Common Practice in Data Privacy Program Management
Eryk B. Pratama
IT Advisory & Cyber Security Consultant at Global Consulting Firm
Komunitas Data Privacy & Protection Indonesia
29 Aug 2020 | 20.00
OSI Webinar
Common Practice in Data Privacy
Program Management
https://www.slideshare.net/proferyk
https://medium.com/@proferyk
Agenda
01 Global Privacy News
02 Regulations & Frameworks
03 Privacy Program Management Practice
Understanding Privacy Management
Global Privacy News
Source: https://assets.kpmg/content/dam/kpmg/be/pdf/2017/Factsheet_DATA_PRIVACY_AND_PROTECTION_2016.pdf
2020 ??
Understanding regulatory requirements is very important
RUU Perlindungan Data Pribadi (Indonesian Personal Data Protection Bill)
Regulation
Key Highlights
▪ Explicit consent is required from the data owner for personal data processing.
▪ Response timelines for data subject rights are called out separately in the RUU PDP.
▪ The data controller must notify the data owner and the Minister within 3 days of a data breach.
▪ Penalties for non-compliance range from Rp 20 billion to Rp 70 billion, or imprisonment of 2 to 7 years.
Key roles defined: Data Owner, Data Controller, Data Processor, Data Protection Officer
COVID-19 Impact on Privacy and Data Protection
Global Privacy News
Source: TrustArc – Global Privacy Benchmarks Survey 2020
The pandemic forced a global response, including lockdowns in Europe, Asia and North America. Some 42% of companies expected either a decrease or a steep decrease in revenue as a result. When asked what percentage of their company's workforce had switched to working from home because of COVID-19, 62% indicated that more than half of their workforce had done so. Over half of all respondents believe the pandemic has increased risk across a number of areas.
Types of Privacy Assessment
Global Privacy News
Source: IAPP TrustArc - Measuring Privacy Operations 2019
There is little difference between highly regulated and unregulated firms in the types of privacy assessments they conduct, other than a slight uptick in GDPR-related assessments among unregulated firms, which are more likely to be doing business in the EU regardless of where they are located.
Data Privacy Framework
Regulations & Frameworks
Three frameworks compared side by side: KPMG Privacy, NIST Privacy Framework, ISO/IEC 27701.

KPMG Privacy
▪ Information Lifecycle Management
▪ Governance and Operating Model
▪ Inventory/Data Mapping
▪ Regulatory Management
▪ Risk and Control
▪ Policies
▪ Processes, Procedures and Technology
▪ Security for Privacy
▪ Third Party Oversight
▪ Training and Awareness
▪ Monitoring
▪ Incident Management

NIST Privacy Framework
▪ Inventory and Mapping
▪ Data Processing Ecosystem Risk Management
▪ Governance Policies, Processes, and Procedures
▪ Awareness and Training
▪ Monitoring and Review
▪ Data Processing Management
▪ Communication
▪ Data Security
▪ Protective Technology
▪ Detection Processes
▪ Respond Processes
▪ Recovery Processes

ISO/IEC 27701
▪ Conditions for collection and processing
▪ Obligations to PII principals
▪ Privacy by design and privacy by default
▪ PII sharing, transfer, and disclosure
▪ PIMS-specific requirements related to ISO/IEC 27001
▪ PIMS-specific requirements related to ISO/IEC 27002
▪ Additional ISO/IEC 27002 guidance for PII controllers
▪ Additional ISO/IEC 27002 guidance for PII processors
Privacy Program Management - IAPP
Privacy Program Management Practice
Privacy Governance
▪ Privacy Vision & Mission
▪ Privacy Program Scope
▪ Develop & Implement Framework
▪ Develop Privacy Strategy
▪ Privacy Team & Governance Model

Data Assessment
▪ Inventories & Records
▪ Record of Processing Activities
▪ Impact Assessment
▪ Vendor/Third Party Assessment
▪ Privacy in Mergers, Acquisitions, & Divestiture

Data Subject Rights
▪ Privacy Policy
▪ Privacy Notices & Policies
▪ Choice, Consent, and Opt-out
▪ Data Subject Requests
▪ Handling Complaints

Cross-cutting areas
▪ Training & Awareness
▪ Privacy by Design & Privacy by Default
▪ Incident Management
▪ Monitoring & Auditing Program Performance

Privacy Program Management is the structured approach of combining several disciplines into a framework that allows an organization to meet legal compliance requirements and the expectations of business clients or customers while reducing the risk of a data breach. The framework follows program management principles and considers privacy regulations from around the globe.
Privacy Management Area - Practical
Privacy Program Management Practice
Research & Program Maturity
▪ Regulatory Research: track the evolving privacy landscape
▪ Awareness Training: train employees on privacy best practices
▪ Maturity & Planning: track program maturity over time
▪ Program Benchmarking: compare maturity to similar organizations

Privacy Program Management
▪ Data Mapping: understand your data processing
▪ Automated Assessment: automate PIAs, DPIAs, and Privacy by Design
▪ Vendor Risk Management: centralized assessments, contracts, & DPAs
▪ Incident Response: plan for and respond to incidents & breaches
▪ Policy & Notice Management: centrally manage & host privacy policies

Privacy Rights & Consent
▪ Privacy Rights (DSAR): manage requests from intake to fulfillment
▪ Cookie Consent: automate valid consent on web properties
▪ Mobile App Consent: scan & capture consent in mobile apps
▪ Universal Consent & Preferences
Q & A
https://medium.com/@proferyk
https://www.slideshare.net/proferyk
IT Advisory & Risk (t.me/itadvindonesia)
Data Privacy & Protection (t.me/dataprivid)
Komunitas Data Privacy & Protection (t.me/dataprotectionid)