
Building an Effective Data Privacy Program – 6 Steps from TRUSTe

Six practical steps to build an effective data privacy program, from conducting an initial privacy risk assessment to implementing controls & ongoing maintenance.

Watch the complete webinar from leading privacy experts on 6 practical steps to build a data privacy program: https://info.truste.com/lp/truste/On-Demand-Webinar-Reg-Page2.html?asset=KB5XQRQG-567


Presentation Transcript


  1. Building an Effective Privacy Program – Six Practical Steps. September 24, 2015. Privacy Insight Series

  2. Today’s Speakers: Beth Sipula, CIPP/US, Senior Consultant, TRUSTe • Paola Zeni, Director Global Privacy, Ethics and Compliance, Symantec Corporation

  3. Six Practical Steps: Framework • Development and Management • Risk Mgmt • Vendor & Third Parties • Privacy by Design • Incident Response

  4. Poll Question #1 – What level on the maturity scale is your organization? Staged Maturity Levels: Level 1 Initial • Level 2 Managed • Level 3 Defined • Level 4 Quantitatively Managed • Level 5 Optimized. Process descriptors shown on the scale: Process Measured & Controlled • Process Characterized & Understood • Process in Place & Proactive • Continuous Improvement • Process Unpredictable

  5. Step 1 - Create the Framework: Create the Framework (based on the requirements for your organization) • Analysis of regulatory/contractual requirements • Review legislative requirements/Geos • Develop a budget and a roadmap • Privacy Committee/Privacy Champions

  6. Poll Question #2 – What team or business unit is primarily responsible for managing privacy risks in your organization? • Legal/Compliance • IT/Security • Internal Audit • Product/Development • Other

  7. Step 2 - Risk Management: Develop a Risk Management Process • Data discovery and data inventory • Comprehensive risk assessment process • Risk Management Committee to rank ongoing risks • Executive sponsor and champion

  8. Step 3 - Privacy by Design: Build in Privacy • PIAs • Create tools and processes for product/development teams • Identify risks and analysis of impacts • Leverage existing development processes where possible • Training

  9. Incident Response: Develop an Incident Response Plan • Process, plan and toolkit • RACI charts (Responsible/accountable/consulted/informed) • Privilege • Crisis communications plan (internal/external) • Test plan regularly and update • Tabletop exercises • Common scenarios

  10. Step 5 - Vendor and Third Party Management: Develop a Comprehensive Approach • Understand who has access to sensitive data, purpose, access and data transfers • Documentation • Contractual requirements • Partner with Procurement

  11. Step 6 - Program Development and Ongoing Monitoring: How do you keep moving forward once you have the basics in place? • Monitor regulatory changes • Establish metrics to measure your program effectiveness • Reporting on program effectiveness • Ongoing training and communication • Building privacy champions • Employee training • Privacy sensitive culture

  12. Key Take-Aways

  13. Key Take-Aways • Start with a roadmap and implement the basics • Manage risks • Partner with other areas of the organization • Utilize tools and automate whenever possible • Prioritize training and communicate privacy • Building blocks of a privacy centric culture

  14. Moving Forward: Framework • Development and Management • Risk Mgmt • Vendor & Third Parties • Privacy by Design • Incident Response

  15. Questions?

  16. Contacts: Beth Sipula (bsipula@truste.com) • Paola Zeni (paola.zeni@veritas.com)

  17. Thank You! Don’t miss the next webinar in the Series – “Top 5 Things the CISO Needs to Know about Data Privacy” on October 15th. See http://www.truste.com/insightseries for details of future webinars and recordings.
