As part of the TrustArc Privacy Insight Series, TrustArc SVP, Privacy Intelligence and General Counsel, Hilary Wandall, TrustArc Director, EU Policy & Strategy, Paul Breitbarth, and TrustArc SVP, Products and Engineering, Michael Lin presented the webinar “Assessing Risk: How Organizations Can Proactively Manage Privacy Risk” last week. This blog post will give a brief summary of that webinar; you can listen to the entire webinar and download the slides here.
As organizations begin to ramp up their privacy programs to encompass data processing and data management activities, risk management becomes an increasingly important topic. In this webinar, the panelists discussed:
Risk management relating to privacy for an organization and for the individual. The main organizational risks from a privacy perspective are: data security, changing legal frameworks, international data flows, and enforcement action and court cases. For individuals, privacy risks are centered on the sensitivity of data processing, such as the volume of data being processed and shared, the individuals involved in data processing, unnecessary data processing, and unexpected secondary data uses, among other risks.
Third-party risks in today’s climate. With the COVID-19 pandemic forcing many people to shelter in place, working from home has itself become a subject of risk management. There is a need to understand risks from third-party technologies and third-party providers. How data privacy is maintained within a home environment, such as how printed documents are handled, which computer devices are used while working, and how data is stored and cleared, presents additional third-party risks that need to be considered. Risk management has also ignited regulatory changes on data usage, cross-border data transfers, and video conferencing.
Focusing resources on the highest areas of risk. There is an ongoing balancing test between a risk and its consequences, weighed against the severity of that risk and the likelihood of it occurring. To prioritize resources effectively, identify the highest-risk areas and tackle those immediately. Risks with high severity and high likelihood of occurring should be prioritized for prevention, protection, and recovery measures.
Risk reporting to management and the board. Boards of directors are responsible for risk oversight and governance, which is critical to organizational strategy. Key areas of risk for the board of directors are Governance Risks, Business Management Risks, Critical Enterprise Risks, Emerging Risks, and Board Approval Risks. Specific privacy topics reported to the board of directors and management are data breaches, status of compliance with the GDPR, privacy program key performance indicators, progress on privacy initiatives, privacy litigation, and more. Accountability is also important in risk reporting: it is demonstrated through compliance, a structured review process, and detailed management reporting.
Tools and best practices to manage, automate, and continuously monitor both company and third-party risk. The five key pillars in managing risk are Identify, Assess, Analyze, Remediate, and Ongoing Monitoring. Other considerations include automating these processes wherever possible, driving a holistic view of the vendor, ease of use with a streamlined user experience, and managed services and consulting to help build your program.
TrustArc Risk Profile empowers privacy leaders to identify high risk business activities, conduct the appropriate risk evaluation, and calculate the risk at the business activity level to understand risk across the organization. To learn more, click here.
Join us for the next webinar in the Privacy Insight Series: “EMEA Quarterly Update: Two Years Later” with TrustArc Director, EU Policy and Strategy, Paul Breitbarth, and TrustArc Senior Privacy Researcher, Jadene Young joined by Hunton Andrews Kurth LLP President, Centre for Information Policy Leadership, Bojana Bellamy on April 29th, 2020 at 7:00am PT. Register for the webinar here.
Privacy is historically underfunded when it comes to company budgets, even as “data privacy” has become a popular topic. Some stakeholders view regulations like the GDPR or CCPA as a one-time, check-the-box project, and therefore fail to fund them appropriately. However, those handling privacy management on a day-to-day basis know this is not the case when dealing with numerous complex privacy regulations. Privacy compliance is an ongoing adventure and cannot be approached like a task that will be crossed off the list once compliance has been reached. Developing a mature privacy program is crucial to ongoing risk management and compliance. So how do you do this when the proper resources aren’t available? Luckily, there are several ways to get your stakeholders on board the privacy train:
Presenting a Solid Case for Privacy
Be Persuasive. When presenting your case to the stakeholders, be ready to make a convincing argument as to why privacy resources are needed. Be prepared. Be firm. And be early: don’t wait until the last minute to figure out your compliance plan when an enforcement date is quickly approaching.
Align Visions. Harmonize your privacy vision with the company vision and mission statement. If your company prides itself on its transparency, show that being transparent with your privacy policies and principles syncs with that vision of transparency.
Case Studies. Nothing gets the point across like cold hard facts. Pull together a list of examples that show the importance of investing in privacy, such as recent regulatory fines, data breaches, and any consumer backlash related to data handling. These tangible use cases will demonstrate the severe repercussions when privacy is not taken seriously.
Privacy as a Differentiator. Show your stakeholders how privacy can drive innovation and set the company apart from its competitors. At CES 2019, Apple took out a large billboard stating “What happens on your iPhone, stays on your iPhone.” This marketing move focused on Apple’s commitment to user privacy and used that commitment as a competitive edge.
Know What’s at Stake. Business leaders need to know how much they have to lose. Regulations such as the GDPR and the CCPA come with significant penalties for non-compliance. GDPR fines can total up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding financial year (whichever is higher). Furthermore, stakeholders need to evaluate how a potential loss of trust could negatively affect brand equity.
Set Goals and Targets
Program Maturity Level. Conduct assessments to understand your company’s maturity level. Explain to the stakeholders the maturity level of the current privacy program, and discuss the resources needed to reach a higher maturity level and the value of achieving it.
Compliance Metrics. As mentioned before, cold hard facts get the point across. Compile metrics on where the company stands in terms of, for example, the number of privacy incidents, the number of data access requests, and the number of hours dedicated to employee training. Or, conversely, point out that not knowing these key metrics suggests that your organization may be at risk if they are requested by a regulator, shareholders, or prospective M&A partners. Review and analyze past privacy incidents to create qualitative metrics. Set goals for the future and explain what is needed to meet them.
Let Technology Help
Automate. Aim for consistency, repeatability, and scalability by using technology to automate and operationalize your privacy processes. For risk assessments, use a tool to complete assessments and generate compliance reports, which saves time, increases accuracy, and improves record keeping. Move away from spreadsheets, which are very difficult to update and keep current.
Simplification. Technology can simplify the complex world of privacy regulation and privacy management. Managing data privacy and compliance risk is nearly impossible without specialized technology to streamline the process. A data inventory and mapping solution makes it easy to standardize and operationalize these processes, and creates a detailed, up-to-date inventory of the data collected along with visual data flow maps of all business processes.
Visit our website to learn more about how TrustArc can simplify privacy management for the GDPR, CCPA and 500+ other global regulations with our comprehensive technology platform.
An influx of personal data collected by businesses puts those businesses in a vulnerable situation. Failing to manage this data properly could result in fines if businesses are not measuring risk and establishing controls to mitigate it. Furthermore, customers demand that their personal data be respected and managed with care. That’s why TrustArc built the Risk Profile.
Powered by the TrustArc Intelligence Engine, the Risk Profile automatically scores inherent and residual risk of various business activities. Privacy managers and business unit leaders can now access the risk information they need to know, when they need it, and in the right context.
Risk Profile capabilities include:
- Dashboard Widget: Using a simple scoring method, privacy managers and business leaders determine how many risk factors are associated with any given business activity. With a high-level view and the ability to dive deep into risk factors, users get greater visibility into risk across their business — straight from the dashboard.
- Risk Algorithm: The Risk Algorithm covers 40+ laws across the world. This intelligence helps companies identify high risk business activities, conduct the appropriate risk assessment, calculate the risk at the business activity level, and immediately understand overall organizational level risk.
- Risk Evaluation Heat Map: Privacy leaders have full control to go deeper within any business activity level to further investigate risk. With an easy-to-use heat map, users can indicate the perceived inherent risk of a particular business process. Ultimately, this risk evaluation measures and calculates the inherent risk.
- Dynamically Generated Impact Assessment Reports: Privacy owners can now manage privacy programs with the confidence that they have the right controls in place for risky business processes. Based on the number of risk factors associated with a business activity, users are routed to the appropriate privacy impact assessment (PIA). These assessments result in dynamic reports that can be used in executive meetings, audits, and other business reviews.
Use these benefits in closing:
- Save time by automatically calculating risk and streamlining evaluation of controls in place to mitigate such risk
- Easily view and control risk across your organization and within any IT system, business process, or record
- Communicate compliance needs to other leaders with dynamic reporting
In this age, companies must be agile as they fight to keep up with consumer needs while also being responsible in their use of personal data. TrustArc is committed to helping businesses make business decisions faster, leveraging privacy intelligence to do so.
Want to learn more? We’d be happy to set you up with an expert.