With the increase in legal requirements around the world, organisations are facing stiffer penalties for security breaches involving personal information and for non-compliance. This trend of tightening rules saw Singapore’s PDPC take enforcement action against 11 firms for data privacy breaches in April this year. Further, companies processing the personal data of European residents will have to take heed of the new European General Data Protection Regulation (GDPR) to avoid penalties of up to 4% of global annual turnover or €20 million, whichever is greater.
To avoid missteps, organisations must adopt suitable frameworks and standards built on sound privacy principles to develop and maintain a data security and privacy management programme. This is the job of a team of information security, privacy and compliance professionals who are responsible for architecting and implementing the most effective set of security and privacy practices for their organisation.
ISACA’s Privacy Principles and Program Management Guide
In 2013, ISACA convened the International Privacy Guidance Task Force to:
Identify current privacy issues throughout the world;
Identify currently used privacy principles, standards and frameworks;
Determine the best actions to take to help ISACA members to create and manage a privacy management program; and
Develop practical guidance and tools to address privacy risks and requirements.
One of the Task Force activities was reviewing existing privacy principles, standards and frameworks that are used throughout the world, and then identifying the elements considered generally common among all of them, as well as being most applicable to the diverse ISACA membership. The Task Force also identified important privacy issues that were missing from those existing documents.
Some of the major privacy principles, standards and frameworks that were considered within this effort for harmonisation include:
The result was the ISACA set of 14 Privacy Principles, which harmonise the widely accepted privacy standards, principles, frameworks and good practices, and fill the gaps in privacy topics that exist among those frameworks.
The ISACA Privacy Principles establish a uniform set of practical principles drawn from existing principles around the world, together with additional new principles that fill gaps and supply guidance on planning, implementing and maintaining a comprehensive privacy management programme in the context of the wide range of enterprises represented within the ISACA membership.
The 14 Privacy Principles are as follows:
Principle 1: Choice and Consent
Principle 2: Legitimate Purpose Specification and Use Limitation
Principle 3: Personal Information and Sensitive Information Life Cycle
Principle 4: Accuracy and Quality
Principle 5: Openness, Transparency and Notice
Principle 6: Individual Participation
Principle 7: Accountability
Principle 8: Security Safeguards
Principle 9: Monitoring, Measuring and Reporting
Principle 10: Preventing Harm
Principle 11: Third Party / Vendor Management
Principle 12: Breach Management
Principle 13: Security and Privacy by Design
Principle 14: Free flow of information and legitimate restriction
A soon-to-be published two-volume ISACA Privacy Principles and Program Management Guide* will provide details of the principles, examples, mappings to COBIT 5, world-wide data protection law listings and resources, and other privacy-related topics. The guide will help organisations learn how to use the 14 Privacy Principles to build, evaluate and maintain a privacy program.
Get the eBook and recorded webinar
The eBook includes excerpts and descriptions of each of the 14 Privacy Principles from the upcoming ISACA Privacy Principles and Program Management Guide. To help readers understand each principle, the eBook gives examples and actions organisations can take to support it.
Rebecca, in collaboration with Data Privacy Asia, conducted a complimentary webinar on Using ISACA’s Privacy Principles to Create an Effective Privacy Program. During the webinar, Rebecca gave an overview of the 14 Privacy Principles and explained why each one matters for every business, in any country.
* Volume 1 of the ISACA Privacy Principles and Program Management Guide is scheduled to be published in Q4 2016. Volume 2 will be published within six months following the publication of Volume 1.