Implementing And Managing A Multinational Privacy Program

Page 1

Implementing and Managing a Multinational Privacy Program For Compliant Collection, Use and Transfer of Data Internationally

ACI’s 9th National Advanced Forum on

Privacy and Security of Consumer & Employee Information

Michael Spadea

Head of Privacy, Barclays Wealth

27 January 2010

[email protected]

Page 2

Disclaimer (otherwise known as the exciting stuff)

The statements and contents of this presentation are my own and do not necessarily represent Barclays Wealth’s positions, strategies or opinions.

Barclays Wealth is the wealth management division of Barclays and operates through Barclays Bank PLC and its subsidiaries. Barclays Bank PLC is registered in England and authorised by the Financial Services Authority (registered no. 1026167). Registered Office: 1 Churchill Place, London, E14 5HP, United Kingdom.

The availability of products and services may be limited by the applicable laws and regulations in certain jurisdictions.

No part of this presentation constitutes legal or tax advice.

Page 3

Global Compliance

Ensuring compliance with external regulations and internal policies.
Key Takeaway Point 1: Know the standards you are held to, where you are in relation to those standards, and what you need to do to get there.

Potential business risks and the strategies to help overcome these risks.
Key Takeaway Point 2: If you can’t measure it, you can’t manage it.

Risk vs. Cost: What is the best strategy for your business?
Key Takeaway Point 3: Point 1 must be BAU.

Page 4

Why we ran a Global Privacy Change Program

We made a mistake (or two)
- Undertaking with the ICO on disposal of confidential waste.
- Undertaking with the ICO on marketing to suppressed customers.

What we did
- Obtained the legal requirements in every jurisdiction in which we operate.
- Developed a tool to identify where our data is and what we do with/to it.
- Developed a tool to identify the gaps between where the law says you must be and where you actually are.
- Developed remediation plans with actions, owners, and deadlines.
- Developed a tool to assess vendor compliance.
- Program Oversight and Accountability.

Page 5

Stating the Obvious:

Ensuring compliance is not easy
- Thousands of employees.
- Variety of business lines.
- Huge volumes.
- International presence.
- Significant IT and process change programmes running continually.
- Increasing dependencies on third parties.

To successfully run a privacy change program, you need:
- Senior management support.
- Funding.
- Clear understanding of the BUSINESS AS USUAL end result.
- Clear definition of the baseline requirements for your organization: comprehensively covers the legal/regulatory obligations; usable by the business.
- The right people with the right skills.
- Stakeholder involvement & pilots.
- Division into manageable segments & a flexible approach.

Page 6

Where do you start? What are your risks? Prioritize . . . Detail is important:

What are your risks? Some factors
- Types of data.
- Volumes of data.
- Geography.
- Internal or external.

Segment the programme and business to pinpoint accountability.

Tools
- Data capture sheets.
- Questionnaires - for the business and for vendors.
- Questions mapped to local legal requirements mapped to baseline.
- Gap analysis with actions and owners and dates.
- Captures everything - ongoing risks and one-off fixes.

Page 7

Data Capture Sheet

Data Capture Sheet Questions (one row per data stream / sub-data stream, with a reference number and brief description):
- Data Stream (Team)
- Sub-Data Stream (Streams within the Team)
- Reference Number
- Brief description
- Is data collected at this point or used?
- Corporate confidential data?
- Personal Data?
- Sensitive Personal Data?
- Employee data?
- IT Organisation and Management
- Collected from or available on the Internet?
- Collected from or available on the intranet?
- Data used for marketing?
- Transferred or accessed in another country?
- Data transferred or accessible by a third party?
- Name of third party
- Do you have any data that requires special consideration?
- Approximate volumes
- Where is data received from?
- Where is data sent?
- Which jurisdiction is data stored in?
- What format?
- Name of system
- Business contact name
- Technology contact name
- Captured by CCTV?

Page 8

Privacy Questionnaire

Columns: Baseline | Baseline Requirement | Equivalent Local Law | Brief Description of Local Law | Questions

Row 1
Baseline: UK DPA \ Principle 1; UK DPA \ Principle 2; UK DPA \ Schedule 2; Dir 95/46/EC \ Article 6.1a; Dir 95/46/EC \ Article 6.1b; Dir 95/46/EC \ Article 7
Baseline Requirement: For processing of personal data to be fair and lawful, legitimate reasons for processing the data must be identified. In the UK, these are set out in Schedule 2 of the DP Act (Dir 95/46/EC Article 7).
Equivalent Local Law: HKDPO Principle 1 ver 1
Brief Description of Local Law: Personal data shall not be collected unless: (a) the data are collected for a lawful purpose directly related to a function or activity of the entity who will be using the data; (b) the collection is necessary for or directly related to that purpose; and (c) the data is not excessive in relation to that purpose. Personal data shall be collected by means which are lawful and fair.
Questions: (-) Have you identified on what basis you are able to lawfully process the personal data? (+) When you collect personal data, do you disclose the purpose of use to the data subject?

Row 2
Baseline: UK DPA \ Principle 1; UK DPA \ Principle 2; UK DPA \ Schedule 3; Dir 95/46/EC \ Article 6.1a; Dir 95/46/EC \ Article 6.1b; Dir 95/46/EC \ Article 8
Baseline Requirement: If sensitive personal data is processed, further conditions must be met to do this, for example obtaining explicit consent for the processing. In the UK a Data Protection Act Schedule 2 and 3 condition is required to process sensitive personal data (Dir 95/46 EC Article 8).
Equivalent Local Law: N/A
Brief Description of Local Law: Under the HKPO there is no separate concept of "Sensitive Personal Data".
Questions: (-) Are you processing sensitive personal data? Defined as personal data relating to: (a) the racial or ethnic origin of the data subject, (b) his political opinions, (c) his religious beliefs or other beliefs of a similar nature, (d) whether he is a member of a trade union, (e) his physical or mental health or condition, (f) his sexual life, (g) the commission or alleged commission by him of any offence, or (h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.

Page 9

BAU

Operating model - Don’t get hung up on the detail. Think buckets.

- Country retention schedules.
- Records Retention and Privacy Policies.
- RMCs / DPCs: each jurisdiction and/or each business. Barclays: UK - one in each business line; outside the UK - one in each jurisdiction.
- Incident Management Policy: escalation criteria, communications plan; Incident Management Committee for the big ones (Legal, PR, Compliance, HR, IT Security, Risk).
- Litigation hold committee (technology, risk, accountable executive, internal and external counsel).
- Annually refresh legal requirements.
- Policy Risk and Control Assessments (we will visit this soon) - risk-based approach. MI.
- Retention schedule for each jurisdiction. Push out to each business line and jurisdiction through the RMCs.
- Train your RMC and DPCs so they are the front line for the basic queries.
- Training and Awareness - all staff get the basics (tie into your gaps, key themes).

Page 10

Selection of Privacy Risks

- Failure to inform individuals about the collection and use of their information.
- Privacy registration requirements are not complied with.
- Failure to have a lawful basis for processing personal information.
- Privacy is not incorporated into the expansion into new markets and jurisdictions or the acquisition of new entities.
- Personal information transferred to and processed by vendors is not adequately protected.
- The privacy risk control framework is not adequately defined, embedded, monitored or enforced, nor capable of delivering privacy risk assessments to inform the development of policies and procedures.
- Responsibilities and accountabilities for the management of privacy are not appropriately defined, agreed, or implemented.
- Incidents, including those originating with third party suppliers, are not effectively identified and reported or managed and resolved in a manner that protects both the individual and Wealth.

Page 11

Putting it together

Columns: (Principle) Risk | Control | Risk Owner (Local v. Central) | Overall Risk RAG Rating | Evidence | Remediation Actions | Remediation RAG Rating

Risk: The privacy risk control framework is not adequately defined, embedded, monitored or enforced, nor capable of delivering privacy risk assessments to inform the development of policies and procedures.

Control 1: Conformance testing is conducted on a regular basis to ensure that personal information is processed in accordance with the Wealth Privacy Policy and all controls are operating effectively.
Risk Owner: Boba Fett
Overall Risk RAG Rating: Amber
Remediation Actions (Remediation RAG Rating):
- Identify area of testing. (Green)
- Develop and implement. (Green)
- Analyse results. (Amber)
- Remediation plan. (Red)

Control 2: MI is reported regularly and reviewed and challenged to ensure that it reflects the activity and status of privacy controls and to evaluate privacy risk.
Risk Owner: The Emperor
Overall Risk RAG Rating: Green
Remediation Actions (Remediation RAG Rating):
- Obtain. (Green)
- Use Jedi mind trick. (Amber)
- Receive update. (Green)
- Execute under-performers. (Green)

Control 3: RCAs are embedded in the day-to-day risk management process of the business and act as a management self assessment tool to proactively identify and address key control issues.
Risk Owner: Darth Vader
Overall Risk RAG Rating: Amber
Remediation Actions (Remediation RAG Rating):
- Inspect the stormtroopers. (Amber)
- Check they are using the RCA to inspire fear. (Amber)
- Validate results with the locals. (Amber)
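Pages 6 to 8 and 11 describe the pipeline in prose: data capture sheet rows, questionnaire questions mapped to baseline requirements and their local-law equivalents, and a gap list with owners and RAG ratings that rolls up into a dashboard. The following is an added example, not the deck's or Barclays' own tooling, showing that flow as a small Python model. The baseline entries, their severities, the question ids and the sample rows are this example's own assumptions; the three references taken from the deck's questionnaire are kept, and the two extra UK DPA principle references are illustrative.

```python
"""Toy privacy gap-analysis tool: data capture sheet rows are checked against a
baseline of requirements, each tied to a questionnaire question, and the gaps are
RAG-rated and rolled up per data stream.  All rule wiring and sample rows are
constructed for illustration; they are not the deck's real tooling."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Entry:
    """One data capture sheet row (a subset of the deck's fields)."""
    data_stream: str
    ref: str
    personal_data: bool
    sensitive_personal_data: bool
    transferred_abroad: bool
    third_party: Optional[str]
    # Questionnaire answers keyed by question id (ids are constructed here).
    answers: Dict[str, bool] = field(default_factory=dict)


@dataclass
class Requirement:
    """Baseline requirement, the question that tests it, and the RAG colour a
    failing (or missing) answer earns.  'applies' scopes the requirement to
    the rows it is relevant for."""
    law_ref: str
    question: str
    text: str
    applies: Callable[[Entry], bool]
    severity: str


# Illustrative baseline (assumption): references follow the deck's UK DPA /
# Directive 95/46/EC style; the severities are this example's own choices.
BASELINE: List[Requirement] = [
    Requirement("UK DPA / Schedule 2; Dir 95/46/EC Art. 7", "lawful_basis",
                "Lawful basis for processing identified",
                lambda e: e.personal_data, "Red"),
    Requirement("UK DPA / Principle 1; Dir 95/46/EC Art. 6.1a", "purpose_disclosed",
                "Purpose of use disclosed to the data subject at collection",
                lambda e: e.personal_data, "Amber"),
    Requirement("UK DPA / Schedule 3; Dir 95/46/EC Art. 8", "sensitive_condition",
                "Additional condition (e.g. explicit consent) met for sensitive data",
                lambda e: e.sensitive_personal_data, "Red"),
    Requirement("UK DPA / Principle 7", "processor_contract",
                "Written contract in place with the third party handling the data",
                lambda e: e.personal_data and e.third_party is not None, "Amber"),
    Requirement("UK DPA / Principle 8", "transfer_mechanism",
                "Lawful mechanism in place for data accessed from another country",
                lambda e: e.personal_data and e.transferred_abroad, "Red"),
]

RAG_ORDER = {"Green": 0, "Amber": 1, "Red": 2}


@dataclass
class Gap:
    data_stream: str
    ref: str
    law_ref: str
    question: str
    rag: str


def assess(entry: Entry) -> List[Gap]:
    """Check every in-scope requirement.  An unanswered question counts as a
    gap at the requirement's severity: an unmeasured control is an unmanaged one."""
    gaps = []
    for req in BASELINE:
        if not req.applies(entry):
            continue
        if entry.answers.get(req.question) is True:
            continue
        gaps.append(Gap(entry.data_stream, entry.ref, req.law_ref, req.question, req.severity))
    return gaps


def overall_rag(gaps: List[Gap]) -> str:
    """Worst colour wins; a row or stream with no gaps is Green."""
    return max((g.rag for g in gaps), key=RAG_ORDER.__getitem__, default="Green")


def dashboard(entries: List[Entry]) -> Dict[str, dict]:
    """Roll up gaps per data stream: overall RAG plus counts by colour."""
    out: Dict[str, dict] = {}
    for e in entries:
        stream = out.setdefault(e.data_stream, {"overall": "Green", "Red": 0, "Amber": 0, "gaps": []})
        for g in assess(e):
            stream[g.rag] += 1
            stream["gaps"].append(g)
        stream["overall"] = overall_rag(stream["gaps"])
    return out


# Constructed sample rows, not real data.
SAMPLE = [
    Entry("Client Onboarding", "CO-01", True, False, True, "KYC Vendor Ltd",
          {"lawful_basis": True, "purpose_disclosed": True,
           "processor_contract": True, "transfer_mechanism": False}),
    Entry("HR", "HR-03", True, True, False, None,
          {"lawful_basis": True, "purpose_disclosed": True}),  # sensitive_condition never answered
    Entry("Marketing", "MK-02", True, False, False, None,
          {"lawful_basis": True, "purpose_disclosed": False}),
    Entry("Facilities", "FA-07", False, False, False, "Cleaning Co", {}),  # no personal data in scope
]

if __name__ == "__main__":
    for stream, summary in dashboard(SAMPLE).items():
        print(f"{stream:18} {summary['overall']:6} Red={summary['Red']} Amber={summary['Amber']}")
        for g in summary["gaps"]:
            print(f"    {g.ref}: {g.question} ({g.rag}) -> {g.law_ref}")
```

The scoping predicate is what keeps the question sets short for teams that hold no personal data, one of the lessons on page 14; and treating a missing answer as a gap rather than silently passing it is how the "if you can't measure it, you can't manage it" point becomes enforceable in the tool rather than a slogan.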

Page 12

Dashboard mock-up

Not Real Data

Page 13

Focus: Records Management – June 2009 (Not Real Data)

Cumulative Achievements
- Records Management audit report issued in draft with a Satisfactory Rating for Wealth and 2 Medium audit points.
- Phase one of the RM/DP Assessment/Remediation project now complete with all high risk teams' action plans QA’d and remediation underway with the assistance of project staff.
- Current State Assessment action closure increasing following active chasing by IRM – 58% closed at end June.
- IRM RM SME fully engaged with USA PIM business to embed Wealth RM policies.
- BAU Schedule for RM management activities in place.
- Management of RM/DP project actions integrated with existing CSA action management system.

Current State Residual Risk Commentary
- 1,217 Current State Assessment actions were given a default due date of end Apr 2009. IRM actively chasing owners for the newly overdue actions to establish expected due dates.
- Activities to date have reduced the overdue actions with further focus being applied in July.
- RM/DP Remediation actions are increasing as the project team are completing team reviews - expectation is for a high volume of identified actions as the project progresses.

Exception Commentary

Major Activities next month
- Improved BU team refresh process to be proposed and implemented if agreed.
- Continued engagement with RM audit action owners to ensure coherent plans and funding are in place to address.
- Refresh Retention Schedules in conjunction with Group and Legal.
- Launch phase two of the assessment programme beginning with Jersey and Guernsey.

Risks Identified to Date
- RM SME resource departed mid June.
- Technology resource for shared drive analysis/remediation no longer exists in Wealth – conversations underway with BarCap to acquire resource.

Not Real Data

Page 14

Lessons we have learned

- There is a global shortage of privacy/records management professionals, so the approach had to work with project managers and business analysts without a technical privacy/records management background.
- Quality assurance of the output is vital and should be integral to the process.
- Training should be little and often.
- Link in with key stakeholders, e.g., internal audit, compliance, IT, internal comms, financial crime, etc.
- Awareness & training is a long-term exercise and cannot be fixed overnight.
- Too much detail on some of the question sets.

Pages 15-18

Awareness Material

Page 19

Help with Training & Awareness

Some of the Training & Awareness materials developed will be available on the ICO website for use on 28 January 10.

Private Consortium
- Multiple industries.
- For a fee you can access all material developed.
- Newly created material must be made available to other members.
- Currently administered by Barclays, but the expectation is that another group will take over in the near future.
- If you are interested, please contact me.

Page 20

It works!

Barclays won the 2009 IAPP Award for Privacy Innovation by a large organisation (toot toot)!

Data viewed as an asset.

Significant increase in:
- Compliance;
- Engagement of the privacy and records management SMEs at early project stages;
- Employee and vendor awareness; and
- Number of breaches reported.

- Measuring compliance and awareness.
- Inventory of processing and data.
- Identification and remediation of supplier contract and processing gaps.
- Reduction of reputation and fines risks.
- Improved regulatory relationships.
- Change in culture.
- Global Operating Models.

Page 21

The End

Michael Spadea
Barclays Wealth
1 Churchill Place
London, E14 5HP

[email protected]

(Email me for a copy of this presentation and a sample questionnaire.)