
PRIVACY MANAGEMENT ACTIVITIES

Designed for the privacy office to take privacy management to the next level, Nymity Templates™ offers a wide range of downloadable resources.

Copyright © 2014 Nymity Inc. All Rights Reserved.

Conduct a Privacy Risk Assessment

• Audit Risk Analysis Toolkit
• Real World Examples and Supporting References
• Sample Privacy Risk Assessment Plan
• Sample Self-Assessment Questions
• Steps for Implementation and Management of the Privacy Risk Assessment

Maintain a Privacy Strategy

• Frameworks for Maturing the Privacy Program
• List of Measures to Meet the Privacy Strategy
• Steps for Implementation and Maintenance
• Supporting References
• Types of Privacy Strategies

Maintain a privacy program charter/mission statement

• Real World Samples
• Topics to Include in a Privacy Mission Statement

Maintain job descriptions for individuals responsible for data privacy (e.g. data protection officers)

• Nymity Privacy Job Description Template
• Real World Sample Job Description for Data Protection Manager
• Real World Sample Job Description for Information Authority DPO
• Real World Sample Job Description for DPO and Information Officer

Assign accountability for data privacy at a senior level

• Accountability Check List
• References that Support the PMA

Allocate resources to adequately implement and support the privacy program (e.g. budget, personnel)

• Assign Resources Checklist
• Privacy Office Budget Template
• Real World Samples and Supporting References

Assign responsibility for data privacy

• Checklist of Steps and Considerations for Assigning Responsibility for Privacy
• Example Organizational Chart of a Hybrid Privacy Function

Appoint a representative in member states where the organization does not maintain a physical presence

• Chart of Representatives
• References that Support this Privacy Management Activity
• Sample Language for Processor Agreements to Appoint a Data Processor as a Representative
• Steps to Implement and Maintain Appointing Representatives

Conduct regular communication between individuals accountable and responsible for data privacy

• Sample Privacy Committee Meeting Minutes - Alternative
• Sample Privacy Committee Meeting Minutes
• Steps to Implement and Maintain Regular Communication
• Template Agenda

Consult with stakeholders throughout the organization on data privacy matters

• Ad Hoc Communication Protocols
• Checklist for Fostering Ad Hoc Communication
• Steps for Implementation and Maintenance

Report, on a scheduled basis, on the status of the privacy program (e.g. board of directors, management board)

• Potential Reporting Elements and Metrics
• Reporting Content Template
• Sample Board Report Presentation
• Steps for Reporting on the Status of the Privacy Program

Integrate data privacy into business risk assessment/reporting

• Checklist of Privacy Risks to Include in a Business Risk Assessment
• Steps to Implement and Maintain Privacy as part of Business Risk Assessments

Maintain a Code of Conduct

• Checklist for Integrating Data Privacy into Code of Conduct
• Real World Sample Privacy Phrases for the Corporate Code of Conduct
• References to Support the PMA
• Steps to Implement and Maintain Privacy as Part of a Code of Conduct

Maintain ethics guidelines

• Real World Examples of Ethics Guidelines
• Steps for Implementing and Maintaining Data Privacy as Part of Ethics Guidelines
• Top Considerations when Writing Ethics Guidelines for Data Privacy

Maintain a strategy to align Activities with legal requirements (e.g., address conflicts, differences in standards, creating rationalized rule sets)

• N/A

Require employees to acknowledge and agree to adhere to the data privacy policies

• Real World Samples and Supporting References
• Sample Data Privacy Acknowledgement Wording
• Steps for Implementation and Maintenance

Report periodically on the status of the privacy program to external stakeholders, as appropriate (e.g. annual reports, third parties, clients)

• Potential Reporting Elements and Metrics
• Steps for Reporting on the Status of the Privacy Program
• Template for Reporting Status

1. Maintain Governance Structure

Ensure that there are individuals responsible for data privacy, accountable management, and management reporting procedures

Maintain an inventory of key personal data holdings (what personal data is held and where)

• Real World Samples and Supporting References
• Sample Questionnaire about Personal Data Holdings
• Steps for Implementation and Maintenance
• Template Personal Data Holdings Inventory

Classify personal data holdings by type (e.g. sensitive, confidential, public)

• Data Classification Template
• Real World Samples and Supporting References
• Sample Protective Marking Table
• Steps for Implementation and Maintenance

Obtain approval for data processing (where prior approval is required)

• Checklist for Seeking DPA Approval
• List of Data Protection Authority Contact Details by Country

Register databases with data protection authority (where registration is required)

• Real World Samples and Supporting References
• Spreadsheet of Registration Details
• Steps for Implementation and Maintenance
• Table of Registration Details per Country

Maintain documentation for all cross-border data flows (e.g. country, mechanism used as a basis for the transfer such as Safe Harbor, model clauses, binding corporate rules, or approvals from data protection authorities)

• Log of Cross-Border Transfer Details

Maintain flow charts for key data flows (e.g. between systems, between processes, between countries)

• Data Flow Worksheet
• Real World Samples and Supporting References
• Steps for Maintaining Flow Charts for Key Data Flows

Use Binding Corporate Rules as a data transfer mechanism

• Article 29 Working Party BCR Application Form for Controllers
• Article 29 Working Party BCR Application Form for Processors
• Article 29 Working Party Framework of Elements for BCRs and Application Form for Data Controllers
• Article 29 Working Party Framework of Elements for BCRs and Application Form for Data Processors
• Nymity BCR Readiness Assessment Template
• Dealing with a Lead Authority
• Nymity BCR Cost Benefit Webinar
• Nymity BCR Rule Source
• Nymity BCR Tool
• Real World Samples and Supporting References
• Webinar on BCR Implementation Accompanying Slides
• Webinar on BCR Implementation at Johnson Controls - a Case Study

Use Standard Contractual Rules as a data transfer mechanism

• EC Decision 2001-497-EC - Clauses Between Data Controllers - Establishes Joint and Several Liability to the Data Subject
• EC Decision 2004-915-EC - Clauses between Data Controllers - Limits Liability
• EC Decision 2010-87-EU - Clauses between a Processor and Subcontractor
• European Commission Decision 2010-87-EU - Clauses Between a Controller and a Processor
• Real World Samples for Standard Contractual Clauses
• Steps for Implementation and Maintenance of Model Clauses
• Supporting References for Standard Contractual Clauses

Use Cross-Border Privacy Rules as a data transfer mechanism

• CBPR Data Privacy Accountability Scorecard Template
• CBPR Intake Questionnaire
• Checklist of Documentation for Accountability Agent Approval
• Supporting References

Use the Safe Harbor framework as a data transfer mechanism

• Nymity Safe Harbor Tool
• Real World Samples and Supporting References
• Nymity Safe Harbor Data Privacy Accountability Scorecard Template
• Steps for Implementation and Maintenance of Safe Harbor Certification

Use Data Protection Authority approval as a data transfer mechanism

• Checklist for Seeking DPA Approval for Data Transfers
• References that Support this How to Guide

Use adequacy or one of the derogations from adequacy as a data transfer mechanism

• Checklist of Adequate Countries and Derogations
• Log of Derogations Relied on
• References that Support this How To Guide

2. Maintain Personal Data Inventory

Maintain an inventory of the location of key personal data storage or personal data flows with defined classes of personal data


Maintain a data privacy policy

• Annotated Privacy Policy
• Privacy Policy Content Checklist
• Privacy Policy Lifecycle
• Real World Samples

Maintain a separate employee data privacy policy

• Annotated Employee Privacy Policy
• Employee Privacy Policy Creation and Maintenance Checklist
• Real World Samples and Supporting References
• Steps to Implement and Maintain Employee Privacy Policies

Obtain board approval for data privacy policy

• Privacy Policy Approval Checklist and Template Presentation
• Boardroom Guidance

Document legal basis for processing personal data

• Guidance and Checklist for Documenting Legal Basis for Processing
• Log of the Legal Basis for Processing Personal Data
• Supporting References for Documenting Legal Basis for Processing

Document guiding principles for consent

• Considerations for Documenting Guiding Principles of Consent
• Supporting References

3. Maintain Data Privacy Policy

Maintain a data privacy policy that meets legal requirements and addresses operational risk

Maintain policies/procedures for collection and use of sensitive personal data (including biometric data)

• Checklist of Considerations for Processing Sensitive Personal Data
• Do’s and Don’ts of Handling Sensitive Personal Data
• Real World Samples and Supporting References
• Real World Samples of Policy Language
• Sample Protective Marking Table

Maintain policies/procedures for maintaining data quality

• Real World Examples of Data Quality Comics and Posters
• Real World Samples and Supporting References
• Sample Data Quality Policy

Maintain policies/procedures for pseudonymization/anonymization of personal data

• Checklist for Anonymizing or Pseudonymizing Personal Data
• Real World Samples and Supporting References
• Steps to Implement and Maintain Anonymization Policies

Maintain policies/procedures to review processing conducted wholly or partially by automated means

• N/A

Maintain policies/procedures for secondary uses of personal data

• Sample Consents for Secondary Uses
• Sample Real World Secondary Use Policy
• Supporting References
• White Paper on Secondary Uses of Personal Data

Maintain policies/procedures for collecting consent preferences

• Log of Consents
• Real World Samples and Supporting References
• Sample Consent Form
• Sample Third-Party Authorization Form
• Steps for Implementation and Maintenance of Consent Preferences

Maintain policies/procedures for secure destruction of personal data

• Data Destruction Checklist
• Data Destruction Log Template
• Real World Samples and Supporting References
• Sample Destruction Policy and Procedure
• Steps for Implementation and Maintenance

Integrate data privacy into use of cookies and tracking mechanisms

• Checklist to Integrate Data Privacy into Online Tracking
• Real World Samples and References that Support the Template
• Steps for Implementation and Management

Integrate data privacy into records retention practices

• Checklist for Incorporating Privacy into Retention Practices
• European Document Retention Guide 2013 by Iron Mountain
• Real World Samples and Supporting References
• Steps to Implement and Maintain Retention Schedules

Integrate data privacy into direct marketing practices

• Buying a Marketing List - What You Should Be Asking
• Checklist for Direct Marketing
• Direct Marketing Privacy Overview
• Hybrid Direct Marketing and Online Behavioral Advertising Cases


Integrate data privacy into email marketing practices

• Buying a Marketing List - What You Should Be Asking
• Consent and Unsubscribe Options for Email Marketing
• Practice Tips for Email Marketing
• Real World Samples and Supporting References for E-mail Marketing
• White Paper on E-mail Marketing

Integrate data privacy into telemarketing practices

• N/A

Integrate data privacy into behavioural advertising practices

• Consumer Control of Targeted Advertising
• Hybrid Direct Marketing and Online Behavioral Advertising Cases
• Online Behavioral Advertising Privacy Considerations Checklist
• Supporting References
• White Paper on Privacy and Behavioral Advertising

Integrate data privacy into hiring practices

• Data Privacy Hiring Do’s and Don’ts
• Hiring Practice Steps to Implement and Maintain this PMA
• HR Example of HR Forms that Collect Personal Data in a Privacy-Protective Manner
• HR Example of Privacy-Protective Job Descriptions
• Real World Examples of Hiring Practices
• Sample Interview Questions Framed in a Privacy-Protective Manner
• Sample Reference Checking Questions that are Framed in a Privacy-Protective Manner
• Supporting References

4. Embed Data Privacy Into Operations

Maintain operational policies and procedures consistent with the data privacy policy, legal requirements, and operational risk management objectives


Integrate data privacy into employee background check practices

• Checklist for Integrating Data Privacy into Background Checking Procedures
• Real World Samples

Integrate data privacy into social media practices

• Real World Samples for Social Media Policies
• Sample Social Media Policy Topics and Language
• Steps to Integrate Data Privacy into Social Media Practices
• Supporting References for Social Media
• Template Privacy Impact Assessment for Use of Social Media

Integrate data privacy into Bring Your Own Device (BYOD) policies/procedures

• Checklist for Considerations in Mobile Device Policy Development
• Supporting References

Integrate data privacy into health and safety practices

• Health and Safety Policy and Practice Checklist
• Real World Samples and Supporting References

Integrate data privacy into interactions with works councils

• Checklist for Working with Works Councils
• Steps to Implement and Maintain Work with Works Councils

Integrate data privacy into practices for monitoring employees

• Checklist for Integrating Privacy into Employee Monitoring Processes
• Real World Samples and Supporting References

Integrate data privacy into email monitoring practices

• Checklist for Integrating Privacy into E-mail Monitoring
• Real World Samples and Supporting References

Integrate data privacy into use of CCTV/video surveillance

• Checklist for Use of CCTV in General
• Checklist for Use of CCTV in the Workplace
• Real World Samples and References that Support the Template
• Steps for Implementation and Management

Integrate data privacy into use of geo-location (tracking and/or location) devices

• Geolocation Whitepaper and Checklist
• Real World Samples and Supporting References for Geolocation
• Steps for Implementing the Template

Integrate data privacy into delegate access to employees' company e-mail accounts (e.g. vacation, LOA, termination)

• Checklist of Considerations for Delegate Access to E-mail
• E-mail Access Log
• Real World Samples and Supporting References
• Sample Delegate Authorization
• Sample E-mail Access Request Form

Integrate data privacy into ediscovery practices

• N/A

Integrate data privacy into conducting internal investigations

• Internal Investigation Process Overview
• Real World Samples of Investigation Policies
• Sample Internal Investigations Policy
• Steps to Implement and Maintain Privacy in Conducting Internal Investigations
• Supporting References for Conducting Internal Investigations

Integrate data privacy into practices for disclosure to and for law enforcement purposes

• Considerations for Law Enforcement Requests
• Law Enforcement Request Policy
• Law Enforcement Request Procedure
• Real World Samples and Supporting References

Integrate data privacy into customer/patient/citizen-facing practices

• N/A

Integrate data privacy into back office/administrative procedures (e.g. facilities management)

• Examples of Product Life Cycle Processes and Procedures
• Key Considerations
• Steps for Integrating Privacy into Back Office Procedures
• Supporting References

Integrate data privacy into financial operations (e.g. credit, billing, processing transactions)

• N/A

Integrate data privacy into research practices


Conduct data privacy training needs analysis by position/job responsibilities

• References that Support the Template
• Steps for Implementation and Maintenance of Training Needs Assessment
• Training Needs Assessment Template
• Training Needs Inventory Spreadsheet Template

Maintain a core training program for all employees

• Checklist of Considerations for Training Programs
• List of Training Providers and Materials Websites
• Real World Samples and Supporting References
• Steps for Implementation and Maintenance of Core Training

Conduct training for newly appointed employees upon assignment to privacy-sensitive positions

• Checklist of Considerations for Training Programs
• Flow Chart for Training Requirements on New Assignments
• Steps for Implementation and Maintenance of Training for Privacy Sensitive Positions

Maintain a second level training program reflecting job specific content

• Second Level Privacy Training Guidance
• Steps for Implementation and Maintenance of Second Level Training

Conduct regular refresher training to reflect new developments

• Checklist for Conducting Refresher Training
• Refresher Training Resources
• Steps for Implementing Privacy Refresher Training

Integrate data privacy into other training programs (e.g. HR, security, call centre, retail operations training)

• N/A

Measure participation in data privacy training activities (e.g. numbers of participants, scoring)

• Certificate of Training
• Data Privacy Training Feedback Form
• Data Privacy Training Sign-in Sheet
• Manager Attestation re Training Completion
• Steps for Implementing and Maintaining Measurements of Training Participation

Require completion of data privacy training as part of performance reviews

• Options for Integrating Privacy Training into Performance Reviews
• Steps for Implementing Privacy Training as Part of Performance Reviews

Deliver a privacy newsletter, or incorporate privacy into existing corporate communications

• Newsletter Generator
• Privacy Newsletter Guidance and Checklist
• Sample Corporate Newsletter that Includes Privacy
• Sample Privacy-Specific Newsletter
• Steps for Generating and Delivering Privacy Newsletters

Maintain ongoing awareness material (e.g. posters, intranet, and videos)

• Real World Samples and Supporting References
• Steps for Implementation and Maintenance of Awareness Materials

Maintain an internal data privacy intranet, privacy log, or repository of privacy FAQs and information

• Case Study - Maintaining an Internal Data Privacy Intranet
• Steps for Implementing and Maintaining a Privacy Intranet
• Types of Content for a Privacy Intranet

Hold an annual data privacy day/week

• Possible Data Privacy Day or Week Events and Activities
• Real World Samples and Supporting References
• Steps for Implementing and Holding a Data Privacy Day or Week

Measure comprehension of data privacy concepts using exams

• Guidance for Measuring Comprehension of Data Privacy Concepts
• Real World Samples and Supporting References
• Steps for Implementing and Maintaining Measurements of Privacy Training Comprehension

Provide data privacy information on system logon screens

• Real World Samples and Supporting References
• Sample Data Privacy Logon Screen Banner Wording
• Steps for Implementation and Maintenance

Maintain certification for individuals responsible for data privacy including continuing professional education

• Privacy and Security Qualifications and Certification Programs
• Sample Continuing Professional Education Policy
• Steps for Implementation and Maintenance of Privacy Certifications
• Template Continuing Privacy Education Log

Conduct one-off/one-time tactical training and communication dealing with specific, highly relevant issues/topics

• Checklist for One-Off and One-Time Tactical Training
• Example of a One-Time Tactical Training Message
• Steps for Implementation and Maintenance of One-Time Tactical Data Privacy Training

Provide ongoing education and training for the privacy office (e.g. conferences, webinars, guest speakers)

• In House Conference and Event Benefits
• Steps for Implementation and Maintenance of Privacy Office Education and Training

5. Maintain Training and Awareness Program

Provide ongoing training and awareness to promote compliance with the data privacy policy and to mitigate operational risk


Conduct a security risk assessment which considers data privacy risk

• Overview of the Security Risk Assessment Process for the Privacy Office
• Sample Security Risk Assessment Plan
• Supporting References

Maintain an information security policy

• Security Policy Review Checklist

Maintain technical security measures (e.g. intrusion detection, firewalls, monitoring)

• Checklist of Common Ways to Mitigate Common Threats
• Common Technical Security Considerations

Maintain administrative and technical measures to encrypt personal data in transmission and at rest, including removable media

• Checklist of Privacy Considerations for Encryption
• Generic Use of Encryption Policy
• Glossary of Commonly Used Encryption Terminology
• Real World Samples Relating to Encryption
• Supporting References for Encryption

Maintain procedures to restrict access to personal information (e.g. role-based access, segregation of duties)

• Privacy Considerations in Restricting User Access

Maintain a corporate security policy (protection of physical premises and hard assets)

• Common Physical Security Considerations

Maintain human resource security measures (e.g. pre-screening, performance appraisals)

• Processes to Vet Applicants for Privacy-Sensitive Roles
• Real World Samples and Supporting References
• Sample Behavioral Interview Questions

Maintain backup and business continuity plans

• Business Continuity Plan Checklist
• Real World Samples and References for Business Continuity Plans
• Steps for Implementation of Maintaining Back Up and Business Continuity Plans

Maintain a data loss prevention strategy

• Checklist of Common DLP Considerations
• Steps to Implement and Maintain a DLP Solution

Maintain procedures to update security profile based on system updates and bug fixes

• Checklist for Integrating Privacy into System Updates and Bug Fixes
• Supporting References

Conduct regular testing of data security posture

• Checklist for Integrating Privacy into Security Testing

Maintain a security verification

• N/A

6. Manage Information Security Risk

Maintain an information security program based on legal requirements and ongoing risk assessments

Maintain data privacy requirements for third parties (e.g., vendors, processors, affiliates)

• Draft Clauses used by the United States Federal Government
• Real World Samples and References that Support the Template
• Sample Data Privacy and Security Clauses
• Sample Requirements that a Vendor has for its Clients
• Sample Vendor Agreement Privacy Clauses
• Steps to Ensure Privacy Language is Included in All Appropriate Contracts

Maintain procedures to execute contracts or agreements with all processors

• Considerations for a Procedure for Executing Contracts

Maintain a vendor data privacy risk assessment process

• Invasion of Privacy Test
• Outsourcing Contract Risk Assessment Checklist
• Real World Samples and Supporting References
• Steps to Implement and Maintain a Vendor Privacy Risk Assessment Process

Conduct due diligence around the data privacy and security posture of potential vendors/processors

• 10 Steps to Take when Outsourcing Personal Data Processing
• Checklist of Screening Questions for Potential Vendors and Processors
• Privacy Questionnaire for Outsourcing Personal Data Processing
• Supporting References for the PMA
• Vendor Privacy Risk Assessment Scorecard

Maintain a policy governing use of cloud providers

• Factors in Creating a Cloud Computing Policy
• Sample Cloud Computing Policy
• Supporting References

Maintain procedures to address instances of non-compliance with contracts and agreements

• Procedures for Addressing Non-Compliance with Contracts

Conduct ongoing due diligence around the data privacy and security posture of vendors/processors based on a risk assessment

• 10 Steps to Take when Outsourcing Personal Data Processing
• Checklist of Screening Questions for Potential Vendors and Processors
• Privacy Questionnaire for Outsourcing Data Processing
• Supporting References for the PMA

Review long term contracts for new or evolving data protection risks

• Catalogue Change Log
• Checklist for Reviewing Long-term Contracts for New Risks

7. Manage Third-Party Risk

Maintain contracts and agreements with third parties and affiliates consistent with the data privacy policy, legal requirements, and operational risk tolerance


Maintain a data privacy notice that details the organization’s personal data handling policies

• Annotated Privacy Notice
• Checklist for Data Privacy Notice Considerations
• Real World Samples and Supporting References
• Sample Condensed Notice
• Sample Just-in-Time Notice
• Sample Privacy Notice in Table Form
• Sample Short Notice
• Steps for Implementation and Maintenance of Privacy Notices
• Withdrawal of Consent Form

Provide data privacy notice at all points where personal data is collected

• Acknowledgement of Notice
• Checklist for Providing a Data Privacy Notice
• References that Support this Privacy Management Activity
• Sample Notice Distribution Log
• Steps for Implementation and Maintenance of Privacy Notices

Provide notice by means of on-location signage, posters

• HIPAA Notice of Privacy Practices - Sample Notice, American Medical Association
• Physical Notice and Signage Guidance and Checklist
• Sample CCTV Sign
• Sample Notice Brochure
• Steps for Implementation and Maintenance of On-location Signage and Posters
• Supporting References for On-location Notice

Provide notice in marketing communications (e.g. emails, flyers, offers)

• Checklist for Providing a Data Privacy Notice
• References that Support this How to Guide
• Sample Privacy Disclosure or Opt-Out Language
• Steps for Implementation and Maintenance of Privacy Notices

Provide notice in all forms, contracts, and terms

• Checklist for Privacy Notices in Forms, Contracts and Terms
• Real World Samples for Privacy Notices in Forms and Contracts
• Steps for Implementing and Maintaining Privacy Notices in Forms and Contracts
• Supporting References for Privacy Notices in Forms and Contracts

Maintain scripts for use by employees to provide the data privacy notice

• Checklist for Maintaining Scripts to Provide Notice
• Sample Phrasing for Privacy Notice Scripts

Maintain a data privacy notice for employees (processing of employee personal data)

• Annotated Privacy Notice
• Employee Privacy Notice Creation and Maintenance Checklist
• Real World Samples
• Steps for Implementation and Maintenance of Employee Privacy Notices

Maintain a privacy seal or trustmark to increase customer trust

• Key Considerations for Adopting a Seal or Trustmark
• Potential Privacy or Trust Seals or Trustmarks
• Steps for Implementation and Maintenance of a Privacy Seal or Trustmark
• Supporting References

Provide data privacy education to individuals (e.g. preventing identity theft)

• Checklist on Providing Data Privacy Education
• Real World Samples for Data Privacy Education

8. Maintain Notices

Maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance

Maintain procedures to address complaints

• Complaint Log
• Complaint Mechanism Checklist
• Real World Samples and Supporting References
• Sample Complaint Procedure
• Sample Complaint Response Letter
• Steps for Implementation and Maintenance of Addressing Privacy Complaints
• Tracking Individual Complaints or Requests

Maintain procedures to respond to access requests

• Access Request Checklist
• Acknowledgement of Request Letter
• Log of all Access Requests
• Real World Samples and Supporting Guidance
• Sample Access Request Form
• Sample Access Request Procedure
• Sample Response Letter
• Steps for Implementation and Maintenance of Access Requests
• Tracking Individual Requests Form

Maintain procedures to respond to requests to update or revise personal data

• Acknowledgement of Request
• Correction or Rectification Request Checklist
• Correction or Rectification Request Log
• Real World Samples
• Sample Rectification Procedure
• Sample Response Letter
• Steps for Implementation and Maintenance of Correction Requests
• Tracking Individual Requests Form

Maintain procedures to respond to requests to opt out

• Real World Samples and Supporting References
• Sample Opt-Out Form
• Sample Opt-Out Procedures
• Steps for Implementation and Maintenance of Opt-Out Requests

Maintain procedures to respond to requests for information

• Checklist for Responding to Requests for Information
• Information Request Log Template
• Sample Information Request Procedure
• Sample Request Tracking Form
• Sample Response Letter

Maintain customer Frequently Asked Questions

• A List of Potential FAQs and Sample Text by Category
• A Sample Departmental Survey to Identify Potential FAQs
• Real World Samples and Supporting References
• Steps for Developing and Maintaining Privacy FAQs

Maintain escalation procedures for serious complaints or complex access requests

• Checklist and Procedure for Escalating Serious Complaints
• Real World Samples and Supporting References
• Steps for Implementation and Maintenance of an Escalation Process

Maintain procedures to investigate root causes of data protection complaints

• Sample Questions to Assist in Identifying Root Cause
• Steps for Implementation and Maintenance of Identifying Root Causes

Maintain metrics for data protection complaints (e.g. number, root cause)

• Example of How to Generate Metrics
• Privacy Complaint Log
• Privacy Complaints Metrics Checklist
• Real World Samples and Supporting References

9. Maintain Procedures for Inquiries and Complaints


Maintain a Privacy by Design framework for all system and product development

• GSMA Privacy Design Guidelines for Mobile Application Development
• OASIS Making Privacy Operational - Introduction to the Privacy Management Reference Model
• Privacy by Design Interview - A Systems Architect, Engineer and Designer Tool
• Privacy Management Reference Model and Methodology Version 1.0, 26 March 2012 - OASIS Committee Specification Draft 01
• Supporting References for a PbD Framework

Maintain Privacy Impact Assessment guidelines and templates

• PIA Checklist
• PIA Template
• Real World Samples and Supporting References

Conduct PIAs for new programs/systems/processes

• Checklist on When to Conduct a PIA
• Real World Samples and Supporting References
• Steps for Implementation and Maintenance of Conducting PIAs
• Template Privacy Threshold Analysis

Maintain a procedure to address data protection issues identified during PIAs

 Checklist for Addressing Issues Identified in a PIA  References that support this How to Guide

 Sample Privacy Risk Mitigation Table

-

Maintain a product sign-off procedure that involves the privacy office

 Examples of Product Sign-off Procedures

 Key Considerations for Maintaining a Product Sign-off Procedure

 Steps for Implementation and Maintenance of a Product Sign-off Procedure

-

Maintain a product life cycle process to address privacy impacts of changes to existing programs, systems, or processes

 Product Life Cycle Process Examples

 Steps for Implementation and Maintenance of a Product Lifecycle Process

 Supporting References

-

Maintain metrics for PIAs (e.g. number completed, turnaround time)

 List of Privacy Impact Assessment Metrics

 Steps for Implementation and Maintenance of PIA Metrics  Supporting References

10. Monitor for New Operational Practices

Monitor organizational practices to identify new processes or material changes to

existing processes and ensure the implementation of Privacy by Design principles


11. Maintain Data Privacy Breach Management Program

Maintain an effective data privacy incident and breach management program

Maintain a documented data privacy incident/breach response protocol

 Anticipated Questions from Law Enforcement and Regulators
 Checklist for Breach Response Protocol Considerations
 Contact List for Response Team to Use
 First 24 Hours Checklist
 Real World Samples
 References that Support this Template
 Steps for Implementation and Management

-

Maintain a breach notification (to affected individuals) and reporting (to regulators, credit agencies, law enforcement) protocol

 Checklist for Notification Considerations
 Real-World Samples
 Steps for Implementation and Maintenance of Breach Notifications
 Supporting References

-

Maintain a breach incident log to track nature/type of all breaches

 Breach Log Checklist
 Breach Log Template
 Real World Samples and Supporting References
 Steps for Implementation and Maintenance of a Breach Log

-

Maintain data privacy incident/breach metrics (e.g. nature of breach, risk, root cause)

 Example Creation of a Breach Metric
 Privacy Breach Metrics Checklist
 Real World Samples and Supporting References

-

Conduct periodic testing of breach protocol and document findings and changes made

 Issues Capture Workbook
 Real World Samples and Supporting References
 Steps to Implement and Maintain a Breach Testing Protocol

-

Engage a breach response remediation provider

 N/A

-

Engage a forensic investigation team

 Checklist for Engaging a Forensic Investigation Team
 Steps for Implementation and Management of Engaging Forensics Teams
 Supporting References

-

Obtain data privacy breach insurance coverage

 Cyber Insurance Checklist

-

Maintain a record preservation protocol to protect relevant log history

 N/A


12. Monitor Data Handling Practices

Verify operational practices comply with the data privacy policy and operational policies and procedures

Conduct self-assessments managed by the privacy office

 Audit Risk Analysis Toolkit
 Data Privacy Accountability Scorecard Template with Example
 Real World Samples of Privacy Self-Assessments and Supporting References
 Sample Self-Assessment Questions
 Scorecard Webinar
 Steps for Implementation and Maintenance of Privacy Self-Assessments
 The Privacy Office Guide to Demonstrating Accountability

-

Conduct ad-hoc audits/assessments based on complaints/inquiries/breaches

 Audit Phases and How to Conduct an Audit
 Real World Samples and Supporting References
 Sample Audit Questions
 Sample Error Classification Schedule

-

Conduct audits/assessments of the privacy program outside of the privacy office (e.g. internal audit)

 Example Audit Initiation Letter Issued under Privilege
 Internal Auditing Approach to Privacy Audits and Assessments
 Privacy Office Role with Internal Auditing
 Top 10 Things Privacy Can Do to Support Internal Audit

-

Benchmark results of audits/assessments (e.g. comparison to previous audit, comparison to other business units)

 Privacy Management Activity Framework
 Privacy Planning and Benchmarking Methodology

-

Conduct ad-hoc walk-throughs

 Audit Risk Analysis Toolkit
 Error Classification Schedule
 Sample Audit Questions
 Steps for Conducting Ad Hoc Privacy Walk-throughs
 Supporting References

-

Conduct assessments through use of an accountability agent or third-party verification

 Accountability Agents Approach to Privacy Assessments
 The Privacy Office's Role with Accountability Agent or Third Party Verification
 Third-Party Service Providers Approach to Privacy Assessments
 Top Ten Things the Privacy Office Can Do to Support the Use of an Accountability Agent or Third-Party Verification

-

Maintain privacy program metrics

 Potential Metrics for Reporting the Privacy Program Status
 Privacy Metrics Templates and Real Life Examples
 Steps for Implementing and Maintaining Privacy Program Metrics
 Supporting References


13. Track External Criteria

Track new compliance requirements, expectations, and best practices

Conduct ongoing research on developments in law

 Considerations for How to Conduct Research

-

Maintain subscription to compliance reporting service/law firm updates to stay informed on new developments

 List of Potential Compliance Reporting Services and Law Firms
 Steps for Implementation and Maintenance of the PMA

-

Maintain records or evidence that alerts are read and actions are taken (e.g. read daily and forwarded to key individuals as required)

 Advanced User Features of Nymity References
 Checklist around Evidence that Alerts are Read and Actions Taken
 Template for a Log of Actions

-

Attend/participate in privacy conferences, industry associations, or think-tank events

 List of Privacy Conferences, Industry Associations, and Think-Tank Events
 Steps for Implementation and Maintenance of the PMA

-

Record/report on the tracking of new Rule Sources or amendments to Rule Sources

 Reporting on the Tracking of New Rule Sources
 Sample Records for Tracking Rule Sources

-

Seek legal opinions regarding recent developments in law

 Considerations for Seeking Legal Opinions

-

Document that new requirements have been implemented (also document where a decision is made to not implement any changes, including reason)

 Checklist for Documenting that Requirements were Implemented
 Sample Change Request Form
 Sample Document Revision History
 Sample Project Implementation Plan
 Template for a Log of Actions

-

Review or participate in studies related to best practices in data privacy management

 Potential Studies Related to Best Practices in Data Privacy Management
 Steps for Implementation and Maintenance of Reviewing or Participating in Privacy Studies


Copyright © 2014 by Nymity Inc. All rights reserved. All text, images, logos, trademarks and information contained in this document are the intellectual property of Nymity Inc. unless otherwise indicated. Reproduction, modification, transmission, use, or quotation of any content, including text, images, photographs etc., requires the prior written permission of Nymity Inc. Requests may be sent to research@nymity.com.

Privacy Management Accountability Framework

The Nymity Privacy Management Accountability Framework (“Framework”) is a comprehensive listing of over 150 privacy management activities identified through Nymity’s global data privacy accountability research. The privacy management activities are structured in 13 privacy management processes, and are jurisdiction and industry neutral.
