Tips on Privacy Audits and Assessments Insurance Consumer Affairs Exchange October 2, 2005 Kirk Herath, CPO & Associate General Counsel, Nationwide Insurance.


1 Tips on Privacy Audits and Assessments Insurance Consumer Affairs Exchange October 2, 2005 Kirk Herath, CPO & Associate General Counsel, Nationwide Insurance Companies 1/17/2019 Attorney-Client Work Product -- Privileged and Confidential

2 Compliance Monitoring
Compliance Monitoring can take many forms: audits, market conduct exams, self assessments, and third party assessments.

3 Critical Success Factor
The critical success factor in meeting compliance monitoring is a fully and formally documented Privacy Program that includes all policies, procedures, and controls.

4 AICPA Privacy Framework as a Model
We used the AICPA Privacy Framework as our model. Ten Principles of a sound Privacy Program: Privacy Management; Notice; Choice & Consent; Collection; Use & Retention; Access; Security; Monitoring & Enforcement.

5 Know Your Business Units
Know your Business Units via SAPs (Singularly Accountable Persons) in the business and functional units. Conduct BU Privacy Self Assessments to gain granular insight into privacy practices and target those BUs that use PII. Meet regularly with BU SAPs. Form a Virtual Privacy Office.

6 Have a Broad Reach
Form partnerships with Internal Audits, Security, Compliance, and Customer Relations. Leverage each other's work and knowledge of the business.

7 Internal Audits
A partnership with Internal Audits is valuable, particularly in the IT and Security areas. However, Internal Audits may not have a comprehensive and in-depth knowledge of regulatory and statutory rules, nor knowledge of internationally recognized privacy principles. A privacy subject matter expert embedded in audits may not be cost effective. If Internal Audits does request a review or, in fact, you ask for a review, be certain the audit plan, scope and objectives are clearly and concisely defined. (You cannot be responsible for controls and practices you do not have authority to implement, e.g., encryption.)

8 Be pro-active in inviting audits, assessments and reviews.
Supports ongoing updates and “currency” to policies, procedures and controls, due diligence and transparency.

9 Third Party Assessment
Consider an external third party assessment. Many firms have expertise in the privacy space and experience in auditing privacy programs.

10 See an audit or assessment as a risk management opportunity.
One that can affirm your approach is reasonable and robust. Or provide you with insight as to how to reduce your risk.

11 If you fear an audit you very well may have reason to be afraid.
Be Prepared.

