Learn actionable steps to provide a high-level plan for implementing a privacy program in conjunction with your existing organizational RIM/IG program(s).
Want to follow along with the webinar replay? Download it here for FREE: https://info.aiim.org/data-privacy-for-the-im-practitioner-practical-advice-for-preparedness-and-prevention
[Webinar Slides] Data Privacy for the IM Practitioner - Practical Advice for Preparedness and Prevention
1. Underwritten by:
#AIIM
Your Digital Transformation Begins with Intelligent Information Management
Data Privacy for the IM Practitioner: Practical Advice for Preparedness and Prevention
An AIIM Webinar presented February 26, 2020
2. Today’s Speakers
Kevin Craine, Content Strategist, AIIM; Host of AIIM On Air
John Montaña, J.D., FIIM, FAI, VP, Information Governance at Access; CEO, Montaña & Associates, an Access Company
Host: Theresa Resek, CIP, VP, Market Intelligence, AIIM
4. Driving Demand for Data Privacy
• Data privacy is on the mind of C-Suite leaders in all industries.
• No organization is safe from potential cyber theft and intrusion.
• In 2019, 2.7 billion identity records were exposed by hackers and placed for sale on the internet.
• Legislation worldwide has become increasingly strict.
• Expectations are ever-evolving.
• Perception is everything in the eyes of the market.
6. Volume, Velocity, and Variety
• Organizations anticipate the volume of information will grow from X to 4.5X in the coming year.
• Over 60% of that information sprawl is unstructured.
• Organizations are embracing technologies and approaches that automate governance and compliance.
• According to AIIM research, 51% of organizations say that they are planning to spend “more” or “a lot more” on information governance over the next 18-24 months.
7. Inevitable and Costly
• Experts tell us that the question is not IF it will happen, but WHEN.
• The chances of being struck by lightning = one in a million.
• The chances of organizations getting hacked this year = one in four.
• The average total cost of a single data breach is estimated at nearly $4 million.
• That calculation can certainly be much higher – legal expense, fines, and penalties; the loss of goodwill in the market.
8. Recommendations
• Implement a formal approach.
• Have a plan and stick to it.
• Regularly (annually) review, evaluate, and update your plan as needed.
• Place the privacy and security of information on the front burner of strategic concerns.
9. Introducing our Speaker
John Montaña, J.D., FIIM, FAI, VP, Information Governance at Access; CEO, Montaña & Associates, an Access Company
10. You say that legislators don't understand how large companies work. What do you mean by that?
11. Legislation is Created in a Silo
• Just knowing what’s there – it’s a lot of law, in a lot of places
• Outright conflicts – minimum retention requirements versus maximum permissible retention
• Interpreting dated or vague laws
• IT configuration – how to make it all work in a big IT environment
• Administrative complexity – how to manage dozens or hundreds of unique requirements
12. What are some of the considerations that IIM pros must deal with that legislators miss in the mix?
13. Considerations for Applying Privacy Legislation
Applying Legislation to Today… Taking into Account Yesterday…
Legislation was written without consideration for:
• Back file of old IT systems and physical boxes of records
• Most IT systems available when the laws were written are not capable of applying the law
• Even if capable, they are often not configured in a manner that supports being compliant
• Non-compliant implementations are difficult to undo
14. Let’s talk about specific steps to build an effective privacy plan. You say it’s important to start with a thorough understanding of the current capabilities within the enterprise. Isn’t that just more “analysis paralysis?”
15. Utilize Project Management Principles
1. Develop a clearly written initial project scope / charter / documentation
2. Develop a high-level project roadmap / framework
• What industry / data types you are trying to apply “privacy” to
• What is the information life-cycle for PII / SI?
• Establish a timeline with realistic milestones
• Regularly adjust / incorporate PIA findings
3. Clearly establish roles / responsibilities – decision rights
• Chief Privacy Officer (CPO) / Data Protection Officer (DPO)
• Privacy Office (PO)
4. Develop a communication / marketing plan
5. Prepare a budget
16. Now that I’ve surveyed the technical environment... what’s next? What are some steps to build a meaningful project plan?
17. Building the Privacy Program
Core Components Review
• Create inventory of Personal Information Banks (PIBs)
• Develop staff education and awareness training and collateral, and a communication plan
• Post Privacy Policy and Principles on the organization’s website
• Develop Privacy Notice signage and arrange for posting in relevant areas (such as those with video capture)
• Actually apply the retention schedule and purge data that is not needed
• Do not collect unnecessary data that is not required or contains PII
18. Once I have a plan, I’ve got to sell it... not only to company executives, but also other stakeholders (regulatory boards). Can you outline some success tips for gaining support and buy-in?
19. Building Relationships with Stakeholders
Stakeholders are ALL Staff / Third Parties / Customers that contribute, come in contact with, or are affected by PII / SI:
• Customers
• Shareholders
• Steering Committee
• Assurance Groups – Legal, Audit, Compliance, Risk
• HR
• Operations – Sales, Marketing, R&D, Field Workers, etc.
• Chief Privacy Officer (CPO) / Data Protection Officer (DPO)
• Third-Parties / Contractors
• Regulatory Agencies
• Privacy Office (PO)
• Board of Directors / Executive Team
• IT
20. What about getting front-line workers onboard to adapt and use new and changed systems and policies?
21. Privacy Training
Appropriately train ALL staff and Third-Parties
• Train the trainer
• Executives are not exempt
Types of training
• CBT
• Live / In-person
• Manuals / Guides
• Workshops
Do not overcomplicate
• Keep language simple / keep cultural differences in mind
Market your privacy program
• Recognize top performers
Frequency of the training
• Annual
• New Hire
• Incident Based
• Third party / Contractor
Test the Privacy Incident Response Plan
• Send out mock phishing emails
• Where is more training needed
• Log results – training & testing
Everyone who belongs to, or works with, an organization is responsible to protect the PII / SI of the company and associated stakeholders!
22. One thing that is certain: the rate of change is not going to slow down. How can we design our privacy programs so that they will be flexible and adapt to changes in regulations, technologies, and market expectations?
24. How Organizations Can Successfully Move Forward
• Level Set Expectations
• Understand Current Capabilities
• Make Your Case
• Change Is Your Only Constant
28. #AIIM
Your Digital Transformation Begins with Intelligent Information Management