Implementation Tiers

00:00

Welcome to module eight of 10 and this privacy framework implementation tears.

00:06

So on. The course outline we've completed the introduction, we've gone through module one, the overview of the MS privacy framework and we've completed modules two through six which cover the miss privacy framework core identify governed control, communicate and protect. And we've now completed module seven in this privacy framework profiles which leads us now into module aid for the MS privacy framework implementation tears.

00:31

So welcome to less than 8.1 implementation tears.

00:37

So in this video we'll cover the implementation tears and elements a breakdown of the implementation tears and the implementation to your facts.

00:48

So in understanding how you arrive at the implementation two years, you really have to look at two sources and that's understanding your privacy risks and resources and processes um and understand your privacy risk. You remember in earlier function that you're you do a risk assessment um to know what

01:04

The privacy risks are. two individuals

01:07

um whose personal data you are processing and how that impacts the organization. So you're really looking at um what are the privacy risk you need to manage as an organization? And then also really looking at what resources and processes do you have in place to manage these risks? Um and so that you could be looking at your workforce. Do you have dedicated privacy personnel

01:30

um to manage these privacy risks or do you have people um that are doing this as part time job in relation to their full time job? Um You know what tools you have in place? How big is your budget to deal with your privacy risk management program? So all of these feed into these implementation tears

01:49

um that are really determining um you know what

01:53

level of maturity your program is in for the current profile as well as where you're looking to mature it to for your target profile. And these implementation tears are one partial to risk informed. Three repeatable and for adaptive.

02:10

So for each implementation to your um you're really looking at the same four elements to really determine. Help you determine um which one is the best fit for your organization for each function category, subcategory that you're looking at. And those elementary privacy risk management process,

02:29

the integrated privacy risk management program,

02:31

your data processing, ecosystem relationships and finally the workforce.

02:38

So on this slide, I've really kind of created a matrix for each of the four implementation tears and then looking at the elements for each of those tears and what each element means at each level. So for instance, if you're looking at the privacy risk management process from a tier one partial perspective.

02:58

It really means that your organs, that your organization's privacy risk management process

03:02

is not formalized and that your risk is managed in an ad hoc a reactive manner.

03:08

Whereas if you're a T or to risk informed, your P. R. M. Is approved by management, but it's not an organ wide policy. Whereas at tier three repeatable, you have a formally approved um expressed as policy versus tier four adaptive, where your P. R. M. Is based on lessons learned

03:27

from privacy events and idea of new privacy risks.

03:30

So you see each one is at a different level of maturity for. Um and this is what you're going to be using as you start to pull functions categories and uh and subcategories for your current and target profiles. You're looking at each one of those to determine what is the maturity level um

03:49

in your organization for the current profile,

03:52

as well as where you want it to be in the target profile. And there's nothing saying that you have to strive to be a tear for for everything because you have to remember that this is still based on um what privacy risks. There are two individuals that impact your organization as well as the resources that you have in place.

04:11

You're only going to be able to do so much if you don't have dedicated privacy personnel,

04:15

so if you already know that you may only strive to get to a risk informed level or maybe uh repeatable level um whereas if you know possibly that you intend to hire dedicated privacy personnel in the future or spring for um, you know, the best privacy tool out there,

04:32

then um you may strive to be in a tear for,

04:36

so it's really gonna be dependent on your organization. Um so this is something that definitely keep in mind and utilize um have with you when you are building those current and target profiles

04:49

so some facts to remember when you're looking at the implementation tears, remember the implementation maybe non sequential simultaneous or iterative? It could depend on the S. D. L. C. Stage, your status of your privacy program, the scale of your workforce

05:06

or the role of your organization and the data processing ecosystem.

05:10

So your implementation uh tier is going to be informed by different things. Um So it's something to keep in mind that you want to look at those facts. Um more so when you're building that target profile, um it's much easier to determine your implementation to your in the current state because you already know where you are. But it's really looking at these facts when you're trying to target,

05:31

trying to determine where you want to be, um what maturity level you're striving to get to.

05:38

Um So something else to remember also is that organizations that Tier one will benefit from moving to a tier two. So don't think that you have to mature and leaps and bounds. You don't have to jump from a tier one to tier four. Sometimes just getting it to a more risk informed state from having nothing

05:56

is um, you know, a good step

05:59

all on its own. And there's nothing saying that every organization is going to be striving to be a tier three or tier two or tier four for every function category subcategory that they're choosing in that target profile. So there may be some areas where you're fine being at a tier two and maybe others that you're striving to be at a tier three,

06:18

there's no right or wrong process for this. So just remember that

06:23

each organization is unique, um how your workforce is structured, How your privacy program is structured is going to be unique to your organization. So it means that the tears you're choosing or are going to be unique as well. Um and what, how you're choosing to mature your program

06:40

and also remember that successful implementation of a privacy framework is based on achieving the outcomes in your target profile. It's not based upon your tier determination. That's just helping you determine um what level of maturity would like to get to. But the real goal is that actually implement your action plan. So really

07:00

putting into play um what you've determined are the gaps in your program

07:04

and writing those policies, processes and procedures, putting them into play and then continuing to monitor them. So that is really what the goal is. It's not in um you know, determining what tier you're at.

07:19

So quiz question, which is not an implementation to your for the next privacy framework, one adaptive to repetitive. Three risk informed.

07:31

So the answer here is repetitive. If you remember correctly, the four tiers are one partial to risk informed, three repeatable and for adaptive, so it's not repetitive, it's repeatable.