Information about http://www.ehcca.com/presentations/privacysymposium1/gray.pdf
Managing the Privacy Function at a Large Company Kimberly S.…
Tags: attitude survey, centralized model, chief privacy officer, compliance departments, compliance monitoring, customer service sales, decentralized model, executive steering committee, external collaboration, interdepartmental collaboration, legal compliance, management hierarchy, management level, officer management, privacy breach, project oversight, regulatory obligations, subject matter expertise, subject matter experts, train the trainer,Pages: 10
Language: english
Created: Sun Aug 19 11:06:01 2007
Display cached document
Page 1
Page 2
Page 3
Page 4
Page 5
Page 6
Page 7
Page 8
Page 9
Page 10
Managing the Privacy
Function at a Large Company
Kimberly S. Gray, Esq., CIPP
Chief Privacy Officer
Highmark Inc.
Privacy Program
· Organizational structure
· Staffing
· Policy and procedure development and
implementation
· Interdepartmental collaboration
· External collaboration
· Subsidiaries/affiliates
· Privacy breach investigations and incident
response
· Culture
Organizational Structure
· Centralized Model
Accountability and oversight known to all
Management hierarchy allows issues to be resolved
quickly
Better able to match strategic direction with corporate
mission and value statement
· Decentralized Model
Everyone accountable for his/her own actions
Compliance more embedded in minds of individuals
and more part of overall corporate culture
Staffing
· Chief Privacy Officer
Management level (executive, senior management recommended)
Visible
Attorney?
Information security accountability?
· Subject matter experts
Legal compliance
Information security
Customer service
Sales, marketing?
Other?
· Operational staffing
Ability to communicate well with others
Ability to lead projects
Some subject matter expertise
Policy & Procedure
Development and Implementation
· Legislative review and comment
· Identification of regulatory obligations and risk
management posture
· Consumer attitude survey review
· Provide analysis and requirements to affected business
units
· Oversight of business unit compliance or direct project
oversight
· Executive steering committee?
· Training and communication of new
policy/procedure/process (multi-channel) to all or to
management (train the trainer)
· Compliance monitoring, assessment, enforcement
Interdepartmental Collaboration
· Legal
· Other compliance departments
· Internal audit
· Customer-focused business units
· Physical security and safety
· Information security
· Sales and marketing
· Public relations, media relations
· Informatics and reporting
· Information systems
· Government/regulatory affairs
· eCommerce
· Human resources/employee relations
· Risk management
External collaboration
· Federal and state government and regulatory
bodies
· Customers
· Media
· Vendors
· Outside counsel
· Business partners
· Data protection authorities (global)
· Law enforcement
· Professional organizations
Subsidiaries and Affiliates
· Reporting relationships
· Oversight and accountability
· Ownership and status designation
· Committees
· Differing business needs
· Differing regulatory requirements
· Global versus domestic
Privacy Breach Investigations and
Incident Response
· Fact gathering, interviews, forensics
· Corrective action plan
· Mitigation of damages
· Employee discipline
· Security incident per state or federal law?
· Notifications
· Post-incident reporting to management (Compliance Committee)
· Privacy incident response team
Privacy Officer
Information Security Officer
Safety and Security Officer
Legal
Corporate communications, media relations
Affected party
Affected business unit
Culture
· Legal compliance requirements
· Risk management posture
· Consumer attitude considerations
· Ethics ("doing the right thing")
· Treating the confidential information as if it
were your own