Dale Skivington Executive Director, Global Compliance; Chief Privacy Officer October 2014
Compliance by Design Overview
• Based on Privacy by Design, the governance model is about organizations taking responsibility, holding themselves accountable, & building protections into the design work streams of their products & services.
• At Dell we plan to use this model across the compliance portfolio to provide effective governance & controls that ensure we meet these responsibilities.
• Our plan is to provide the framework to strategically move the needle to the highest maturity level for each component of the programs.

Dell Compliance Governance Framework
Audit Committee
Global Risk and Compliance Council (GRCC) members: GC; CFO; SVP, HR (2); SVP, BU*; VP, Sec; VP, Audit; CAO; CCO
* 2 Yr. Rotating Member
CPO / Exec. Dir. Compliance
Global Compliance Forum
• Leader, Product Compliance
• Leader, Trade Compliance
• Leader, EH&S
• Leader, Information Security Compliance
• Leader, Dell Financial Services Compliance
• Leader, Anti-trust Compliance
• Leader, Labor & Employment Compliance
• Leader, HIPAA Compliance
• Leader, Privacy
• Leader, Anti-Corruption
• Etc.

Compliance Program Maturity Model
Maturity levels: (1) Ad hoc; (2) Initial; (3) Formal; (4) Validated; (5) Monitored
• Policy: (1) None written; (2) Limited distribution & understanding; (3) Formal but may be inconsistent; (4) Globally consistent & enforceable; (5) Regularly reviewed & updated
• Governance: (1) None established; (2) Discrete, informal, & limited; (3) Corporate oversight & exec level; (4) Management involvement at all levels; (5) Scorecard reporting
• Risk management: (1) Incomplete & inconsistent; (2) Risk assessment, not management; (3) Risk assessment & management; (4) Cross-functional, executive validation; (5) Component of ERM
• Procedures & controls: (1) None written; (2) Limited coverage; (3) Consistent & global; (4) Subject to self-assessment & audit; (5) Exception reporting & resolution
• 3rd party management: (1) No standards; (2) Some standards, may be inconsistent; (3) Consistent, cross-functional coordination; (4) Proactive monitoring & self-assessment; (5) Independent external audits
• Compliance & monitoring: (1) None established; (2) Informal & limited; (3) Audit-driven, remedial actions endorsed; (4) Analytics technology, cross-functional; (5) Accountability-driven, extends beyond enterprise
• Incident management: (1) Ad hoc & inconsistent; (2) Some consistency, little analysis; (3) Root cause analysis, global standards; (4) Issue tracking technology in place; (5) Effectiveness & efficiency metrics
• Training & awareness: (1) None; (2) General, infrequent, single media; (3) Custom-tailored, recurring, multi-media; (4) Role-specific awareness, 3rd parties; (5) Ongoing awareness

Controls are Key to a Mature Program
Anti-Corruption: Globally Consistent Key Controls
• Contract Clauses
• Third Party Vetting
• Rebate Management
• Payable/Disbursement Controls
• Deal Governance Review
• Third Party Training

Privacy: Globally Consistent Key Controls
• Secure Workplace Assessments
• Privacy Impact Assessments
• Annual Payment Card Industry (PCI) Assessment
• Information Privacy Security Addendum (IPSA)
Examples of Privacy Controls with Required Regional Variations
• Data Subject Access
• Breach/Incident Requirement
• International Data Transfer
• Customer Preference Management
• Online Behavioral Marketing (OBA)
• Online Cookie Program
• Healthcare/HIPAA

Microscope vs. Telescope
Standard requirements drive common controls, allowing for streamlined resource usage and greater customer protection.