At the request of subscribers, Compliance Week offers a Remediation Center, in which readers can submit questions—anonymously—to securities and accounting experts. Compliance Week’s editors will review all questions and then submit them—confidentially, of course—to specialists who can address the issues. The questions and responses will then be reprinted in a future edition of Compliance Week. Below is one of the Q&As.

DETAILS


David Wood is a senior managing consultant within the IBM business process delivery organization. Wood is a member of the Data Privacy and Security Office and is responsible for leading privacy and IT security assessments in delivery centers around the world. He has more than 28 years’ experience with IBM.

E-mail David Wood at davdwood@us.ibm.com.


Warning, Disclosure

Compliance Week’s Remediation Center is an information service only. Answers to questions should not be construed to be legal guidance. Consult with your auditors, internal counsel, external counsel, and/or other securities experts on all critical compliance and governance matters.

Specialists are solicited by the editor to answer Remediation Center questions based on their knowledge of the subject matter and their ability to provide commentary in their particular area of expertise. In some cases, the experts who answer questions in the Remediation Center may also be Compliance Week subscribers, or may work at firms that advertise in Compliance Week.


QUESTION

I’m the internal auditor at a large global company, and I’ve just been charged with conducting our first privacy-risk assessment. I’m sure we have access to sensitive personal information, and we do business in Europe and North America, but I don’t have true, complete knowledge of the enterprise. Any advice on where to start? How should I structure my assessment so that when I start looking, I know I’m not missing or forgetting anything?

ANSWER

Designing a privacy assessment is no different from designing a computer program your company might need. The key phases are the same: project planning, defining the requirements, design, development, testing, and implementation. All of these steps are important. If you skip a phase like project planning, for example, you fail to obtain proper executive support to conduct such a project. Skip the design phase and you will only cause the developer of the privacy assessment more difficulty, as he or she won’t have a clear understanding of what’s necessary to get the assessment accomplished.

That’s merely the framework of how you get a privacy assessment created. The assessment itself typically has four main components: instructions, organizational identification, personal information inventory, and detailed questions. I’ll walk you through each one in turn.

Instructions

First, you should explain how the receiver is to complete the privacy assessment. If you’re using an automated tool, for example, you should give instructions on where to locate the tool and how to get started. If you’re using a spreadsheet, you should explain how to complete the various cells in the worksheet, and who to send it to when completed.

You might also include words from your executive sponsor, such as:

The purpose of the privacy assessment is to identify the levels of access to personal and sensitive personal information in our company. A representative of each department must complete the assessment semi-annually. Answers are a combination of yes/no, fill-in, and drop down options. Once completed, submit it to the privacy office at PrivacyOffice@OurCompany.com. Your prompt attention is appreciated.

Sincerely, Cathy Doe, Chief Privacy Officer, OurCompany

Organizational Identification

Once all of your departments have completed the assessment, you’ll want to do a trending analysis of the data to look for areas where your internal controls might need improvement. So in this section, you will ask the department representative to enter in his or her name, department number, city, country, date completed, etc. Your particular environment will dictate what type of information to include.

Personal Information Inventory

At least in my experience, this is the most important part of a privacy assessment. It’s crucial that your company has an accurate inventory of all personal information and sensitive personal information accessed by your employees, vendors, distributors, and other third parties (if any).

You will want the person completing the assessment to enter a “yes” or “no” if he has access to the type of information listed in each particular field. In addition, you may want to ask how he uses that type of information in his department. Individuals should only reply by stating what type of data is accessible, not by sending any real examples or screen shots.

Fields you’ll want to include (at minimum):

name, home address, home phone number, gender, marital status, nationality, Social Security number (or national identity number), credit or debit card number, bank account numbers, financial credit reports, sexual orientation, criminal history, and personal health information.

Detailed Questions

By now you should have the attention of the person completing the assessment, so you might as well ask some key questions about privacy within your company. Here are a few examples of questions that I have asked in our privacy assessment:

Have all team members completed the corporate and divisional data privacy education?

Do you have any “live” personal data stored on your department’s testing or development systems?

Do you have to comply with industry or regulatory requirements such as HIPAA, Basel II, FERC, and so forth? If so, which ones?

What is the process for reporting breaches of data privacy?

Does your team have access to personal or sensitive personal information for residents of the state of Massachusetts?

Questions that can be answered with a yes/no can easily be graphed for use in presentations. Fill-in-the-blank answers tend not to lend themselves to charts, but the answers are still important to understand. And you should have a policy regarding how long to save the completed assessments and the security classification of the document.
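As an added example (not part of the original column, and not an IBM tool), the script below models the completed spreadsheets as CSV rows and produces the two outputs described above: per-field access counts ready to chart, and a list of departments whose yes/no answers point at an internal-control gap. Department names, column names and responses are constructed sample data.

```python
import csv
import io
from collections import Counter

# Constructed sample data with hypothetical column names: one row per
# department, yes/no per inventory field, plus three of the detailed questions.
SAMPLE_CSV = """department,country,ssn,card_number,health_info,criminal_history,live_data_on_test,training_complete,ma_residents
Payroll,US,yes,no,yes,no,no,yes,yes
Marketing,DE,no,yes,no,no,yes,no,no
HR,US,yes,no,yes,yes,yes,yes,yes
Sales,CA,no,yes,no,no,no,yes,no
"""
INVENTORY_FIELDS = ["ssn", "card_number", "health_info", "criminal_history"]

def load_responses(text):
    """Parse completed assessments and normalise yes/no cells to booleans."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        parsed = {"department": row["department"], "country": row["country"]}
        for key, value in row.items():
            if key not in ("department", "country"):
                parsed[key] = value.strip().lower() == "yes"
        rows.append(parsed)
    return rows

def access_trend(rows):
    """Count departments reporting access to each inventory field (chartable)."""
    counts = Counter()
    for r in rows:
        counts.update(f for f in INVENTORY_FIELDS if r[f])
    return dict(counts)

def control_gaps(rows):
    """Flag departments whose answers point at an internal-control gap."""
    gaps = []
    for r in rows:
        has_sensitive = any(r[f] for f in INVENTORY_FIELDS)
        if r["live_data_on_test"] and has_sensitive:
            gaps.append((r["department"], "live sensitive data on test/dev systems"))
        if not r["training_complete"]:
            gaps.append((r["department"], "privacy education incomplete"))
        if r["ma_residents"] and has_sensitive:
            gaps.append((r["department"], "Massachusetts residents' data in scope"))
    return gaps

if __name__ == "__main__":
    rows = load_responses(SAMPLE_CSV)
    print(access_trend(rows))
    print(control_gaps(rows))
```

The same two functions work unchanged on a real export as long as the yes/no cells keep that vocabulary; a blank or "n/a" cell is treated as "no", so unanswered rows should be chased separately.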

One last idea: By doing Internet searches on privacy assessments, you’ll find plenty of examples that you can tailor to meet your requirements.