
Data Privacy Management - Service Setup and Alignment with Governance

Data Privacy
Most organizations have grown inorganically over the past few years through mergers and acquisitions in which planning for data lacked focus. Moreover, there is often no account of the growing volume of private information that is, or was, collected from customers, employees and third parties.

Most of this personal information is exposed to threats such as malicious theft, accidental disclosure, inappropriate usage and non-compliance with regulations. This is increasingly a concern to regulators and organizations alike. One outcome of the current privacy environment is the General Data Protection Regulation (GDPR) in the EU, which reflects individuals' expectation that organizations respect their privacy.

Regulations are evolving, and organizations with global operations should adopt, globally, the most stringent regulatory requirements of any one region, so that compliance in that region serves as preparedness for the others.
Protecting an organization's reputation is the most significant risk management challenge today. Reputational risk is regarded as the greatest threat to a company's commercial value: negative publicity about an institution can cause a decline in its customer base, reduce revenue and lead to costly litigation.

Most privacy challenges can be addressed by the Data Management and Governance divisions together with the risk management functions. Privacy is defined in the Generally Accepted Privacy Principles as “the rights and obligations of individuals and organizations with respect to the collection, use, retention, disclosure, and disposal of personal information”. Personal information can be a name, an email address, a government identification number or a tax return, to name a few. Let us look at integrating Data Management and Governance end to end with the ten Generally Accepted Privacy Principles.

The organization defines, documents, communicates, and assigns accountability for its privacy policies and procedures.

Manage Privacy Policy
Organizations create a data privacy policy to enforce compliance with mandatory regulatory, internal, best-practice, legal and ethical requirements, and to manage risk. These requirements are embedded in the policy and privacy statements to give personnel guidance on their accountabilities and responsibilities when carrying out any activity that involves private or confidential information. This keeps operational risk aligned with the organization's risk appetite and tolerance levels. The privacy statements also state the need for capturing private information, together with the rights that customers have in relation to it. The guidance is further supported by procedures and guidelines.

Strategy and Requirements for Data Privacy and Security Management
The Data Management Strategy must be developed, or updated, to include Data Privacy Management aspects, and both the Data Management Strategy and Data Privacy Management must be aligned with organizational objectives. The strategy should also describe the target operating structure and organizational structure for Data Privacy and Security Management.

Formally establish Governance oversight
Roles and responsibilities are defined, communicated and enabled. The data governance division takes responsibility for drafting policy, having it reviewed, and publishing and communicating it to the grassroots of the enterprise. Policy and standards are reviewed and approved by the risk function, senior executive governing bodies and governing councils.

Classification Standards
Working groups are commissioned by Data Management to draft and publish standards for classifying data with respect to privacy and confidentiality.

Operational risk planning
An operational risk governance structure and its processes are in place and operational. Every year the second line of defense commissions a risk assessment, using the Risk Control Self-Assessment procedures, to identify new risks and to understand the impact and frequency of events, including their risk scores. Information from historical loss events is considered when choosing response options. The response options include procedures to record the event, assess its impact, escalate, notify responsible internal and external parties, commission root cause analysis and change the control environment. Awareness is raised through a communication strategy and learning programs to strengthen the first line of defense across the enterprise. In-flight risks are recorded by the first line of defense and taken through risk governance, risk analysis, response and closure.

The organization provides notice about its privacy policies and procedures and identifies the purposes for which personal information is collected, used, retained, and disclosed. The privacy notice describes:

  1. The personal information collected
  2. The purpose for which it will be used
  3. An indication of any legal requirement for collection
  4. The consequences of declining to provide personal information
  5. Whether the information will be disclosed, under what scenarios and to which parties
  6. The retention, security, quality and monitoring aspects
  7. The entities, geographies, jurisdictions, types and sources of information

Governance Oversight
Oversight is exercised by evaluating the notices provided to customers and employees, along with the completeness and currency of the “dates of consent” obtained from those parties. The Data Privacy and Security Management division follows escalation and notification procedures in case of incomplete or inconsistent notices.

Choice and Consent
The organization describes the choices available to the individual and obtains implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
Individuals' choices must be captured accurately and carried consistently wherever consent, opt-ins and opt-outs flow along the data lifecycle. The data domain and datasets associated with customer preferences, the processes or functions for which the customer opted in or out, last-updated dates and other related data elements must be actively managed.
Data Privacy Management ensures that the policy and procedures capture the receipt of the customer's consent whenever private information is used for a new purpose.

The organization collects personal information only for the purposes identified in the notice.
Data Privacy Management must ensure that the privacy policies are aligned with regulators across jurisdictions. This requires cross-organizational enterprise data governance to be aligned with the Compliance and Legal functions so that the organization is registered with the relevant regulatory bodies.
Collecting data from a customer corresponds to the Obtain phase of the POSMAD information life cycle, in which data is obtained from the customer. The organization might acquire financial, tax and demographic information, for example. The data obtained must be well defined in the metadata repositories to remove ambiguity about the purpose it is applied to.

When data about a customer is acquired from third parties, the Data Governance function should oversee the procedures for establishing the engagement, communicating, and recording agreements on data quality and data transfer. Data Privacy Management should ensure that not only the data acquired from the customer but also derived data, such as customer purchasing behavior, is adequately classified for risk and managed in accordance with policy and guidelines. The division should also record in the metadata repository the processes or functions in which each data element is acquired, together with the systems and people acquiring it. This simplifies the data landscape within the scope of privacy.

Use, Retention and Disposal

The organization limits the use of personal information to the purposes identified in the notice and for which the individual has provided implicit or explicit consent.
The organization retains personal information for only as long as necessary to fulfill the stated purposes or as required by law or regulations, and thereafter appropriately disposes of such information. The Data Privacy and Security division should define an adequate framework for defining entitlements.
