Tips & Tools for Conducting Effective Privacy Impact Assessment (PIA) – TRUSTe


Transcript of Tips & Tools for Conducting Effective Privacy Impact Assessment (PIA) – TRUSTe

1

Tips and Tools for Conducting Effective PIAs in Today’s Complex Privacy Landscape

TRUSTe Webinar Series, October 21, 2014

2

Agenda – Tips & Tools for Conducting Effective PIAs

• A Roadmap for Privacy Impact Assessments – Ray Everett, Director of Product Compliance Solutions, TRUSTe
• Implementing PIAs in Large Scale & Medium Enterprises – Dennis Dayman, Chief Privacy & Security Officer, Return Path
• Automating Privacy Impact Assessments – Tony Berman, Senior Product Manager, TRUSTe
• Summary / Q&A

3

Roadmap for Privacy Impact Assessments

Ray Everett, Director of Product Compliance Solutions, TRUSTe

4

UK ICO shows the way

• UK’s Information Commissioner’s Office (ICO) document: “Conducting privacy impact assessments: code of practice” (Version 1.0, published February 25, 2014).

“Privacy impact assessments (PIAs) are a tool which can help organisations identify the most effective way to comply with their data protection obligations and meet individuals’ expectations of privacy. An effective PIA will allow organisations to identify and fix problems at an early stage, reducing the associated costs and damage to reputation which might otherwise occur. PIAs are an integral part of taking a privacy by design approach.” (p.4)

5

Six elements of the PIA

• Identify the need for a PIA
• Describe information flows
• Identify privacy and related risks
• Identify and evaluate solutions (remediation options)
• Sign off and record PIA outcomes
• Integrate PIA outcomes back into the project plan

6

1. Identify the need for a PIA

• Articulating the need for a PIA helps you to scope the inquiry
• A “threshold” assessment enhances efficiency
• Basic questions:
– What PII and other data (e.g., cookies) will be captured?
– How/where will the data be stored?
– What countries/markets will this product serve?
– What will your relationship be to the data?
– What are your obligations vis-à-vis the data subjects?
– Are there third parties involved, and what is their relationship to the data?
– What changes will be required to contracts, user-facing privacy policies, and internal policies?

7

2. Describe the information flows

• A “data map” exercise scoped to the specific inquiry
• Elements of the data flows:
– What data is being collected?
– What is the business purpose behind this collection?
– Where will it be stored?
– Who will have access internally?
– Who will have access externally?

8

3. Identify privacy and related risks

• Where do risks arise? How are they categorized?
– Risk rises with, and relative to, the type of data being collected
– Risk can arise from “required” (vs. optional) data
– Risk arises from storing unnecessary data, especially if it’s sensitive
– Risk can arise from inadequate policies and improperly set expectations
– Risk arises as you move from a processor to a controller
• Articulate the risk factors to all stakeholders to help them drive the risk assessment process
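As an added example (not part of the webinar and not TRUSTe's tooling), the threshold assessment of slide 6 and the risk factors above can be turned into a small scoring pass over a data map: each element carries the fields from the "Describe the information flows" slide, and the score rises with the type of data, with required (vs. optional) fields, with storage that has no stated business purpose, with third-party access, and with the controller role. The sensitivity tiers, the weights, `FULL_PIA_THRESHOLD`, `assess` and the sample data map are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed sensitivity tiers for the data types listed on the "customer persona" slide.
SENSITIVITY = {"name": 1, "email": 1, "postal_address": 1, "telephone": 1,
               "habits": 2, "geo_location": 2, "login_password": 3,
               "ssn": 3, "driver_license": 3, "financial_account": 3}
FULL_PIA_THRESHOLD = 6  # assumed cut-off between a threshold screen and a full PIA


@dataclass(frozen=True)
class DataElement:
    name: str
    purpose: str             # business purpose; "" means none was articulated
    required: bool           # required (vs. optional) field
    storage: str             # where it will be stored
    internal_access: tuple   # internal roles with access
    external_access: tuple   # third parties with access


def assess(role, elements):
    """Score a data map; returns (score, findings, needs_full_pia).

    role is "processor" or "controller"; findings are the gaps that would
    feed the remediation Plan of Record.
    """
    score, findings = 0, []
    if role == "controller":
        score += 2
        findings.append("controller role: obligations to data subjects fall on you directly")
    for e in elements:
        tier = SENSITIVITY.get(e.name, 1)   # unknown types count as low sensitivity
        score += tier
        if not e.purpose:
            score += tier                   # unnecessary storage weighs more when sensitive
            findings.append(f"{e.name}: no business purpose stated for collection")
        if e.required and tier >= 2:
            score += 1
            findings.append(f"{e.name}: sensitive data is required rather than optional")
        if e.external_access:
            score += tier
            findings.append(f"{e.name}: shared externally with {', '.join(e.external_access)}")
    return score, findings, score >= FULL_PIA_THRESHOLD


# Constructed sample data map for a hypothetical newsletter sign-up feature.
SAMPLE_ELEMENTS = (
    DataElement("email", "send newsletter", True, "CRM", ("marketing",), ("email service provider",)),
    DataElement("geo_location", "", True, "analytics DB", ("marketing",), ()),
    DataElement("name", "personalise greeting", False, "CRM", ("marketing",), ()),
)

if __name__ == "__main__":
    score, findings, full_pia = assess("controller", SAMPLE_ELEMENTS)
    print(f"risk score {score}, full PIA needed: {full_pia}")
    for finding in findings:
        print(" -", finding)
```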

9

4. Identify and evaluate solutions (remediation)

• Identify gaps and create a remediation plan
– Driven by risk factors and overall risk tolerance
– Create a Plan of Record, identifying stakeholders, issues and responsibilities
– For large projects, convene regular meetings and appoint a “rapporteur”

10

5. Sign-off and record PIA outcomes

• This is your Gap Analysis + Remediation Plan
• Document! Document! Document!
• ...except when you don’t want to document.
• Keep your Plan of Record in a System of Record

11

6. Integrate the PIA outcomes back into the plan

• Document how your gaps were remedied
• Translate learnings into relevant policy/procedural changes
• Learn from the process for next time
– Yes, there will always be a next time

12

Implementing PIAs in Large Scale & Medium Enterprises

Dennis Dayman, Chief Privacy & Security Officer, Return Path

13

2.5 quintillion bytes of data

14

Privacy in Advertising and Marketing

• According to a report from Advertising Standards Canada:
– 89% agreed with the statement, “people share far too much personal information online these days;”
– 72% responded that they were worried about the erosion of personal privacy;
– 73% said they were aware that businesses were tracking people's activities on the Web in order to understand their interests.
• “Give consumers choice, control on personal data, advertisers urged” (The Globe and Mail): http://www.theglobeandmail.com/report-on-business/give-consumers-choice-control-on-personal-data-advertisers-urged/article5461959/

15

Privacy Issues Today

• FTC vs.
– Facebook
o Facebook changed how it handled users' information despite having told users it would protect it, limit how it was used, and limit access to it.
o The proposed settlement requires Facebook to take several steps to make sure it lives up to its promises in the future and to report to the FTC on those processes for the next 20 years.
– Google (Buzz)
o Used deceptive tactics and violated its own privacy promises to consumers when it launched its social network
o The proposed settlement bars the company from future privacy misrepresentations and requires 20 years of reporting
– Path.com
o It was discovered that Path's app automatically uploaded smartphone users' entire address books from 3,000 children to its servers without clear permission from parents.
o “From a developer's perspective, we understand the tendency to focus all attention on the process of building amazing new things”
o “It wasn't until we gave our account verification system a second look that we realized there was a problem. We hope our experience can help others as a reminder to be cautious and diligent”
o Path had to pay $800,000 to settle privacy issues with the FTC
o Must establish a "comprehensive privacy program" and obtain independent privacy assessments every other year for the next 20 years

16

These can be part of a customer's persona:

1. Names
2. Postal Addresses
3. Telephone numbers
4. Social Security Numbers
5. Account Numbers
6. Driver's License Numbers
7. Financial Account Numbers – Credit Cards, Checking
8. Logins and Passwords
9. Habits of any sort or Personal preferences
10. Email addresses

17

Where do you get this information typically?

1. Webinars: attendee information
2. Fishbowls: business cards
3. Website forms: email capture
4. Tracking mechanisms: website cookies
5. Social media: LIKES!
6. Mobile device tracking: geo-location
7. Buying of data: email list buying
8. Email campaign tracking: opens and clicks
9. Online surveys
10. Preference centres
11. Customer accounting
12. Etc.

18

Protecting Privacy: Fair Information Practices

1. Consent

2. Accountability

3. Identifying Purposes

4. Collection Limitation

5. Use, Retention and Disclosure Limitation

6. Accuracy

7. Security

8. Openness

9. Access

10. Compliance

19

The PIA Team

• Team should consist of:
– Executive Sponsor
– Privacy office as leader
o Legal office
– Security team
– Production managers
– IT managers
– HR department
– Marketing
– 3rd-party consultants
o TRUSTe
– Anyone who owns systems that contain PII

20

What else is needed to support a PIA

• Identify the team
– Needs to identify outsiders
• Agree upon a budget
– This covers time spent, man-hours, system use, and whose budget it comes from
• Time frame for completion
– Grab a PM if needed
– Buy-in and approval from all on getting their part done
– Regular status meetings
• Does the project comply with regulatory requirements?
– If it doesn’t, then that is a red flag BEFORE the PIA
• Describe the project to be assessed
– This can be used for the PIA report AND briefing papers for consulting stakeholders

21

PIAs must analyze and describe

• what information is to be collected (e.g., nature and source);
• why the information is being collected (e.g., to determine eligibility);
• intended use of the information (e.g., to verify existing data);
• with whom the information will be shared (e.g., another agency for a specified programmatic purpose);
• what opportunities individuals have to decline to provide information (i.e., where providing information is voluntary) or to consent to particular uses of the information (other than required or authorized uses), and how individuals can grant consent;
• how the information will be secured (e.g., administrative and technological controls).

22

Questions to ask for a PIA

• What are the sources of the information in the system?
• How was it given?
– Freely given
– Email, social, mobile, HR, websites, etc.
– Commercial or publicly available data
– Territorial considerations
• How will the information be checked for accuracy and timeliness?
– Will it be deleted soon, if not effective?
– Will it pass muster, and not be processed if not?
– How information in the system will or may be used
• Is the system using technologies in ways that the company has not previously employed (e.g., monitoring software, Smart Cards, etc.)?
• What law or regulation permits the collection of this information?
• Confirm that all uses of the data are both relevant and necessary
• Which external entities will have access to the information?
• How do consumers control their PII?

23

Advice

• Do Privacy Impact Assessments for every part of your business & ask advocates (not lawyers) for advice
• Generally, if the development and deployment of a new project (or technology, service, etc.) impacts upon privacy, the project manager should undertake a PIA.
• Significant System Management Changes
– When new uses of an existing IT system, including application of new technologies, significantly change how information in identifiable form is managed in the system
• Significant Merging
– When companies adopt or alter business processes so that company databases holding information in identifiable form are merged, centralized, matched with other databases or otherwise significantly manipulated
• No PIA is required where information relates to internal operations, has been previously assessed under an evaluation similar to a PIA, or where privacy issues are unchanged
• Annually update or review a PIA to ensure no changes have occurred

24

Automating Privacy Impact Assessments

Tony Berman, Senior Product Manager, TRUSTe

25

Lots Of Tools and Point Solutions Exist…

Surveys
Spreadsheets
Data Maps
Regulatory Guides
Scanning Tools
Consultants
Privacy Files

But are they sufficient to get your job done?

26

TRUSTe Assessment Manager

Automate the end-to-end privacy assessment process

• Centralized management via single enterprise dashboard and alerts
• Extensive privacy assessment template library and controls database
• Online assessment & workflows
• Gap analysis outlining required changes
• Enterprise policies and assessment templates
• Vendor management
• Integrated website data collection discovery service

27

Assessment Manager Demo

28

Questions?