
The Privacy Advisor | Monitoring Your Privacy Program: Part Five


This series has focused on best practices and recommendations from industry leaders on how to best monitor your privacy program. Organizations large and small and across industries face the challenge of determining what to monitor, how to monitor it and how to share the results of that monitoring to tell a story about compliance within the organization and its privacy program.

This chapter focuses on the telecom industry and draws advice from Maureen Cooney, CIPP/US, CIPP/G, head of privacy at Sprint Corporation. Prior to joining Sprint in 2010, Cooney served as chief privacy officer and vice president for public policy for TRUSTe, a third-party privacy certification firm and trust agent. She also served private sector clients as a consultant with The Federal Group and practiced law with the firm of Hunton & Williams, where she was recognized as among the Top 25 Privacy Advisors of 2007 in a survey of Fortune-ranked companies by Computerworld Magazine. She was also called a "leader in the field of privacy law" by Chambers USA in 2008.

The Privacy Advisor: Why is developing a monitoring program important?

Cooney: The most important reason to monitor an organization’s privacy policies and practices, whether in developing and rolling out products and services, in marketing to consumers, sharing data with vendors or partners or in maintaining internal management tools and practices, is to make sure these efforts are consistent with enterprise values toward respecting customers and protecting customer data. A privacy program that incorporates monitoring can help privacy staff and other accountable executives understand the privacy landscape and better assess the organization’s risk and accountability profile.   

By example, highly regulated sectors, such as the telecom industry and others in the wireless ecosystem, need to stay up-to-date on federal, state and international privacy laws that are specific to our industry as well as accepted and emerging best practices in self-regulation. Clear policies, internal methods and procedures, IT architectures that reflect privacy requirements and contract provisions can assist compliance efforts. Assessing those protections and keeping track of privacy activities and counseling helps with an ongoing, iterative process of improvement. 

The Privacy Advisor: How should people determine what to monitor?

Cooney: It is important to target monitoring, as a first priority, at the areas in which your sector is specifically regulated.

By example, in the telecom space, carriers are required by U.S. federal and state laws to protect not only personally identifiable information (PII) and personal health information (PHI) in particular circumstances but also customer proprietary network information (CPNI), which is data about the use of telecom services, including call detail records. In addition to PII breach notification requirements, there are specialized breach notification requirements around CPNI, even for unsubstantiated possible CPNI breaches. We have particular rules to follow regarding the use of consumer data for marketing purposes under the Telephone Consumer Privacy Protection Act (TCPA). In the mobile advertising area, Sprint was an early adopter of the Digital Advertising Alliance’s self-regulatory principles, as well as the first telecom to develop an opt-in-only targeted mobile advertising program for our customers. And carriers follow the wireless industry CTIA Guidelines and Best Practices on Location Data Services.  

So sector- or activity-specific law, self-regulation and internal policy, by example, are generally areas that should be prioritized. Other privacy issues may be monitored based upon enterprise risk and development goals. 

The Privacy Advisor: How should they document their monitoring programs and the results of any monitoring that they are performing?

Cooney: Privacy issues can be diverse and may differ in complexity, so monitoring your program efforts can be documented using different processes.

  • In some instances, mechanized documentation and reporting that may result in data access limitations based upon the monitoring results is helpful.  
  • In other areas, an online digital spreadsheet shared by a group may be reasonable.  
  • Formal written questions and answers, along with executive certifications across business units can provide a record of compliance monitoring that may be relied upon by decision-makers and for regulatory filings. 
  • Internal committees may review certain privacy activities and have their own record-keeping processes demonstrating a privacy and data security review, i.e., vendor reviews, changes in major IT systems collecting or holding PII, PHI, CPNI or other sensitive data, other regulated issues. These may, as needed, also include reports summarizing findings shared with business units and senior management.    
  • Vendor tools or manual record-keeping can assist in monitoring data breach incidents and, over a time horizon, catalogue changes in types of breach incidents, their size, causes and mitigation efforts, as well as progress with training, fraud management or security protocols to prevent breaches.
  • Tracking privacy activity by the privacy team and its partners, and periodic reporting to inform senior management, assists in demonstrating privacy as a value-add for innovation in consumer product and services rollouts. 

The Privacy Advisor: What are three key tips that you would give to someone developing a monitoring program?

Cooney: 

  • Just begin—perfection is not the goal; progress is the goal.  
  • Recruit and support key partnerships in the business to assist with monitoring and raising privacy and data security awareness.
  • Look for teachable moments, including thanking colleagues for their efforts while encouraging continued progress.

The Privacy Advisor: What are pitfalls to watch out for and how should those be addressed?

Cooney: Business-friendly processes are always more likely to succeed. So monitoring may include some trial and error in seeing what is possible, affordable and tolerable; be open to adjusting. Sensitive factual circumstances and legal compliance often should be reviewed while preserving attorney-client privilege and work product privilege, so be sure to engage appropriate legal counsel.      

In Summary

Cooney raises several key points that apply across all industries.

Start with a focus on what is required by law, policy or contract, then extend the program to high-risk areas and to items related to the organization's development goals. Developing and implementing a monitoring program puts you on the right track, and you can then mature the program over time. The point of a monitoring program is to find issues and address them. Do not expect perfection at the beginning; work toward it over time. Always seek legal guidance, and use attorney-client privilege and work product privilege to keep certain communications between attorney and client confidential.

Use these helpful tips to drive your program to compliance and to uncover issues before they become larger problems. 
