One 、GRC brief introduction

GRC Governance 、 Risk management and compliance , By addressing uncertainty and acting with integrity , The ability set to ensure that the enterprise can reliably achieve its goals , It is a framework model of enterprise risk governance .

government （G） The main work of this project includes ：

● Establish strategies and boundaries .
● Organizational structure and division of rights and responsibilities .
● Policy formulation and process control .
● Performance monitoring .

Risk management （R） The main work of this project includes ：

● The classification of risks .
● Risk assessment method .
● Risk management .
● Risk reporting mechanism .

compliance （C） The main work of this project includes ：

● Documentation of various non-compliance risks .
● Define and document compliance control points in the process .
● Evaluate the effectiveness of control points .
● Solve the compliance problems found .

Two 、 Introduction to privacy protection governance

If the enterprise faces greater compliance pressure , We can learn from the relevant practices of data security management and compliance requirements , Build a management system for privacy protection , Include ：

● Establish the general outline of privacy protection policy , And reach a consensus in the management .
● Establish organizations and teams for privacy protection 、 Division of responsibilities , Be responsible for privacy protection supervision 、 Audit and communication with regulators .
● Establish policies and frameworks for privacy protection （ Establish a document system and apply it to practice ）.
● Determine the list of applicable laws and regulations , And convert it into internal documents .
● Establish a Privacy Impact Assessment （PIA） Or data protection impact assessment （DPIA） Methodology and operation process .
● Management and implementation of privacy lifecycle （ Such as privacy statement 、 collect 、 The data subject agrees 、 Circulation approval process 、 Validity management and data cleaning ）.
● Establish data directory and privacy operation support system , Used to measure privacy risk , Support the routine implementation of privacy protection , It can also be used to prove its compliance to regulators .
● Establish relevant processes and systems for data subject requests （ Used to support user queries 、 modify 、 Delete 、 Withdrawal of consent, etc ）.
● Response and reporting mechanism for privacy data leakage events .

3、 ... and 、 Data protection governance GRC practice

Here we will GRC Integration of risk governance methodology PDCA Loop to discuss specific practices of privacy compliance .

3.1、 plan （P）

The main tasks in the planning stage include ：

G： Set a goal 、 Organizational responsibility and Accountability Policy 、 Formulate overall policies .
R： Risk identification .
C： Determine compliance requirements , Decomposition and reorganization , Establish internal compliance benchmarks .

3.2、 perform （D）

The main tasks of the implementation phase include ：

G： Refine the policy 、 supervise .
R： risk assessment 、 Risk control matrix 、 Integrate into the process 、 Risk management .
C： The internal compliance benchmark is transformed into a compliance control matrix 、 establish / Integrate into the process 、 Compliance improvement 、 Establish compliance records .

3.3、 Check （C）

The main tasks of the inspection phase include ：

G： For the results of the team's efforts 、 The process 、 Attitude to performance appraisal .
R： Measurement of risk , It is to quantify risks with data , It can be used for comparison among business teams , Commend the advanced .
C： Inspection of compliance effectiveness 、 Inspection of compliance records ; Effectiveness here , Including but not limited to whether the privacy statement has been self checked 、 Whether there are data flow approval records 、 Whether there are due diligence records of suppliers 、 Whether the data subject request has been processed .

3.4、 Handle （A）

The main tasks of the processing phase include ：

G： According to the results of compliance inspection 、 The result of risk measurement 、 Results of performance measurement , Implement decision-making and accountability .
R： Risk summary , Residual risks continue to move to the next round PDCA loop .
C： Compliance summary , The remaining non-compliance issues continue to move to the next round PDCA loop .

Four 、 Maturity of privacy protection capability

The commonly used capability maturity evaluation model in the field of privacy protection is AICPA/CICA PMM, It is from American and Canadian Institute of accountants To formulate the , Is based on GAPP（ Accepted privacy guidelines ） and CMM（ Capability Maturity Model ） And the developed privacy maturity model , It can be used to evaluate the current level of enterprise privacy protection system .

But in practice , It is generally not recommended to directly use external specifications , We need to transform it internally . In the process of internal transformation , Generally, the selected indicators need not be complete （ Indicators that do well in all businesses can be removed , Only include indicators with high risks ）, The main purpose is to drive the compliance improvement of each business line . The result after transformation is Internal capability maturity model .

The following are general recommendations , In practice , It should be formulated according to the actual situation of its own enterprise .

Capability maturity standard reference ：

Internal capability maturity reference ：