Solution
David answered on Dec 27 2021
28th-August-2017
Morgan Fertilisers Pty Limited is one of MYH’s most significant and long-standing clients
with operations in both Tamworth and Bathurst in NSW and Toowoomba in Queensland.
During the annual audit of Morgan Fertilisers for the financial year ended 30 June 2017,
Jacqui notices the company had recently changed its contractor for waste management to
Dumparound Ltd. Jacqui happens to know, through her community activities, that
Dumparound is being investigated by the local council for the level of toxic waste at one of
its sites. The waste management contract between Dumparound and Morgan Fertilisers does
not specify damages and has not been signed by Dumparound. The contract is for a
substantial amount and is valid for 3 years, and Jacqui is concerned about the implications.
Key Challenges
Privacy management programs are:
• Sporadically implemented effectively, holistically and across the organization. The
main causes include inconsistent use of definitions and a lack of board support
for awareness of the program.
• Skewed, being treated as a legal-only issue yet are missing from corporate
governance.
• Cutting across organization disciplines in ways that often lead to overlap and
differences in detail with existing programs and initiatives (such as security and
customer relationships).
• Often insufficiently maintained to account for an evolving technological landscape
and different applicable regulatory requirements. This leads to obscurity and
confusion on the work floor, which results in compliance gaps and potential privacy
risks.
Recommendations
Security and risk management leaders implementing their corporate privacy management
program should:
• Target scope and overlap between separate plans and strategies of business units,
stakeholders and budgets by creating and communicating a common vision while
aligning the various objectives.
• Foster adherence to and support for the program from all business stakeholders by
translating privacy requirements in the program to function as a business enabler.
• Make employees conversant with policies by establishing clear responsibilities, and
focus awareness campaigns and training on employees' respective duties.
• Implement a high-frequency reiteration process for the program by allowing the
output from continuous risk assessments to be accounted for in the program's
subsequent procedures.
Privacy protection is critical to consumer and employee trust. Moreover, evolving privacy
legislation creates a new business case for compliance with regulatory requirements. Privacy
management programs include requirements directing IT operations and personal data
protection throughout the entire data life cycle. Good privacy protection requires awareness
of consumers' and employees' concerns (such as, "Is my personal data secure?" and "Will it
not be used out of the expected context?"). Effective privacy management programs include
efficient data breach prevention and response, and integration of privacy-by-design principles
in all business processes. Therefore, a privacy management program, sometimes described in
the form of a standard,[1] has to have a holistic view for the entire organization.
[1] https://www.gartner.com/document/3791067?ref=solrAll&refval=189849691&qid=0155f34f2c9e80032c8e1e7750beab94#dv_1_isoiec_291002011
Privacy management programs are, in most cases, carefully planned and developed.
However, they are often sporadically implemented effectively, holistically and across the
organization. Primary and frequent causes include lack of senior management support,
inconsistent terminology definition and a lack of employee awareness of the program. The
scope of a privacy management program affects the entire organization. Having all
stakeholders equally understand the intention, goal and definition of the program is a
prerequisite to actively support, facilitate and socialize the program and carry out the content.
Don't
Craft a program in silo. A distant approach, without proper consultation of all stakeholders
from various departments and functions, will ensure insufficient support and lead to
insufficient effectiveness. Not incorporating all international regulatory requirements under
which the organization operates may result in partial or noncompliance leading to penalties. It
would be even worse to take an IT-only approach by trying to achieve privacy solely through
the use of technology. Similarly, pushing a privacy program from the IT department into the
rest of the organization is ill-advised. Rather, information security is a subset of privacy
protection. It must be among the business responsibilities to instruct IT and security teams to
adjust and align matters, following the privacy risk previously assessed.
Ultimately, the business process owners know and understand the strengths and weaknesses
of their respective areas of operation. Effective implementation requires uniform definition
use in a language relevant to all business units. The objectives — and requirements to achieve
them — must be based on a common vision throughout the organization. Moreover, adequate
protection may impact many components of an organization, and may just as much be
achieved by business process re-engineering and organizational changes as by deployment of
technological controls.
Do
Enable a common vision of the program among...