Privacy: A definition \ In the most general terms, privacy is the ability to control how you are identified, contacted, and located “Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personally identifiable information” | - AICPA | NFTJX (US) What Happened: Hackers exploited: weakness in retail wireless network to capture over 45M credit card records What Impact: Over $200M and growing in direct costs, plus a $40M payment to Visa for the failure to control credit card data UK HM Revenue & Customs (UK) ‘What Happened: 2 CDs containing 25M records of child benefits receivers was lost in the mail What Impact: immediate investigations, immediate risk assessments and inventories of data transfer, calls for tougher sanctions on all organizations for data breaches. ‘Emerging impacts expected Tais! International Bank (Taiwan) What Happened: Breach of credit card information What Impact Modest fine by Financial Supervisory Commission coupled with 1-month suspension of issuing new cards (approx M revenue loss) Zepplin Television (Spain) What Happened: Hackers accessed 7,000 records of applicants to the Gran Hermano TV show. An inspection by the data protection authority revealed failures to provide notice, get consent, and adequately contract with third parties. What Impact: Fine of $1.5M. Privacy Breaches - Some Events Nationwide Bi ing Society (UK) What Happened: Stolen laptop containing customer information. No protection provided ner ae What Impact: Nearly $2M fine for negligent protection by the UK Financial Services Athan ee 2, ChoicePoint (US) What Happened: Fraudulent use by improperly credentialed customer results in breach of over 140K consumer records, What Impact: Known exploitation of 700+ affected persons. $15M fines by Federal Trade Commission, coupled with significant share price drop that has taken 3 years to recover (26% of $28 market capil n lost), other significant direct costs. Citigroup (Japan) What Happened: A series of compliance failures led to a regulatory, audit of the private wealth management unit. The loss of account holder information served as one of the last straws afterwards. What Impact: Lost the charter in Japan for this unit. CVS Caremark (US) What Happened: The Federal Trade Commission and Health & Human Services settled with CVS related to the disposal of pharmacy customer information. What Impact: Fine of $2.5M and 20 years of audit. S /)Privacy — Areas of Interest Information Lifecycle Common Processes Human resource management Finance and accounting vv vw YYW. Z i 3 2 5 Manual Processes » Face-to-face interaction > Forms and data entry Systems » Devices and user equipment » Front office Third Parties > Customer interfacing » Infrastructure > Business partnerPrivacy — What could go wrong Common Challenges > Lostor stolen media > Over-sharing of personal information » Good intentions but misused data >» Third party service provider weaknesses > OW akage > > > > Hackers {inside and outside) Unwanted marketing communications Fraudulent trans Social engineering, including phishing ephone, email) neft (customers, employees, business partners) and reputation damage 3 Pillars — the focus area to overcome the challenges re ©} Calendar -... 7) Gupta, Ank.. %¥ Setti P® Cloud Com... ?™ Chapter 5... P” Genpact D.. “~The Privacy Eco SystemData Privacy and DSR: An overview Data Subject Rights (DSR) encompasses the rights and o uals and the organization (Infosys) with respect to the collection, use, disclosure, and retention of Personally Identifiable Information (PII) A Data Subjec dual who is the subject of certain personal information for e.a. Employee, Customer, Vendor, Job candidate, Individual downloading information from web portals after providing personal information, etc. eae ELC) Fair, lawful and transparent iC ee processing yt poo ee Consent 1 * — Original purpose ! * Modification / Withdrawal of consent People Process Data minimization wena ereeaaee arama | Right to Data Access Accuracy ' * What data is processed? How? Why? 4 * — Access to data and details ¢ Data inventory and Pll tagging Technology =m :--------- "oceans Security Right to be forgotten 7 inne > a * Delete individual's data within legal Accountability | constraints ptr C6 cle tla % Settings P Cloud Com. ?” Chapter 5 .. P® Genpact_D..Data Subjects are People | Data Subject A data subject is an individual who is the subject of certain personal information. Data subjects can be: + Credit card holder + Insurance holder + Multiple contract employees + Retirement plan participants + Patients + Consumers and customers + Prospective clients + Employees (current, former, retired) + Contractors + Vendors/consuttants + Dependents and beneficiaries + Investors + Professionals related to the industry + Business contacts, service providers, agents, contractors, and suppliers + Market research participants + Opinion leaders (influential scientists, academics, leading industry players, public officials, etc.) + VisitorsData Subjects are People (Data Controller Data controller means a person or Organization who (either alone, or jointly, or in common with others) decides how and why any personal information is to be processed. Data Processor Data Processor is a person or organization (other than an employee of the data controller) who processes the data on behalf of the data controller. Processing Processing means obtaining, recording or holding the data or carrying out any operation or set of operations on that data. Processing includes the following activities: | Organizing, amending, consulting, using, disclosing, erasing, destroying, storing. ‘Note: You do not need to notify if you are a data processor. Data processors only process personal information in-line with instructions from data controllers. However, the Data Processor needs to inform the Data Controller before disclosing the Ne /Types of informationInformation about people Personal Information Personal information is any information relating to an identified or identifiable individual. Z For example, a name alone cannot identify an individual, but name coupled with address, phone number, passport number, etc. can identify an individual and then this becomes a personal information. Personal = Information || Non- Personal Information (Variations) (Variations) ~ Sensitive information » Non-personally identifiable information (non-Pil) — (eg — first or last | » Personally identifiable information (Pll) (US-centric term) name alone, country or state of residence, etc.) | |» Protected health information (PHI) and electronic PHI (ePHI) (US- ~ De-identified or anonymized information — (eg —'a 25 vear old white \ centric term) woman work in ABC company) semi ( Sensitive Personal in Europe, sensitve personal information is caled special categories | . f data. This refers to racial or ethnic origin, political opinions, | Information jious or philosophical beliets, trade-union membership, data concerning health or sex life, and data relating to offenses, or | ~ Some personal information elements are considered more sensitive criminal convictions. than others. The definition of what is considered sensitive may vary ~ Inthe US, Social Security numbers and financial information are depending on jurisdiction and particular regulations. commonly treated as sensitive, as are drivers license numbers and ~ In general, sensitive data elements will require additional privacy and. fical records security limitations, as it applies to their collection, use, and ~ Health infarmation is considered sensitive everywhere. disclosure. , )Personal information: Data elements Personal information data elements types General Information ~ Name » Gender » Age and date of birth » Marital status * Citizenship » Nationality » Languages spoken » Veteran status » Disabled status » Business and personal address » Business and personal phone number ~ Business and personal email address ~ Intemal identification numbers © Governmentissued identification numbers «Identity verification information Employee Related Other Personal Information i Information . Enigloymont Tusny * Job tory. . Rie gee Nee | Ehaoeaohs vee eore = Compensation/remuneration related matters ~ Payroll * Relocation information + Expatriate information Background investigation reports | ~ Cerificates and licenses » Benefits * Demographic » Contacts | » Health » Education and training g Latror relat = Racial or ethic origin ~ Political opinions | —— ~ Religious beliets * Criminal hist Customer Related ene Information » Habits = Personal communications © Account numbers + Biometric » Personal financial information ~ Genetic * Credit score ~ Compliance records | » Transaction ~ Intemet and email use, including IP | * Income addresses » Assets ~ Community and charitable services | © Credit information SSIllustrative Org Structure Program oversight Report implementation Governance Automation Reporting Workflows Audits PIA triggers DSR processes Data governance (based on PIAs)GDPR: implications and opportunities GDPR — Main Implications : GDPR — Main Opportunities COCCCUUUUUUUI E000 eee eee UO #1 Improve client satisfaction through increased transparency and New rights for data Pera iteaaee Wa control over personal data subjects Protection Officer (DPO} FEZ. Expand the business in an easier way due to obstacle reductions in commercial exchanges between borders Data breaches have to $3 Reduce costs related to legal counseling asa result of the legal be reported in 72h certainty | Generate innovation, brought on by the new methods and HA business ideas that the “privacy by design” will require in order to guarantee compliance | $5 __ Sain market share through the data portability between service providers Explicit, unambiguous and ungrouped consents eet cro tend Cred s “ SoData Privacy laws : comparison Ss Me XM Al VE a ee Se ne van Xo ee ¥ Ezz i HE PE ER EE SE ate Pe ae! EA ot a VV ve ee See ee [aes XO OIE Se ee A et EEa 0 AOS Pex eee eee ea ee ie ‘acto Vo A i Se ye Be eva an ae ise 2 ate HRT NW Em Y Viv vee x ee eo ee Wh NA wR es why yey ee Wa EME ML A home ln ey fac tae ee Gag . = Maaco — Prieity?— Prkaty 2 Quick Win= Moactlon Quik Win aich Win Quick Win QukWin— Quick wan cate Se ene ee ees Seana een ol Key GOR meets local legal requirements °Y -sign deviation between GOPR and local legistaton X -GOPR does not meet local legal requirements: XC -Furtner investigation required to confirm gap