IBM Global Privacy Assessment · Creating a global privacy impact assessment process in Barclays 1....

Post on 14-Mar-2020


IBM Global Privacy Assessment

1. IBM’s Global Privacy Assessment (GPA) - background

2. Considerations in designing the latest version of the GPA

3. The structure of the GPA self-assessment – 5 stage process

4. Designing & developing the GPA

5. Making it mandatory

6. What went well / further evolution

5 stage self-assessment

Visual progress / status

Creating a global privacy impact assessment process in Barclays

1. Why develop a single, global approach to privacy impact assessment?

2. The process of development - recognising different business requirements and jurisdictional differences

3. The risk assessment process

4. Next steps – automation and fully global roll-out

Barclays – screening questions

Barclays – the assessment

LexisNexis – two different approaches

• Risk Solutions: PIA for new product

• Legal: online compliance questions

LexisNexis Risk Solutions small-scale local PIA process

What are the risks?

What are the solutions?

Privacy issue | Individual risk | Corporate risk | Compliance risk (DPA)

Risk | Solution(s) | Risk eliminated, reduced or accepted | Evaluation: is the final impact on individuals after implementing each solution a justified, compliant and proportionate response to the aims of the project?

LexisNexis Risk Solutions small-scale local PIA process

Sign off and record the outcomes

Integrate outcomes into action plan

Risk | Approved solution | Approved by

Action point | Date for completion and progress | Responsibility

LexisNexis Legal online compliance questions

Links and resources

• ICO PIA guidance: https://ico.org.uk/media/for-organisations/documents/1595/pia-code-of-practice.pdf

• NIST privacy harms: http://www.nist.gov/itl/csd/privacy-engineering-workshop-september-15-16-2014.cfm