contracts operate as key
controls, the focus should be on the processor's competence.

The idea of sufficient guarantees must encompass an assurance mechanism: vetting of the
processor by a third-party assessment or certification, or audit processes. The Controller must be able to
provide proof of the processor's competence. If the processor steps outside the boundaries of the Controller's
instructions, it risks being defined as a Controller itself.

Art. 28 (3) (f)- duty of the processor to assist the Controller, including in achieving compliance,
reducing risks and handling data breach notification requirements.

M&A, divestitures, privacy check points

An organisation can be exposed to corporate risk by merging with or acquiring companies which
have different regulatory concerns. M&A processes must include checkpoints that evaluate- i)
applicable new compliance requirements, sector-specific laws, standards, jurisdictional regulations,
existing client agreements, new resources, technologies and processes, to identify all actions needed to bring
them into alignment with privacy requirements and policies before they are integrated into the system.

Training and awareness

CHAPTER 8

Protecting personal information

Protecting personal information starts with Privacy by Design, includes determining which
information security and privacy controls are needed, and continues through ensuring that controls are
successfully designed, engineered, deployed and monitored in whatever (project, product, service, IT
system, business process) is processing personal information.

The PbD framework dictates that privacy and data protection are embedded throughout the entire life
cycle of the technology.

7 foundational principles of PbD-

1. Proactive, not reactive; preventive, not remedial- don't wait for the privacy risk to
materialize.
2. Privacy as the default- no action is required by individuals to maintain their privacy; it is
built into the system by default.
3. Privacy embedded in design- privacy is an integral component of the core functionality
being designed and delivered.
4. Full functionality- positive sum, not zero sum- PbD seeks to accommodate all legitimate
interests and objectives, rather than making unnecessary trade-offs.
5. End-to-end security- full life cycle protection.
6. Visibility and transparency- all components and parts of the operation remain visible to
users and providers alike. Essential for establishing accountability and trust.
7. Respect for user privacy- strong privacy defaults, appropriate notices, user-friendly options.

Paradigm of Privacy by Design

Privacy and security controls are aligned with organisation’s tolerance for risk, its compliance with
regulations and its commitment to building a sustainable privacy minded culture.

The paradigm of PbD includes-

Being proactive, embedding privacy controls, demonstrating respect for users (privacy and security
controls co-exist transparently to the user). Protection of organisational information is enabled without
unnecessary trade-offs.

Data protection by design and default (Art. 25 and Recital 78)

Concept- information security should be built into the design process and not added as an afterthought.

The controller shall both at the time of determination of means of processing and at the time of
processing itself, implement appropriate technical and organisational measures, such as
pseudonymisation, which are designed to implement data protection principles, in an effective
manner and to integrate the necessary safeguards into processing to meet the requirements under
the regulation.

The Controller shall implement appropriate technical and organisational measures to ensure that by default only
PD necessary for each specific purpose of processing is processed. PD shall not be made accessible
without the individual's intervention to an indefinite number of people.

Privacy engineering- aims to provide methodologies, tools, techniques, taxonomy, ontology,
requirements, metrics.

Privacy engineering is a concept for which PbD is a facilitator. Privacy engineering adds to and
extends PbD. It provides methodology and technical tools based upon industry guidelines and best
practices.

Diagramming PbD

1. Visually lay out high-level data flow diagrams, including administrative users (company staff)
and end users (customers at different locations), first-party and third-party processors and
geographical locations (countries, e-stores, e-marketing tools, websites, customer
relationship management (CRM), ledger, warehouse)
2. Add the data flows, then add the risks/gaps in security.
3. Look for gaps in access control, cross-border transfer, marketing rules
4. Categorise into likely, less likely and edge-case risks (harms, threats, vulnerabilities)
5. Identify what privacy and information security controls are warranted
6. Decide what must change about the design

Article 25- privacy by design and default

Throughout the life cycle of things, there will be dependency on IS to protect the data that is
being processed.

C- prevention of unauthorized disclosure of information

I- prevention of unauthorized or unintentional alteration, modification or deletion

A-info readily accessible to authorized users.

Additionally, IS includes the concepts of accountability and assurance. Accountability means
entity ownership is traceable and assurance means all four objectives are met.

IS defines risk as the combination of the probability of an event and its consequences. IS depends on risk
management practices to provide-

- Identification of risk
- Selection and implementation of controls and measures to mitigate risk
- Tracking and evaluation of risk to validate the first two parts

Controls- information security uses controls to manage risk.

Control- the means of managing risk, including policies, procedures, guidelines, practices or
organisational structures, which can be administrative, technical, management or legal in nature.

Preventive controls (prevent an incident from occurring); detective controls (identify and
characterise an incident in progress); corrective controls (limit the extent of damage caused by an
incident and help the company restore normal working status as early as possible); physical
controls; administrative and policy controls (incident response process, management oversight,
security awareness and training); technical controls (software processes and data, user
authentication login, access control, anti-virus software, firewalls).

ISO/IEC 27001 provides requirements for Information Security Management Systems (ISMS).

ISO/IEC 27002, code of practice for information security management.

Information privacy vs. information security

Privacy addresses the rights of individuals to control how, and to what extent, their personal
information is collected and further processed.

Information security is about assuring the CIA of the information assets.

Overlaps-

The safeguards enable the “authorized” in the “authorized access and use” element that is the
cornerstone of operational definition of privacy.

Confidentiality- only when the data is personal information and non-public.

Integrity (IS)- Accuracy (P)

Availability (IS)- Access (P)

Accountability (both)

Disconnect-

1. Privacy has a wider set of obligations and responsibilities (relevance, collection limitation,
openness, use limitation). This means there are issues that privacy addresses that
information security does not.
2. Confidentiality- personal information is not always non-public. Information security applies
to confidential information; privacy applies to personal information.
3. Information security techniques can be privacy-enabling techniques, but these PETs can
become feral if applied incorrectly (in an invasive manner). We can have security without
privacy, but we cannot have privacy without security.

Information privacy classifies personal information as private and sensitive private.

Information security classifies based upon degree of confidentiality as public, confidential, highly
confidential and restricted.

Confidentiality is a state determined by two parties regarding how to manage access to some
kind of information, while personal information depends upon the degree to which it identifies
an individual. If anonymised, it carries no characteristics of a person.

Information privacy and IS alignment

1. Both are interested in data minimisation, having good data maps and inventories, and ensuring
the right controls and measures are in place and assessed.
2. Many PETs and standards are IS technologies and standards.
3. Limitation of time and money.

To realize better alignment four principles should be followed- teaming, don’t reinvent, stay
aware, rank and prioritize.

Access control

No employee should have greater access than is necessary to perform their job functions.

Basic security principles for role-based access include-

1. Segregation of duties- ensure one person can't exploit or get access to information
inappropriately.
2. Least privilege- grant access at the lowest possible level required to perform the function.
3. Need-to-know access- restrict access only to information that is critical to performance of an
authorized, assigned mission.

Data classification

IS classification is based on the risk to the business in the event of unauthorized access or loss of data.

Information privacy classifies data as personal data and sensitive personal data. Another axis is
identifiability and linkability.

1. Identified + linked- unique identifiers available, contact information stored in profile
information
2. Pseudonymous + linkable with reasonable and automatable effort- no unique identifiers,
but common attributes across databases, contact information stored separately from profile
information
3. Pseudonymous + not linkable with reasonable effort- same as above, with no common
attributes across databases, technically enforced deletion of profile details
4. Anonymous + unlinkable- no collection of contact information, no collection of long-term
personal characteristics, anonymity with large k values.

Privacy policy and technical controls

It is the policy that dictates the control, which in turn establishes what mechanisms or processes must
be implemented to ensure that the control is enabled.

Type of control (laws and regulations, self-regulation, industry practice, corporate policy), source
(specific law, standard etc.), control (e.g. delete data on request; encrypt cardholder data; get explicit
consent for sensitive data etc.), implementation (through technology).

Technical controls fall in four areas-

1. Obfuscation- personal data made obscure, unclear (masking, tokenization, randomization,
noise, hashing)
2. Data minimization (granulation, desegregation, deletion, de-identification, aggregation)
3. Security- (encryption, access control (physical and virtual), data loss management,
destruction, auditing, testing)
4. Privacy engineering technologies- (secure multiparty computation, homomorphic
encryption, differential privacy, mix networks, anonymous digital credentials)
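As an added illustration (not part of these notes or any named tool) of the identifiability/linkability axis in the data classification section above and of the obfuscation and data minimization controls listed here, the following Python tokenizes a direct identifier with a keyed hash, generalises the quasi-identifiers and measures the k-anonymity of each version. The records, the key and the generalisation rules are constructed for the example.

```python
"""Added example, not from the CIPM notes: pseudonymise a direct identifier with a
keyed hash, generalise quasi-identifiers (data minimisation) and measure the
k-anonymity of the result. Records, key and generalisation rules are constructed."""
import hashlib
import hmac
from collections import Counter

# Constructed sample profile records. "email" is a direct identifier, "postcode"
# and "birth_year" are quasi-identifiers, "diagnosis" is the sensitive attribute.
RECORDS = [
    {"email": "ann@example.com", "postcode": "SW1A 1AA", "birth_year": 1984, "diagnosis": "asthma"},
    {"email": "bob@example.com", "postcode": "SW1A 2BB", "birth_year": 1986, "diagnosis": "none"},
    {"email": "cy@example.com", "postcode": "SW1A 3CC", "birth_year": 1981, "diagnosis": "diabetes"},
    {"email": "di@example.com", "postcode": "E1 6AN", "birth_year": 1992, "diagnosis": "none"},
    {"email": "ed@example.com", "postcode": "E1 7BB", "birth_year": 1995, "diagnosis": "asthma"},
    {"email": "fay@example.com", "postcode": "E1 8CC", "birth_year": 1999, "diagnosis": "none"},
]

# Constructed secret. The key is what keeps the token table "linkable with
# reasonable effort" only for its holder; it must be stored apart from the profiles.
TOKEN_KEY = b"constructed-demo-key-not-for-production"

QUASI_IDENTIFIERS_RAW = ("postcode", "birth_year")
QUASI_IDENTIFIERS_GENERALISED = ("postcode_area", "birth_decade")


def tokenize(value: str, key: bytes = TOKEN_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier.

    A plain, unkeyed hash of an e-mail address is weak obfuscation: anyone can
    hash guessed addresses and match them. The key removes that linkability for
    everyone who does not hold it, while staying deterministic for the holder so
    the same person maps to the same token across datasets.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymise(records):
    """Replace the direct identifier with a keyed token; other fields unchanged."""
    out = []
    for r in records:
        row = dict(r)
        row["subject_token"] = tokenize(row.pop("email"))
        out.append(row)
    return out


def generalise(record):
    """Data minimisation by aggregation: coarsen the quasi-identifiers so that
    more records share each value, and drop the direct identifier entirely."""
    return {
        "postcode_area": record["postcode"].split()[0],   # "SW1A 1AA" -> "SW1A"
        "birth_decade": record["birth_year"] // 10 * 10,  # 1984 -> 1980
        "diagnosis": record["diagnosis"],
    }


def k_anonymity(records, quasi_identifiers) -> int:
    """k = size of the smallest group of records sharing the same quasi-identifier
    values. k == 1 means at least one record is unique on those attributes."""
    groups = Counter(tuple(r[q] for q in quasi_identifiers) for r in records)
    return min(groups.values()) if groups else 0


def identifiability_report(records):
    """k before and after each control, showing which step actually moves the
    data along the identifiability/linkability axis."""
    pseudo = pseudonymise(records)
    anon = [generalise(r) for r in records]
    return {
        "raw_k": k_anonymity(records, QUASI_IDENTIFIERS_RAW),
        # Tokenising the e-mail does nothing for k: the quasi-identifiers are untouched.
        "pseudonymised_k": k_anonymity(pseudo, QUASI_IDENTIFIERS_RAW),
        "generalised_k": k_anonymity(anon, QUASI_IDENTIFIERS_GENERALISED),
    }


if __name__ == "__main__":
    # -> {'raw_k': 1, 'pseudonymised_k': 1, 'generalised_k': 3}
    print(identifiability_report(RECORDS))
```

Tokenising alone leaves every record unique on postcode and birth year (k = 1); only generalising the quasi-identifiers raises k, which is why obfuscation and minimisation are separate control areas.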

Check policy control examples in BOK, ISO standards.

CHAPTER 9

Data breach incident plan

There is a wide range of laws that apply when a company is responding to a data breach. In the US, there
are laws in every state and industry-specific federal laws; in the EU, the GDPR. After addressing notification
requirements, companies often find themselves exposed to post-notice scrutiny. This can take the form
of regulatory enquiries and lawsuits, including lawsuits from class action lawyers.

Incident planning

What is at risk-

There are laws that require companies to provide notification to affected individuals and/or
government authorities in the event of a data breach.

Risks- PR scrutiny, bad press, follow-on lawsuits and regulatory action accusing the company of failing
to take proper action to protect information.

Legal exposure and reputational liability, potential regulatory scrutiny

Factors that may be considered during scrutiny-

- Purported obligation to prevent unauthorised access to or use of data
- Whether the company satisfies an applicable industry standard of care
- Whether damage or injury has occurred and whether the company's conduct is the
proximate cause of the damages.

Cost when addressing an incident

Cost of incident itself, potential loss of revenue due to litigation, fine, loss of existing and
potential business, impact on business relationships and third-party contracts, cost to affected
individuals.

How breaches occur-

Employee error and negligence, hacking, malware, device loss or theft, unintended disclosure of
information.

Security incident vs. breach

Incident- when the CIA of the personal information is compromised.

Data breach- typically involves some sort of unauthorized access to and acquisition of
information, though the definition of breach varies.

Until a lawyer has determined that a fact pattern meets the legal definition,
companies should refer to a security incident simply as an incident.

Getting prepared

What will the company do when prevention fails?

Preparedness falls into 5 categories- i) training; ii) getting an incident response plan in
place; iii) understanding key stakeholders; iv) getting insurance coverage where appropriate; v)
managing vendors who might be a part of the incident.

1. Training- why train, which function should fund training, who should receive training, form
of training.
2. Creating an incident response plan

Key factors to be considered in putting together a plan-

- Type of information collected
- Format
- Method of collection
- Applicable laws
- Third-party relationships- which vendors are most likely to have a breach that would
affect you?
- Internal administration
- Learnings from prior incidents
- How to protect privilege
- Roles and responsibilities of team members
- How to escalate possible issues and report suspicious activities
- Severity ranking (what triggers escalation and what type of escalation)
- Interactions with external parties (regulators, vendors, insurance providers, investigators,
impacted individuals)
- Integration with the business continuity plan
- Provide a mechanism for learning post-incident
- Map out for people in the organisation what to do. Help the team understand what they may be
facing if an incident occurs
3. Knowing your stakeholders (IT, HR, marketing, CRM, audit and compliance, shareholder
management, BD, communication, union, finance, CEO, Board).
4. Insurance coverage- covered expenses are forensic investigations, outside counsel fees, crisis
management services, PR experts, breach notification, call centre cost, credit monitoring,
fraud resolution services. Coordinate with the legal department before sharing information with
third parties.
5. Management of vendors who may be the source of an incident- the obligation to notify of a breach may
fall on the company, not the vendor. It is important to have a good understanding of what information
vendors have, how they use it and what they will do if they suffer an incident. Not only the language of the
contract but on-the-ground due diligence is needed to get an understanding of preparedness and
ensure coordination in the event of an incident.

Roles in incident response planning by function

Core elements of incident response planning are-

i) incident detection;
ii) incident handling;
iii) customer notification.

Incident detection

1. Identifying the roles and responsibilities in planning for a possible breach.

- IS- they have a broad enough perspective on the organisation's e-assets, and provide
guidance regarding how the organisation addresses detection, isolation, removal and
preservation of affected systems;
- Legal- they understand the legal precedents and requirements for handling data and
reporting breaches. Their guidance helps limit the company's liability and the economic
consequences of a breach, including avoidance of litigation and fines. They can help in
negotiations with business partners. They can ensure the response program is designed to
protect privilege and limit legal liability.
- HR- provide the employee perspective, employee data handling, security awareness training
- Marketing- advise about CRM. They handle a vast amount of customer data and through
analysis of such data they get insights into the voice of the brand to external audiences and the voice
of the customer to engineering and R&D
- BD- represent knowledge in handling and keeping the account, developing an
understanding of the customer's corporate culture, decision makers' personalities, potential
customers.
- PR- plan strategic and tactical communication to inform and influence
- Union- represent union interests
- Finance- calculate and manage the bottom-line impact of containment and correction
- CEO- demonstrate the value of preventing breaches through actions
- Customer care- offer insight on customer and caller behaviour, social engineering- a
threat that can surface in a call centre, as criminals call repeatedly to probe and test how
security procedures apply.

2. Integrating incident response into the business continuity plan

BCPs help organisations run smoothly in a time of crisis. The plan spells out the actions that
action teams must take before, during and after an event.

Table top exercise- a structured readiness testing activity that simulates an emergency
situation in an informal, stress-free setting. Participants and decision makers gather to
discuss roles, responsibilities and procedures in the context of the emergency situation.

Updated plan- after concluding the exercise, results must be summarized, recorded and
distributed, and actionable insights added to the BCP. The plan must be updated to include up-to-
date timelines, action steps, policies and procedures, and emergency contact information.

Budgeting for training and response

Best practices

Typical costs incurred in responding to a breach include threat isolation, forensic
investigation, engaging legal counsel, PR and media outreach, reporting and notification.

ii) Incident handling

Breach response tasks fall into 3 broad categories-

i) secure operations; ii) notify appropriate parties; iii) fix vulnerabilities

Incident detection- privacy is a business function and not a technical function, and depends
upon various departments to execute breach detection and response.

Privacy incident- any potential or actual compromise of personal information in a form that
facilitates intentional or unintentional access by unauthorized third parties.

Employee training- how and when to report suspicious incidents to their supervisors who in turn
should know how to properly escalate the incident to internal authorities.

Reporting worksheets-

1. Person who discovered the incident
2. Date and time when the incident was discovered
3. Incident date, time and location
4. Type of data suspected to be involved (internal employee/ client customer/ 3rd party/vendor)
5. Employee's description of what occurred- how the incident was discovered, does the
incident involve paper or e-records, what type of records/media was involved (paper,
electronic, media)
6. Was the device or information password protected/encrypted?
7. Was PII (social security numbers, user names, passwords) exposed?
8. How many records were involved?
9. Has the incident been contained, or is there still a chance of leak or loss of data?

Collaboration among stakeholders- IT and HR work together on detection of a virus or any other
cybersecurity threat. IT will detect the intrusion and give specific containment instructions to employees.

Physical security- access-limiting security measures maintained by facilities.

HR- revision of data access privileges during role change; physical or e-access for those departing.

Third parties- should be accounted for in incident detection and planning. Require 3rd parties to notify
when servers, websites and business-critical systems are taken offline. The organisation must also
inform partners when its servers are hit by a virus.

Tools for prevention- prevention techniques and their various applications.

As soon as the investigator confirms that sensitive information is compromised, the pre-notification
process is triggered.

Team roles during an incident

Companies dealing with an incident may find themselves balancing two conflicting issues:
containment and legal exposures.

Legal (to address legal exposure and privilege) and IT (containment and remediation).

CPO/CCO wants to ensure that breach is handled correctly from compliance standpoint.

CISO- investigation and containment, recommending outside forensic experts to help ascertain the
incident's cause, size and scope, evidence preservation, taking affected systems offline, correcting
vulnerabilities that facilitated the incident.

Check BOK for details on tips to help manage expectations of executives. (pg 193- 202)

Investigating an incident

Breach investigation occurs when investigator has concluded that sensitive information has been
compromised. Forensic investigators can capture forensic images of affected systems, collect and
analyse evidence and outline remediation steps.

On the containment side, focus is on isolating the compromised systems, containing the damage
and documenting any actions taken. On the legal side, focus is on whether the event constitutes a
breach under the definition provided under the law, preserving electronic evidence and establishing
a chain of custody.

Containment-

The need to prevent further loss by taking appropriate steps is critical. These include securing physical
areas and blocking the bad actor's access to impacted data, fixing the vulnerabilities that allowed the bad
actor to access the system in the first place, and addressing third parties that might have been involved.

Where necessary it may be appropriate to share the learnings but this should be done in conjunction
with legal steps discussed in the next section.

Factors to be considered-

i) Service provider-
- were they involved?
- is there a need to change access privileges?
- what steps do they need to take to prevent future breaches?
- how can you verify that they have taken these steps?
ii) Network segmentation- ensure your segmentation plan was effective in containing the
breach.

Importance of privilege

When investigating an incident, a company will want to make sure that its investigation and related
communications and work product are protected by attorney-client privilege. It is better to have the
process directed by outside counsel, because courts have in some instances ruled that there
was no privilege where inside counsel appeared to be acting in a business, rather than a legal,
capacity. A proper investigation may generate communications and documents containing facts and
opinions that reflect badly on the company, or sensitive material such as trade secrets. An investigation
directed by counsel will maintain privilege, so the company can perform a thorough investigation
without fear of communications and documents created during the process being used in
litigation.

Notification and cooperation with insurer

Credit card incidents

Third party forensics

Privacy policy components

Reporting obligations and execution timelines

Not all breaches require notification. There are various types of notification requirements to
regulators and affected individuals.

Because of the potential consequences to the organisation and to those whose data has been
exposed, organisations must quickly initiate the notification process. This includes verifying
addresses, writing and mailing notifications, setting up a call centre, and arranging support services such as
identity theft protection for affected individuals.

Internal announcement, external announcement, regulator notifications.

Letter drops, call centre launches

Remediation offers

Besides trying to protect the incident victims' identities, companies tend to offer remediation services to
soften the blow of the breach. If a remediation offer is made, the company should facilitate the dialogue
between the parties involved, which include the credit monitoring provider, letter print shop and call
centre.

The notification should contain a full description of the remediation product, enrolment instructions, a
customer service phone number, and an activation code to redeem the remediation product.

Progress reporting

For complex large-scale breaches where notification is required, keeping track of letters mailed, calls
received and credit monitoring enrolments, and reporting up and down, is important. During the
breach notification period the incident team may be called upon to provide metrics about how the
event is being received by the affected individuals, press, regulators and the public generally.

When putting together a reporting plan, keep in mind who is asking, what they need to know, and legal
issues of privilege and risk.

It is a good practice to update senior management at least weekly for the first few months after the
breach.

Recovering from breach

Lessons learned from all incidents must be captured, recorded and incorporated into the plan. Among
the most beneficial questions to answer about the response are-

- Which parts of the process clearly worked as intended?
- Which worked only after some modification?
- What did not work at all?
- What did the team do exceptionally well? What did not go well?
- Were any unforeseen complications encountered? How could they have been avoided?
- How well was the team prepared for the unexpected?
- How realistic were the plan's response timelines?
- What was the difference between actual and budgeted cost?
- Was the team sufficiently staffed?
- Were all relevant parties part of the team?
- What could be learned and what could be improved upon for the next potential breach?

Calculating and quantifying the cost

Breach-related costs that can be identified, lost business opportunities and damage to brand equity.

Legal costs; internal costs (outside counsel, crisis management, PR, forensic investigator, call centre
support, equipment replacement and security enhancement, insurance, card replacement,
employee training); remediation costs (victim notification, remediation (credit monitoring, fraud
resolution, identity theft insurance for victims)); victim damages (costs related to corrections incurred by
breach victims); intangible costs (customer retention, lost revenue, stock value, opportunity cost).

Benefiting from breach

Review of items post data breach: staffing and resourcing; containment, including timing and
process, C suite commitment, including sign off of measures and allocation of resources; clarity of
roles of response team; notification process for individuals, regulatory bodies.

CHAPTER 10

Monitoring and auditing program performance

General best practices for identifying, defining, selecting, collecting and analysing metrics specific to
privacy.

Organisations must ensure that proper protections are in place and functioning optimally. Tracking
and benchmarking through performance measurement is critical.

Performance measurement is used by organisations to inform different stakeholders. Measurement
systems must be easy to understand, repeatable and reflective of relevant indicators.

A metric is a unit of measurement that should be as objective as possible. Metrics can provide data
that can help to answer specific questions. A metric must add value by accurately reflecting the state
of business objectives and goals. An objective can be broad-based, but a goal should be structured in
a way that is measurable. Example: objective- to develop privacy notices; goal- to provide privacy
notices to 100% of the customer base in a definite period of time.

How metrics help the entire organisation understand and implement effective privacy policy-

- Assist leaders in tracking specific privacy objectives and goals
- Help conversations about the privacy regime be meaningful to key stakeholders
- Use of metrics can help eliminate terminology jargon, making it easier for decisions to be
made at program and operational level
- Metrics consider, but are not based on, a specific technology or application
- Using metrics advances the maturity level of privacy programs
- Help demonstrate the ROI of the privacy program and privacy resource utilization- and thus feed
into overall business resiliency metrics.

To be meaningful, a metric must be described clearly.

Generic privacy metrics should be developed for different processes, e.g. collection, response to
data subject enquiries, use, retention, disclosure, incident, training, review, coverage, risk
assessment. Once defined, data should be captured regularly to enable trending-over-time analysis.

Metric identification is difficult and must be done in consideration of what is both sustainable and
scalable.

Using the right metric as KPIs can help the organisation set and track multiple objectives and goals.

Start with identifying which metrics are critical to your organisation and why. Consideration should
include all layers of the organisation, to encourage overall success and usefulness of any metric beyond
the needs of the privacy professional.

Intended audience

Relevant stakeholders are those who will use the data to view, discuss and make strategic decisions.
Primary- DPO, CIO, CSO, senior leadership, program manager, information system owner, ISO.

Secondary- CFO, training org, HR, HIPAA inspector

Tertiary- external watch groups, sponsors and shareholders

Metric owner

A person with privacy knowledge, so as to limit errors in interpretation of privacy laws. A metric
owner should-

- Know what is critical about the metric and how it fits into the business objective
- Monitor process performance
- Be accountable for keeping process documentation up to date
- Minimise variance
- Undertake visualisations (flowcharts, graphs)
- Perform regular reviews to determine if the metric is still effective
- Ensure improvements are incorporated and maintained in the process

Analysis (trend analysis, ROI, business resiliency, program maturity)

Trend analysis

Once metrics have been collected, data analysis is conducted using statistical methods (automated
tools). This approach attempts to spot a pattern in the information as viewed over a period of time.
Different statistical trending methods are- simple data patterns, fitting a trend (least squares), trends
in random data (data as a trend plus noise, noisy time series), the goodness of fit (R squared).
Privacy professionals can focus on looking for data patterns.

Time series analysis- trends in an upward or downward tendency (e.g. number of privacy breaches
over time)

Cyclic component- data over a time period focussed on regular fluctuations (e.g. number of privacy
breaches in a month after training, explains changes in the number reported as the distance from
training increases)

Irregular component or noise- what is left over when the other components (time and cyclic) in the
series have been accounted for, e.g. absence of privacy breaches.
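The three components described above (trend, cyclic, irregular) can be pulled apart with the least-squares and R-squared methods the notes mention. The following is an added worked example, not part of the CIPM notes: it fits a least-squares trend to a constructed series of monthly reported privacy incidents, measures goodness of fit with R squared, and then separates a fixed-period cyclic component (incidents dipping in the month after awareness training, which is assumed to run every three months) from the leftover noise.

```python
"""Trend analysis of a privacy metric: least-squares trend line, R squared, and
decomposition into trend + cyclic + irregular (noise) components.
Added illustration; the data and the 3-month training cycle are constructed."""
from statistics import mean

# Constructed sample: monthly count of reported privacy incidents over 24 months.
# Awareness training runs every 3 months, so counts dip in the month after training
# and creep back up before the next session (a cycle on top of a downward trend).
MONTHLY_INCIDENTS = [14, 11, 13, 12, 9, 11, 10, 8, 10, 9, 6, 8,
                     8, 6, 7, 7, 5, 6, 5, 4, 5, 4, 3, 4]
TRAINING_PERIOD = 3  # months between training sessions (assumed)


def fit_trend(y):
    """Ordinary least squares line y ~ intercept + slope * t for t = 0, 1, ..., n-1.
    Returns (slope, intercept)."""
    t = list(range(len(y)))
    t_bar, y_bar = mean(t), mean(y)
    sxy = sum((ti - t_bar) * (yi - y_bar) for ti, yi in zip(t, y))
    sxx = sum((ti - t_bar) ** 2 for ti in t)
    slope = sxy / sxx
    return slope, y_bar - slope * t_bar


def r_squared(y, fitted):
    """Goodness of fit: share of the variance in y explained by the fitted values."""
    y_bar = mean(y)
    ss_res = sum((yi - fi) ** 2 for yi, fi in zip(y, fitted))
    ss_tot = sum((yi - y_bar) ** 2 for yi in y)
    return 1 - ss_res / ss_tot


def decompose(y, period):
    """Split the series into trend, cyclic (fixed period) and irregular components
    that add back up to y exactly."""
    slope, intercept = fit_trend(y)
    trend = [intercept + slope * t for t in range(len(y))]
    detrended = [yi - ti for yi, ti in zip(y, trend)]
    # cyclic: average detrended value at each phase of the cycle, centred on zero
    phase_means = [mean(detrended[k::period]) for k in range(period)]
    centre = mean(phase_means)
    cyclic = [phase_means[t % period] - centre for t in range(len(y))]
    # irregular: whatever the trend and the cycle do not account for
    noise = [d - c for d, c in zip(detrended, cyclic)]
    return trend, cyclic, noise


def summarize(y, period):
    """Figures a privacy professional would report: direction of the trend, how much
    of the variation the trend explains, and the shape of the cycle."""
    slope, intercept = fit_trend(y)
    trend, cyclic, noise = decompose(y, period)
    return {
        "slope_per_month": slope,
        "intercept": intercept,
        "r2_trend_only": r_squared(y, trend),
        "r2_trend_plus_cycle": r_squared(y, [t + c for t, c in zip(trend, cyclic)]),
        "cycle_pattern": [round(cyclic[k], 2) for k in range(period)],
    }


if __name__ == "__main__":
    for key, value in summarize(MONTHLY_INCIDENTS, TRAINING_PERIOD).items():
        print(f"{key}: {value}")
```

A negative slope shows the downward tendency; comparing R squared with and without the cyclic component shows how much of the month-to-month movement is the training cycle rather than a real change in the program. The cycle pattern is indexed by month within the cycle, so its lowest entry identifies the month in which incidents are typically fewest.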

ROI

An indicator used to measure the financial loss or gain of a project or program. It provides a
quantitative measurement of benefit and cost and of the strengths and weaknesses of the organisation's
privacy controls.

An attempt to form an economic risk assessment to determine the probability of loss and the probable
economic consequences.

Two considerations in developing a metric-

1. ROI of a given function must be related to the reason for implementing that function
2. Value of information assets must be defined. Privacy professional should consider how that
changes over time- for example, the costs of producing information, repercussions if the
information is not available, other factors such as harm to reputation and loss of confidence.

Business Resiliency

Organisation’s business continuity or disaster recovery office should be contacted to assist in use
and selection of data for this metric type. Not solely focusing on disasters but using a proactive
approach to respond to unexpected events more quickly and more effectively. A strong business
resilience program helps organisations to prepare for audits and demonstrate compliance.

Program maturity

The privacy maturity model (PMM) is a model that sets out maturity levels for privacy programs and
operations. Maturity is a useful metric as it focusses on the scale rather than the end point. For
example, acceptable data privacy protection may be in place without being “most mature”. PMM
uses five maturity levels-

- Ad hoc- procedures and processes are informal, incomplete, inconsistently applied
- Repeatable- procedures and processes are in place, but not fully documented and do
not cover all aspects.
- Defined- fully documented, implemented and cover all aspects
- Managed- reviews are conducted to assess the effectiveness of controls in place
- Optimized- regular review and feedback are used to ensure continual improvement
towards optimization of a given process.
Key start-up activities for PMM-

- Identifying a sponsor
- Assigning responsibilities for the project
- Considering stakeholder/oversight committee with non-privacy representation (legal,
audit, risk management)

It is important to be transparent about the process and results to ensure that identifiable
risk and compliance issues are appropriately escalated.

An initial assessment can identify strengths and weaknesses. Once the baseline assessment
has been established, the organisation can decide at which level of maturity it wants to
operate.

Metrics in action: reporting to the board

Metrics help the DPO to demonstrate the status of compliance to the management.

IAPP resources list the activities mandated for the DPO and the metrics created for demonstrating
compliance.

Examples of metrics in the report are-

- Number of privacy staff
- Total privacy budget
- Number of products and services utilizing personal data
- Total number of data subjects about whom data is held
- Number of processors
- Ratio of employees in compliance to legal, or to employees as a whole
- How many business processes use consumer data vs. employee data
- How many DPIAs have been conducted
- How many data subject access requests have been received?
- How many complaints have been received?
- How many data security incidents have been discovered and reported
- How many of those were elevated for notification of the DPA or data subjects

Activities might be tracked by month or quarter. Helpful in assessing whether more time and
resources are required.

Indicators-

Complaints increasing- poorly performing program- need for more staff and budget

Access requests increasing- trust issue with business, PR and marketing needs to be involved.

Monitor

Ongoing activities that an organisation undertakes to control, manage and report risk associated
with privacy management practices.

Monitoring should be continual, based on the organisation's risk goals, and executed through defined
roles and responsibilities that may include privacy, audit, risk and security personnel.

Outcomes of monitoring include compliance, increased awareness, transparency and credibility,
detecting privacy failures, and obtaining feedback for privacy program improvement.

Monitoring covers how privacy management practices are used and maintained, and validates that
programs are being implemented in a manner consistent with the organisation's privacy policy and
standards.

Types of monitoring

1. Compliance- compliance monitoring is focused on collection, use and retention of personal
information to ensure that necessary policies and controls are in place.
Degree of monitoring required depends on sensitivity of information, compliance risk
factors, industry.
Four common approaches- i) self-monitoring, ii) audit management, iii) security/system
management and iv) risk management.
Compliance monitoring is necessary for correcting violations, supporting enforcement
actions, and evaluating progress.
2. Regulation- monitor changes and update policies.
3. Environment- monitoring internal and external environment, focuses on vulnerabilities. E.g.
physical concerns, programmatic concerns, training and awareness, insider threat,
sabotaging, modifying and stealing information for personal gain, cybersecurity threats.

Forms of monitoring

1. Tools- active scanning tools for network and storage. For example, scan results may find a
file with PD stored on a network which is publicly accessible. This helps in proactively
identifying a potential privacy breach.
2. Audit- people, processes, technology, finances
3. Breaches- tracking the type of breach over time, severity and time to remediation can be
helpful in determining if both training activities and program processes are sufficient.
4. Complaints- complaint monitoring processes track, report, document and provide resolutions
for customer, patient, employee and supplier complaints. Tracking the type and origin of
complaints can provide early indication of potential for regulatory activity.
5. Data retention- looking for potential areas of risk present in retention schedules and practices,
such as excessive collection, inadequate controls (access and use), or undue disclosure
practices.
6. Controls- assessing the design and efficacy of a given control set. GRC tools.
7. Human resources- workplace monitoring.
8. Suppliers- agreements should contain monitoring and protection procedures, including
appropriate privacy and security requirements and the provider's performance.
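Item 1 above describes an active scanning tool that finds a file holding personal data (PD) on a publicly accessible share. The following is an added example, not part of the CIPM notes or any named product: it walks a directory, flags only files that both match constructed PD patterns (email addresses and phone numbers) and carry the world-readable permission bit, and builds its own small sample share so it runs offline. The patterns, file names and sample records are all constructed.

```python
"""Proactive monitoring tool: scan a file share for files that both contain
personal-data (PD) patterns and are readable by everyone on the host.
Added example; detectors and the sample share are constructed, and the
permission check assumes a POSIX filesystem."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Constructed detectors. Real deployments tune these per jurisdiction and data type,
# and expect some false positives (dates, order numbers) that a reviewer triages.
PD_PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    "phone": re.compile(r"(?:\+?\d{1,3}[ -])?\(?\d{3}\)?[ -]?\d{3}[ -]?\d{4}\b"),
}
MAX_BYTES = 1_000_000  # inspect only the head of very large files


def is_world_readable(path):
    """True when the 'other' read bit is set, i.e. any account on the host can open it."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def count_pd_matches(path):
    """Return {kind: count} for every PD pattern that matches the file's text."""
    try:
        text = Path(path).read_bytes()[:MAX_BYTES].decode("utf-8", errors="ignore")
    except OSError:
        return {}
    return {kind: len(rx.findall(text)) for kind, rx in PD_PATTERNS.items() if rx.search(text)}


def scan_for_exposed_pd(root):
    """Walk `root`; report files that contain PD patterns AND are world-readable.
    Each finding is a potential privacy breach to raise through the monitoring process."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_world_readable(path):
                continue  # restricted file: PD inside it is not exposed by permissions
            hits = count_pd_matches(path)
            if hits:
                findings.append({"path": os.path.relpath(path, root), "matches": hits})
    return sorted(findings, key=lambda f: f["path"])


def build_sample_share():
    """Create a constructed file share with three files (sample data, not real people)."""
    root = tempfile.mkdtemp(prefix="pd-scan-")
    samples = {
        # world-readable and contains PD: should be flagged
        "exports/customers.csv": ("name,email,phone\nA. Sample,a.sample@example.com,+1 415 555 0123\n", 0o644),
        # contains PD but readable only by its owner: not flagged
        "hr/payroll.txt": ("contact: payroll@example.com\n", 0o600),
        # world-readable but no PD: not flagged
        "public/readme.txt": ("Welcome to the shared drive.\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        p = Path(root, rel)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content)
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for finding in scan_for_exposed_pd(share):
        print(f"EXPOSED {finding['path']}: {finding['matches']}")
```

Only the customer export is reported: the payroll file contains PD but its permissions already restrict it, and the readme is public but holds nothing personal. Separating the content check from the permission check keeps the output focused on the condition the monitoring program actually cares about, data that is both personal and reachable.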

Audit

Audits are an ongoing process of evaluating the effectiveness of controls throughout the
organisation’s operations, systems and processes.

The purpose of a privacy audit is to determine the degree to which technology, processes and
people comply with privacy policies and practices.

Privacy audits help to-

1. Measure the efficacy of privacy procedures
2. Demonstrate compliance
3. Increase the level of general privacy awareness
4. Reveal gaps
5. Form a basis for remediation planning.

Audits differ from assessments in that they are evidence based.

Reasons to perform audits

1. To obtain evidence regarding whether privacy operations are doing what they are designed
to do, and privacy controls are correctly managed.
2. When changes occur-
i) Policy degradation
ii) System updates and maintenance
iii) Accidents
iv) Security and privacy breaches
v) Request from regulators, leadership or media
vi) New categories of customers
vii) Acquiring of new lines of businesses
viii) Changing priorities
ix) New suppliers
x) New countries of operation
xi) Risks identified through other business processes

Different phases of audits

Auditor must have full authority to conduct audit. Stakeholders and their roles and responsibilities
must be defined before audit begins.

Scoping the audit- critical to determine the type of personnel (employee, contractor, 3rd party) who
are permitted to handle personal information.

Five phase audit approach-

1. Audit planning-
i) Conducting a risk assessment
ii) Setting a schedule
iii) Selecting the right auditor
iv) Completing a pre-audit questionnaire
v) Hosting an introductory meeting to prepare for an audit
vi) Compiling a checklist

2. Preparation phase-
i) Confirming the schedule
ii) Preparing additional checklist for sampling criterion
iii) Finalizing the audit plan

3. Audit
i) Meeting with stakeholders and business process owners
ii) Executing the functional goal of audit

4. Reporting
i) Recording and reporting on non-compliance (categorizing instances as minor/major)
ii) Drafting a formal audit report
iii) Hosting a closeout meeting
iv) Copy of an audit report comprising what was audited, when, areas that comply/do
not comply, details to support findings, suggested corrections.
v) Work estimates, risks, remediation plans, cost estimates

5. Follow up
i) Confirmation of scope of remediation activity
ii) Scheduling activities
iii) Addressing around methodologies

Types of audits

Frequency will depend on resources, risk tolerance, culture, and demand.

1. First party (internal)- support self-certifications.
i) Current state of compliance
ii) Relevant facts, data, documentation
iii) Alignment with a privacy standard, guidelines or policy
iv) Risk factors
v) Control design and implementation

2. Second party (supplier)- contract language should include specific privacy protection and
regulatory requirements and be mapped to service level agreements as if the supplier was a
part of the organisation. Right to audit supplier to obtain evidence of compliance.

3. Third party (independent)- conducted by independent outside sources, typically under a
consent decree or regulatory request. They may align to various regional or industry
frameworks such as NIST and ISO.

Advantages-
- Identify weaknesses of internal controls
- Make first party audits more credible
- Expert recommendations
Disadvantages-
bringing in external party, cost, scheduling, time

Review

Evaluate the program or specific pieces of it

Summary-

How metrics provide a baseline for evaluating projects, and help privacy professionals to communicate
what value they add to the organisation.

Ongoing monitoring helps identify gaps in privacy program function and provides a mechanism for
optimization.

Audits- how well the program and controls are working together.

Communication about metrics, audit and monitoring activities help to create awareness of privacy
program.

Glossary
Performance measurement- the process of formulating and selecting metrics to evaluate
implementation, efficiency or effectiveness; gathering of data and production of quantifiable output
that describes performance.

Metrics- tools that facilitate decision making and accountability through collection, analysis, and
reporting of data.

They must be measurable, meaningful, clearly defined (with boundaries) and able to indicate
progress and answer a specific question to be valuable and practical.

Metrics lifecycle-process and method to sustain a metric to match the ever-changing need of
organisation.

Metric audience- primary, secondary and tertiary stakeholders who obtain value from the metric

Metrics owner- process owner, champion, evangelist, responsible for management of the metric
throughout its lifecycle.

Purpose- goal of privacy policy and program

Scope- which resources the policy protects (facilities, hardware, software, information, personnel)

Risk and responsibilities- assigns responsibilities to roles throughout the organisation.

Compliance- potential compliance factors

- General organization compliance to ensure that the privacy policy assigns responsibilities at the
proper level to create an oversight group. This group will monitor compliance and conduct
enforcement activities, aligning with the organisation's priorities.
- Ability to apply penalties and disciplinary action
- Understanding of penalties for non-compliance
