Roles of privacy professional
- Alert org to varying perspectives about privacy, risk and compliance. Can be divergent.
- help org manage risks from processing, consistent with org’s mission, growth, profitability, and other goals.
- Identify where compliance difficult in practice,
- Design policies to close gaps between policies and operations.
- Develop privacy notices and privacy program.
Risks of Using PI Improperly
- Legal risks - laws, contracts, committments.
- Reputational risks -
- Operational risks - administratively efficient privacy program, so as not to be too heavy handed and inhibit beneficial uses.
- Investment risks - ROR on investments in information, IT and processing.
4 Basic Steps for Information Management
- Discover - identify issues, self-assessment, determine practices.
- Build - Procedure development and verification, full implementation.
- Communicate - Document, train/educate
- Evolve - affirmation, monitoring/enforcement, adaptation.
Phase 1 - Discover
- Applicable laws?
- Risk tolerance?
- Competition’s approach?
- Business partners approach?
From these questions, develop policy goals as foundation.
Get broad participation across org.
Phase 2 - Build
- Determine how to meet policy goals by facilitating and restricting data flows.
- Close coordination across org.
Phase 3 - Communicate
- Train individuals who need to know it.
- Assign accountability.
- Broader, high level communication to senior leaders and externally
- Written policies, notice.
Phase 4 - Evolve
- Process for review and update
- Enforce it as well (TL)
Data Inventory
- Customer data and employee data
- Document data flows and location, means of sharing and with whom and why.
- Review and update periodically.
Data Classification
- levels of sensitivity
- clearances of who can handle.
- baseline level of protection.
- data segregation as necessary/appropriate.
- Helps org in compliance audits, respond to discovery requests, and use storage in cost-effective manner.
Determining Data Accountability
- Where, how and for what length of time is the data stored?
- How sensitive is the information? Confidential, proprietary, sensitive, restricted, and public are common categories.
- Should the info be encrypted?
- Will info be transferred to or from other countries and if so, how?
- Who determines the rules that apply to the information?
- How is the information to be processed, and how will these processes be maintained?
- Is the use of such data dependent upon other systems?
-
Communication of Privacy Notice
- Make accessible online. Make accessible in place of business. - Provide updates and revisions. - Ensure appropriate personnel are knowledgeable about the policy (like customer service reps). -
Privacy Laws Requiring Opt-In Consent, and Circumstances Where Opt-In is Appropriate
COPPA - consent of parent before collecting PI of children under 13
HIPAA - consent before PHI disclosed to 3rd parties, subject to exceptions.
FCRA - consent before consumer’s credit report provided to employer, lender or other authorized recipient.
FTC believes opt-in consent should ocurr before PI collected under one privacy notice is processed under a materially changed privacy notice.
Industry segments may require double opt-in - where opt in and then confirm (email marketing, eg).
- Opt-in preferred as best practice for geo-location data
- GDPR requires opt-in for marketing to occur.
No choice / no option cases
- Implied authority to process PI in some cases.
- Online order - shared with shipping company, CC processor, and fulfillment.
- Internal operations, such as improving services offered, fraud prevention, legal compliance, and first party marketing.
- 2012 FTC report noted no consent if processing consistent with context of transaction, company’s relationship with consumer, or required by or specifically authorized by law.
Opt-Out
- GLBA requires opt-out before transferring PI of customer of fin. institution to an unafilliated 3rd party for 3rd party’s own use.
- Video Privacy Protection Act requires opt-out before covered movie / other rental data provided to 3rd party.
- CAN-SPAM requires email marketers to provide an opt-o eut.
- Do Not Call rules provide opt-out of telemarketing calls, both in general and company by company.
- Data & Marketing Association operates opt-out system for consumers not wanting commercial mail sent to their home.
- Ditto for online advertising orgs like The Network Advertising Initiative, TrustArc, and Digital Advertising Alliance.
Managing User Preferences - Challenges
- Scope of an opt-out or opt-in. By channel (email vs. phone, eg),
- Mechanism for providing user preference. Generally, channel for marketing is required channel for user preference (don’t require you to mail in your email preferences).
- Linking. Good practice is to implement opt-out or other user preference across channels and platforms.
- Time period for implementing user prefs. - How soon become operational. CAN-SPAM and Telemarketing Sales Rules mandate specific time periods.
- 3rd party vendors - these should honor the customer preferences.
Customer Access and Redress
Refer to APEC access/redress principles from Chapter 1.
Vendor Contracts
- Confidentiality provision
- No further use of shared information - only for purposes contracted.
- Use of subs - flow down obligations.
- Requirement to notify and disclose breach
- Infosec provisions.
Vendor Due Diligence Standards
- Reputation
- Financial condition and insurance.
- Info sec controls.
- Point of transfer - secure transfer.
- Disposal of info.
6 Employee training and user awareness. - Vendor incident response.
- Audit rights.
Key New Provisions in GDPR
(1) notification of security breaches,
(2) new requirements for processors (contractors who act on behalf of data controllers),
(3) designation of data protection officers,
(4) accountability obligations,
(5) rules for international transfers and
(6) sanctions of up to four percent of worldwide revenues.
