Data Privacy Training Workshop 201
Operationalizing Your Data Privacy Program

Self Check 1: How would you measure the maturity of your organization's Privacy Program?

Our Learning Objectives
1. EMPOWER DPOs to implement Data Protection Agreements (DPA).
2. STRENGTHEN the current DPA implementation within organizations.
3. IDENTIFY gaps in data protection maturity using a Project Management Maturity (PMP) checklist.

CHAPTER 1: Privacy Management Program

Privacy Management Program (PMP)

The 10 pointers to "Substantial Compliance"
1. Organizational Governance
2. Conduct of a PIA of ALL processes and Data Processing Systems (DPS)
3. Creation of a Privacy Management Program
4. Implementation of a Central Privacy Manual
5. Registration of the DPO, COP/s and DPS via the NPC-RS
6. Creation of a Data Breach Response/Security Incident Management Team
7. Practice of reporting breaches and security incidents, and submission of Annual Security Incident Reports (ASIRs) via the NPC-DBNMS
8. Implementation of Organizational, Technical and Physical Security Measures
9. Creation of mechanisms for the exercise of the 8 Data Subject Rights
10. Adherence to the three privacy principles of Transparency, Legitimate Purpose and Proportionality

Privacy Vision and Privacy Mission
The Privacy Vision provides the overarching direction and aspiration, while the Privacy Mission outlines the concrete steps and actions to realize that vision.

PURPOSE
➢ Privacy Vision: To articulate the organization's long-term aspirations and commitment to data privacy.
➢ Privacy Mission: To define the specific actions and strategies the organization will undertake to achieve its privacy vision.
SCOPE
➢ Privacy Vision: Broad and future-focused, outlining the principles and goals that guide the organization's overall approach to protecting personal data.
➢ Privacy Mission: Practical and action-oriented, detailing the day-to-day operations and initiatives aimed at ensuring data privacy.
EXAMPLES
➢ Privacy Vision: "To be a trusted leader in safeguarding personal data, ensuring privacy for all our stakeholders." / "To foster a world where personal data is respected and protected as a fundamental human right."
➢ Privacy Mission: "To implement robust privacy policies, conduct regular training, and ensure compliance with all relevant data protection regulations." / "To proactively safeguard personal data through continuous improvement of our privacy practices, comprehensive staff training, and strict adherence to global data protection standards."

What is a Privacy Management Program?
❖ It is a holistic approach to implementing and giving effect to the privacy principles.
❖ It is a process intended to embed Data Privacy and Protection in:
➢ The Strategic Framework
➢ The Daily Operations of a PIC/PIP
❖ It establishes a governance structure, implements clear processes and procedures, and provides the necessary tools and mechanisms to ensure adherence and compliance.

Main Components of a PMP
GOVERNANCE
1. Management Buy-In (establish a governance framework)
2. Appoint a Privacy Officer (reporting mechanism)
3. Define roles and responsibilities
PROGRAM CONTROLS
1. Records of Processing Activities
2. Risk Assessment
3. Registration
4. Policies and Procedures
5. Data Security
6. Capacity Building – Training and Awareness
7. Breach Management
8. Notification
9. Third-Party Management
10. Communication
CONTINUITY AND ESTABLISHING A PRIVACY ECOSYSTEM
➢ Oversight and Review Plan
➢ Assess and Revise Program Controls (updates and revision)

Governance Structure: Organizational Commitment
❖ Creating a Governance Structure
❖ The Board or head of the organization shall drive the urgency within the organization to comply with the DPA, its IRR and other relevant issuances.
❖ The commitment may be demonstrated by maintaining a PMP and allocating resources for its successful implementation.
Demonstrated by Top Management through:
● Appointment of a DPO
● Endorsement of the PMP
● Reporting to the Board or the Head of the Organization

Organization Structure
GOVERNMENT SECTOR
● Centralized Organizational Structure for Data Privacy in the Organization (Circular 17-01)
PRIVATE SECTOR
● Centralized
● Decentralized
● Hybrid

Sample Centralized Organizational Structure (organizational chart)
● DPO
➢ COP-1: Privacy Analyst, Privacy Analyst
➢ COP-2: Privacy Analyst, Privacy Analyst

Sample Simple Centralized Organizational Structure (organizational chart)
● DPO
➢ DPA Staff

Sample Decentralized Organizational Structure (organizational chart)
● Group DPO/Chief Privacy Officer
➢ DPO Company A: COP-1, COP-2
➢ DPO Company B: COP-3, COP-4

Sample Hybrid Organizational Structure, Centralized + Decentralized (organizational chart)
● Global DPO/Chief Privacy Officer
➢ Regional DPO-1 and Regional DPO-2
➢ Under each Regional DPO: country DPOs (DPO Country A, ...), each supported by a Privacy Program Manager and a Privacy Program Analyst

Self Check 2: Which organizational structure do you have?

Data Protection Officer (DPO)

What is a DPO?
❖ An individual designated by the head of agency or organization to ensure the agency's compliance with R.A. 10173.
Why appoint a DPO?
❖ A PIC and PIP shall designate an individual or individuals who will ensure the organization's compliance with the DPA.
Legal Basis:
✔ DPA, Section 21(b)
✔ DPA IRR, Section 50(b)
✔ DPA IRR, Section 26(a)
One of the first points of compliance by any organization.

General Qualifications
❖ Possess specialized knowledge and demonstrate the reliability necessary for the performance of his or her duties and responsibilities.
❖ Expertise in relevant privacy or data protection policies and practices.
❖ Sufficient understanding of the processing operations being carried out by the PIC or PIP, including the latter's information systems, data security and/or data protection needs.
❖ Knowledge of the sector or field of the PIC or PIP, and of the latter's internal structure, policies, and processes.

Duties and Responsibilities (summary)
1. Monitor Compliance with the DPA.
2. Conduct Privacy Impact Assessments: perform regular assessments to mitigate privacy risks.
3. Address Complaints and Ensure Data Subject Rights: resolve complaints and uphold data subject rights.
4. Manage Data Breaches and Security Incidents: develop procedures for reporting and mitigating breaches.
5. Promote Privacy Awareness: conduct training and awareness programs on data privacy.
6. Advocate for Privacy by Design: integrate privacy considerations into products and services.
7. Serve as Contact for Data Subjects and the NPC: act as the primary contact for data subjects and the NPC.
8. Coordinate with the NPC: maintain communication and submit required reports to the NPC.

Duties and Responsibilities (in detail)
1. Monitor the PIC's or PIP's compliance with the DPA, its IRR, issuances by the NPC and other applicable laws and policies. For this purpose he/she may:
a. collect information;
b. analyze and check the compliance;
c. inform, advise, and issue recommendations to the PIC or PIP;
d. ascertain renewal of accreditations or certifications;
e. advise the PIC or PIP as regards the necessity of executing a Data Sharing Agreement.
2. Ensure the conduct of Privacy Impact Assessments relative to activities, measures, projects, programs, or systems of the PIC or PIP;
3. Advise the PIC or PIP regarding complaints and/or the exercise by data subjects of their rights;
4. Ensure proper data breach and security incident management by the PIC or PIP, including the latter's preparation and submission to the NPC of reports and other documentation concerning security incidents or data breaches within the prescribed period;
5. Inform and cultivate awareness on privacy and data protection within the organization of the PIC or PIP, including all relevant laws, rules and regulations and issuances of the NPC;
6. Advocate for the development, review and/or revision of policies, guidelines, projects and/or programs of the PIC or PIP relating to privacy and data protection, by adopting a privacy by design approach;
7. Serve as the contact person of the PIC or PIP vis-à-vis data subjects, the NPC and other authorities in all matters concerning data privacy or security issues or concerns of the PIC or PIP;
8. Cooperate, coordinate and seek advice of the NPC regarding matters concerning data privacy and security; and
9. Perform other duties and tasks that may be assigned by the PIC or PIP that will further the interest of data privacy and security and uphold the rights of the data subjects.

Position of the DPO
❖ Must be INDEPENDENT in the performance of his or her functions and should be accorded a significant degree of AUTONOMY.
❖ The DPO or COP may perform (or be assigned to perform) other tasks or assume other functions that do not give rise to ANY CONFLICT OF INTEREST.
❖ Must be a full-time, organic employee.
❖ The position should be a regular or permanent position.
❖ In case it is based on a contract, the duration of the contract should be at least two (2) years.
❖ In case of vacancy, the PIC or PIP should provide for an appointment WITHIN REASONABLE TIME, or require that the incumbent serve in a holdover capacity until an appointment or hiring of a new DPO or COP is made.

Compliance Officer for Privacy (COP)
❖ An individual or individuals who perform some of the functions of a DPO in particular cases.
❖ The minimum qualifications for a COP shall be proportionate to his or her functions, as provided in NPC Advisory 2017-01.

Group of Companies
❖ A group of related companies may appoint or designate the DPO of one of its members to be primarily accountable for ensuring the compliance of the entire group with all data protection policies. Where such a common DPO is allowed by the NPC, the other members of the group must still have a COP, as defined in the Advisory.
Example: A DPO in the holding company and a COP in each of its subsidiaries.

Outsourcing or Subcontracting of Functions
❖ Outsourcing or subcontracting is allowed.
❖ The DPO or COP must oversee the performance of his or her functions by the third-party service provider or providers.
❖ The DPO or COP shall also remain the contact person of the PIC or PIP vis-à-vis the NPC.

Publication and Communication of DPO Details
To ensure easy communication with the DPO, the PIC or PIP must publish their contact details in at least ONE of the following media:
❖ Website
❖ Privacy Policy
❖ Privacy Notice
❖ Privacy Manual / Privacy Guideline
The contact details that SHOULD be included are:
● Title and Designation
● Postal Addresses
● Dedicated Telephone Number
● Dedicated Email Addresses
*** The NAME of the DPO need not be mentioned but should be available upon request.

Obligations of Management
1. Communicate to its personnel the designation of the DPO or COP and his or her functions.
2. Involve the DPO or COP at the earliest stage possible in all issues relating to privacy and data protection.
3. Provide sufficient time and resources necessary for the DPO or COP to keep himself or herself updated with the developments in data privacy and security and to carry out his or her tasks.
4. Grant appropriate access to the personal data it is processing.
5. Invite the DPO to participate in meetings of senior or middle management to represent the interest of privacy.
6. Promptly consult the DPO in the event of a breach or security incident.
7. Ensure the DPO or COP is made part of all relevant working groups that deal with personal data processing.

Protections
The PIC or PIP should not directly or indirectly penalize or dismiss the DPO for performing his or her tasks. However, this does not prevent them from applying other legitimate penalties against the DPO, such as those based on labor, administrative, civil or criminal laws.

Weight of Opinion
The PIC or PIP must give the opinion of the DPO due weight in its decision making. If they choose not to follow the advice of the DPO, it is recommended to document the reasons.

Accountability
The responsibility for compliance with all privacy-related legal obligations rests with the PIC or PIP. However, the malfeasance, misfeasance or nonfeasance of the DPO in the discharge of their functions can be used as grounds for administrative, civil or criminal liability in accordance with all applicable laws.

Compliant vs Negligent
WHAT COMPLIANCE LOOKS LIKE
✔ Notarized appointment or designation of a DPO, filed with the NPC
✔ Evidence of actions taken on the basis of DPO recommendations
✔ Contact details on website (if any)
✔ Continuing education program
WHAT NEGLIGENCE LOOKS LIKE
× No formal appointment as a DPO
× Lack of interaction between DPO and top management, and between DPO and functional units
× Inaction on complaints from data subjects
× Non-reporting to the NPC

What makes a good DPO?

CHAPTER 2: Program Controls – Privacy Manual

THE PRIVACY MANUAL

Privacy Program vs Privacy Manual/Policy (diagram): the Privacy Manual/Policy is one element of the wider Privacy Program, alongside Incidents & Breaches, the DPO, Contract Management, PIAs, 3rd Party Management, the DPS Register / RoPA / Data Inventories, and T.O.P Controls.

What is a Privacy Manual?
Privacy Policy vs Privacy Manual (NPC Circular 2023-04, Guidelines on Consent)
❖ A Privacy Policy is a set of policies that governs a PIC's/PIP's personal data processing practices.
❖ It provides guidance to internal relevant parties (e.g., officers, employees) involved in any personal data processing activity.
❖ It is also referred to as a "Privacy Manual".

Privacy Manual vs Privacy Policy (global definition)
❖ A Privacy Manual is an INTERNAL document.
➢ Meant to guide employees and contracted 3rd parties on personal data handling.
❖ A Privacy Policy is an EXTERNAL document.
➢ Meant to inform the public of the extent of an organization's personal data processing.
Note: It is important to set definitions within your organization so that you are aligned across departments and operating markets.

Privacy Statement vs Privacy Notice (NPC Circular 2023-04, Guidelines on Consent)
Privacy Statement: a general statement on a PIC's personal data processing practices across the entire organization.
Privacy Notice: a unilateral statement that contains essential information on a specific processing activity of a PIC that involves the data subject.

Sample Privacy Statement
"The National Privacy Commission (NPC) is committed to fully protect your personal data privacy in compliance with Republic Act No. 10173, otherwise known as the Data Privacy Act of 2012 (DPA). We shall detail the manner in which we process your personal data and provide a separate privacy notice in an appropriate format and manner whenever we collect personal data through other channels (e.g., publicly facing data processing systems implemented, notice posted at the reception area of NPC during events where participants' personal data is collected through attendance sheets or registration forms when personal data is collected according to the NPC's mandate). In all instances, we assure you that processing your personal data will strictly follow the provisions of DPA, especially the general data privacy principles of Transparency, Legitimate Purpose, and Proportionality."
Source: https://privacy.gov.ph/npc-privacy-policy-2/

Privacy Manual vs Privacy Statement vs Privacy Notice vs Privacy Policy (diagram): the Privacy Statement, the Privacy Notice and the External Privacy Policy are public-facing documents; the Privacy Manual / Internal Privacy Policy is the internal document.

Self Check 3: Which of the following do you have in place?

What is the legal basis to have a Privacy Manual?
❖ DPA Implementing Rules and Regulations, Rule VI: Security Measures for the Protection of Personal Data
➢ Section 26-b, Organizational Security Measures: "Data Protection Policies. Any natural or juridical person or other body involved in the processing of personal data shall implement appropriate data protection policies that provide for organization, physical, and technical security measures, and, for such purpose, take into account the nature, scope, context and purposes of the processing, as well as the risks posed to the rights and freedoms of data subjects."
➢ Section 27-a, Physical Security Measures: "Policies and procedures shall be implemented to monitor and limit access to and activities in the room, workstation or facility, including guidelines that specify the proper use of and access to electronic media."
➢ Section 28-a, Guidelines for Technical Security Measures: "a security policy with respect to the processing of personal"
❖ NPC Circular 2023-06, Security of Personal Data in the Government and Private Sector
➢ Section 4E, General Obligations: "A PIC and its PIP shall fulfill the following responsibilities: E. Set a Privacy Management Program, taking into account the following: 2. Control framework for the development of privacy policies and implementation of data protection measures……"

FAMILIARIZE ourselves with the Key Components of a good Privacy Manual

Key Components of a Good Privacy Manual (source: NPC Privacy Toolkit 3rd Edition)

The Introduction
❖ This section lays down the basis of the Manual.
❖ Provides an overview of:
➢ The DPA, its IRR and applicable NPC issuances
➢ Other regulations that affect the organization relative to processing personal data (e.g. Financial Products and Services Consumer Protection Act (FCPA))
➢ Industry/Sector practices
❖ Explains how your organization complies with the privacy principles and protects the rights of your data subjects.

Definition of Terms
❖ Provides your organization with a uniform understanding of privacy-related terminology.
❖ Introduces concepts and terminology commonly used in the management of a Privacy Program.
TIP: Derive the definitions themselves from the DPA, its IRR and other NPC issuances.

Scope and Limitation
Defines the implementation coverage of the manual: what it covers and what it doesn't.
Example: "This policy shall cover the organization's processing of personal data for its clients, employees, third party representatives including those of its affiliates and subsidiaries…"

Processing of Personal Data
This portion covers the specific practices that an organization performs at every stage of the personal data lifecycle, from collection to destruction.
Example, COLLECTION: "This company collects the basic contact information of clients and customers, including their full name, address, email address, contact number, together with the products that they would like to purchase. The sales representative attending to customers will collect such information through accomplished order forms."
Example, STORAGE, RETENTION & DESTRUCTION: "This company ensures that personal data under its custody are protected against any accidental or unlawful destruction, alteration and disclosure as well as against any other unlawful processing. The company will implement appropriate security measures in storing collected personal information, depending on the nature of the information. All information gathered shall not be retained for a period longer than one (1) year. After one (1) year, all hard and soft copies of personal information shall be disposed and destroyed, through secure means."
Example, ACCESS: "Due to the sensitive and confidential nature of the personal data under the custody of the company, only the client and the authorized representative of the company shall be allowed to access such personal data, for any purpose, except for those contrary to law, public policy, public order or morals."
Example, DISCLOSURE AND SHARING: "All employees and personnel of the company shall maintain the confidentiality and secrecy of all personal data that come to their knowledge and possession, even after resignation, termination of contract, or other contractual relations. Personal data under the custody of the company shall be disclosed only pursuant to a lawful purpose, and to authorized recipients of such data."

Security Measures for Personal Data
This portion details the specific control measures for personal data spread amongst the three (3) types of security measures:
ORGANIZATIONAL MEASURES
✔ DPO and COP appointment and qualification
✔ Conduct of PIAs
✔ Conduct of training and awareness
✔ Crafting of the Privacy Manual
✔ Data and processing activity inventories
PHYSICAL MEASURES
✔ Physical document storage
✔ Physical access control
✔ Document numbering and control
✔ Physical destruction of forms and documents
✔ CCTV and security personnel placement
TECHNICAL MEASURES
✔ Security incident monitoring
✔ Data encryption
✔ Access authentication
✔ Vulnerability assessments and testing
✔ Software and application controls

Breach and Security Incidents
❖ This portion details the specific policies, procedures and guidelines covering the handling of security incidents and personal data breaches, from discovery through resolution and monitoring.
❖ This may be separate from existing security incident policies and procedures, which are normally maintained by the Information Security Office or equivalent.
❖ This portion normally covers the creation, composition and roles of a breach response team and the notification procedures (NPC Circular 16-03).

Inquiries and Complaints
❖ This portion details how an organization will respond to any data subject's exercise of their rights.
❖ This portion may take reference from the more specific handling procedures and guidelines provided in NPC Advisory 2021-01.

Effectivity and Updates
❖ Last but not least is the time of effectivity of your Privacy Manual.
❖ Important to note here as well are the events, circumstances and regularity by which the manual will be updated. Factors that may trigger an update outside of a scheduled update are:
➢ Regulatory requirements
➢ Changes in organization strategy
➢ Updates to current privacy legislation or other related legislation

IDENTIFY other key parts of a Privacy Manual

Other Key Parts of a Privacy Manual

The DPO and its accompanying office
❖ This normally tackles the specifics of appointing a DPO or COP and their qualifications.
This may cover the following:
➢ Tenure and rank in the organization
➢ Organization of the DPO Office (personnel and resources needed)
➢ Specific qualification criteria and areas of expertise
➢ Succession and continuity of the DPO
➢ Placement of the DPO office in the organization (organizational chart)

Third Party Management (PIPs and PICs)
❖ A section of the manual may be dedicated to an organization's dealings with PIPs for outsourced data processing, and to sharing with other controllers under a Data Sharing Agreement.
❖ Particular to the use of PIPs in the conduct of business by the organization, some key points to note here are:
➢ Accreditation and screening of PIPs
➢ Right to audits and compliance checks
➢ Specific PIP personal data handling requirements

Rights of a Data Subject
❖ Complementary or supplementary to the earlier section on inquiries and complaints, a section may be dedicated to the handling of Data Subject Rights Requests (DSRRs).
❖ This section normally tackles the extent and limitations of the exercise of each of the eight (8) rights by the organization. To note here may be the following:
➢ Departments to handle or address DSRRs
➢ Escalation to the DPO
➢ Turnaround times
➢ Appropriate fees and administrative costs (as deemed applicable and appropriate)

Management Participation
❖ Another important component of a Privacy Manual is the expected participation of other management stakeholders in an organization's privacy program.
❖ Discussed here normally are:
➢ Approval of the manual by top management (e.g. BOD, Executive Committee)
➢ Ownership of the policy and responsibility for its implementation
➢ Supporting departments for the DPO and its office (e.g. Legal, Compliance, Data Governance, IT, InfoSec)

Reporting and Regulatory Affairs
❖ Important to include in the manual, for governance and accountability, are the regular reporting mechanisms with top management and with the NPC.
❖ Common areas covered here are:
➢ Regular reporting to a management-level committee or the Board of Directors on key activities and updates of your respective privacy offices
➢ Preparation and submission of the Annual Security Incident Report (ASIR) every Q1

SAMPLE PRIVACY MANUAL (sample pages shown as images in the deck)

CHAPTER 3: Third Party Risk Management

Third Party Risk Management

Data Processing / Outsourcing / Subcontracting Agreement (DP/OA)
Diagram: the Data Subject's personal data is held by the Personal Information Controller (PIC), which engages Personal Information Processors (PIPs) such as a Cloud Service Provider, Analytics Tools, a Payroll Provider, an HMO or a CRM Platform under a DPOA.
Personal Information Controller (PIC)
➔ determines the purpose and means of processing of personal data
➔ may instruct another entity (the PIP) to process personal data on its behalf
Personal Information Processor (PIP)
➔ entity to whom the processing of personal data has been delegated or outsourced by the PIC
➔ processes personal data according to the instructions and standards of the PIC

Data Sharing Agreement (DSA)
"Data sharing" is between PICs. It is the sharing, disclosure, or transfer to a third party of personal data under the custody of a PIC to one or more other PIC/s.
Note: The DSA can likewise be an annex or addendum to the main contract or partnership agreement.
Diagram: PIC 1 and PIC 2 sharing personal data under a DSA.

Legal Framework: Outsourcing of Data Processing (PIC to PIP)
DPA IRR, Sec. 44: "Processing by a [PIP] shall be governed by a contract or other legal act that binds the [PIP] to the [PIC]."
❖ The PIC must ensure that the PIP implements appropriate technical and organizational measures to safeguard data processing and to observe the data protection principles.
❖ Use the PIA to determine the controls needed.

Key Components of a DP/OA (Data Processing / Outsourcing Agreement)
❖ Subject-matter and duration of the processing
❖ Nature and purpose of the processing
❖ Type of personal data and categories of data subjects
❖ Geographic location of the processing under the subcontracting agreement
❖ Obligations and rights of the PIC
❖ Undertakings of the PIP:
1. Follow the documented instructions of the PIC, including on cross-border transfers of personal data;
2. Impose an obligation of confidentiality on persons authorized to process the personal data;
3. Implement appropriate security measures and comply with the DPA of 2012, the DPA IRR, and other issuances of the NPC;
4. Not engage another PIP without prior instruction from the PIC; any such arrangement shall ensure that the same obligations for data protection under the contract or legal act are implemented;
5. Assist the PIC to fulfill the obligation to respond to data subject requests;
6. Assist the PIC in ensuring compliance with the DPA of 2012, the DPA IRR, relevant laws, and other issuances of the NPC, taking into account the nature of processing and the information available to the PIP;
7. At the choice of the PIC, delete or return all personal data to the PIC after the end of the provision of services;
8. Make available to the PIC all information necessary to demonstrate compliance with the DPA of 2012, and allow for and contribute to audits, including inspections, conducted by the PIC or another auditor;
9. Immediately inform the PIC if, in its opinion, an instruction infringes the DPA of 2012, the DPA IRR, or any other issuance of the NPC.
Note: The DPOA can be an annex or addendum to the main contract or services agreement.

Legal Framework: Data Sharing (PIC to PIC)
❖ DPA IRR, Sec. 20: "Data sharing for commercial purposes, including direct marketing, shall be covered by a data sharing agreement. [...] Data sharing between government agencies for the purpose of a public function or provision of a public service shall be covered by a data sharing agreement."
❖ Data subjects should be provided with either a Privacy Notice or a Consent Form, depending on the appropriate lawful basis relied upon, before personal data is shared or at the next practical opportunity.
○ If Consent is relied upon as the lawful basis, it is required even when the data will be shared with an affiliate.
❖ The DSA shall establish adequate safeguards for data privacy and security, and uphold the rights of data subjects.
❖ Parties must maintain a record of DSAs, including proof of consent of the data subject (if consent is the lawful basis).
Third Party Risk Management
Key Components of a Data Sharing Agreement (DSA)
❖ Purpose and lawful basis of the DSA
❖ Parties to the DSA
❖ Term or duration of the DSA
❖ Operational details of the DSA, including the procedure the parties intend to observe in its implementation
❖ Description of the reasonable and appropriate organizational, physical, and technical security measures that the parties intend to adopt to ensure the protection of the shared data
❖ Rules for the retention of shared data and for the secure return, destruction, or disposal of the shared data
❖ Mechanism for data subjects to exercise their rights
❖ Other stipulations, clauses, terms and conditions as the parties may deem appropriate that are not contrary to law, morals, public order, or public policy

Third Party Risk Management
SAMPLE DSA AND DPOA
❖ DSA: DOH Template DSA, https://ntp.doh.gov.ph/download/dm2020-0344/
❖ DPOA: Sample GDPR DPOA, https://www.sec.gov/Archives/edgar/data/908259/000149315220014446/ex10-4.htm

Self Check 4
Which of the following Privacy Agreement set-ups is correct?
Join at slido.com #2707 097

CHAPTER 4
Implementation and Continuous Improvement

Develop Oversight and Review Plan
Committed organization. Consistent controls. Continuous improvement.
❖ Regularly update management on the organization’s compliance with the Data Privacy Act.
  Examples: monthly report on data subject rights requests, training completion rate, annual scorecard report-out
❖ Conduct a regular review and evaluation of the organization’s data privacy program through:
  ○ Self-evaluation
  ○ Internal audit
  ○ Third-party assessors

SAMPLE SCORECARD

Implementation and Continuous Improvement
Sample Scoring Guides

NPC Privacy Toolkit 3rd Edition (Rating: Description / Qualifier)
1.0 - 1.9: Neither documented evidence nor evidence of practice
2.0 - 2.9: No documented evidence, but there is evidence of practice
3.0 - 3.9: Documented evidence is present, but inconsistent in practice
4.0: Evidence is documented and in practice

IAPP Privacy Program Management 3rd Edition (Rating: Description / Qualifier)
Ad hoc: Procedures or processes are generally informal, incomplete, and inconsistently applied
Repeatable: Procedures and processes are in place, but they are not fully documented and do not cover all relevant aspects
Defined: Procedures and processes are fully documented, implemented, and cover all relevant aspects
Managed: Reviews are conducted to assess the effectiveness of the controls in place
Optimized: Regular review and feedback are used to ensure continual improvement toward optimization of a given process

Implementation and Continuous Improvement
Sample Measurable Areas per PMP Component - GOVERNANCE
Component element: Management Buy-In
The PIC or PIP, through its head of agency or board, resolves to acknowledge the need to comply with the Data Privacy Act and related issuances of the NPC, and to acknowledge its accountability for the protection of personal data under its control or custody.
Expected actions / Control measures in place:
● Appoint or designate a Data Protection Officer (DPO) or Office and register with the NPC.
● Management endorses the organization’s compliance with the Data Privacy Act of 2012 by releasing a communication (memorandum order) on its target compliance within the organization.
● Evidence of supportive top management, providing all the necessary resources for privacy management.
Variant expected actions / Control measures in place:
● Inclusion of the approval of the DPO appointment and of the organization’s privacy policy in the BOD’s agenda
  Evidence / Results measure:
  ○ Copy of BOD MoM
  ○ Corporate Secretary’s Certificate for the BOD Resolution
● Policy provision citing the specific roles and matters escalated to levels within top management and the BOD
  Evidence / Results measure:
  ○ Copy of the privacy policy citing the specific provisions on governance

Implementation and Continuous Improvement
Sample Measurable Areas per PMP Component - PROGRAM CONTROLS
Component element: Records of Processing Activities
There is an inventory of personal data and data processing systems, including their purpose, data flow, and the measures taken.
Expected actions / Control measures in place:
● An inventory of personal information is produced which includes the data processing systems that act on the personal data, their data flows, the purpose of processing, and their security measures.
Component element: Risk Assessment
Privacy impact assessments are conducted in accordance with a PIA plan. A process is in place for regularly testing, assessing, and evaluating the effectiveness of security measures.
Expected actions / Control measures in place:
● Preliminary preparations for privacy impact assessments
● Conduct of privacy impact assessments on the processes and systems listed in the inventory, including new or upcoming projects
● Develop proposals for mitigation and solutions based on the risks, threats and vulnerabilities identified in the privacy impact assessments
Variant expected actions / Control measures in place:
● Existence of Data Processing Systems, Data Inventories and Personal Data Flows
  Evidence / Results measure:
  ○ Last documented update of the DPS and Data Inventory
  ○ Copy of the actual data inventory and data flow
  ○ % of the organization’s Data Processing Systems captured in the DPS Inventory
● Alignment of PIA components with industry standards or other recommended formats
  Evidence / Results measure:
  ○ Gap analysis of the PIA against ISO 29134
● Timing of the conduct of PIAs for all deployed systems and applications processing personal data
  Evidence / Results measure:
  ○ % of PIAs conducted before deployment or go-live

Implementation and Continuous Improvement
Sample Measurable Areas per PMP Component - CONTINUITY and ESTABLISHING a PRIVACY ECOSYSTEM / OVERSIGHT and REVIEW PLAN
Component element: Develop Oversight and Review Plan
The DPO should monitor data processing systems and ensure the conduct of PIAs when necessary. The organization must provide policies for the documentation, regular review, evaluation and updating of its privacy and security practices.
Expected actions / Control measures in place:
● Develop a policy plan that will ensure the documentation, regular review, evaluation, and updating of the privacy and security policies and practices in the organization.
Variant expected actions / Control measures in place:
● Policy provision highlighting the frequency of, and the triggers for, review of the privacy policy
  Evidence / Results measure:
  ○ Copy of the privacy policy citing the provision
  ○ Date of the last review and update of the privacy policy, with supporting documentation (e.g. gap analysis document)

Implementation and Continuous Improvement
Sample Measurable Areas per PMP Component - ASSESS and REVISE PROGRAM CONTROLS
Component element: Update and Revision
The organization conducts and updates PIAs regularly: when there are new programs, projects and products, a change in law or regulation, or other changes within the organization. The PMP must be regularly assessed and revised, considering PIAs, effectiveness of implementation, and data privacy best practices. The organization must monitor emerging technologies, new threats and risks to data processing systems, international data protection standards, and the legal and ICT environment.
Expected actions / Control measures in place:
● Periodically monitor the effectiveness of the program controls.
● The Privacy Management Program is regularly assessed and revised, considering the PIAs, the effectiveness of the implementation, and data privacy best practices.
● The organization monitors emerging technologies, new threats and risks to data processing systems, international data protection standards, and the legal and ICT environment.
Variant expected actions / Control measures in place:
● Last audit period conducted for the PMP or for the privacy office’s governance and functions (internal audit or 3rd-party assessment)
  Evidence / Results measure:
  ○ Copy of the audit report
  ○ Evidence of remediation or close-out of audit findings
  ○ Overdue audit findings and causes of delay
● Access of the privacy office to compliance and legal resources (internal or external counsel) for regulatory and legal updates
  Evidence / Results measure:
  ○ Copy of the service contract for 3rd-party legal resources
  ○ Relevant industry reports provided or accessible to the privacy office (e.g. Verizon DBIR)
  ○ Gap analysis documentation for new legislation affecting privacy (e.g. FCPA)

DP Training Workshops 201 Culminating Activity
10 COMPLIANCE POINTERS - SELF CHECK INSTRUCTIONS
❖ Read every compliance pointer and score your organization’s current position as either Yes, No or In progress per item.
❖ Each response to a compliance pointer corresponds to points as follows:
  Yes = 3 points
  In progress = 2 points
  No = 1 point
❖ Total your points for all 10 compliance pointers and rate them as follows:
  1 - 6 points: Ad hoc
  7 - 12 points: Defined
  13 - 18 points: Repeatable
  19 - 24 points: Managed
  25 - 30 points: Optimized
❖ For all the items marked as non-compliant (No), on a separate piece of paper, identify and list down, as specifically as you can, what is needed to bring these items to a compliant state.
❖ Continuing from the items marked as non-compliant (No), identify which ones require the least amount of time and resources to bring to a compliant state, and rank them from easiest to hardest to accomplish.
❖ Continuing from the items marked as partially compliant (In progress), identify what would hasten their accomplishment to bring them to a compliant state.
❖ Continuing from the items identified to complete the partially compliant (In progress) items, identify which require the least amount of resources and time, and rank them from easiest to hardest to accomplish.
❖ For the items identified as compliant (Yes), rank them from hardest to easiest to accomplish. Afterwards, identify what factors made an item difficult or easy to accomplish.
❖ At the bottom of the sheet, indicate what help you would need from your specific sector and from the NPC itself; be as specific as you can.
❖ Keep your scoring sheet, discuss the results of this assessment with your team/management, and agree on a program to bring your organization to a better state of compliance.

DP Training Workshops 201 Culminating Activity
Name: ________  Organization: ________  Position: ________  Sector: ________
10 COMPLIANCE POINTERS - SELF CHECK
(For each pointer, mark one of Yes / No / In progress, and set a Target Date.)
1. Does your organization already have a formalized Privacy Organizational Structure?
2. Have you conducted a PIA on all your Data Processing Systems?
3. Do you already have a documented Privacy Management Program?
4. Do you have a Privacy Manual in place and cascaded to your organization?
5. Have you registered your DPO, COP/s and DPS with the NPC via NPC-RS?
6. Do you already have a Breach Response/Security Incident Mgt. Team?
7. Have you practiced your breach reporting procedures and ASIR submission?
8. Have you implemented the expected Organizational, Physical and Technical security measures?
9. Do you have mechanisms to allow for the exercise of your data subjects’ rights?
10. Do you have mechanisms to ensure adherence to the 3 Privacy Principles?
Columns: Yes | No | In progress | Target Date

DP Training Workshops 201 Culminating Activity
What help do you specifically need from your respective Sector or the NPC?

Training Workshop Feedback Survey