Dale Skivington Executive Director, Global Compliance; Chief Privacy Officer October 2014

Compliance by Design Overview
• Based on Privacy by Design, the governance model is about organizations taking responsibility & holding themselves accountable & building protections into their products & services design work streams.
• At Dell we plan to use this model across the compliance portfolio to provide effective governance & controls to ensure we meet these responsibilities.
• Our plan is to provide the framework to strategically move the needle to the highest maturity level for each component of the programs.
Dell Compliance Governance Framework
Audit Committee
Global Risk and Compliance Council (GRCC)
GRCC members:
• GC
• CFO
• SVP, HR
• (2) SVP, BU*
• VP, Sec
• VP, Audit
• CAO
• CCO
• CPO/Exec Dir. Compliance
* 2 yr. rotating member
Global Compliance Forum
• Leader, Product Compliance
• Leader, Trade Compliance
• Leader, EH&S
• Leader, Information Security Compliance
• Leader, Dell Financial Services Compliance
• Leader, Anti-trust Compliance
• Leader, Labor & Employment Compliance
• Leader, HIPAA Compliance
• Leader, Privacy
• Leader, Anti-Corruption
• Etc.
Compliance Program Maturity Model
Maturity levels: 1 Ad hoc; 2 Initial; 3 Formal; 4 Validated; 5 Monitored

Policy
1 Ad hoc: None written
2 Initial: Limited distribution & understanding
3 Formal: Formal but may be inconsistent
4 Validated: Globally consistent & enforceable
5 Monitored: Regularly reviewed & updated

Governance
1 Ad hoc: None established
2 Initial: Discrete, informal, & limited
3 Formal: Corporate oversight & exec level
4 Validated: Management involvement at all levels
5 Monitored: Scorecard reporting

Risk management
1 Ad hoc: Incomplete & inconsistent
2 Initial: Risk assessment, not management
3 Formal: Risk assessment & management
4 Validated: Cross-functional, executive validation
5 Monitored: Component of ERM

Procedures & controls
1 Ad hoc: None written
2 Initial: Limited coverage
3 Formal: Consistent & global
4 Validated: Subject to self-assessment & audit
5 Monitored: Exception reporting & resolution

3rd party management
1 Ad hoc: No standards
2 Initial: Some standards; may be inconsistent
3 Formal: Consistent, cross-functional coordination
4 Validated: Proactive monitoring & self-assessment
5 Monitored: Independent external audits

Compliance & monitoring
1 Ad hoc: None established
2 Initial: Informal & limited
3 Formal: Audit-driven, remedial actions endorsed
4 Validated: Analytics technology; cross-functional
5 Monitored: Accountability-driven, extends beyond enterprise

Incident management
1 Ad hoc: Ad hoc & inconsistent
2 Initial: Some consistency, little analysis
3 Formal: Root cause analysis, global standards
4 Validated: Issue tracking technology in place
5 Monitored: Effectiveness & efficiency metrics

Training & awareness
1 Ad hoc: None
2 Initial: General, infrequent, single media
3 Formal: Custom-tailored, recurring, multi-media
4 Validated: Role-specific awareness; 3rd parties
5 Monitored: Ongoing awareness
Controls are Key to a Mature Program
Anti-Corruption: Globally Consistent Key Controls
• Contract Clauses
• Third Party Vetting
• Rebate Management
• Payable/Disbursement Controls
• Deal Governance Review
• Third Party Training
Privacy: Globally Consistent Key Controls
• Secure Workplace Assessments
• Privacy Impact Assessments
• Annual Payment Card Industry (PCI) Assessment
• Information Privacy Security Addendum (IPSA)
Examples of Privacy Controls with Required Regional Variations
• Data Subject Access
• Breach/Incident Requirement
• International Data Transfer
• Customer Preference Management
• Online Behavioral Marketing (OBA)
• Online Cookie Program
• Healthcare/HIPAA
Microscope vs. Telescope
Standard requirements drive common controls, allowing for streamlined resource usage and greater customer protection.