FROM MERE PRIVACY COMPLIANCE TO BUSINESS STRATEGY · 2013-12-04 · Global risk exposure assessment...
CHANGE MANAGEMENT
FROM MERE PRIVACY COMPLIANCE TO BUSINESS STRATEGY
12 December 2013
15:00 – 16:00
THE MANDATE OF THE CPO
Purpose
Responsible for addressing key data protection compliance risks by providing in-depth expertise, guiding the business on how to adequately mitigate these risks and increase compliance maturity levels with regards to these risks.
Key Functions
Provide specialist guidance
Provide specialist risk assessments and assurance views
Key Accountabilities
Global risk exposure assessment including new or changes to regulations
Provide global expertise in key risks to improve compliance risk understanding and mitigation
Support in development and maintenance of policies & training
Support in risk assessments performed by the business in relation to key data protection compliance risks
THE CPO'S BALANCING ACT
Enabling
Controlling
Chief Privacy Officer
THE DILEMMA OF THE CPO
Filings
Trainings
Privacy Impact Assessment
Register
IT-Security
International Projects
Audits
“COMPLIANCE IS EITHER A STATE OF BEING IN ACCORDANCE WITH ESTABLISHED GUIDELINES, SPECIFICATIONS, OR LEGISLATION OR
THE PROCESS OF BECOMING SO”
Compliance Non-Compliance
CONSEQUENCE:
MORE PAPER THAN PRIVACY!
INSTEAD: STRATEGY
Military Strategy: “The utilization during both peace and war, of all of the nation's forces, through large scale, long-range planning and development, to ensure security and victory“ (Random House Dictionary)
A strategy is a long term plan of action designed to achieve a particular goal.
Business strategy: The art and science of enabling an organization to achieve its objective
WHAT TO DO
GLOBAL PRIVACY COMPLIANCE PROGRAM
STRATEGIC DEVELOPMENT
STAGE 1
STAGE 2
STAGE 3
Global Approach - best-in-class - mutually recognized - globally binding
Risk-based Approach - competitive - needs to protect - business-oriented
Compliance Approach - action-oriented - minimum requirements - legal focus
• Laws and Regulations • Identified Business Risks • Binding Corporate Rules
Degree of business involvement
Achieving a higher degree of compliance effectiveness while responding more efficiently
RIGHT BALANCE OF „COMPLIANCE“ AND NEW TOPICS
Operational „hygiene“ Strategic development
Innovative
Repetitive
Complexity of the task
Importance of the task
Investment focus of data privacy „pros“
Investment focus of data privacy „newbies“
Business Enabler
Compliance & Duties
Necessity?
Management „basis“
Initiative 1
Initiative 2
Initiative 3
Initiative 4
Initiative 5
Initiative 6
Initiative 7
STRATEGIC ROADMAP FOR THE DEVELOPMENT OF A DATA PRIVACY MANAGEMENT SYSTEM
Organization & Governance
Technology
Processes
Management System
2013 2014 2015
Target Operating Model (TOM)
Introduction BCR
International Governance-Model
KPI System / Reporting
Programme for Training and Awareness
Data Privacy Strategy
Automation / Tool Support
Concept of Deletion
Procedure of anonymizing data
Data Privacy-Audits/ PIA
Center of Excellence (CoE) & Project Support
Privacy by Design / ReDesign
Process Manual
Regular Risk Assessments
Management of Complaints and Incidents
Effective Prior Checking
DESIGN OF A PRIVACY MANAGEMENT PROCESS
Establishment
Implementation Optimization
Monitoring
Plan
Do
Check
Act
Guidelines & Policies
Vision & Strategy
Risk assessment / PIA
Organization & Controls
Targeting of data privacy-risks
Operations & Resources
Incident management
KPI System & Reporting
Communication
On-going improvement
Regular audits
Monitoring & Reviews
Check of the efficiency
KPI SYSTEM AND REPORTING
ESSENTIAL FOR DATA PRIVACY MANAGEMENT
Risk impact columns (Legal/Regulatory, Financial, Reputational, Overall rating) are rated H/M/L based on privacy risk impact; performance levels give the Target and the Tolerance at global and business-unit (BU) level.

| Number | Metric | Legal / Regulatory | Financial | Reputational | Overall rating | Target | Tolerance (global) | Tolerance (BU) |
|---|---|---|---|---|---|---|---|---|
| 1 | Notice and consent: % of websites compliant with notice and consent processes (for commercial consumer information); commercial activities only | M | L | M | M | 100% | 80% | 80% |
| 2 | Number of privacy audit issues open and % of privacy audit issues overdue (measured against total number of privacy issues open) | M | M | H | H | 0 | 5 | 5 |
| 3 | Increasing number of self-reported issues (measured by BU; more self-reporting is encouraged and positive) | H | M | H | H | 20% | 80% | 80% |
| 4 | Number of data privacy complaints (excluding data privacy breaches) escalated to the Privacy Office and % of complaints not resolved in a reasonable amount of time (measured against total number of complaints received) | H | M | H | H | 0 | 10 | 2 |
| 5 | Number of privacy-related government or regulatory authority findings requiring intervention | H | H | H | H | 0 | 10 | 2 |
| 6 | Number of data privacy breaches by severity (severity refers to L1/L2/L3 as defined by Company A policy) | H | H | H | H | 0 | 5 | 2 |
| 7 | Number of data privacy breaches by source (source indicates e.g. laptop, data cards) | M | L | L | L | 0 | 5 | 2 |
| 8 | Number of data privacy breaches by reporting source (reported by indicates e.g. 3rd party, Company A employee) | M | L | M | M | 0 | 5 | 2 |
| 9 | % of targeted employees trained in general privacy training within set timescales | M | L | H | M | 100% | 95% | 95% |
| 10 | % of targeted employees trained in BCR training within set timescales | H | M | H | H | 100% | 95% | 95% |
HOW TO DO IT
Management + Change
=Change Management
YES …
WE CAN!
ELEMENTS OF CHANGE MANAGEMENT
Integrate all levels
Involve the top level
Use a variety of media
Win the individual
Raise a sense of responsibility
Communicate consistently
Dynamic trainings
Target „human aspects“ (rewards)
CHANGE MANAGEMENT
Make it essential
• Articulate a convincing business need for change
• Tools & techniques supporting management
• Workshops
• Sensitize employees upfront
• Create awareness
• Create a vision
Make it ready
• Ensure and install DP responsibility for specific processes
• Create desire
• Make it individual
• Pride
• Responsibility
Make it happen
• Involvement in processes
• Ensure DP culture
• Create involvement through knowledge
• Tools
• Regular use
Make it stick
• Outline positive results and further potential
• Acknowledge every progress
• Demonstrate persistence
• Reward self-reporting of issues
• Have audits in place to monitor
ROPI – RETURN ON PRIVACY INVESTMENT
NUMBER-BASED ARGUMENTS
Protection Perspective
Enabling Perspective
CONTACT DETAILS
Dr. Stefan Weiss Global Data Protection Officer, Director, Legal & Compliance
Phone +41 43 285 4448 Fax +41 43 282 4448 Mobile +41 79 207 3142 Email [email protected]
Swiss Reinsurance Company Ltd, Mythenquai 50 / 60, 8022 Zürich, Switzerland
Dr. Peter Katko Partner, Head of IP/IT Law
Phone +49 89 14331 25951 Fax +49 181 3943 25951 Mobile +49 160 939 25951 Email [email protected]
Ernst & Young Law GmbH, Arnulfstrasse 59, 80636 München