Compliance Program Presents That Keep On Giving in 2016

In my house, the boys are getting excited anticipating the presents that are going to be under the Christmas tree. My figurative presents under the tree are some thoughts from the 2015 Privacy. Security. Risk. (P.S.R.) conference presented by the International Association of Privacy Professionals (IAPP) and the Cloud Security Alliance (CSA). When you open these presents, you’ll find thoughts from Lockheed Martin, Microsoft, Acxiom and Hewlett-Packard to help improve your compliance program in 2016.

APPLYING RISK MANAGEMENT TECHNIQUES TO MANAGING PRIVACY
Jim Byrne, Chief Privacy Officer (CPO) and Associate General Counsel at Lockheed Martin; Brendon Lynch, CPO at Microsoft

At Lockheed Martin, Mr. Byrne takes a dual perspective on assessing risk, first examining risk from the customer’s perspective and then from the business perspective. Doing this well requires a deliberate compliance strategy; an understanding of how organizational structure and accountability can be leveraged; policy development; incident management; and privacy reviews. The privacy-review components highlighted were what constitutes a privacy review, which type of review an initiative needs, and how exceptions to the review process are handled.

The framework Lockheed Martin uses can be described as follows:

Governance

  • Corporate strategy and direction
  • Executive leadership aligned with corporate approach
  • Champions within business units ensuring operational alignment

Compliance

  • Approach to cross-border data transfers
  • Incident and breach management
  • Policy development and communication
  • Oversight

    • Privacy Impact Assessments
    • Application reviews
    • Process change management

Integration

  • Vendor evaluation processes – Request for Proposals
  • Supply chain management
  • Outside counsel management and involvement
  • Mergers & Acquisitions

Workforce Excellence

  • Training and Awareness

Mr. Lynch outlined Microsoft’s methodology for managing privacy risk. The likelihood of a risk having an organizational impact is scored on a 1 to 5 scale, the potential impact of the risk is scored on a 1 to 5 scale, and the two are multiplied together to give an “inherent risk” score on a 1 to 25 scale. This score is then compared with the perceived effectiveness of the controls that mitigate, monitor, and manage the risk. Each risk can then be plotted on an X-Y coordinate graph, with risk treatments assigned as follows:

  • Tolerate: Inherent Risk score <10, Control Effectiveness <3
  • Operate: Inherent Risk score <10, Control Effectiveness >3
  • Monitor: Inherent Risk score >10, Control Effectiveness >3
  • Improve: Inherent Risk score >10, Control Effectiveness <3
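The scoring method above is easy to turn into a small risk register, and doing so exposes an edge the post leaves open: its thresholds are strict (<10 and >10, <3 and >3), so a risk scoring exactly 10 or a control rated exactly 3 falls into no quadrant. The example below is added here and is not Microsoft’s or the author’s code; the thresholds 10 and 3 come from the post, while the sample risks, the 1 to 5 control-effectiveness scale, and the conservative handling of boundary values (a score of exactly 10 is treated as high risk, a control rating of exactly 3 as not yet effective) are assumptions made for illustration.

```python
"""Inherent-risk scoring and treatment selection (added example).

Implements the likelihood x impact method described in the post:
inherent risk = likelihood (1-5) * impact (1-5), giving 1-25, then
compared with control effectiveness to pick one of four treatments.
"""
from dataclasses import dataclass
from typing import List, Tuple

INHERENT_RISK_THRESHOLD = 10   # from the post
CONTROL_THRESHOLD = 3          # from the post


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: int             # 1..5, chance of an organizational impact
    impact: int                 # 1..5, severity if it occurs
    control_effectiveness: int  # 1..5; scale is an assumption, the post gives only the threshold


def _check_scale(value: int, label: str) -> None:
    """All inputs are whole-number scores from 1 to 5."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{label} must be an integer from 1 to 5, got {value!r}")


def inherent_risk(likelihood: int, impact: int) -> int:
    """Likelihood times impact, on the post's 1 to 25 scale."""
    _check_scale(likelihood, "likelihood")
    _check_scale(impact, "impact")
    return likelihood * impact


def treatment(score: int, control_effectiveness: int) -> str:
    """Map a (score, control effectiveness) point to its quadrant.

    Boundary handling is an assumption: the post uses strict inequalities,
    so exactly 10 and exactly 3 are undefined there. We err toward more
    attention: 10 counts as high risk, 3 counts as not yet effective.
    """
    _check_scale(control_effectiveness, "control_effectiveness")
    high_risk = score >= INHERENT_RISK_THRESHOLD
    effective = control_effectiveness > CONTROL_THRESHOLD
    if high_risk and effective:
        return "Monitor"
    if high_risk and not effective:
        return "Improve"
    if not high_risk and effective:
        return "Operate"
    return "Tolerate"


def build_register(risks: List[Risk]) -> List[Tuple[str, int, int, str]]:
    """Return (name, inherent score, control effectiveness, treatment),
    highest inherent risk first so the 'Improve' items surface on top."""
    rows = []
    for r in risks:
        score = inherent_risk(r.likelihood, r.impact)
        rows.append((r.name, score, r.control_effectiveness,
                     treatment(score, r.control_effectiveness)))
    rows.sort(key=lambda row: (-row[1], row[0]))
    return rows


# Constructed sample register; names and scores are illustrative only.
SAMPLE_RISKS = [
    Risk("Customer list shared with vendor lacking a data-processing agreement", 4, 4, 4),
    Risk("Backup media stored unencrypted off-site", 2, 5, 2),
    Risk("Analytics cookies set before notice is shown", 3, 3, 5),
    Risk("Stale entries in internal employee directory", 3, 2, 2),
]


if __name__ == "__main__":
    for name, score, eff, action in build_register(SAMPLE_RISKS):
        print(f"{score:>2}  ctl={eff}  {action:<8}  {name}")
```

Sorting by inherent risk rather than by treatment keeps the register honest: a well-controlled 16 still sits above a poorly controlled 6, which is exactly the conversation the “Monitor” quadrant is meant to prompt.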

PRIVACY IMPACT ASSESSMENTS: SPEAKING THE BUSINESS LANGUAGE
Sheila Colclasure, Privacy Officer at Acxiom; Scott Taylor, VP and CPO at Hewlett-Packard

Ms. Colclasure and Mr. Taylor outlined a process by which compliance teams can increase the impact of their assessments of compliance risk. The foundation of this was as follows:

Understand the Business Values

  • Corporate values as they relate to compliance
  • How the company wants to be seen by the public
  • Start with industry best practices
  • Comply with the law and align with company values
  • Base the assessment on the business model, not an off-the-shelf model

Understand the Privacy Office Objectives

  • Brand protection
  • Compliance
  • Sustainability of the privacy program

Understand the Business Objectives

  • Brand protection
  • Mitigating complexities
  • Simple
  • Fast
  • Easy and accessible

Your assessment process and program need to serve as a business enabler for your operational teams to achieve their goals. The process needs to get to “Yes” in a timely manner, provide guidance that can be used to reach objectives, and deliver what the operational teams need to be effective. The process needs to invert the traditional perspective that compliance teams take and put business enablement ahead of pure compliance.

FOUR AREAS TO EVALUATE TO SEE IF YOUR COMPLIANCE TEAM IS DRIVING THE IDENTIFIED VALUES:

  • Has the compliance team identified, socialized, and realized the business value of the assessment process?
  • Is the compliance team playing offense – proactively reaching out, espousing the benefits of using the process and the negative consequences of not using it – or playing defense?
  • Is the assessment process effectively positioned in the minds of the operational stakeholders?
  • Has your organization bought into the process, and is it effectively participating?

These sessions reinforced for me the importance of a compliance team engaging productively with its partners within the business. In the New Year, you can evaluate the relationship the two have with each other in your institution. Your input and leadership can help them find more effective ways to collaborate. The increased strength of your compliance program from these efforts will be the present that keeps on giving throughout 2016.

Brad Reimer, CIPP/US, is Manager, Privacy and Marketing Compliance at Deluxe Corporation. Brad has worked in the privacy area as a compliance subject matter expert in operational, legal, IT, and governance roles, developing policies, procedures, tools, and governance structures to ensure efficient and effective operational alignment with regulatory requirements, industry best practices, and corporate policies. Connect with Brad on LinkedIn.

Reposted with permission from Deluxe Blogs