Nurudeen Odeshina

BSides Calgary, 48:54, published 2022-12

Transcript [en]

... crowdsource and find out. Yeah, the guide for most people who are starting up in organizations trying to socialize or set up, establishing a privacy program, or for people already working on one: what's the problem, what should we do, how do we go about it, and also what do we do now?

Privacy, what's important in all of privacy: a lot of data protection is really focused on how do we protect humans, right? How do we protect people, how do we protect the personal beliefs of people, because it's really about humans, and that's what I want this talk to be about. And that's why I hope that in our various organizations, whether we are privacy personnel or even security personnel, we are concerned about people and also our results, okay?

The organization is a technology services provider with some policies, which are probably gathering dust somewhere or lost in the organization's history, and people look at them once in a while, so that's how it applies in the organization. And its co-founders, Alice and Bob, forgive me for the crypto names here, decide that, you know what, why not let's start up a privacy program, and they are faced with three options. The first one is a lawyer; we just hire, right, which is very difficult, so you go hire these big names and they come into the office to establish a privacy program. And the other is, "no, we don't really care about privacy, right, we're not going to do anything about the data", and that's the case of the "we take your privacy seriously", right. But they decide that, you know what, we are going to take privacy seriously, and they decide to hire a privacy officer, and the privacy officer's name is Walter, also another crypto name. So Walter joins the organization, right.

Because the privacy personnel, or the CPO for example, the chief privacy officer, right, because you need to tie this back, tie the privacy program back to the organization. If it's an organization that really doesn't care about people, right, it doesn't care about people's personal data, it's going to reflect on your privacy program, alright. So Walter basically, right, sat down with his bosses and tried to understand what's the mission of the organization, what's their intent towards the use of personal data, right, and it could be different things, right. Today we have organizations that use personal data to increase their revenue; you monetize personal data, right. There are so many organizations doing that today, so you have targeted ads or all sorts of things. For some organizations they are really concerned about their information assets, right, the applications, infrastructure and some of those information assets which they use on a day-to-day basis, and for some of them they are concerned about the brand, right, and how they process personal data and also how that affects the brand. So there might be a number of reasons why organizations are concerned about institutionalizing or establishing a privacy program.

Well, I think the most important part I want to leave us with is this: at some point in time within your organization, right, it shouldn't just be about compliance, and this is also about security. It shouldn't just be about "I want to comply with this standard, I want to comply with this regulation"; it should really be about how do you derive value from that security program, how you can derive value from the privacy program.

So Walter finds out, and as part of this mission too, his next step, as part of what Walter needs to do, is basically to go on an exploratory tour in terms of understanding what's the scope of the privacy program, what's the context which it is to deal with within the organization and also outside of the organization, and also what are the requirements. Now, what this means: in some jurisdictions, right, a privacy program or privacy compliance is mandated as a result of a government regulation, or it might also be sectoral regulations; if you work in the health sector, as a result of that you need to establish some privacy program within the organization, right, or a compliance program, to have some activities that relate to privacy.

And this is basically what Walter needs to do: he goes on a tour exploring the organization, right, trying to understand what's the context of the organization, what does the organization do, right, what kind of personal data do you collect, how do we process that personal data. That's the first thing that needs to be done. Then also is to establish what role they play when it comes to data protection: are they a controller, are they a processor, right, or are they a joint controller, and all these things are well established and also well defined. I also mentioned, at least, to understand the type of personal data that the organization collects, also what are the organizational needs or who are the stakeholders. I've mentioned the internal stakeholders and also the external stakeholders: what's their requirements, what's the expectation when it comes to privacy of this application within the organization. And we also need to consider what are the applicable laws. For example in Canada, right, so we obviously have federal data protection acts, right, but in separate provinces there are also specific data protection acts or regulations, and also even in sectors within each province there are also separate data protection regulations, for example, like I said, if you work in health, etc. So you need to determine which ones are applicable to the organization based on what they do, and that's what Walter did.

But while he's on this tour, it's also important that Walter tries to get buy-in from the various stakeholders within the organization, right. So it's not basically just trying to establish the context of the organization; he's also trying to evaluate the people who lead the organization, whether it's the chief marketing officer who uses that data, or maybe it's the CRO or the security officer; you try to understand and also build relationships with them. And he's also informally pitching a privacy program. Like I said, the organization has some privacy practices, but I mean it's not, it's not very programmed, it's very much, you know, ad hoc privacy practices. So he starts, as much as possible, pitching the privacy program to different people within the organization, especially at the very senior levels. Then he needs to also identify people who are going to support this cause, right, in terms of establishing the privacy program, right, expecting that people would listen to him and also support him.

There's also the rabbit hole which you can actually get into, and there are different kinds of people within the organization, right, they can actually push him down the rabbit hole, so he must focus on establishing the privacy program. And these are basically just some of them: you can have some of the crypto enthusiasts, at least, just, you know, "let's just encrypt everything", right, and there's really nothing to worry about, right; or, yes, "anonymize all the data", right, and when you have anonymized personal data it doesn't come under the scope of data protection, right, because it's no more personal data; and also the other people within the organization.

So what did Walter discover during this tour? He discovered that as a result of the breach there's been a big decline in customer satisfaction and also erosion of trust, right; there was a data breach in the organization and, as a result of this, customers no longer trust them, right, because of that breach. He also noticed that there's been increased awareness, driven by the 2018 GDPR, right; when GDPR came out then everybody just went wild about data protection and privacy, right. In the various jurisdictions people are coming up with different legislation very, very close, similar to the GDPR, and building regulations and also acts with respect to data protection. So he also discovered that this also applies to the country where he's working, in their various regulations.

And Walter has been two months in now, right, and has just been going on tours trying to understand the organization, but Alice and Bob are beginning to ask him, "we need to see results", which is quite common in organizations. The moment an organization has a privacy program, the CEO or the chief security officer within that organization, the CEO is actually asking for answers, right, especially when there's been a breach; they ask you "what are you doing?" while you're still going on a tour trying to understand the context of the organization, which is very, very important to the success within the organization, right. But as a result of this, Walter decides that the next thing he needs to do really is not just to jump into action, right. You need to understand that to build a program, a privacy program, you need a framework, right; there's no need to reinvent the wheel, you have so many frameworks these days which you can rely on. So he begins to ask himself, "what framework should I use?", right. So that's the next task for Walter, and there are quite a number of them; another challenge is that there are quite a number of frameworks. So he begins to, he's going to decide, you know what, what should I do here, because there are so many different ones, depending on the industry, depending on jurisdiction and also depending on the context of the organization.

And another rabbit hole to be very, very mindful of, which I've seen in some organizations, is they get a tool and decide it's going to fix all the problems, right. It happens in security; it also happens within privacy, so we need to be very, very mindful of that. There are no silver bullets; there's no one single tool that will fix all your privacy works, the same with security, right, so let's be very, very mindful of that. There are frameworks which you can use, you know, best-practice standards which you can use; there are also solutions, but those solutions need to address specific concerns which your gap assessment has actually identified. I'm going to try to be very, very brief.

One of the things which I've done earlier on was to do an analysis of some of these frameworks, right, and these are at least, just an example of three of them: there is ISO 27701, which is called the PIMS, privacy information management system; there is also NIST, this was recently updated with specific privacy controls, it's a very, very helpful document, which is quite good; and there's also the EU GDPR, right, which, I said, most legislations today are basically just like a, and I'm sorry to say that, yeah, more like a copy and paste, some excerpts, alright. So one of the things that's very, very important for you to know is really around what are the similarities between these frameworks and standards and also what are the differences, and also how relatable are they to the kind of organization where you find yourself. So for some organizations, they are very small and lean, right, "we don't have all the money in the world"; that might impact on the kind of framework which you select within the organization. And for some organizations, "we are very global, we have all the money to spend", so another important thing is implementation costs. Some organizations also like to sort of reflect what they've done with respect to privacy on their brand, right, so things around certification, for example, are very, very important for the organization: "well, at the end of the day I want to show I have a certificate that says I have implemented some privacy regulation or privacy program". So those are some of the things to consider when you're selecting a privacy framework or standard. And also, more importantly, is the timeline for some of these programs, and I've just indicated here that if you're trying to implement NIST and GDPR it's like, it's continuous, it's never-ending, right. But for the PIMS, for example, within six months, I've seen organizations do this from start to finish, where they do an assessment, implement the PIMS and they get certified in about six months; for some organizations it's been a year. I've also seen this done in an organization in about three months, right, a very small organization: did the assessment, implemented the PIMS and got certified.

Walter decides he's going to select any one of these frameworks. I don't have a recommendation, I don't have an answer to which is the best framework; all of them, right. So as an organization, as a CPO, determine which is best for your organization, and that's what Walter did: determine which is best for this organization. And the next step really is: what does the privacy program look like, right? But before he jumps into it, he needs to develop a strategy, which is what Alice and Bob are actually looking out for, right, like "this is what I intend to do within my year, or within a year, or maybe three years, as the chief privacy officer, as a privacy professional". And this is basically just a very quick summary of what the strategy is like, and this is Walter's strategy. So he decides that in the first few months, or the first quarter, he's going to go around doing some privacy education, awareness, education; I call it TEA, training, education and awareness, right. So it's a nice thing to do that. And the next big block basically is around starting to implement the privacy program by itself, and the broad strategy, and the last step there is really around how to make sure you can continuously update and maintain and improve, which is very important, the privacy program. And those are some of the key things which you need to start thinking about at the program stage, right.

So this is what Walter came up with as a strategy and also as a response to Alice and Bob asking, "you've been here for two months, what are you going to do?", right. He came up with a strategy and also a plan and shared it with them. Let's take a look at each item: your diagnostic assessment, and compliance to the selected privacy framework, that's really across implementing the privacy program, right. So for Walter, the next step after submitting that plan to Alice and Bob is really around doing the diagnostic assessment: what's the problem, right? It's like going to the doctor, right, and you say, "you know what, just give me a drug"; the first thing the person is going to ask is "what's the problem?", right, "I'll need to test you". That's the same thing that Walter needs to do with the diagnostic assessment, right: there's been a breach, we have some policies here and there, but I need to understand comprehensively what's the full scope of the problem related to privacy within the organization. So he takes any one of those frameworks and he does the gap assessment: these are the requirements of the framework and this is where we are as an organization, right, across various layers, and those are some of the areas which I've mentioned here, right.

So for example, the iuppc, I think, mentioned some of these areas: the privacy notice, data discovery and mapping, purpose limitation, individual rights. The privacy outlook is one of the beautiful documents by gapna; it's very, very exhaustive, and those are some of the areas which are mentioned by government Carousel, and yeah, some of the information which I've seen over the Internet which relates to sort of GDPR, where they also try to constrain GDPR into about ten blocks of categories, right: strategy, policy, cross-border data transfer, data strategy, training and awareness, data life cycle, privacy by design, security, which is really surprising, and also incident management. So he looks across each one of these domains in those gap assessments for the organization: where do we stand, right? And for some of those frameworks there are actual detailed questions, or little questionnaires, with respect to what are the questions which you need to ask, right, and this is what some of those things require. Sorry, I've sort of blocked this out because these are like proprietary materials, right. So after the assessment he submitted beautiful reports, right, which is probably what, what I might just pass on this. Sorry, Chris Rock is the only person who was taking the punches and still continued to present.

So where Walter is at this point, right: he has a plan, he has a strategy, right, and he also has a lower-level plan in terms of what the gaps are and also what the recommendations are, right. So he takes this and he begins to work, and the next step really is to work on everything which you have from after this page; the optional items are what Walter needs to do in terms of implementing the privacy program. Like I said earlier, the crux of a privacy program is really around data, personal data. So the first step really is around understanding what personal data you hold within the organization, right: what's the classification, I think, personal data, sensitive data, and the outcome of that are some of the things which I mentioned in some of those data protection regulations. The most important outcome from you doing a data mapping or a data discovery exercise is what's called the ROPA, the record of processing activities, right. I think this thing called ROPA, the GDPR mentions that, but it's one of the outcomes or the artifacts from your data analysis or data discovery. So you create a ROPA, which is basically a record of processing activities; it's taking a look at all the activities within the organization, right, what kind of data is required for those processing activities, or what kind of data is generated as a result of those processing activities, what's the input to the processing activities and also what's the output, right. And you also need to do what is called the data map, right: how does data flow within the organization. And the other thing is also to do the data life cycle, alright, so across the organization: how do you create data, right, how do you use that data, how is the data stored, what do you share with third parties externally and also what do you share internally, which are some of the key things we need to document as part of the ROPA. So if a business unit, for example, says it creates data, you also need to document and map, so you come up with the life cycle of the data, right. And like I said, one of the key outcomes from this is actually mandated in some of the data protection regulations: we need a record of processing activities.

The next step, and I'll spend a bit of time on this, is conducting a PIA, and different regulations call these different things; you see it called the DPIA, data privacy impact assessment or data protection impact assessment. And the reason why this is key is: as you start as a privacy professional now, or the CPO, the organization is going to continue to operate; they are not going to wait for you to create your plan, your strategy, and follow through your plan or strategy. They will continue to operate as an organization. Like, given the example, "we are building products", right, that consumers are going to use, and there are going to be iterations of those products, or there are probably new products which the organization has created. For each one of those products we need to do what is called a PIA, the privacy impact assessment, right, and that's another key step. And this is done not only for products; it's also done for projects and also new processes. You basically identify how each of those projects, the processes or the products actually utilize data, and also what's the impact to the customers or the consumers whose data are going to be used as a result of that product, process and project, or the process. And those are some of the things which are documented within the privacy impact assessments, right. You give an example of what: description of the project, what are the goals and time frame, the personal information or personal data which is going to be used by your products, and you also identify what's the risk, alright; some of those things are documented there, right: who will access the data, who is the data being shared with, how do you ensure accuracy of the data, how do you ensure that the data is actually secure. So those are some of th