Privacy by Design: Setting a new standard for privacy certification




Privacy by Design is a framework based on proactively embedding privacy into the design and operation of IT systems, networked infrastructure, and business practices.

Privacy by Design Framework

Organizations understand the need to both innovate and safeguard the personal and confidential data of their customers, employees, and business partners. This has become increasingly challenging in the era of big data for several reasons:

- Globalization has fostered an environment where knowledge workers feel the need to share information more readily, exposing organizations to a higher likelihood of information security breaches
- Organizational boundaries are no longer static, making it difficult to track how, where, and by whom information is being stored, managed, and accessed
- Collaboration and social networking tools promise new possibilities, but also come with potentially serious vulnerabilities if not proactively managed

In this complex electronic business environment, a "check the box" compliance model leads to a false sense of security. That's why a risk-based approach to identifying digital vulnerabilities and closing privacy gaps becomes a necessity. Once you've done the work to proactively ensure that your controls are implemented and your information is secure, having your privacy practices certified against a global privacy standard can take your privacy and security posture to the next level. And when you put privacy risk prevention and certification together, you have Privacy by Design Certification.

A demonstrated ability to secure and protect digital data (both your own and your customers') is increasingly being recognized as a business imperative that yields a competitive advantage.

"Protecting privacy while meeting the regulatory requirements for data protection around the world is becoming an increasingly challenging task. Taking a comprehensive, properly implemented risk-based approach where globally defined risks are anticipated and countermeasures are built into systems and operations, by design, can be far more effective, and more likely to respond to the broad range of requirements in multiple jurisdictions."
Dr. Ann Cavoukian, Executive Director of the Privacy and Big Data Institute at Ryerson University, Three-term Information and Privacy Commissioner of Ontario, Creator of Privacy by Design

7 Foundational Principles

Privacy by Design means building privacy into the design, operation, and management of a given system, business process, or design specification; it is based on adherence with the 7 Foundational Principles of Privacy by Design:

1. Proactive not reactive; preventative not remedial
   Anticipate, identify, and prevent invasive events before they happen; this means taking action before the fact, not afterward.
2. Lead with privacy as the default setting
   Ensure personal data is automatically protected in all IT systems or business practices, with no added action required by any individual.
3. Embed privacy into design
   Privacy measures should not be add-ons, but fully integrated components of the system.
4. Retain full functionality (positive-sum, not zero-sum)
   Privacy by Design employs a "win-win" approach to all legitimate system design goals; that is, both privacy and security are important, and no unnecessary trade-offs need to be made to achieve both.
5. Ensure end-to-end security
   Data lifecycle security means all data should be securely retained as needed and destroyed when no longer needed.
6. Maintain visibility and transparency: keep it open
   Assure stakeholders that business practices and technologies are operating according to objectives and subject to independent verification.
7. Respect user privacy: keep it user-centric
   Keep things user-centric; individual privacy interests must be supported by strong privacy defaults, appropriate notice, and user-friendly options.

Any organization launching new services, products, or innovative technologies, or expanding into new geographies through mergers or acquisitions, can benefit immensely from privacy certification.

Benefits of Certification: Reap the rewards

Ensuring privacy and security through every phase of the data lifecycle (e.g. collection, use, retention, storage, disposal or destruction) has become crucial to avoiding legal liability, maintaining regulatory compliance, protecting your brand, and preserving customer confidence. That's especially true for organizations that are increasingly subject to heightened scrutiny, both internally by their boards and externally by their regulators and business partners.

By taking a dynamic, proactive approach to privacy protection, Privacy by Design certification will give your organization the ability to:

- Ensure compliance by getting ahead of the legislative curve and minimizing compliance risk
- Reduce the likelihood of fines and penalties, including financial losses and/or liability associated with privacy breaches
- Build your brand by fostering greater consumer confidence and trust, thereby gaining a sustainable competitive advantage
- Better manage post-breach incidents to regain consumer trust and confidence
- Maintain best practices by seeking independent testing of privacy and security controls rather than more self-reporting or testing

Cost of taking the reactive approach to privacy breaches:

- Class-action lawsuits
- Damage to one's brand
- Loss of consumer confidence and trust

[Figure: reactive versus proactive approach]

Privacy by Design goes well beyond accepted fair information practices and privacy standards, virtually assuring regulatory compliance no matter where you operate.

Steps to Certification

Implementing Privacy by Design: It starts with three steps

Under our Privacy by Design framework, Ryerson University is responsible for certifying organizations that meet the necessary privacy criteria. To achieve certification, organizations must first undergo an initial assessment conducted by Deloitte.

Using a set of well-defined assessment criteria, Deloitte's privacy and security professionals will test your product, service, or offering against the 7 Foundational Principles of Privacy by Design. We also assess the strength of your privacy practices relative to internationally recognized privacy principles, including privacy regulations, industry self-regulatory requirements, and industry best practices (e.g. FIPs, OECD, GAPP, CBR, and APEC Privacy Framework) using an assessment methodology based on harmonized privacy and security legal requirements.

To this end, Deloitte operationalized the Privacy by Design framework by developing 30 measurable privacy criteria and 107 illustrative privacy controls that organizations will be assessed against, using a unique scorecard approach that maps back to each of the 7 Foundational Principles.

Putting privacy front and centre: Deloitte relies on our global team of privacy and security experts who are Privacy by Design accredited, including a former privacy regulator, privacy lawyers, and IT and security specialists. Taking a holistic, risk-based approach, Deloitte will test your controls using a quantifiable scorecard technique to help provide the privacy certification your organization needs.

The upshot is a simple three-step process for certification: apply, assess, and certify.

Certification (Step 1: Apply; Step 2: Assess; Step 3: Certify), by participant:

- Applicant: apply online via Ryerson's website; respond to assessment recommendations
- Ryerson: refer to Deloitte; certify
- Deloitte: refer prospects to Ryerson's website; conduct assessment and issue preliminary observations; finalize assessment report

Renewal (Step 1: Notify; Step 2: Attest; Step 3: Renew), by participant:

- Applicant: attest to no significant changes
- Deloitte: notify applicant; renew annually, for up to 2 years

Organizations may pursue certification once the assessment is complete; any assessment rating below satisfactory will need to be addressed before receiving full certification.

Deloitte Assessment Approach

Before you can be certified, you will be assessed according to this process:

Scope

We begin by working with you to identify the scope of your privacy review. The scope of your assessment can include:

- All types of personal information holdings and related business processes, including medical and employee information
- A defined part of the organization, line of business, function, system, or initiative

Assess & Test

Our privacy and security professionals:

- Use a combination of manual reviews, sampling, and scorecard metrics to assess your current design controls and related information-handling practices
- Conduct company interviews, on-site visits (where required), and data discovery (where requested) to identify data collection and residency issues
- Evaluate whether a privacy or security control exists, and whether the privacy activities or controls have been properly designed
- Compare your solution architecture, related information-handling practices, and operational processes against control activities

Report

We deliver results in a restricted use, detailed Privacy Scorecard report that:

- Identifies any deficiencies or gaps in information system design, policies, and practices
- Includes an analysis of personal information and related privacy gaps across the data lifecycle
- Contains an analysis of your compliance requirements with all relevant policies, practices, laws, codes, and contracts
- Analyzes each element of your organization's privacy program, policies, and procedures
- Includes a gap analysis that highlights the gap between your desired state of risk management and the current "as-is" state
- Provides detailed observations and recommendations to management for closing identified privacy gaps

Certify

As part of the certification process, Ryerson:

- Verifies that any gaps identified in your Privacy Scorecard have been addressed and closed
- Displays your company's name on its validation page to provide real-time verification that your certification is current and valid

Once you receive certification, you can display your Privacy by Design certification on your website and/or product or offering, and share your assessment results and certification with your business partners.

Deloitte Data Protection and Privacy service catalogue

Privacy by Design Certification is part of a full suite of Data Protection and Privacy (DPP) services offered by Deloitte.

Service areas shown in the catalogue: Assess, Sustain, Advise, Implement, Design.

Services listed:

- Privacy by Design Certification
- Privacy Internal Audits & Assurance
- CASL Compliance Assessments
- Data Discovery and Data Flow Mapping
- Privacy Controls Mapping
- Advanced Privacy Monitoring
- GRC Privacy Management
- Privacy Incident Management
- Privacy Regulatory Affairs
- Privacy Staff Augmentation
- Cross-border Privacy Compliance
- Post-data Breach Response & Advisory
- Data Leakage Prevention
- Data De-identification
- Privacy Programs & Frameworks
- Privacy Remediation
- Privacy Strategy & Program Design
- GLBA Risk Assessment Frameworks
- Breach Response & Handling
- Consent Frameworks
- Privacy & CASL Training
- BYOD Policies
- CPO Training

Contacts

Sylvia Kingsmill, BA, LLB
National Partner, Data Protection and Privacy Leader, Enterprise Risk
skingsmill@deloitte.ca

Dr. Ann Cavoukian, Ph.D.
Executive Director, Privacy and Big Data Institute
ann.cavoukian@ryerson.ca

About Sylvia Kingsmill

Sylvia Kingsmill, BA, LLB, leads the Data Protection and Privacy practice for Deloitte Canada. She has 15 years' experience in providing strategic, risk-based compliance and privacy advisory services, serving a diverse global client base. Her specialty is in advising executive teams on the development and implementation of data-driven digital strategies to support major IT and business transformation and alignment with regulatory requirements. She often deals with regulators, including Privacy Commissioners, on behalf of her clients in remediating regulatory findings and optimizing data management and governance practices. Sylvia recently developed the Privacy by Design Certification Program with Ryerson's Big Data and Privacy Institute to help clients launch new, privacy-enhancing technologies. She advises on innovative and ethical uses of big data while protecting privacy to help her clients manage not only their regulatory risks but also their branding and marketing strategy as they expand their digital footprint.

About Dr. Ann Cavoukian

Dr. Ann Cavoukian is recognized as one of the world's leading privacy experts. She is presently the Executive Director of the Privacy and Big Data Institute at Ryerson University. Appointed as the Information and Privacy Commissioner of Ontario, Canada, in 1997, Dr. Cavoukian served an unprecedented three terms as Commissioner. There she created Privacy by Design, a framework that seeks to proactively embed privacy into the design specifications of information technologies, networked infrastructure, and business practices, thereby achieving the strongest protection possible. In October 2010, regulators at the International Conference of Data Protection Authorities and Privacy Commissioners unanimously passed a Resolution recognizing Privacy by Design as an essential component of fundamental privacy protection. Since then, Privacy by Design has been translated into 37 languages.

About Deloitte's National Data Protection and Privacy Practice

Deloitte's national Data Protection and Privacy practice is comprised of multi-disciplinary professionals specializing in technology, policy, security, law, information governance and management, project management, communications, and privacy regulatory affairs. The practice has helped clients in both the public and private sectors, many of whom must manage sensitive financial, personal, and medical information in accordance with a myriad of regional and international standards and regulations.

About Ryerson University and the Privacy and Big Data Institute

Ryerson is Canada's leader in innovative, career-focused education. It is a distinctly urban university with a focus on innovation and entrepreneurship. Ryerson has a mission to serve societal need and a long-standing commitment to engaging its community. The Privacy and Big Data Institute at Ryerson was created to serve as a hub for Ryerson faculty, staff, and students engaged in data-driven research, innovation, and education. The Institute's mission is to pursue and promote collaborations with industry to address privacy, security, and/or data analytics challenges.

Privacy by Design Certification is being offered by the Privacy and Big Data Institute at Ryerson University; it is not affiliated with the Information and Privacy Commissioner of Ontario nor does it signify compliance with Ontario's privacy laws.


www.deloitte.ca

Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services. Deloitte LLP, an Ontario limited liability partnership, is the Canadian member firm of Deloitte Touche Tohmatsu Limited. Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte LLP and affiliated entities. Designed and produced by the Deloitte Design Studio, Canada. 15-2971H