Hi and welcome back to the next section. My name's Ralph O'Brien, and we're going to continue with the CIPM now by looking at key frameworks, key principles and key standards: ways you might want to base the privacy program upon. And there are a great number of these. The world has sort of exploded with frameworks over the last few years, so there's plenty to look at and review here.

So why frameworks, first of all? Well, at the end of the day, they're going to provide you with a program structure. And I want to separate this from policy, from procedure, from other things you might be doing, because the frameworks provide you with exactly that: the framework, the roadmap, if you like, of what that program structure is going to look like. So creating policies and procedures is going to be one step in that framework. Equally, so will training, so will establishing roles and responsibilities, so will measuring and monitoring what you're doing. The idea of these frameworks is not so much that they represent the law, but more that they're going to provide you with a map, a sort of step-by-step approach to creating your privacy program as part of the organization.

And there are a number of them, a real number of them. To just talk about a few of them here, going back in time, you should be aware of some of these frameworks. So we could start by looking at the FIPs, the US Fair Information Practices. We could go back to 1980, when we had the OECD guidelines on cross-border data transfer. That's where we get all the privacy principles, actually, that we use in nearly every privacy law today, and it actually inspired the Council of Europe's Convention 108. So the OECD guidelines: you should really be familiar with that document. It predates nearly every privacy law, and it's inspired them all.
You should be familiar with things like the GAPP, the Generally Accepted Privacy Principles, and the Canadian Standards Association Privacy Code. Things like APEC, that's the Asia-Pacific Economic Cooperation Privacy Framework, which looks at data transfers around the Pacific Rim. ETSI, which is a European institute, looks at standards around IT, very similar to some of the US NIST work, for example. In fact, NIST, the National Institute of Standards and Technology in the US, they too have a huge number of standards out there that relate to privacy.

But I want to focus a little on ISO standards, because we've talked quite a lot about the management system model, that plan, do, check, act model. And ISO standards we've seen increasingly being used in the market at the moment to provide assurance in the supply chain. It's not necessarily that they're looking for you to comply with the law here. It's that one vendor will say to another, show us a badge, show us a badge that you have achieved a certain level. ISO 27001 is sort of an information security management system: not privacy, but security. In America, we start to see SOC 1 and SOC 2 used quite a lot, but in the rest of the world it seems that ISO 27001 is the prevalent management system. It doesn't necessarily tell you that you've actually got good security. What an ISO standard tells you is that you've got the building blocks to run a security management system, again using that plan, do, check, act methodology. So you plan by doing your risk assessment to work out what your security risk is. You do your do phase by implementing security controls. You do your check phase by measuring and monitoring, looking at the documentation and the training and the implementation of all those controls. And the act phase is to improve those controls. So it provides you with some understanding that the organization has been formally assessed, that they have invested in security management.
And actually, I'm privileged to sit on the committee that writes the 27001 security standard. And very recently, we've now got 27701. It's almost like an add-on to the security standard that extends it to look at personal information as well as just information security. And we've mapped that to the GDPR and other legal requirements as well. So you can actually get badged for these as well.

So how does that badging work? Well, it's a process called accredited certification. And bear in mind, it's incredibly important that when you actually see a badge or a certificate, it's almost a case of who watches the watchers. It's enough for an organization to be certified. But I could give you a badge, I could give you a certification. Ralph O'Brien says that you're good at this, great. But who watches me? Who gives that any weight? Who makes sure that I haven't let you get away with murder? So what accredited certification is about is, a, internationally achieving a framework whereby the standards are similar, and b, making sure that there's some weight behind that certification name that you get.

So generally speaking, it's down to national governments. A national government, and this is the UK government, for example, will authorize a national accreditation body. In the UK this is UKAS. In America, it's ANAB, the American National Accreditation Board, for example. And they then watch, or accredit, a number of certification bodies. Here are just some examples: LRQA, BSI. There's a whole raft of certification bodies out there. And it's those certification bodies that will carry out the audit and inspection of your organization and give you the certificate. And in turn, they'll be audited by the national body, the accreditation body. So even though it's your organization that's the target of the certification, you're given a badge by the certification body.
They're, in turn, given their own badge and sampled by the accreditation body to check they're doing their job properly. And in fact, all those national bodies, all those accreditation bodies, have signed what they call a memorandum of understanding to recognize each other's accreditations. Therefore UKAS and ANAB in America, for example, will recognize each other's certificates, meaning that they are truly international standards.

There are a huge number of these frameworks, a real myriad of assessment templates and frameworks. And in fact, every vendor, every organization out there has created their own. But you have to be really careful with these, because different vendors do things in different ways. And over time, I've found that there are a number of tips, or things to look for. Again, we're trying to get away from a legal compliance methodology here. We want to apply a privacy framework that applies no matter what the law is.

So watch out for things that give you binary yes/no answers. That's not what we're actually looking for here, because at the end of the day we're looking for that continual improvement model. So yes or no: if you take yes, that doesn't actually encourage you to improve. What does a yes really mean? To give you an example on a principle-based standard, let's take the GDPR. The GDPR has got a principle that says don't keep any personal data longer than is necessary for the purpose. Now, I don't think there's an organization out there that can claim it hasn't got any personal data that's been kept longer than necessary for the purpose. Can you honestly claim that in every desk drawer, in everybody's IT systems and on everyone's personal drive, there isn't any? You may well have set up a retention policy. You may well have secure disposal.
You may well be getting rid of things, but can you really say yes to the statement that we've got no data kept longer than is necessary for the purpose? Of course you can't. No organization complies. Therefore, I tend to like those sorts of standards and frameworks that look at a maturity scale: those things that, instead of saying yes or no, give you some sort of level of maturity that you can try to achieve for those processes. So concentrate on things that don't just say yes or no, you comply, but things that encourage that continual improvement process.

And you're not going to fix everything. You can't fix everything in year one. There's no way you can turn around to your management in year one of the privacy program and say we've got it all sorted, we comply with the law everywhere. All you can really do is manage your risk. So be careful of ones that give you those false promises, and look for ones that give you that more risk-based way of saying we're sort of good here, we could be better here. And then set realistic expectations on that. When you're actually taking your framework to your management group, you're going to have to tell them this won't all be done in three months. There might be things that take six, seven, eight, nine, ten years to sort out, as previous systems that you bought that are non-compliant get phased out and new systems get phased in. So you'll have to accept some risk and set realistic expectations when you're defining your program framework.

And the most important thing on that is to get buy-in from management. We've talked a lot already about mobilizing your stakeholders, but management have got to understand it's not a six-month project after which everything is done. This is something they're going to live with, that they've got to invest in. This management process has got to live within the organization for a number of years.
So be aware that this framework is something that's got to adapt and grow. And if you can, use existing structures. Don't reinvent the wheel. What I mean by that is, if you've already got a risk assessment framework within the organization, why would you introduce a new one? If you've already got a meeting with the right stakeholders in it, or a governance group, or an audit committee, don't create a new one just for privacy. At the end of the day, we're trying to fit this into the way the organization works, not create a rod for our own back. No one likes to turn up to a new meeting. No one likes to have a duplicate of something in their organization. So really, the way privacy and data protection works, I find, is by fitting in with the rest of the organization, inserting itself into what the rest of the organization does, as opposed to trying to create new structures.

Now, we've talked a lot about this plan, do, check, act. So here are a couple of examples of frameworks. I've shown this one before, actually. This one is my own personal one, where we've got to split the organization into a strategic and a tactical way of looking at things. We've got these strategic things coming in from the top. And actually, in the framework that I used, each of these arrows contains seven or eight processes, actually more like an average of five, because there were about 50 in all. And then what I do is score those 50 processes one to five, or in fact nought to five, with nought for not applicable. So then you get these 50 nought-to-five scores, and you can generate not only where you are, but where you want to be, in order to define that maturity process. And secondly, of course, we've got business units as well, that we can then apply those management frameworks to, and understand the maturity and the compliance needs of each one of those business processes.

Interestingly enough, I've also seen people try to use the law as a framework. Now, this is fine. The law is good.
This is an example of the GDPR, where you've gone through each article, looked at the status, and come up with some notes. So for example, here, Article 25, design and default: partial. Why? Because the privacy by design process needs updating. Or Article 8 is not relevant to us because we don't have children's data. This is great, but what the GDPR won't do, using it as a framework, is tell you: have I trained my staff? Have I written policies and procedures? Have I done audits? Have I done a management review? So actually, sometimes the law comes up short. The law, whilst it is very good at giving you requirements, doesn't give you the management system, doesn't give you the process around it. So whilst the law can be used as a framework, actually, most organizations are going to be subject to multiple laws and multiple jurisdictions. And whilst we certainly want to comply with the law, a privacy management framework should be a bit wider.

Here's an example from a vendor. This is the vendor TrustArc-Nymity. Other vendors are available, but a lot of people use the Nymity accountability framework, so I thought I'd mention it. So what TrustArc and Nymity have done is they've got these build, implement, demonstrate pillars, almost like your plan, do, check, act. Your build is your plan, your implement is your do, and your demonstrate, I suppose, is your check and your act: your monitoring, assurance and improvement. So what you've got here is they've split it down into a number of categories. Build: governance structure, risk assessment, resources, policies, processes and training. Implement, which is the actual things you're going to be doing: this is the principles, your retention, your disposal, your disclosure, your legal basis or choice and consent, rights, security, transparency. And then demonstrate, how you show that: either by reporting, certification, monitoring and assurance.
And this goes down to a number of different levels. So underneath these high-level headings, you get the next level down. And I don't expect you to read this slide whatsoever, but it just shows that each one of these headings has got a number of things to do underneath it. And they've even subdivided it further. So within each of these you can always tick off your list of things to do in privacy. So I recommend getting hold of one of these frameworks and using it to build your privacy program.

Well, this is perhaps one of the most important sessions we do here. Even though this is the IAPP course to pass the CIPM, you're not going to be tested on specific programs. You're still going to have to understand the difference between a privacy framework, sort of your guide, your roadmap, and the other things within that framework, like your policies, your procedures, your training, things that we're going to be doing a little bit later on.

So thank you very much for attending this session. The next session we're going to look at is laws and regulations. So whilst it's going to be impossible for us to cover all 146 global privacy laws, it's worthwhile just doing a quick skip over some of the top laws and the differences between them across the globe. And I look forward to seeing you in the next session.