How To Develop a Global Privacy Compliance Strategy and Implementation Program

Thursday, February 12

Rebecca Whitener, EDS Fellow(919) 645-1902 rebecca.whitener@eds.com

How To Develop a Global Privacy Compliance Strategy and Implementation Program

Thursday, February 12

Rebecca Whitener, EDS Fellow(919) 645-1902 rebecca.whitener@eds.com

Security & PrivacyFriends, Foes or Partners?

2

In the electronic age, no company can afford to ignore privacy and securityIn the electronic age, no company can afford to ignore privacy and security

• There are estimates that security, privacy and the legal issues of digital signature together constitute over half of the quantifiable barriers to electronic commerce

• A recent Gartner report states that "through 2005, enterprises failing to…address the variable risk factors of their business systems within the first two years of launch will reach only 60% of their Web business objectives because of trading-partner distrust and the compromise of sensitive information.”

“Trust is essential to make e-commerce and cyber collaboration work…... We believe that this most human notion is inhibiting the growth of cyber communities while offering an enormous opportunity for vendors to innovate and a competitive advantage for corporations which get it right.” IDC Newsletter #W23796 -December 2000

3

How to create this trusted relationship is a major challenge for companiesHow to create this trusted relationship is a major challenge for companies

What do our stakeholders (customers, employees, stockholders, regulators, auditors) expect?

How do we assess the “trust” readiness components of our organizational structure, culture, environment?

What types of training and awareness programs can enhance our corporate “trust” readiness?

Can we have effective privacy programs AND aggressive marketing initiatives?

What should we be budgeting for effective “trust” programs?How do we find the right resources to direct and manage the

“trust” initiatives?How do we ensure our “trust” practices are consistently

applied enterprise-wide on a global basis?How effective are the administrative and technical safeguards

to prevent a “trust” fiasco?Do we have an adequate communication plan in place?

4

Many of the efforts to address the risks associated with “Trust” have often been narrow in scopeMany of the efforts to address the risks associated with “Trust” have often been narrow in scope

• Developing website privacy statements • Assigning Chief Privacy Officers • Focusing on compliance with regulatory and/or

auditing and accrediting bodies• Enhancing security awareness• Trying to avoid negative media attention

Often the parties responsible for the various components of a trusted environment (legal, security, privacy, risk management, web applications, communications, training, human resources, marketing, etc.) have not engaged in a unified strategy or approach.

5

REALITY: There are revenue opportunities from Information sharing and aggressive marketingREALITY: There are revenue opportunities from Information sharing and aggressive marketing

Highly competitive, dynamic and shifting markets are driving companies towards:– Opening up their internal business processes and data to

an ever-increasing array of partners, suppliers, and customers

– Protecting copyrights and other intellectual property with digital rights management (DRM) technologies

– Focusing on delivery of personalized services (knowing the customer, life-time value calculations, retention)

– Creative marketing approaches

Enterprises are searching for ways to squeeze the maximum returns (enhancement of revenues and reductions in costs)

6

One challenging truism is “Consumers say one thing while doing another”One challenging truism is “Consumers say one thing while doing another”

Although 70 % of online consumers say they are worried about online privacy, the study found just:– 40% read Web site privacy

statements– 82 % would give personal

information to new shopping sites in exchange for a chance to win $100 in a sweepstakes

Jupiter Research (2003) found that customers barely lifted a finger to protect individual privacy online, but fretted outwardly about the possible abuses of personal information

7

CEO’s are in a struggle for “balance”CEO’s are in a struggle for “balance”

• Establishing and adhering to standards for information collection and use– With the need to maximize the value of

the information sharing• Increased monitoring and surveillance for

security – With the preservation of safeguards for

privacy of individuals• Serving the “public good”

– With the right to make profits• Satisfying the often diverse expectations of

key stakeholders – While meeting demands and avoiding

law suits

Privacy Other Values

8

Customer Issue: Global company operating in regions with varying data protection/privacy regulationsCustomer Issue: Global company operating in regions with varying data protection/privacy regulations

Requirement: Develop comprehensive trust program combining security, audit, marketing, legal, strategy, and privacy to ensure

comprehensive coverage of the global regulatory environment

Supporting activities:Examine vulnerabilities across every aspect of

the organization -Internet-exposed systems -Remote access -Affiliates -Employees -Wireless -Databases -Call centers -Off shoreLink privacy initiatives to enterprise business

risk Assess technologies being deployed: Identity

management, authentication and access control, digital assets protection

9

A global privacy strategy begins with understanding privacy fundamentals derived from OECD principles A global privacy strategy begins with understanding privacy fundamentals derived from OECD principles

1. Notice and Awareness

2. Choice and Consent

3. Individual Participation and Access

4. Security, Information Quality, and Integrity

5. Enforcement, Accountability, Recourse

Account-ability

Individual participa-

tionOpenness

SecurityUse limitation

Purpose specifi-cation

Data qualityCollection limitation

Organization for Economic Cooperation and Development, 1980

10

These five privacy principles form the foundation of a company’s privacy policy and programThese five privacy principles form the foundation of a company’s privacy policy and program

• What information and information types are collected, stored, used, shared, and retained?

• What are the relevant industry standards, laws and regulations

• What do our stakeholders expect?• What choices are available?• What controls ensure compliance with

preferences?• What access to information is provided and

controlled?• How secure is the information?• How is misuse of information handled?

11

Where to start?Where to start?

12

Tools are helpful when performing a baseline assessmentTools are helpful when performing a baseline assessment

Security Assessment Tool

56.7%

42.6%31.5%

21.1% 25.3%

34.0% 32.9% 41.4%

22.5%16.7%

35.0%

0.0%10.0%20.0%30.0%40.0%50.0%60.0%70.0%80.0%90.0%

100.0%

Risk Assessment Process Security Policy

Security Organization Asset Classification and Control

Personnel Security Physical and Environmental Security

Comm and Ops Management Access Control

System Development Business Continuity

Compliance

13

A privacy assessment tool should:A privacy assessment tool should:

• Incorporate best practices, standards and regulatory requirements from global legislation

• Be tailored to specific industries, countries and regulatory and self-regulatory environments

• Comprehensively address strategy and policies as well as operational, audit and legal requirements

• Be adaptable to changing technical, regulatory or legal needs

• Be flexible enough to allow clients to ‘drill down’ to address specific areas of concern while still conducting a thorough review of security and privacy needs

14

The privacy assessment should focus on key areasThe privacy assessment should focus on key areas

50.0%44.1%

16.7%

41.2%73.8%

100.0%90.0%80.0%70.0%60.0%50.0%40.0%30.0%20.0%10.0%0.0%

Directives Operations Audit Compliance Legal

15

Privacy Program - Directive ComponentsPrivacy Program - Directive Components

75.0% 77.9% 71.8% 77.9%

50.0%

77.8% 83.3%

50.0%

16.7%

100.0%

80.0%

60.0%

40.0%

20.0%

0.0%

Infrastructure Customer Strategy Business Strategy

Privacy Strategy Security Strategy Internal Privacy Policy

External PrivacyStatement

Guidelines Procedures

16

Privacy Program - Operations ComponentsPrivacy Program - Operations Components

50.1%

33.3%40.7%

23.5% 26.7%16.7% 13.9%

0.0%

PI Management CP Management Communication Participation & Access Information Security Recourse &

EnforcementPractices

100.0%

90.0%

80.0%

70.0%

60.0%

50.0%

40.0%

30.0%

20.0%

10.0%

17

Privacy Program – Personal Information Management ComponentsPrivacy Program – Personal Information Management Components

46.1%66.7%

33.3% 33.3%

66.3% 66.7%

33.3%

100.0%

90.0%

80.0%

70.0%

60.0%

50.0%

40.0%

30.0%

20.0%

10.0%

0.0%

PI ValidationPI Categorization PI Collection

PI Storage PI Usage PI DisseminationPI Retirement

18

Privacy Program – Customer Preference Management ComponentsPrivacy Program – Customer Preference Management Components

66.7%

40.0%

16.7% 16.7% 16.7% 16.7% 16.7%

0.0%

10.0%

20.0%

30.0%

40.0%

50.0%

60.0%

70.0%

80.0%

90.0%

100.0%

CP Categorization CP Collection CP ValidationCP Storage CP Usage CP DisseminationCP Retirement

19

Privacy Program Communications ComponentsPrivacy Program Communications Components

35.5%

78.1%

22.9%

100.0%

90.0%

80.0%

70.0%

60.0%

50.0%

40.0%

30.0%

20.0%

10.0%

0.0%

Customer External Internal

20

All components of the Privacy Program must then be implementedAll components of the Privacy Program must then be implemented

– Strategy

– Policy

– Guidelines

– Information use and flow

– Communications

– Customer preferences

– Individual participation and access

– Customer Recourse

– Information Security

– Personnel privacy

– Training and education

– Privacy controls

– Regulatory oversight

– Audit

21

The results should resonate across multiple audiencesThe results should resonate across multiple audiences

• Business Community…– Ties privacy to the business opportunities

and risks– Clearly defines the risk and mitigation

strategy– Connects costs to benefits– Answers the question “how do we stand

against best practices?”• Information technology ….

– Comprehensively defines privacy action items to the business community

– Allows for a reasonable and cost effective phased approach

– Is architecturally sound– Is actionable

22

The challenge for companies today is to lead through exampleThe challenge for companies today is to lead through example

• Build TRUST into the culture• Implement effective administrative and

technical safeguards for managing security, privacy and fraud risks

• Be Pro-active in anticipating emerging problems

• Put good rules and good practices into wide use and publicize

• Educate employees and customers about the policies and issues

• Protect customer’s interests while continuing to provide value and benefits

• Avoid being a “bad actor”

Thank You!