Question


In the first part of the Skills Assignment, you drafted a policy statement. In this second part, you will write procedures to implement that policy statement.


Assignment

  • Procedures
    • Write the procedures for implementing the policy statement that you wrote in the first part.
    • Include relevant headings - e.g.,
      • Overview and Purpose
      • Definition of Terms (if appropriate)
      • Supporting Documents - e.g., relevant statutes, regulations, etc.
      • Scope
      • Policy - with relevant sections and subsections, if applicable
        • Note: See the Sample Policy: Acceptable Use Policy, SANS Institute, and Philippa X. Girling, Operational Risk Management: A Complete Guide to a Successful Operational Risk Framework (John Wiley & Sons, 2013) for an example of headings.
    • Keep in mind the following guidelines:
      • Substance
        • Think about the purpose of your procedural document: it is to include the steps necessary to comply with the policy that you drafted. Make sure that the written procedures actually accomplish the purpose of your policy statement.
        • Your procedures should cover all of the information discussed in the module lectures with respect to procedures (Module 4 in particular), such as
          • Step-by-step instructions
            • Enumerate your steps so the reader is guided through the process in the correct order.
            • The procedures should be clear and concise, but include sufficient detail so that the reader can comply.
          • Who (position or department) has oversight for ensuring compliance with the procedures.
      • Form: Clarity and Comprehension
        • Readers of the procedures must be able to quickly and completely understand what the procedures are designed to accomplish.
          • They should be able to do so without having to read the title of the procedures or the policy statement.
    • The procedures should also be understandable to someone who is not part of the industry in question.
  • Do not use examples or information that may quickly become outdated.
  • Be sure to spell out the words the first time when using an acronym.
  • You may consider incorporating a Definitions section to clearly define key terms and concepts.
  • Evaluation and Perspective
    • Evaluate the procedures from the perspective of all relevant stakeholders.
    • Put on your regulator hat and review your procedural document to determine whether it adequately complies with any legal and/or regulatory requirements.
    • Assume that you are an employee who must comply with the procedures. Are the procedures easy to understand and follow?


Part 1 Assignment - Written Response

Part I - Background Memorandum to the Board of Directors

  1. Choose the regulatory compliance area or topic and explain why you chose that area or topic.
  • Regulatory compliance area or topic: Data Privacy

I chose data privacy because its laws are becoming increasingly complex and important in the digital age. We are seeing that businesses are frequently and rapidly capturing, archiving, and utilizing personal data from their clients and investors. There is a massive and continuing need for businesses to protect customers' personal data while complying with the privacy laws to avoid adverse consequences (e.g., lawsuits).

  2. Regulatory Compliance Context and Factual Background
  • Describe the relevant business and risk management context and facts about the organization or industry necessary to understand the policy that you will be drafting.

Businesses are collecting and utilizing customers' data on a grand scale. This means that businesses are operating in different countries and sharing such personal data globally. Yet, these business organizations have to comply with myriad data privacy laws. Furthermore, there are additional privacy laws for businesses to acquire and process data from third parties.

  • Identify the relevant statutes, regulations, or other formal or informal organizational or industry rules:

Businesses need to comply with many different data privacy laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

  • Provide any citation necessary for the board to be able to identify the relevant statute and/or rules:
  • General Data Protection Regulation (GDPR): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data with the processing and the free movement thereof.
  • California Consumer Privacy Act (CCPA): California Civil Code Section 1798.100 et seq.
  • Include the statute and/or rules as an Appendix to your policy statement.
  3. Draft a policy statement that incorporates the elements discussed in the Module 4 lecture and the readings for this assignment.

Appendix attached.

Part II - Policy Statement

  • Overview and Purpose

To ensure that business organizations adhere to and comply with all relevant data privacy laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), this policy provides an outline of the organizations' obligations and responsibilities for personal-data capturing, archiving, and processing.

  • Definition of Terms (if appropriate)

Data - information related to an identified or identifiable person.

Personal data - information related to an identified or identifiable person that is collected, archived, and processed (utilized) by business organizations.

  • Supporting Documents - e.g., relevant statutes, regulations, etc.

The statutes and rules listed in the Appendix.

  • Scope

This policy applies to all employees, contractors, and other personnel of the business organization who are involved in the capturing/collecting, archiving, and processing of personal data.

  • Policy
  1. Collection and Use of Personal Data
    1. The business organization will only collect personal data that is legally needed for business practices and activities.
    2. The business organization will only use personal data lawfully, fairly, and transparently.
    3. The business organization will not utilize or process personal data any differently from what was initially stated to the subject individual(s).
    4. The business organization will oversee personal data accuracy and updates.
  2. Storage and Security of Personal Data
    1. The business organization will implement the necessary security measures to protect personal data from invasion, leakage, manipulation, and expungement.
    2. The business organization will ensure that there is no unauthorized access to personal data, through secured storage and archiving (i.e., access only by authorized personnel).
  3. Processing of Personal Data
    1. The business organization will process personal data according to applicable data privacy laws.
    2. The business organization will obtain written consent from the subject individual before transmitting or sharing personal data with a third-party processor.
    3. The business organization will ensure that the third-party processor will also take on the responsibility of complying with applicable data privacy laws while processing such personal data.
    4. The business organization will have a contract in place with the third-party processor on complying with applicable data privacy laws.
  4. Rights of Data Subjects
    1. The business organization will provide subject individuals with access to their own personal data upon request.
    2. The business organization will allow subject individuals to correct, expunge, or limit the processing or sharing of their personal data upon request.
    3. The business organization will allow subject individuals to cancel or object to the processing, utilizing, or sharing (in part or whole) of their personal data upon request.
    4. The business organization will allow subject individuals to accept or object to the transfer of their personal data upon request.

Commentary:

Data privacy has become a hot topic of debate lately, as the internet has made it readily possible for businesses to capture/collect, archive, and/or process personal data as well as transmit such data on a global scale. Therefore, the need for data privacy laws is greater than ever before, to really protect such personal data as well as enforce data privacy among business organizations.

Data privacy laws include the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). These are in place to protect personal data from being leaked, tampered with, or illegally used. They are also there to ensure that businesses are using/processing personal data legally, fairly, transparently, and only by authorized personnel. Subject individuals whose personal data is being collected have the right to be informed as well as to cancel or limit the use of such data.

Lastly, but most importantly, a policy must be developed and held in place to make sure that business organizations adhere to and comply with data privacy laws. The policy section would include an overview, a purpose, a definition of terms, a scope, and the policy itself.

Conclusion:

Data privacy law is much needed in today's world of telecommunication and the internet. Thus, a data privacy policy must be in place for businesses to adhere to and comply with in order to avoid leakage, mishandling, and unlawful processing of personal data. The policy must lay out the business's responsibilities and obligations in collecting or capturing, archiving, handling, and processing personal data. Specifically, the policy should include sections on collection and usage of personal data, storage and security of personal data, processing of personal data, and the rights of subject individuals whose data is being collected and utilized. The policy must also include the relevant statutes and regulations that are applicable to the policy.

Appendix: statutes and/or rules

  1. General Data Protection Regulation (GDPR)
  2. California Consumer Privacy Act (CCPA)

Step by Step Solution

Step: 1

Procedures for Implementing Data Privacy Policy

Overview and Purpose

The purpose of these procedures is to ensure that all employees, contractors, and other personnel of the business organization unders...