As organizations analyze how best to monitor their privacy programs, we are examining the ways that top leaders across industries implement monitoring. This series takes a look at monitoring programs in the healthcare, IT, finance, government and telecom industries. In this edition, Zoe Strickland, CIPP/G, CIPP/US, CIPT, managing director and global chief privacy officer (CPO) at JPMorgan Chase, gives her perspective on monitoring from the financial industry.
Strickland has many years of experience as a leader in the privacy realm and previously served as CPO for UnitedHealth Group and for Walmart prior to moving to JPMorgan Chase. While Strickland speaks below about the financial industry specifically, her advice could easily apply across industries.
The Privacy Advisor: Why is developing a monitoring program important?
Strickland: As financial institutions expand the scope, complexity and global nature of their business activities, privacy programs are increasingly expected to deliver more service to an organization. The program should provide governance for managing privacy risks throughout the life cycle of data, whether the data is managed internally or externally. It’s difficult to respond to the question about “What keeps you up at night?” or, better, “How do you sleep at night?” without building monitoring functions into your program. Although a privacy program can be located in different parts of an organization and its function may vary to meet the organization’s culture, the basic parameters are the same. The program should focus on:
- Driving accountability through functional roles, oversight forums and escalation channels;
- Identifying and assessing applicable laws and regulations; developing and administering policies and standards;
- Creating controls/procedures to mitigate privacy risks;
- Embedding privacy in the design of new products, services, processes and technologies;
- Participating in or driving risk assessments;
- Overseeing privacy tests/reviews, and
- Raising awareness through various mechanisms such as training and education.
Monitoring is typically considered as related to testing of existing processes to see how well they work but, frankly, is relevant to all the above activities. The good news is that you can often find sister functions in your organization that can help as you consider how to best integrate monitoring into your program.
The Privacy Advisor: How should people determine what to monitor?
Strickland: This deserves as much attention as the need to scope monitoring into your overall program design. We all know privacy can be a 24-7 operation, and an effective program needs to deploy resources effectively. At its heart, a privacy program must consider how the organization properly collects, uses, safeguards and discloses information. Financial institutions should implement a risk assessment process, or processes, to assist in identifying and addressing privacy risks. From there, a program can evaluate what needs to be monitored, what is the most effective path to doing so and who should conduct the monitoring. It may not be the same approach depending on the type and size of risk. Even without a full risk assessment, privacy experts know where risks lie. Consider building out monitoring in those areas.
The Privacy Advisor: How should they document their monitoring program and the results of any monitoring that they are performing?
Strickland: Monitoring programs and results should be documented in official repositories, provided to appropriate leadership for review/approval and tracked to completion for action items. This is an example where the devil is in the details. Confer with stakeholders, including the legal department, about the reporting part of your monitoring program and who has access to what. Additionally, periodic reporting, which integrates monitoring components, should be developed and provided to key stakeholders and oversight forums. Lastly, an annual plan should be developed to report on the execution of the program and include useful information such as strategic priorities. All reporting must of course be tailored appropriately to the audience.
The Privacy Advisor: What are three key tips that you would give to someone developing a monitoring program?
Strickland: First, per above, put real thought into what and how to monitor.
Second, understand your firm’s existing processes and culture. How does it monitor other activities? What is the right language and approach that will be effective for your company? Where you can, and where it makes sense, build privacy monitoring into existing processes. Understand how privacy fits into the culture, its messaging and the tone from the top.
Third, make sure your monitoring program produces meaningful and actionable information. This information can be used to improve processes in your company, feed into appropriate messaging and enable the continued evolution of your privacy program.
The Privacy Advisor: What are pitfalls to watch out for, and how should those be addressed?
Strickland: Program gaps: A common concern is how to avoid simply chasing the last problem identified and to instead run a comprehensive, proactive program that seeks to capture all key risks. It can be the sleeper issue that can cause the next real problem. Paradoxically, this may be an even more important issue for mature programs that have well-established processes and routines. Consider completing a gap assessment from authoritative sources, through policies, standards or procedures or through the monitoring and testing environment. Do not make assumptions that privacy requirements are fully addressed in line-of-business procedures, even if there was a prior issue identified. When evaluating a program, project, product or what have you, I often ask, “What are we missing?”
Failure to properly execute: Understand the bandwidth of your resources and other stakeholders who may support the program. A risk-based approach is often helpful. If you are in a large organization, and probably in small ones too, beware of “telephone,” where the privacy SMEs may be a few layers from the frontline personnel who actually interface with clients, customers and employees. What do they hear and understand? Is it really clear and fit for their operation?
Failure to engage stakeholders: A privacy program must engage the key disciplines across the organization, such as legal, information technology, security, operations, risk, controls, etc. If they don’t understand what you are trying to achieve, and how your respective functions can assist each other, the overall firm effort will be ineffective at best and combative at worst. Remember that privacy is a horizontal function; we are used to understanding other functions’ goals and needs and that other groups have different functional personalities. Help them help you, as part of your service to them.