Monitoring and Review

00:02

Welcome to less than 3.4 govern monitoring and review.

00:07

So in this video we're going to cover the govern function monitoring. Review and look at how to ensure monitoring and review of your privacy program.

00:18

So in this category of the government function is focusing on the policies, processes and procedures for ongoing review of your organization's privacy posture are understood and inform the management of privacy risk. So really the focus of this category is

00:35

continuous review.

00:37

Excuse me of the controls and the program that you've put in place for privacy risk management. So that means established. Excuse me establishing um uh ongoing basis. And as key factors including the organization's business environment, um governance

00:56

and data processing and systems. Products and services change.

01:00

So you want to make sure that you're looking and monitoring the change that's occurring um within various aspects of your enterprise, making sure that privacy values, policies and training are continuously reviewed and that when you do update these things that they are communicated to the enterprise, that changes have been made,

01:19

um You want to ensure that policies, processes and procedures that assess compliance with legal requirements and privacy policies that those processes are established in place. So that's something that you're working on with your legal department, especially from a standpoint of dealing with your third parties,

01:40

that you're continuously reviewing the contract at the phase of um getting into business with your vendor as well as that the renegotiation phase to make sure that you're continually updating the legal requirements uh that your partners may need to adhere to

01:59

as well as looking at policies, processes, procedures for communicating progress. I'm managing privacy risks are established are in place. Um So whether you have a policy um that details how this gets communicated, um not just to your staff, but if there are things that need to be communicated um to any partners,

02:20

um that you have processes in place for how that's handled,

02:23

as well as looking at policies, processes and procedures and making sure they're established in place for how you receive, analyze and respond to problematic data actions and how you disclose that to the organization from internal and external sources. So whether that's from internal discovery, privacy, researchers or professional events

02:43

that you have that in place um for how you're dealing with that,

02:46

and then how you also incorporate lessons learned from problematic data actions. That could be something that's included in your incident management policy, that you include that as a step within your procedure. Um That once you've finished investigating an incident that you will record your lessons learned

03:06

to make sure that you update policies, processes and procedures

03:09

on what you're learning from those incidents, as well as establishing policies, processes and procedures for how you're receiving, tracking, responding to complaints, concerns and questions from individuals whose personal data you're processing. Um So whether that you have a data subject access request procedure in place

03:30

for how you're handling those requests when they come in from individuals

03:35

as well as if someone files a complaint um for how that process was managed um that you're retaining the records you need to in order to respond to those complaints or questions that are asked from individuals, making sure that you include in your privacy policy,

03:51

the data you're collecting, how you're using it, how long you keep it

03:54

and giving them the resources they need um from emails or phone numbers of how they contact your organization. Should they have questions.

04:05

So as I said, this particular category is really focused on monitoring review of your privacy practices. So there are numerous tools or ways that you can monitor and review your privacy program to make sure that's working effectively and you're continually updating your policies, processes and procedures that are governing your privacy risk management program.

04:28

Um So we've mentioned before and other

04:31

functions of categories about having a risk register. So as you identify new privacy risks, continuously adding those and updating your risk register because that's not a static document is something that will continue to get updated. Um possibly as you create new product, um you create a new division within your enterprise. You're going to want to

04:54

look at the privacy risks associated with that, ensure that they're located on your risk register so that in the event you have something that may rate as a high risk if you're trying to mitigate that, then going back in to update it, say that you are able to bring it down to a moderate level risk.

05:10

Um So a risk register is definitely something good to have for your privacy risk management program

05:15

as well as as I mentioned before in the previous slide, uh continuous review of your policies and training that as new laws or regulations come out if there's something that you need to update the policy based on a regulation or contractual obligation that you're doing that and continuously updating the training that you're providing to your staff at a senior executive level or workforce level or even those that are handling uh the privacy risk management program and it's their dedicated responsibility, you just want to make sure that you're providing the most up to date training that you can.

05:50

Um So following privacy newsletters, what whether that's something that's provided through the International Association of Privacy Professionals. I PP. Has some really good news letters to follow. And they have some regions specific ones that can get very helpful whether you're in Canada or a pack or the Emir region um or even in the U. S. Um They really do break it down to give region specific information

06:15

as well as a lot of times law firms that have um dedicated privacy sections within their law firms. Um A lot of times have great blogs to follow um where they're letting you know possibly about new legislation coming down the pipeline or even case law or cases that are going on based on

06:34

a different privacy regulations, especially with the California Consumer privacy Act

06:39

now that it's been implemented. Um They're definitely cases coming where uh different individuals or organizations are bringing lawsuits based on that.

06:49

Um And we mentioned before in the previous slide about making sure that you're incorporating lessons learned from privacy incidents back into your policies and procedures so that you're continuing to have an effective program. And you don't keep seeing the same lessons popping up in your incidents but that you're actually addressing those.

07:08

And then finally having a privacy hotline or email address

07:11

or individuals whose personal data you're processing can reach out to someone in your company and make a data subject access request if you're subject to the G. D. P. R. Or they have a question based on your privacy policy or the information that you're keeping on them or want to have their data deleted that they have a way they know if you're required to have a data privacy officer that you're stating who that is, that there's email address provided, whether that's for your privacy department um and or a number that they can call to get the information that they're looking for. Whether that's to make a request or ask a question or file a complaint.

07:49

Um So these are just a few of the monitoring and review practices that you can put in place to make sure that your program is continuously evolving. Um but there are others out there um feel free to google and you will come across several articles that provide different mechanisms to continuously monitor your program.

08:13

So let's do a quick quiz question. So what's a good way to continue to monitor and review your privacy program? One newsletters and blogs to a privacy hotline three. A risk register or for all of the above.

08:31

So the answer here is all of the above all of these are good ways to continue to monitor your privacy program and makes making sure that you're continuously updating your policies, processes and procedures.

08:43

Excuse me to align with new legislation or regulations that may be coming down the pipeline or contractual obligations that you may have, or just to follow trends

08:52

within the privacy landscape like that. All these are great answers and it's not an exhaustive list of things that you can do uh, to monitor and continuously review your program, but just some of the um

09:07

mechanisms that are used by quite a few enterprises to do so.