2. 2
Security vs. Privacy
Security: Protects systems & data
Privacy: Protects an individual’s ability to control use of their personal information
3. 3
What data is privacy-related?
Protected Health Data (PHI, ePHI)
Personally Identifiable Information (PII)
Financial Data, Credit Card Data
4. 4
What data is privacy-related? PERSONAL INFORMATION
Protected Health Data (PHI, ePHI)
Personally Identifiable Information (PII)
Financial Data, Credit Card Data
And more!
5. 5
Why do I need a privacy program?
• Risk management & compliance (avoid fines)?
• Reputational risk avoidance?
• Brand differentiator?
• Enhance sales of products & services?
“Our mission is to comply with privacy regulations to which we are subject, to inform stakeholders about how we manage and protect their personal information, and to provide assistance to our customers’ privacy compliance programs as required.”
6. 6
What regulations apply? So many to choose from…
US Privacy Regulations
• California Consumer Privacy Act
• HIPAA
• Gramm-Leach-Bliley Act
• Children’s Online Privacy Protection Act
International Privacy Laws
• EU General Data Protection Regulation
• Mexican Federal Law on Protection of Personal Data
• Australian Privacy Directive
Self-Regulatory Privacy Standards
• PCI DSS
• Direct Marketing Association Privacy Promise
• VeriSign or TRUSTe
7. 7
Who are the stakeholders and why?
• Data subjects (employees, customers, suppliers, partners): How will you use my data?
• Business units (HR, Marketing, Finance/Accounting, Product Development, Training, Support): How will the program impact my department? What changes are required? What info do you need?
• Partners, third-party processors (B2C and B2B): What do you need me to do to comply?
• Resellers, customers, regulators (B2C and B2B): Prove to me that you comply.
8. 8
Create a data inventory
What needs to be in the inventory?
• Purpose of the processing (e.g., time and attendance)
• Categories of “data subjects” (e.g., employees)
• Categories of personal information (e.g., work personal information, pay code, personal phone number)
• How the data is collected
• Data retention period or calculation (e.g., 7 years after termination)
• Who has access to the data:
» HR: Full access
» Managers: access to staff
» Employees: their own information
» Third-parties
» SaaS processor staff!
• Where the data is stored and processed (e.g., SaaS provider’s US data center)
• If the data is transferred to a third country (e.g., from Spain to the US)
• Security controls in place to protect the data
What data needs to be protected?
9. 9
Perform a gap assessment
Where are you today, where do you need to be?
• Take a regulation and turn it into a checklist
• Apply the checklist against each business area
• Work on the easy wins (privacy notices)
• Work through the gaps in order of risk
12. 12
Example: GDPR
Are we collecting personal information lawfully?
You can collect personal data only if one of these applies:
1. The data is necessary for the performance of a contract with the employee (e.g., employment agreement), or
2. The data is required by another regulation to which you are subject (e.g., employment regulations, tax calculations, etc.), or
3. You have a legitimate reason for collecting the data (e.g., to measure job performance), or
4. The employee gives explicit, freely-given consent, or
» Employer-employee relationship: can consent be freely given?
» Employees can withdraw consent
5. additional options…
13. 13
GDPR
Watch out for “Special Categories” of personal information
You CAN’T collect this information:*
Race or ethnic origin
Political opinions
Religious or philosophical beliefs
Trade union membership
Genetic data
Biometric data
Health data
Sex life or sexual orientation
Criminal convictions & offenses
*Unless:
The employee has given explicit consent
It’s necessary to carry out obligations to the employee
It’s necessary to assess the working capacity of an employee
…a few other exceptions
Illinois Biometric Privacy Act:
• You can’t collect biometric information without consent and proper & full notice
• Must securely store
• Must destroy in a timely manner
14. 14
Manage risk
• DPIA (Data Protection Impact Assessments)
» What’s the risk to the data subject?
» How do I comply with the regulation?
» Example template under “Resources”
• Risk treatment plans
» How do I address the risk?
• Privacy by design, privacy by default
» Think about privacy during the initiation of new projects/processes
» Designs should protect data/rights from the very beginning
16. 16
Privacy policy vs. privacy notices
Privacy Policy: “An internal statement that governs an organization or entity’s handling practices of personal information. It is directed at the users of the personal information. A privacy policy instructs employees on the collection and the use of the data, as well as any specific rights the data subjects may have.”
Privacy Notice: “A statement made to a data subject that describes how the organization collects, uses, retains and discloses personal information. A privacy notice is sometimes referred to as a privacy statement, a fair processing statement or sometimes a privacy policy.”
Source: IAPP glossary
17. 17
Write privacy notices
The Privacy Notice must be:
• Concise, transparent, intelligible and easily accessible
• Written in clear and plain language
• Free of charge
• Provided at the time data is collected!
Use-specific Privacy Notices:
• Recruiting notice
• Employee notice
• Customer notice
• Partner notice
• Product notice
18. 18
What needs to be in a privacy notice? (GDPR example)
1. Contact details of the data owner.
2. Contact details of the Data Protection Officer.
3. Reason for collecting the data.
4. Legal basis of processing.
5. Who will have access to the personal information.
6. If personal information will be transferred out of the EU.
7. Legal basis for transferring the data out of the EU:
» Adequacy decision
» Privacy Shield
» Binding Corporate Rules
» Standard Data Protection Clauses
8. Where to obtain a copy of the legal basis for transferring data.
9. Retention period for the data.
10. Personal rights of the employee (see next slide).
11. If automated processing or profiling is used.
12. If data is contractually required and the impact of not providing that data.
19. 19
What needs to be in a privacy notice?
Personal rights of an individual:
• Right of access
• Right to rectification
• Right of erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Right to human intervention around automated
processing activities
Example:
https://www.workforcesoftware.com/privacy-policy/
21. 21
Privacy Processes
Embed data privacy into business operations
Create processes around the personal rights of individuals:
• Right of access
• Right to rectification
• Right of erasure
• Right to restrict processing
• Right to data portability
• Right to object
• Right to human intervention around automated processing activities
22. 22
Example: The process to erase data upon request
Process needs to include:
1. How to determine if the person making the request is actually authorized to make the request
2. How to decide if the request must be fulfilled or can be denied
3. How to find all the locations of the data
4. How to actually delete the data
5. How to track the request and its final disposition
6. How to communicate with the data subject
7. How fast to respond and fulfill the request
23. 23
Example: The process to erase data upon request
Data inventory! Can you actually delete data for an individual?
24. 24
Showing proof of compliance
Document your processes; log your actions
• Documented processes
• Must prove compliance, so keep a log!
26. 26
Controller – Processor Relationship
Controller: Determines how data is processed
Processor: Processes data on behalf of the Data Controller, following instructions of the Data Controller
Sub-Processor: Processes data on behalf of the Data Controller, following instructions of the Data Controller / Processor
27. 27
Controller – Processor Relationship
Controller: You
Processor: SaaS Provider
Sub-Processor: Vendors used by SaaS Provider
28. 28
Processors and Sub-processors
• You’re responsible for your data, no matter who has it!
• Third-party management
» What third parties process personal data? (Store, transfer, process, view, edit, organize…)
» Data processing agreements in place?
» Legal means of transferring data?
» Risk assessments
» Process to inform/ask permission to use new third parties?
29. 29
Controller & processor responsibilities
Protect your data / Ensure confidentiality / Provide evidence of compliance
• Appropriate security controls
• Data protection impact assessments
• Vulnerability management
• Internal audit
• Confidentiality agreements in place (employees & processors)
• Annual required security and privacy training
• Penetration tests
• Internal IT & external audits (ISO 27001, SOC 2, etc.)
• Evidence the privacy processes work
30. 30
Controller & processor responsibilities
Limited use of data / Permission to use sub-processors / Data protections flow down to Processors
• Only collect necessary data
• Delete it when it’s not needed
• Only use data as defined in Privacy Notices
• Processor can only use data per your instructions
• Permission required by processor to use a partner
• Can request information about existing use of partners
• Processors & subprocessor must have data protections
in place
31. 31
Controller & processor responsibilities
Ensure lawful transfers of data out of country
• Applies to you, processors & sub-processors
• Adequacy, Standard Contractual Clauses, Privacy Shield, Binding Corporate Rules
Data deletion
• Data retention policies
• Ability to actually delete data!
• Contracts: Return data in an industry-standard format
• Delete all data from all systems, including backups
Breach Notification
• All 50 states have breach notification laws
• GDPR requires notifying the Supervisory Authority within 24 hours of a breach
33. 33
Selling privacy and your privacy program
• Executive team
» Need for program
» Consequences of not having a program
» Advantages of having a program
• Department heads
» What is the impact on a specific department?
» How does it affect the department head?
34. 34
Leadership
CEO signs “Privacy Policy”
• Communicates objectives of privacy program
• Need for continuous improvement
• Commitment to privacy compliance
• Sets roles and responsibilities
35. 35
Data Privacy Officer
SKILLSETS
1. Legal knowledge
2. Technical background
3. Operational experience
4. Communication skills
5. Credibility
37. 37
Data Privacy Officer
LIKELY SUSPECTS…
1. In-house attorney: Can understand the law; not tech-savvy, lacks operations background
2. Someone from IT or Security: Tech savvy, ops experience; doesn’t know the law
3. Internal audit / Compliance: Knows the law; conflict of interest in defining rules & checking compliance
4. Human resources or marketing: Could see business opportunity; lacks overall corporate scope
38. 38
Centralized vs decentralized vs hybrid?
Centralized
• Based in one country
• Subject to limited set of privacy regulations
• Other processes are centralized
Decentralized
• Many countries
• Subject to different privacy regulations
• Other processes are decentralized
Hybrid
• Many countries
• Subject to same & unique privacy regulations
• Many local variations
39. 39
Privacy operations
• Create policies, standards, procedures
• Log (to prove compliance)
» Opt-in / Opt-out
» Time to respond to privacy requests
» Breach notification
• Get training for privacy professionals
• Create privacy awareness & role-based training
• Communicate! Especially successes!
40. 40
Resources
• DLA Piper Data Protection Laws of the World
Compare data protection laws around the world.
https://www.dlapiperdataprotection.com/index.html
• EU General Data Protection Regulation table of contents
Table of contents, cross-references, emphases
http://www.privacy-regulation.eu/en/index.htm
• BS 10012:2017
Data Protection – Specification for a personal information management system
https://www.bsigroup.com/en-GB/BS-10012-Personal-information-management/
• NIST Privacy Framework
(under development)
https://www.nist.gov/privacy-framework
41. 41
Resources, 2nd page
• State Breach Notification Laws
Summarizes state laws regarding breach notification
https://www.perkinscoie.com/en/news-insights/security-breach-notification-chart.html
• Data Privacy Impact Assessment template
Mainly GDPR, but could be adapted
https://www.mikemuha.com/2017/09/how-to-perform-data-protection-impact.html
• International Association of Privacy Professionals
Wealth of privacy-related webinars, news, software, training, certifications, best practices
https://iapp.org/
42. 42
Key takeaways
1. Get buy-in from management
2. Document where personal data resides and is transferred
3. Know how it’s protected, both legally and from a security perspective
4. Mind the gap
5. Ensure you have (documented) privacy processes
6. Make sure you have compliant privacy notices
7. Delete personal data if there’s no reason to keep it around
8. Keep records that show your compliance
43. 43
Thanks!
Michael J. Muha, Ph.D., CISSP, CRISC, CISM, CIPP/E, CIPM, Certified GDPR Practitioner
mmuha@WorkForceSoftware.com
workforcesoftware.com
Editor’s notes
Provide transparent notice to employee. We can provide required details. Biometrics! Trade unions!
Right of access: Controller process for providing access. PI may require intervention by an HR person.
Right to rectification: Can be done by employee & manager (timesheet); PI driven from HR system of record.
Right of erasure: Retention period per SaaS Agreement. Currently a manual process that must be done by WFS; in process of automating.
Individual right to be forgotten: Manual process that must be done by WFS; in process of automating. Payroll and legal retention period issues.
Right to restrict processing (i.e., only store the data) if: inaccurate PI, unlawful processing, PI not needed for processing but required for legal claims (e.g., data subject doesn’t want the data erased), subject rights potentially override legitimate interests of controller. Old timesheets are locked – can’t be processed.
Right to data portability: Currently a manual process that must be done by WFS.
Right to object if: public-interest task or legitimate interests of controller/processor, direct marketing, scientific or historical uses. Old timesheets are locked.
Right to human intervention around automated processing activities: HR should develop a process to provide personal data from the system.