Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Changing Role of the CPO in Today's Privacy Ecosystem
September 22, 2016
Jan 07, 2017
Today’s Speakers
• Barbara Lawler, Chief Privacy Officer, Intuit
• Hilary Wandall, General Counsel & Chief Data Governance Officer, TRUSTe
• Scott Taylor, AVP Compliance & Chief Privacy Officer, Merck & Co., Inc.
Today’s Agenda
• Welcome & Introductions
• Evolution of the Role
• Core Responsibilities
• Making it Operational
• Addressing the EU GDPR’s DPO Requirements
• Q & A
Evolution of the Role
How the role has developed over more than a half century
• 1970s: First Privacy Officer positions were created in Germany
• 1991: First CPO appointed in the U.S.
• 2002: International Association of Privacy Professionals (IAPP) created
• 2003: HIPAA Privacy Officer positions required in the U.S.
• 2007: EU WD 153 - Elements and Principles for BCRs - Governance
• 2011: Designated individual required by APEC Cross-Border Privacy Rules
• 2004-2014: Data Protection Officer (DPO) roles required outside the U.S. and EU, such as Canada, Colombia, Ghana, India, Israel, Korea, Mexico, Montenegro, Philippines, Russia, Singapore, South Africa, Ukraine
• 2016: U.S. Federal Agencies required to appoint a Senior Agency Official for Privacy (SAOP)
• 2018: GDPR requires appointment of mandatory DPOs with specific statutory criteria for expertise, professional qualities, responsibilities, resourcing, independence and reporting
Core Responsibilities
Program Goals: Compliance. Accountability. Governance.
Driven by organizational experience, culture, resources, business aspirations
Regulatory Compliance
• Privacy notices
• Consents
• Opt-outs
• Contracts
• Security program
• Breach management and notification
• Complaint and individual rights requests handling
Accountability & Stewardship (Regulatory Compliance +)
• Management ownership
• Privacy leader or team
• Comprehensive policies
• Awareness and training
• Risk assessment
• Privacy by design
• Ongoing assurance
• Continuous improvement
Strategic Data Governance (Accountability +)
• Holistic approach
• Interoperable across jurisdictions
• Data as an asset
• Integrated with other data-driven obligations, e.g.: data security, IP & trade secrets, e-discovery, records management
According to IAPP-EY Annual Privacy Governance Report 2016
Privacy Framework
Demonstration
• Demonstrate capacity to internal stakeholders (Management, Internal Audit, Board)
• Demonstrate capacity to external stakeholders (Trust Agents, Regulators)
• Demonstrate capacity to individual data subjects
Effective Approach
• Commitment: solid policies aligned to external criteria; management commitment; full transparency
• Implementation: mechanisms to ensure policies and commitments are put into effect with employees
• Validation: monitoring and assurance programs that validate both coverage and effectiveness of implementation
Oversight
• Identify Risks and Opportunities
• Integrated Governance
Data Stewardship in an Evolving Digital World: Is the role of the CPO changing?
What Remains the Same
• Promoting trust online (and offline)
• Global and local tensions about appropriate and ethical collection, transfer and uses of data
• Data Stewardship Principles and FIPPs-based privacy policies
• Customer first
• Product-focused
• PbD & PIA
What’s Changed
• Enabling or driving innovation
• Promoting digital trust everywhere
• Data at the center of every discussion
• Robust analytics, machine learning, A.I.
• Platforms and distributed services
• Demonstrating (and documenting) compliance
Products: privacy in products and services
Ecosystems: data governance and privacy across product ecosystems
Making it Operational
Putting Policies and Standards into Practice
We often hear from privacy professionals who are starting up a program, or looking to take it to the next stage, that they find it difficult to translate legal opinions and the letter of laws and regulations into effective, sustainable practices within their organizations.
1. How have you addressed this challenge in your career?
2. Are there any best practices that you would recommend?
3. Do you have any insights for SMEs?
Addressing the GDPR’s DPO Requirements
According to IAPP-EY Annual Privacy Governance Report 2016
Compliance and Accountability: EU GDPR DPO Role
Controllers and Processors are Required to Appoint If:
• The organization’s core activities consist of processing on a large scale of sensitive data (e.g., health, race, ethnicity, biometric, religion) or criminal data
• The organization’s core activities consist of processing that requires regular and systematic monitoring of individuals on a large scale
• Processing is carried out by a public authority or body
• Mandated by EU country law (e.g., Germany)
DPO Competencies
• Expertise in data protection law
• Professional qualities (e.g., leadership, communications, program management, business acumen, understanding of technology, strategic thinking, influence)
Role and Responsibilities
• Governance: employee or contractor, single appointee for corporate group as long as readily accessible from any location of the organization
• Transparency: DPO contact details published and communicated to DPAs
• Professional responsibility: independent decisions, reports to senior management, no conflicts, protected from dismissal, duty of confidentiality
• Training and awareness of staff
• Monitoring and assurance: advice to staff on obligations and assurance of implementation, risk assessment, consultation and monitoring on DPIAs, auditing
• Complaint handling: individuals can raise concerns and exercise rights with DPO
• Regulatory liaison: primary contact to DPAs, cooperation with DPAs on complaints, investigations, demonstration of organizational accountability, prior consultation on DPIAs and breaches
• Organizational support and resources: organizations must ensure timely and proper involvement of the DPO in all data protection-related issues, and provide proper resources for the DPO to fulfill responsibilities and maintain expertise
According to IAPP-EY Annual Privacy Governance Report 2016
Questions?
Contacts
• Hilary Wandall [email protected]
• Scott Taylor [email protected]
• Barb Lawler [email protected]
Details of our 2016 Summer/Fall Webinar Series are now available. Register now for our next webinar on October 21, “Building a Privacy Governance Program”.
See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.
Thank You!