Uploaded byEryk Budi Pratama
Privacy-ready Data Protection Program Implementation
The document discusses the importance of implementing a structured data privacy program that combines various disciplines to ensure compliance with regulations and protect sensitive personal information. It outlines key components and steps involved in establishing a data privacy framework, including impact assessments, governance, and incident management. Additionally, it emphasizes the critical relationship between data privacy and information security and the need for continuous improvement in these areas.
In this document
Powered by AI
Eryk Budi Pratama is introduced as an expert in Cyber Security, Data Protection, and Data Privacy.
Emphasizes that data privacy cannot be achieved without effective information security measures.
Discusses the significance of data protection laws, organization reputation, customer trust, technology adoption, and the risks of exposing sensitive data.
Outlines the components of a comprehensive Data Privacy Program framework essential for legal compliance and risk reduction.
Describes high-level steps to implement a Data Privacy Program aligned with business strategies and regulatory requirements.
Introduces the concept of skepticism in data handling processes with the phrase 'never trust, always verify'.
Presents the NIST Cyber Security Framework, aligning information security with privacy practices across the data lifecycle.
Describes how security capabilities can align with privacy governance, ensuring comprehensive protection measures.
Explains the stepwise journey for implementing a data protection program focusing on continuous improvement and data lifecycle analysis.
Discusses automation of privacy operations, the importance of training, monitoring, and policy management in improving privacy maturity.
Open floor for questions and answers to clarify concepts discussed in previous slides.
Acknowledges attendees and provides links for further engagement and resources related to Data Privacy and Protection.
More Related Content
Similar to Privacy-ready Data Protection Program Implementation
Privacy-ready Data Protection Program Implementation
- 1. Eryk Budi Pratama CyberSecurity, Data Protection, & Data Privacy Associate Director at Global Consulting Company Founder Komunitas Data Privacy & Protection Indonesia (t.me/dataprotectionid) Chapter Chair International Association of Privacy Professionals (IAPP) Indonesia 18 August 2022 CDEF 16th Meetup Privacy-ready Data Protection Program Implementation
- 2. “ We canimplement information security without considering data privacy, but we cannot implement data privacy without considering information security”
- 3. Why data protectionand privacy is important? Rationale Data Protection/Privacy Regulation Noncompliance with local regulation related to personal data protection and privacy (Undang-Undang, Peraturan Pemerintah, Peraturan Menteri, Peraturan Sektoral) Organization Reputation Consequences of noncompliance can have adverse implications on the organization which include brand and reputational loss Customer Trust Customer defection due to loss of trust in organization data protection and privacy practices consequently financial and reputation losses Technology Adoption Technology to engage with customers is creating challenges in protecting sensitive personal information and organizational intellectual property Critical Data Records Exposure of sensitive data to unauthorized users, compromising its Confidentiality, Availability, and Integrity Key Drivers
- 4. Data Privacy ProgramDomain Implementing Privacy Program Data Privacy Program is the structured approach of combining several disciplines into a framework that allows an organization to meet legal compliance requirements and the expectations of business clients or customer while reducing the risk of a data breach. The framework follows program management principles and considers privacy regulations from around the globe. ▪ Privacy Vision & Mission ▪ Privacy Program Scope ▪ Develop & Implement Framework ▪ Develop Privacy Strategy ▪ Privacy Team & Governance Model ▪ Inventories & Record / Data Discovery ▪ Record of Processing Activities ▪ Privacy Impact Assessment ▪ Vendor/Third Party Risk Assessment ▪ Privacy in Mergers, Acquisitions, & Divestiture ▪ Privacy Policies & Notices ▪ Choice, Consents, and Opt-out ▪ Data Subject Request ▪ Handling Complaint Training & Awareness Privacy by Design & Privacy by Default Incident Management Monitoring & Auditing Program Performance Privacy Governance Data Assessment Data Subject Rights Cross Border Data Transfer
- 5. Operationalize Data PrivacyProgram Implementing Privacy Program High level approach that organization can adopt to develop and implement Data Privacy Program that align with business risks and growth. Identify Personal Data Processing Activities Conduct Assessment Conduct Privacy Impact Assessment (PIA) Identify Relevant Regulation related to Privacy/PDP Understand the Products Conduct Gap Assessment Develop the Privacy Controls Consent Management Privacy Policy & Notice Data Retention Data Classification & Handling Incident & Complaint Management Third Party Contract Guideline Cross Border Data Transfer Implement & Monitor the Controls Assess Design Implement & Monitor Alignment with Cybersecurity Strategy, Program, and Operating Model Data Subject Request and Complaint Handling
- 6. “ never trust,always verify … ”
- 7. Cyber Security Framework(NIST) Privacy-Aligned Information Security Framework Framework Building block to align Privacy and Information Security Identify Protect Detect Respond Recover Data Lifecycle Collect Store Use/Rectify Transfer Disposal *Zero Trust Approach* Identities Workloads Data Networks Devices Telemetry & Analytics Automation & Orchestration ▪ Identity governance and management ▪ Risk-based authentication & authorization ▪ Privilege Access Management Governance Strategy Risk-based Management Operating Model Culture ▪ Application Security ▪ DevSecOps ▪ Data Discovery ▪ Data Loss/Lekage Prevention ▪ Data Classification ▪ Network Architecture ▪ Network Security ▪ On-Prem & Cloud Networks ▪ IT Asset Management ▪ Path Management Audit, Monitoring, and Assurance Compliance Requirements
- 8. Privacy-Aligned Information SecurityFramework Framework Align privacy and security capabilities Security Governance Data discovery and inventory Data classification Data encryption, masking, & tokenization Key and certificate management Information rights management Application security Data retention and destruction Data loss prevention Data access governance Database security Control Framework (e.g. NIST Cybersecurity & SP, CIS, ISO 27001) Information Security Capabilities Governance & Trust Data discovery and mapping Incident & breach response management Record of processing activities Consent management Training, awareness and communications Compliance monitoring and testing Privacy by Design & Privacy Impact Assessment Third-party risk management Data subject rights management Data protection and security Control Framework (e.g. NIST Privacy, ISO 27701, Local and international regulation) Privacy Capabilities
- 9. Roadmap to ProtectPersonal Data Journey A journey to implement data protection program Continuous Improvement • Improve overall capabilities from process and technology aspects Data Lifecycle Analysis • Evaluate the data flow / lifecycle • Understand the data sensitivity • Requirements identification to protect data based on lifecyle Data Classification • Establish the policies, standards and procedures for data classification, • Define data classification and criticality mapping to the data • Defines response time required to detect and resolve Data Loss incident, including analysis, containment, eradication, recovery and post-incident procedures Technology Implementation • Develop high and low level architecture • Install data protection technology solution as per defined architecture • Plan data protection technology implementation in a phased manner beginning from high-risk areas and across data at-rest, in-transit and end- points • Enforces established policies and standards on business processes and supporting technology 1 2 3 4
- 10. Privacy Management Technology PrivacyImprovement The implementation of privacy management tools to automate privacy operation Research & Program Maturity Privacy Program Management Privacy Rights & Consent Regulatory Research Track the Evolving Privacy Landscape Awareness Training Train Employees on Privacy Best Practices Maturity & Planning Track Program Maturity Over Time Program Benchmarking Compare Maturity to Similar Organizations Data Mapping Understand Your Data Processing Automated Assessment Automate PIAs, DPIAs, and Privacy by Design Vendor Risk Management Centralized Assessments, Contracts, & DPAs Incident Response Plan for and Respond to Incidents & Breaches Policy & Notice Management Centrally Manage & Host Privacy Policies Privacy Rights (DSAR) Manage Request from Intake to Fulfillment Cookie Consent Automate Valid Consent on Web Properties Mobile App Consent Scan & Capture Consent in Mobile Apps Universal Consent & Preferences Compares Maturity to Similar Organizations Common Solution Features
- 11.
- 12. Thank You https://medium.com/@proferyk https://www.slideshare.net/proferyk IT Advisory& Risk (t.me/itadvindonesia) Data Privacy & Protection (t.me/dataprivid) Cloud Security (t.me/cloudsecid) Komunitas Data Privacy & Protection (t.me/dataprotectionid)