Presentation Transcript

Slide1: 

Privacy Policy from the Business Perspective
February 14, 2002
Chris Farkas

ENSURING THAT YOUR ORGANIZATION IS ‘PRIVACY COMPLIANT’: 

ENSURING THAT YOUR ORGANIZATION IS ‘PRIVACY COMPLIANT’
Personal information privacy, and the various legislation, regulations and guidance thereon, raise complex issues. This presentation is designed to provide a general overview of some of the issues in ensuring organizations are 'privacy compliant'. It is not intended to provide legal advice. Participants should obtain professional advice for specific issues. Neither the sponsor, Deloitte & Touche LLP, nor the presenter can accept responsibility for reliance on the contents of this presentation.

AGENDA: 

AGENDA
Privacy: What’s all the fuss about?
The Privacy Tool Kit
Some Observations from the 'Field'
Suggestions for the Road Ahead

PRIVACY: 

PRIVACY: WHAT’S ALL THE FUSS ABOUT?

Why Worry Now…: 

Why Worry Now… 'People are willing to feign outrage on command, until they see the benefits of relinquishing their privacy…People are not going to worry much about privacy – unless some really horrible things are done, which I don’t think corporations are stupid enough to do.' Interview with Michael Lewis, author of Next, July 18, 2001, with host Katherine Mieszkowski, 'Thank God for the Internet,' Salon (magazine).

SOME HORROR STORIES: 

SOME HORROR STORIES
A telecommunications company donated computer printouts to local day care centres as drawing paper.
The issue: On one occasion, the printouts included customers’ names and calling card numbers.
The cost: $500 000 (forced to recall and reissue the calling cards); significant public embarrassment.

A funeral home contacted a woman to offer her its services shortly after she was diagnosed with terminal cancer.
The issue: A member of the hospital staff provided the funeral home with details of the woman’s illness.
The cost: Serious distress on the part of the woman and her family; a lawsuit against the funeral home and the hospital; the case was widely reported in the media (reputational damage).

SOME HORROR STORIES: 

SOME HORROR STORIES
A company employed visitor-tracking software in order to gain an understanding of which of its web pages received the most visitors.
The issue: In effect, the software installed acted as a ‘web bug’ capable of tracking and profiling surfers without their permission, without their knowledge and without using a cookie.
The cost: Severe damage to credibility; future impact?

While millions of Americans watched the Super Bowl on February 3rd, 2002, TiVo was watching its subscribers.

eCOMMERCE: 

eCOMMERCE
46% of online consumers are extremely or very concerned about the privacy of their personal information.
Only 40% believe that companies will honour their posted privacy policies. (Gallup, Jan 16 2001)

APPROACHING PRIVACY COMPLIANCE: 

APPROACHING PRIVACY COMPLIANCE: A TOOL KIT

Slide10: 


ASSESSING: 

ASSESSING

DESIGNING: 

DESIGNING

DESIGNING: 

DESIGNING

IMPLEMENTING: 

IMPLEMENTING

ASSURING: 

ASSURING
Establish organizational procedures to monitor:
Establish privacy metrics and specific criteria (when, timeliness) for compliance
Establish management processes to monitor the performance of the organization’s privacy activities
Monitor complaints and inquiries
MONITORING AND REPORTING: management processes to ensure compliance with organizational privacy policies and procedures, as well as internal and external independent reviews and audits to ensure compliance with legislation and regulations.

COMPLYING WITH THE OBLIGATIONS: IMPLEMENT MANAGEMENT AND TECHNOLOGY SOLUTIONS: 

COMPLYING WITH THE OBLIGATIONS: IMPLEMENT MANAGEMENT AND TECHNOLOGY SOLUTIONS
Complaints
Requests
Contract negotiation
Capturing consent
Audit trails
Escalation of issues
Security: physical, organizational, technological
Human resources
Retention
Destruction

Some Observations from the “Field”: 

Some Observations from the 'Field'

Some Observations from the “Field”: 

Some Observations from the 'Field'
Striking the balance between appropriate disclosure and providing too much information.
Privacy initiatives highlight many gaps and projects in which privacy needs to be addressed. When is due diligence achieved?
'Give Us a Policy' requests from clients: looking for templates that are too far removed from the realities of the organization's own internal processes. Consequences: the policy is shelved, or the organization tries to redesign its internal processes to 'fit' the policy.

Some Observations from the “Field”: 

Some Observations from the 'Field'
'Operationalizing' privacy is a challenge: How do I tailor this to my environment? Wide variety of practices in business. Guidance?
'In the evolving, jumbled world of e-commerce and individual preferences, the government’s role is not to dictate the terms of privacy contracts ahead of time, but to enforce privacy contracts that companies have made with consumers…bad privacy agreements are deceptive trade practices'
Jonathon Bick, author of '10 Things You Need to Know about Internet Law', interview by Doug Isenberg of GigaLaw.com

Some Observations from the “Field”: 

Some Observations from the 'Field'
How to manage consent? What should the appropriate standards be? What should the consent look like? How do you manage consent once it is captured?
Especially in the US, addressing privacy in a multi-regulated environment is complex. Local vs. Federal vs. Global: which takes precedence?

Some Observations from the “Field”: 

Some Observations from the 'Field'
Misperceptions in business:
Paper vs. data: privacy is an online issue
Privacy = network and database security
If organizations fail to conduct an inventory of their personal information and data flows, they will likely create a policy which does not accurately reflect their business. Policies fail to reflect organizations’ actual systems capabilities and practices. Privacy policies often fail to contemplate third party relationships and data flows.

Some Observations from the “Field”: 

Some Observations from the 'Field'
Technology related:
Systems management is increasingly complex, making information and data flows harder to manage. Privacy risks multiply when organizations grow quickly or when mergers and acquisitions occur. A company's technical infrastructure may be incapable of incorporating the policies and controls required to comply with privacy principles such as consent and safeguards. There is a general lack of understanding by companies of what the technology they have implemented does, and has the potential to do.

Some Observations from the “Field”: 

Some Observations from the 'Field'
Tools:
P3P – we’re helping clients understand it, although many have not yet implemented it. This may be risky given IE dominance.
Automated policy generators – we have not employed these with clients. Good guidance, but highly dependent on the knowledge of the individual answering the questions.

In Summary: 

In Summary
Companies want to:
Comply with regulations
Enhance brand
Leverage data
Provide a better user experience
However, companies:
Are hampered by legacy systems
Are confused by the distinctions between security and privacy
Lack understanding and knowledge of their technology
Do not have clear guidance
Are too focused on 'perfunctory policies'

Suggestions for the Road Ahead…: 

Suggestions for the Road Ahead…
Privacy compliance initiatives should begin with:
Inventory of information (data and paper)
Documentation of data flows and information management
Gap assessment in relation to the 10 Principles and industry (or other) best practices and standards
Development of policies specific to the organization
Privacy should be incorporated into brand management.

ANY QUESTIONS?: 

ANY QUESTIONS?

FOR FURTHER INFORMATION, PLEASE CONTACT: 

FOR FURTHER INFORMATION, PLEASE CONTACT:
CHRIS FARKAS
cfarkas@deloitte.ca
(604) 640 3149
Four Bentall Centre, Suite 2100 - 1055 Dunsmuir Street
Vancouver, BC V7X 1P4
Canada