
crowdsource and find out. Yeah, the guide for most people who are starting up in their organizations, trying to socialize or set up a privacy program, or for people already working on one.
What's the problem? What should we do? How do we go about it? And also, what do we do now? Privacy, and in fact all of data protection, is really focused on how we protect humans, how we protect people, how we protect the personal beliefs of people, because it's really about humans, and that's what I want this talk to be about. That's why I hope that in our various organizations we, whether we are the hardest personnel or even spiritual people, are concerned about people and also about our results.
technology services providers
policies, which are probably gathering dust somewhere, like in American history, where people put three points in a while so it applies in the organization. And the co-founders, Alice and Bob (crypto names here), decide, you know what, why not, let's start up a privacy program. They are faced with three options. The first one is: we just hire, which is very difficult, so you go to these big names and they come into the office to establish a privacy program. The other is: you don't really care about privacy, we're not going to do anything about the data, and that's the case of the Oxford comma.
You take your privacy seriously, right? But they decide that, you know what, we are going to take privacy seriously, and they decide to hire a privacy officer. The privacy officer's name is Walter, also another crypto name. So Walter joins the organization, because the privacy personnel, or the CPO, for example the chief privacy officer,
because you need to tie this privacy program back to the organization. If it's an organization that really doesn't care about people, that doesn't care about people's personal data, it's going to reflect on your privacy program. So you're basically trying to,
so Walter sat down with the bosses and tried to understand: what's the mission of the organization, what's their intent towards the use of personal data? And it could be different things. Today we have organizations that use personal data to increase their revenue; they monetize personal data. There are so many organizations doing that today, so you have ads and all sorts of things. Some organizations are really concerned about their information assets, the applications, the infrastructure, the information assets which they use on a day-to-day basis. Some of them are concerned about the brand, how they process personal data and how that affects the brand.
So there might be a number of reasons why organizations are concerned about institutionalizing or establishing a privacy program. I think the most important part I want to leave you with is this: at some point in time within your organization, it shouldn't just be about compliance, and this is also true for security. It shouldn't just be about "I want to comply with this standard, I want to comply with this regulation"; it should really be about how you derive value from that security program, how you derive value from the privacy program. So Walter finds out, and as part of this mission, the next step, as part of what a privacy program needs to do, is basically to go on a regulatory tour,
in terms of understanding what's the scope of the privacy program, what's the context which it has to deal with within the organization and also outside of the organization, and also what are the requirements. Now, what this means is that in some jurisdictions a privacy program or privacy compliance is mandated as a result of a government regulation, or it might also be sectorial regulation: if you work in the health sector, as a result of that, you need to establish a privacy program within the organization, or at least a compliance program with some activities that relate to privacy. This is basically what Walter needs to do: he goes on a tour exploring the organization, trying to understand what's the
context of the organization: what does the organization do, what kind of personal data do they collect, how do they process that personal data? That's the first thing that needs to be done. Then also to establish what role they play when it comes to data protection: are they a controller, a processor, or are they a joint controller? All these things need to be well established and well defined. I also mentioned, at least, to understand the type of personal data that the organization collects, what the organizational needs are and who the stakeholders are. I've mentioned the internal stakeholders and also the external stakeholders: what are their requirements, what's the expectation when
it comes to privacy within the organization. We also need to consider what the applicable laws are. For example, in Canada we obviously have the federal data protection acts, but in separate provinces there are also specific data protection acts or regulations, and even in sectors within each province there are separate data protection regulations, for example, like I said, in the health sector, etc. So you need to determine which ones are applicable to the organization based on what it does, and that's what Walter did. But while he's on this tour, it's also important that Walter tries to get buy-in from the various stakeholders within the organization. So he's not basically
just trying to establish the context of the organization; he's also trying to evaluate the people who lead the organization, whether it's the chief marketing officer who uses that data, or maybe it's the CRO or the security officer. He's trying to understand them and also build relationships with them, and he's also informally pitching a privacy program. Like I said, the organization has some privacy practices, but it's not a program; it's very much ad hoc privacy practices. So he starts, as much as possible, to pitch the privacy program to different people within the organization, especially at the very senior levels, and he uses that to also identify people who are going to support this cause in
terms of establishing the privacy program, expecting that people would listen to him and also support him. There's also the rabbit hole which you can actually get into: there are different kinds of people within the organization, and they can actually push him down the rabbit hole rather than focus on establishing the privacy program. These are basically just some examples. You can have some of the crypto enthusiasts who say, you know, let's just encrypt everything and there's really nothing to worry about; or, yes, anonymize all the data, and when you have anonymized personal data it doesn't come under the scope of data protection, because it's no more personal data;
and also the people within the organization. So what did Walter discover during this tour? He discovered that as a result of the breach there's been a big decline in customer satisfaction and also an erosion of trust: there was a data breach in the organization, and as a result customers no longer trust them. He also noticed that there's been increased awareness driven by the 2018 GDPR. When GDPR came out, everybody just went wild about data protection and privacy; in the various jurisdictions people are coming up with different legislation very, very close to the GDPR, building regulations and also
acts with respect to data protection. So he also discovered that the same applies to the countries where the organization is working, in their various regulations. Walter has been two months in now and has just been going on tours trying to understand the organization, but Alice and Bob are beginning to ask him: we need to see results. This is quite common in organizations: the organization has a privacy program, and the CEO or the chief security officer within the organization is actually asking for answers, especially when there's been a breach. They ask you, what are you doing? And you're still on the tour trying to understand the context of the organization, which is very, very
important to success within the organization. But as a result of this, Walter decides that the next thing he needs to do is not just to jump into action. You need to understand that to build a program, to build a privacy program, you need a framework. There's no need to reinvent the wheel; you have so many frameworks these days which you can rely on. So he begins to ask himself: what framework should I use? That's the next task for Walter, and there are quite a number of them. Another challenge is the sheer number of frameworks, so he begins to ask: what should I
do here? Because there are so many different frameworks depending on the industry, depending on the jurisdiction, and also depending on the context of the organization. Another rabbit hole to be very, very mindful of, which I've seen in some organizations, is they get a tool and decide that it will fix all the problems. It happens in security; it also happens within privacy. So we need to be very, very mindful of that: there's no silver bullet, there's no one single tool that will fix all your privacy woes, the same as in security. So let's be very, very mindful of that. There are frameworks which you can use, best practice standards which you can use, and there are also solutions,
and those solutions need to address specific concerns which your gap assessment has actually identified. One of the things which I did earlier on was an analysis of some of the frameworks, and this is just an example of three of them. There is ISO 27701, which is called the PIMS, the privacy information management system. There is also NIST, which was recently updated with specific privacy controls; it's a very, very helpful document which is quite good. And there's also the EU GDPR, which, as I said, most legislation today is basically just like a,
and I'm sorry to say that, yeah, more like a copy and paste of, some excellent ones. So one of the things that's very, very important for you to know is really what the similarities are between these frameworks and standards, what the differences are, and also how relatable they are to the kind of organization where you find yourself. Some organizations are very small; they don't have all the money in the world, and that might impact the kind of framework which you select within the organization. Some organizations are very global; they have all the money to spend. So implementation cost is important.
Some organizations also like to reflect what they've done with respect to privacy on their brand, so things around certification, for example, are very, very important for the organization: at the end of the day, I want to show I have a certificate that says I have implemented some privacy regulation or privacy program. Those are some of the things to consider when you're selecting a privacy framework or standard. Also important is the timeline for some of these programs, and I've just indicated here that if you're trying to implement NIST or GDPR it's continuous, it's never ending. But for PIMS, for example, within six months
organizations do this from start to finish, where they do an assessment, implement PIMS, and get certified in about six months; for some organizations it's been a year. I've also seen this run in an organization in about three months: a very small organization did the assessment, implemented PIMS and got certified.
So Walter decides he's going to select one of these frameworks. I don't have an answer to which is the best framework; all of them are. So as an organization, as a CPO, decide which is best for your organization, and that's what Walter does: he examines which is best for this organization. The next step really is: what does the privacy program look like? But before he jumps into it, he needs to develop a strategy, which is what Alice and Bob are actually looking out for, like: this is what I intend to do within a year, or maybe three years, as the chief privacy officer, as a privacy professional.
This is basically just a very quick summary of what the strategy is like. He decides that in the first few months, or the first quarter, he's going to go around doing some privacy education and awareness; I call it training, education and awareness. So it's nice to do that. The next big block is basically around starting to implement the privacy program itself, and the last block is really around how to make sure you can continuously update, maintain and improve the privacy program, which is very important. Those are some of the key things which you need to start
thinking about at the program stage. So this is what Walter came up with as a strategy, and also as a response to Alice and Bob asking: you've been here for two months, what are you going to do? He came up with a strategy and also a plan and shared it with them. Let's take a look at one item: the gap assessment and compliance to the selected privacy framework; that's really the core of implementing the privacy program. So for Walter, the next step after submitting that plan to Alice and Bob is really around doing the diagnostic assessment: what's the problem? It's like going to a physician, and you say, you know
what, just give me a drug. The first thing the physician is going to ask is: what's the problem? I'll need to test you. That's the same thing Walter needs to do with the diagnostic assessment. There's been a breach, we have some policies here and there, but I need to understand comprehensively what the full scope of the problems related to privacy is within the organization. So he takes any one of those frameworks and does the gap assessment: these are the requirements of the framework, and this is where we are as an organization, across various layers. Those are some of the areas which I've mentioned here. So for example the IAPP has mentioned some of these
areas: the privacy notice, data discovery and mapping, purpose limitation, individual rights. The Privacy Outlook is one of the beautiful documents by Gartner; it's very, very exhaustive, and those are some of the areas which are mentioned by Gartner as well. And some of the information which I've seen over the internet which relates to GDPR is also trying to constrain GDPR into about ten blocks or categories: strategy, policy, processes, data strategy, transparency, data lifecycle, privacy by design, security, which is really important, and also incident management. So he looks across each one of these domains in the gap assessment for the organization: where
do we stand? And for some of those frameworks there are actual detailed questions, or little questionnaires, with respect to what questions you need to ask.
This is what some of those things require; sorry, I've sort of blocked this out because these are proprietary materials. So after the assessment he submits a beautiful report, which is probably what
I might just pass this.
Sorry, Chris Rock, the only person who was taking the points and still continued to present. So Walter needs to be aware of this: he has a plan, he has a strategy, and he also has a lower-level plan in terms of what the gaps are and also what the recommendations are. So he takes this and begins to work, and the next step really is to work on everything which you have after this page, the action items Walter needs to do in terms of implementing the privacy program. Like I said earlier, the core of a privacy program is really around personal data. So the first step really is around understanding what personal data you
hold within the organization: what's the classification, I think, personal data, sensitive data. The outcome of that, which is mentioned in some of those data protection regulations, the most important outcome from you doing a data mapping or data discovery exercise, is what's called the RoPA, the record of processing activities. The GDPR mentions it, but it's one of the outcomes, or the artifact, from your data analysis or data discovery. So you create a RoPA, which is basically a record of processing activities; it takes a look at all the activities within the organization: what kind of data is
required for those processing activities, or what kind of data is generated as a result of those processing activities, what's the input to the processing activities and also what's the output. You also need to do what is called the data map: how does data flow within the organization? The other thing is also to do the data lifecycle: across the organization, how do you create data, how do you use the data, how is the data stored, what do you share with third parties externally and also what do you share internally. These are some of the key things we need to document as part of the RoPA.
So if a business unit, for example, creates data, you also need to document a map.
So you come up with the lifecycle of the data, and like I said, one of the key outcomes from this is actually mandated in some of the data protection regulations: you need a record of processing activities. The next step, and I'll spend a bit of time on this, is conducting a PIA. Different regulations call this different things; you see it called the DPIA, data privacy impact assessment or data protection impact assessment. The reason why this is key is: you start as a privacy professional now, or the CPO, and the organization is going to continue to operate. They are not going to wait for you to create your plan, your strategy, and follow through your plan or
strategy definition; they will continue to operate as a business organization. Like in the example, they are building products that consumers are going to use, and there are going to be iterations of those products, or probably new products which the organization has created. For each one of those products, we need to do what is called a PIA, the privacy impact assessment, and that's another key step. This is done not only for products; it's also done for projects and also new processes. You basically identify how each of those projects, processes or products actually utilizes data, and also what's the impact to the customers or consumers whose data is going to be used as a result of
that product, process or project. Those are some of the things which are documented within the privacy impact assessment: you give a description of the project, what the goals and time frame are, the personal information or personal data which is going to be used by your product, and you also identify what the risk is. Some of those things are documented there: who will access the data, who is the data being shared with, how do you ensure accuracy of the data, how do you ensure that the data is actually secure. Those are some of the key questions which you need to answer, and for
security professionals like myself, a PIA is basically just a risk assessment, the same way we do risk assessment in security, where you identify the assets, their environment, the vulnerabilities, identify the threats, identify the impact and probability, you identify the risk, then you identify what the controls or recommendations are. It's basically very, very similar; I personally call it a PIA because it's really a risk assessment. The goal of the PIA, just like the goal of the risk assessment, is to find what controls help you mitigate risk. For the PIA, the intent is really to find the controls that help you manage the risk associated to
personal data. We're not talking about information assets here; we are focused on personal data. How do you ensure that the risk to the individuals who own that data is minimized? So you'd also want to have things like your threshold, which is called risk appetite in security, where you want to ensure that for every risk that's identified from the PIA you mitigate it to, really, a medium, based on your risk appetite and your risk acceptance criteria. The reason why I didn't put policy first, which most people will probably do, is that in some organizations the first starting point is really around policy. We would
say develop the policy first, but I feel like it's important for you to understand the kind of data you process before you document your policy. Without that, your policy will not be comprehensive, it will not be rich, or it will not address what the concerns are. And I've put policy and notice here basically to differentiate two different things; I'm sure privacy professionals also get the joke: it's not called the privacy policy, it's called the privacy notice. It is an external-facing document, and the internal document is called the privacy policy. So for all those things you see on websites, privacy personnel should say no, don't call it a policy, call it a privacy notice, because really the intent of it
is to provide a fair information processing notice to the customers, to tell them how you are going to use their data and how you're going to protect it. You are not really enforcing anything on them, which is what a policy is about: policies are statements of top management intent and direction, enforced on people within the organization. You can't enforce anything on your customers, because you are basically using their personal data, so it's your obligation to tell them how you're going to use their data, how you're going to protect it and how you're going to secure it. So the external-facing document is called the privacy notice, and the internal document is the privacy policy.
The other thing that goes into that, like I said, is understanding the data you process first, before you create your policy and your privacy notice. The other aspect of this is a cookie policy or cookie notice, which is also always documented as part of your website, and for the cookie notice you need to explain what cookies are actually embedded on your website. So if you don't understand what cookies you use, how are you going to create the notice? And a tip which is not documented here: there's a beautiful website called Webbkoll by Dataskydd; it basically analyzes your website and tells you what cookies are
actually running on your website. And for privacy notices, the best option out there is what's called the Xero privacy notice; it's the best-written and most beautiful privacy notice which I've actually seen, and it's open source, so you can actually go and download it and use it for your organization. So: the Xero privacy notice, and also Webbkoll by Dataskydd for analyzing some information on your website, and you could also use Cookiepedia, which tells you what those cookies are and what they do. So you have the identified cookies, and all that information goes into your privacy policy, sorry, your privacy notice, and also your cookie policy. If you have third parties, then you
also need to begin to worry about agreements with those third parties, which are also mandated by regulations: standard contractual clauses, BCRs and all other agreements. That's the next step you need to do: you go to the legal guys and say, you know what, this must have been done as part of the gap assessment, let me see the agreements, do they cover our privacy requirements? There are resources out there today; the EU GDPR, or the European Commission on europa.eu, has standard contractual clauses which you can actually download and send to the legal team, and you can incorporate some of the privacy requirements or privacy clauses into your legal contracts, especially those that
involve controller and processor relationships. The other thing to worry about is adequacy decisions: in some jurisdictions you can't send data to some other countries, or you have to localize data, you can't send sensitive data out of the country. Those are some of the things which you need to worry about. But you cannot do all these things unless you know what data you hold as an organization, which is very, very important. For the consent question, there's a YouTube video called "Tea and Consent"; it's a very, very beautiful video that tells you what consent means. It's on YouTube. But what I've seen, and also part of my
reading, and I thank God for this, is that we are beginning to move into, or the idea right now is that we're moving into, what is called privacy self-service. What that means really is giving control back to the users, so that they can self-serve when it comes to data protection and privacy. In that sense the user is not sending you a subject access request; they can go to your website and self-serve and say, you know what, I want to see all the data you have about me.
Rather than you sending it to them, why don't you give that power back to the user? It reduces operational costs and also reduces the turnaround time mandated by regulations where you need to respond to a DSAR request. These are data subject access requests, where the user sends an email to you and says, I want to know all the data you have about me, and you have to actually comply and provide that information according to those regulations. Privacy self-service: so today when you go to those websites it will tell you what kind of cookies you want to enable, strictly necessary and all these other names; those are parts of the
idea behind privacy self-service, and also some technicalities around what consent means. Then you work with your team, because across business functions people are collecting personal data: HR collects personal data for employees, marketing collects personal data for customers, the call center, for a fintech organization, where people are calling you, leaving their card information with their names, and they also record that data. You need to understand how those things are being managed, and you can't do it by yourself, so you need to work with the various team members to understand the data and also the processes within those various teams, and how they are used to continue to manage data and also how to
process the data.
You have policies in place, you do regular awareness, people understand the importance of security and protecting personal data, but where they have doubts they say, let's ask the privacy officer. That's really what success means. There are some other things which you need to do as a privacy officer: data protection by design and by default. Some of these things you need to embed into established processes. So for organizations today, especially IT organizations, they have things like threat modelling, which was just being talked about in the last session; they do threat modelling today as part of security best practice when they build new processes or new products. You can actually add
some of your privacy assessment tools into that threat modelling exercise. I'll give an example: within the last organization I worked with, before we released a new feature we did the threat modelling, which is basically focused on security, but we also started doing the data protection impact assessment for each one of those products, or for each one of those features. It was just a single process; it wasn't split into security and privacy, just a single process where you do the DPIA and also the threat model and risk assessment before releasing a new feature or new product. That is, for some of these controls, ensuring that you embed security into the design of a new
feature, new process or new product, and also to ensure that by default you are not collecting personal data which you don't need. All these things are actually much more detailed when you look at the reference materials. A quick explanation as we get on to the controls which you need to put in place when it comes to personal data: I've talked about anonymization there, which, like I said, is totally anonymizing the data, and when you anonymize the data it becomes non-personal data; it's no longer covered by the data protection regulation.
The reason why I'm pointing it out here is that people make the mistake of pseudonymizing and selling it as anonymizing the data. Both terms are actually mentioned in the GDPR and also some data protection regulations. One is anonymized data: truly anonymized, there's really nothing to worry about, because you've de-identified the data; people cannot pick out an individual with what's left of that data. So for example, take my name; if I anonymize that completely and call myself X, it's only an X somewhere, which really doesn't make any sense to anybody. But if I say only part of it, someone can still sort of infer
that, yeah, maybe that's my name. So they are two different things, anonymization and pseudonymization. Most data protection regulations also talk about encryption, which is quite different from anonymization and pseudonymization. I'm going to talk about that in the next few slides, and this is what encryption is really all about: whether you're using PKI, where you have asymmetric encryption, or using symmetric encryption, you're using just a single key to encrypt and decrypt, or using two different sets of keys to encrypt and decrypt, and you also have tokenization. A funny example happened in one of the organizations I have worked with: we outsourced some processes to a third
party, and the third party was breached; their database was compromised. The first question we asked them was, look, the database that was breached: fortunately, they said, it's all encrypted, no problem, no one's worried. Where are the encryption keys? That's the next question. Well, the encryption keys were also compromised. If that happens then there's really no limit; encryption makes no sense anymore, because the guys who breached the organization also have the encryption keys. So those are the kinds of questions you also want to ask when it comes to encryption. So when there's a breach, don't just hear "oh, it's all encrypted data" and stop there; go to the next step: where are the keys?
A friend of mine used to say this, all right: every security incident is not going to be a data breach, and also a breach is not always a data breach, right? So "breach" means different things; it's always good to put it in scope. You could have a breach on the network and there's no data involved, no data was lost, all right? So we also need to put things in context. An immediate example is the media. The media is very, very important, and possibly all you hear in the media is "there has been a breach," and everybody just starts worrying, "oh, my data is out there," but maybe it's not a data exposure, all right? Maybe no data has been exfiltrated, or maybe the data was lost, right, or maybe it's encrypted data without the keys, right?
One of the key principles of data protection, and I'll spend some time on this, is around accountability, right, and that's the essence of the privacy program by itself, right? Today organizations cannot do without personal data. If that's the scenario, then they need to be accountable, and being accountable really is around ensuring that you have a privacy program. And I say to people: if there's no data, there can be no breach; but if you collect data, you need to ensure that you actually protect that data yourself. That's what accountability means as an organization and also as a privacy professional.
I'm wrapping up real quick. I think that a privacy or data protection presentation can never be complete without talking about some of the principles of data protection, and there are key principles which you need to embed at every phase within your privacy program or within the life cycle of your beautiful products. The first one: lawfulness, fairness and transparency. And really, that is what has been preached in every religion today, right: treat your neighbor just like you treat yourself, and that's what lawfulness, fairness and transparency means. Lawfulness basically means that "lawful" is not the same as "legal"; you have a lawful basis to actually process the data, and legal is just one of those lawful bases; there can be other lawful bases for you to process that data, right? Purpose limitation: ensuring that the reason why you've collected the data is the reason you are using the data for, right? So the guys in IT collect employees' data, right, when you start at an organization, right; they sort of collect some of the real data, and it's used to create your Active Directory accounts or your identity and access management information.
We wanted to conduct a survey, so your survey is not conducted inside the organization; it's conducted by a third party. We decided that the third party needs everybody's first name, last name and also email address. It was a difficult case, right? We asked ourselves privacy questions, right: are employees okay with this, in terms of us sharing their data with a third party: name, first name, email address and some other sensitive information? When we were collecting that data initially, we said the data is for setting up user accounts; now we're using that data for something else, right? So we need to think about some of these conversations. We ended up doing that, but we didn't share out email addresses.
Data minimization: don't collect data which you don't need, right? A good example of that is most websites today, which ask people for information, right; maybe we just need your age range, for example: between 20 and 25, or between 18 and 20. So that's really what data minimization means, and the reason why data minimization is very, very important is that it sort of reduces the extent of data which you hold; it reduces the data at risk, and it also reduces the amount of storage which you need to provision. From a compliance standpoint, you also need to worry about accuracy: keeping the data up to date as much as possible. Storage limitation, I talked about that earlier on: limiting the storage of the data; when data is no longer required, just delete it; there's no point in keeping it. Integrity and confidentiality: like I said, security is key when it comes to privacy and data protection. All the controls we talked about today are really a result of that principle when it comes to data protection, integrity and confidentiality, and that is why as a privacy professional you absolutely need your information security professionals. You cannot protect the data alone; you need the security professionals to advise you on how best to actually protect the data, right? So all these controls I mentioned, data minimization, pseudonymization, encryption: you are not going to be the one doing them as a privacy person; you need the advice of your information security team on how best to actually protect the data, to store the data, and also things around granting access to the data, which is why privacy and security go very, very much hand in hand, right? And lastly, I think I talked about accountability.
Some of the other things which you need to do, or what you need to worry about, as Walter, as privacy officer: key processes around data subject requests, right, data subject access requests. People would write to you and say, "what data do you hold about me?", right; you need a process to actually respond to that, right, which leads on to vendor onboarding. Don't forget to do your PIA for those vendors too, right, your privacy impact assessment, because you are going to be sharing data with them, so you need to understand what their process is when it comes to data and, you know, how they protect the data. When a breach happens, I said, not if, when a breach happens, you need to also ensure you have processes in place to respond to that breach.
Training, education and awareness: just like you take a cup of tea every morning, or maybe coffee, make sure that regularly you also have privacy education and awareness. You need to respond to what the regulator requires, for registration, and know your community, and ensure that you measure the success of your privacy program as much as possible, and that's the only way you'll know whether you're actually improving the privacy program. Regulations and standards: you need to track them and also, at some point, decide which ones to meet. So I've talked about tools all through, right, but lastly, talking about tools: I'm a big believer in starting small, a small number of processes, then automate, and you're ready to scale; also some guidance, and the last one is: just do this, right, on a regular basis.
Potentially, the privacy officer: it really is around how can I help people. People come to you with questions about new products, new processes, new features, and your day-to-day, other than everything which I've mentioned, is around providing advisory, guidance and also support when it comes to data protection, and that's really what your day is. To summarize, let me give you at least five things. Data protection is about people; keep it human as much as possible. Personal data is not the new oil; you hear it all the time, right: oil is exploited; you dig out the oil and get some materials from it. Don't think about personal data like that, right, because that would mean exploiting humans, which is not a very good thing; it doesn't sound right, right? I think that's something very, very important: keep it human, and also try to protect the people whose personal data you hold. Always remember the seven core principles, right: accountability and also the lawfulness rules; putting security controls in place, that's what's called appropriate technical measures; and also, as much as possible, be an enabler and collaborate with everybody. And if there are any questions after this, I don't have answers to them, because the answer is: data protection really starts with defense. Thank you very much, guys.
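As an added example, not code from the talk or from the speaker's organization, the following Python sketch applies the talk's employee-survey case to the distinction it draws between anonymization, pseudonymization and encryption keys: the vendor gets age ranges and keyed pseudonyms instead of names and e-mails, only the key holder can relink responses, and a pre-release check refuses a package that ships the key alongside the data (the "where are the keys?" question). The records, field names and key are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

DIRECT_IDENTIFIERS = {"first_name", "last_name", "email"}

# Constructed sample records (fictitious people), standing in for the employee
# data the talk describes being shared with an external survey vendor.
EMPLOYEES: List[Dict[str, str]] = [
    {"first_name": "Ada", "last_name": "Okafor", "email": "ada.okafor@example.com", "age": "23", "dept": "IT"},
    {"first_name": "Bisi", "last_name": "Adeyemi", "email": "bisi.adeyemi@example.com", "age": "41", "dept": "Finance"},
]

def age_bracket(age: int) -> str:
    """Data minimization: the survey needs an age range, not the exact age."""
    for upper, label in ((17, "under 18"), (20, "18-20"), (25, "21-25"), (35, "26-35")):
        if age <= upper:
            return label
    return "36+"

def pseudonym(secret_key: bytes, email: str) -> str:
    """Keyed hash of the identifier; only whoever holds the key can recompute it."""
    return hmac.new(secret_key, email.lower().encode(), hashlib.sha256).hexdigest()

def pseudonymize(records: List[Dict[str, str]], secret_key: bytes) -> List[Dict[str, str]]:
    """Vendor copy: no names or e-mails, but still re-linkable by the key holder."""
    return [{"id": pseudonym(secret_key, r["email"]), "age_range": age_bracket(int(r["age"])),
             "dept": r["dept"]} for r in records]

def anonymize(records: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """No identifier and no key: nothing left to relink with, even inside the organization."""
    return [{"age_range": age_bracket(int(r["age"])), "dept": r["dept"]} for r in records]

def relink(secret_key: bytes, token: str, records: List[Dict[str, str]]) -> Optional[Dict[str, str]]:
    """Controller-side step: which employee does a pseudonymous survey response belong to?"""
    for r in records:
        if hmac.compare_digest(pseudonym(secret_key, r["email"]), token):
            return r
    return None

def release_problems(package: dict) -> List[str]:
    """Pre-release checks: no direct identifiers, and no key shipped with the data ('where are the keys?')."""
    problems = []
    leaked = set().union(*package["rows"]) & DIRECT_IDENTIFIERS
    if leaked:
        problems.append("direct identifiers present: " + ",".join(sorted(leaked)))
    if "secret_key" in package:
        problems.append("pseudonymization key shipped alongside the data")
    return problems
```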