Internal Privacy Program


Time
4 hours 41 minutes
Difficulty
Intermediate
CEU/CPE
5
Video Transcription
00:02
Welcome everyone to lesson 8.2, as we will review how to develop and deploy an internal privacy program.
00:09
This is the meat and potatoes of privacy compliance efforts.
00:13
I'm sure you've heard about this at work and via emails, and we will discuss all of that in this lesson.
00:19
Cybrary does have other content that relates to developing an internal privacy program.
00:24
This lesson will review some of that content,
00:26
but it will tailor it and put it through the lens of CCPA compliance.
00:31
This by no means overrules anything you have seen elsewhere.
00:35
But we're going to try to tailor some of the internal privacy program aspects to the obligations that the CCPA established.
00:43
Then item number two, the way I always learn,
00:46
by focusing on real-world examples,
00:48
we will go through some common use cases of how to develop an internal privacy program.
00:54
Let's jump right into it.
00:57
There are several key components that make up an internal privacy program.
01:00
If you are responsible for privacy at your organization, or maybe you are one day hoping to be,
01:06
I highly recommend pausing this video and making a list of the four items you see on your screen now.
01:11
You need to have all four of these deployed and regularly updated at your organization in order to even have a shot at maintaining privacy compliance,
01:19
particularly the substantive obligations that the CCPA requires of your business.
01:26
We already reviewed the notice and transparency obligations.
01:30
Those are usually contained in the privacy policy.
01:34
Privacy impact assessments.
01:37
We'll get to that in a moment, but that's basically when you review the internal data handling processes and how that impacts the privacy of the individuals whose information you collect.
01:48
Data mapping.
01:49
We've talked about that as well,
01:52
where information sits within your organization,
01:55
then an incident response plan.
01:57
How to address potential security incidents
02:00
and which stakeholders within your organization need to be included as you respond. And, of course,
02:07
your window of responding to the actual incident before actually notifying regulators and potential victims.
02:14
This is by no means an exhaustive list,
02:15
but please keep an eye out on these four requirements.
02:20
Previously in Module 4, specifically in lesson 4.2, we reviewed the specific language that needs to be in a privacy policy as established by the CCPA.
02:30
Do not forget: privacy policies are your public way of representing to individuals how your organization collects, uses, stores and shares personal information.
02:40
Think of it in many ways, as an advertisement or part of your corporate marketing or corporate information sharing activities.
02:47
It is fundamental to how the business operates.
02:51
I strongly recommend, as a consequence of that,
02:53
that you regularly review your privacy policy and make sure that it contains whatever necessary updates.
03:01
The laws in the space are always changing.
03:04
Just because the CCPA is on the books now
03:07
does not mean there won't be further amendments and further changes to the way that the law is enforced.
03:12
Every time that happens, I strongly recommend going back to the privacy policy and seeing if there needs to be any updates or changes to the wording that you're putting out there to the public.
03:22
Please be aware of the language you include.
03:25
Privacy impact assessment.
03:28
This is something we haven't really discussed yet,
03:30
PIAs, I'll just use the acronym, are actually required by the GDPR and other privacy laws.
03:38
In fact, and we'll get to this in module nine,
03:39
if you're collecting sensitive personal information relating to religious or ethnic backgrounds, sexual orientation, trade union membership, stuff like that,
03:49
the GDPR actually requires you to perform a more robust privacy impact assessment called the DPIA.
03:57
In any event, privacy impact assessments for now under the CCPA are still the best practice. But they are fundamental to actually deploying an internal privacy program that's going to help you secure the way information is being collected.
04:12
In other words,
04:13
in order for the left hand to be talking to the right hand
04:15
in order for your marketing team to understand what the service lines are doing and vice versa,
04:20
you do need to have these privacy impact assessments drafted.
04:25
There's nothing more, as you look at item number two, than an internal document that captures the scope of personal information that will be collected,
04:31
with whom it will be shared and any other potential privacy compliance risks that stem from that.
04:38
If there's ever a group of individuals at your company, or if there's a service line that wants to perform some type of function, some type of new activity, we strongly recommend you complete a PIA before that happens.
04:49
At minimum,
04:50
you are memorializing what type of information is going to be collected and shared and stored, and for how long that activity should actually occur.
05:00
I'll speak for myself at Reliant.
05:03
I spend at least once a week performing and supporting a PIA for one of my clients,
05:09
the point being there. This is something that needs to be done regularly.
05:13
If you don't complete these,
05:14
you will likely have data processing activities at your company that you are unaware of.
05:18
If anything, it just makes people honest and consider the privacy implications of what happens at your place of work.
05:26
I strongly recommend that this also be driven by the privacy office as well as, as I previously used the term, privacy ambassadors.
05:33
Make sure that there is someone at the service lines or the other internal offices that support the company, writ large
05:41
for how these PIAs need to be completed.
05:43
This should not be exclusively driven by the privacy office.
05:46
If you do that only, it will be a one-man show.
05:50
Your likelihood of genuine success
05:53
will go down.
05:55
That more or less covers PIAs.
05:57
I strongly recommend you research more on them
06:00
we will get to more of that in module eight as we progress.
06:05
Previously, I mentioned the importance of data mapping,
06:09
item number two here.
06:10
Remember, it is critical to ensuring the successful completion of consumer requests.
06:15
That's the next lesson coming up here.
06:17
But why?
06:18
Because you can never allow individuals to either access or delete their information or opt out of the sale of their information if you don't know where the information is to begin with,
06:30
This is an internal exercise that you need to absolutely do.
06:34
Companies like mine help others perform these data mapping exercises
06:40
By the time we arrive at a company, they typically have done some of these efforts on their own.
06:45
I strongly recommend you take a pen and paper and start identifying which key systems store information.
06:53
The crown jewels, item number three here.
06:56
That's the sensitive information, the stuff that if it were to be breached or leaked,
07:00
it would result in a mission critical failure for your organization.
07:04
Try to figure out where that information sits. If you do not know that answer now, I challenge you to find out that answer by the end of the week,
07:12
that is really something that you should be aware of.
07:15
Remember,
07:15
information does not sit exclusively, either internally or externally.
07:20
On the right side of your screen, you'll see some of the SaaS vendors and other cloud offerings in the market that are very popular.
07:27
Some of them may, for example, Zuant on the bottom right,
07:30
that is a software that's frequently used at conferences. They tend to keep information in perpetuity.
07:36
You might very well be responsible for the information that's being collected there.
07:41
Keep an eye on your external recipients and the external vendors you're using to store information
07:46
On the left side of your screen,
07:47
I have found that companies are traditionally more aware of where information sits if it's on the hard drives or anything that's being saved on-prem. But keep an eye on your external vendors.
07:59
Incident Response plan.
08:01
This serves as an internal playbook for the organization.
08:03
How it should identify and go through potential security incidents.
08:09
I strongly recommend you get your information security team and privacy team to coordinate ahead of time.
08:15
Please keep in mind the general rule in the United States is that you need to notify the state regulators within 30 days of a breach, but heads up, under the GDPR it's 72 hours.
08:28
In summary, item number one,
08:30
the documents you need to have developed in order to deploy a robust privacy program.
08:35
We talked about the incident response plan.
08:37
You need to make sure that your data mapping is established, your PIAs,
08:41
also make sure that the privacy policy is regularly updated.
08:45
Above all else,
08:46
Please make sure you identify where personal information sits within your business.
08:52
I'll see you in the next video, lesson 8.3,
08:54
as we discuss the consumer request channel.
08:56
I'll see you there.