Running a successful privacy function


Synopsis:
Clients can outsource the setting up of the privacy program to CyTRAP Labs, ensuring that all the necessary policies, functions and processes are set up in an appropriate, effective and cost-efficient manner.
Policies and regulations must be administered effectively, and violations must be documented. Annual or more frequent audit reports should help the firm improve its privacy protection.
Privacy assurance is critical to protect the firm’s reputation and retain clients’ trust.

What is needed to operate a well-structured privacy program or office?

Demonstrating accountability, managing customer interactions, and managing internal privacy initiatives require a structured privacy program. Standard forms, documents and procedures are needed to accomplish tasks such as:

– compliance audits
– customer access requests
– compliance management and reporting
– ongoing education programs
– consent change management
– monitoring of third parties
– privacy consultations and conflict resolutions

Reviewing policies

Corporate privacy policies are created either as a guideline for the business units or for customer consumption, or both. They are general and legal in nature, with a subset of the policy becoming the privacy statement on the firm’s website.

Business units may create specific policies, based on the corporate guidelines, to reflect the unique nature of their business. Each business unit tracks specific policies for every customer data repository (e.g., the enterprise resource planning (ERP) database) and, in some cases, for every data element, such as:

– purpose,
– use,
– disclosure,
– consent,
– archiving and/or retention,
– access policies for ‘personal data’ (e.g., customer’s name, phone number, credit card info).

Globalization is making regulatory compliance ever more complex. For instance, a Swiss holding company might have to comply with the Realignment of the Swiss OR – Art 727 OR: (Art 728a Para 1 Nr. 3 OR) and privacy regulation and, due to its international activities, also with the European Union regulations, and so on.

An enterprise’s overall privacy policy may have to serve as a template for subsidiaries, while national regulations may require slight adjustments. However, the better the corporate template, the less likely a local subsidiary will have to adjust the policy. Put differently, a privacy policy that integrates German, Canadian, U.S. and European Union regulation is unlikely to require much local modification, if any. In fact, it may exceed most local requirements. Hence, the policy will work in more than one jurisdiction. Having one policy that works across the organization is far more effective than running multiple policies across the enterprise.

Conducting periodic audits

The privacy officer is usually required by regulation to provide at least one annual audit report in writing. A synopsis of this report may be published on the web for clients to see, while the complete report may be available from the privacy office.

Generally, the audit aims to:

– ensure accountability by commissioning periodic external, independent and impartial evaluations of current IT security and risk management efforts;
– ensure corporate compliance with state regulation, baselines, standards, codes and industry requirements; and
– disclose the results of the external audit to the principal stakeholders, like customers, investors, executives, government inspectors and auditors, in a transparent and timely manner.

Education programs

Education programs are a key component of the successful implementation of privacy policies. They are also a regulatory requirement.

Hence, the privacy officer designs and conducts, or supports the delivery of, training for staff on privacy rules, regulations, policies and practical issues (what to do when… and how).

For more information, contact us directly