Managing Local Needs in a Global Program
International Congress Bogota

Merck Privacy Framework
Key components of a comprehensive, global program

Diagram labels: DEMONSTRATION, EFFECTIVE APPROACH, OVERSIGHT

Identify Risks and Opportunities

Commitment
• Solid policies aligned to external criteria
• Management commitment
• Full transparency

Integrated Governance

Implementation
• Mechanisms to ensure policies and commitments are put into effect with employees

Validation
• Monitoring and assurance programs that validate both coverage and effectiveness of implementation

Demonstrate capacity to internal stakeholders (Management, Internal Audit, Board)
Demonstrate capacity to external stakeholders (Trust Agents, Regulators)
Demonstrate capacity to individual data subjects

Merck Privacy Framework
When thinking about managing local requirements within a globally consistent program, we focus on Commitment and Implementation.
(Framework diagram repeated, with "Global Policy" labelled at Commitment and "Rulebook" labelled at Implementation.)

Privacy Global Policy & Rulebook
Continually updated content as requirements change
Everything starts with external requirements.
Global Policies are created to align to 90+%, and implementation standards and specific use cases are defined within a Rulebook (How To Manual).

Diagram labels:
• Laws and regulatory requirements
• Privacy Policy: Exceeds legal minimums
• Rulebook: Standards and Specifications
• Ongoing regulatory scanning

Merck Privacy Framework
The Rulebook (Contextual Implementation Specifications) is where any additional country-specific requirements are documented.
(Framework diagram repeated, with "Rulebook" labelled at Implementation.)

Privacy Rulebook Structure – Defined Standards with Contextual Specifications
(Diagram of Standards and their Specifications.)

Privacy Rulebook Structure

Privacy Rulebook – Global Standards
Global requirements are documented in this section.

Privacy Rulebook – Principles within the Global Standards
Individual privacy principles can be called out in the Standards and Specifications.

Privacy Rulebook – Country Specific “Additional” Requirements
Country/Region requirements are documented in this section to the degree that they are different from, or more stringent than, the global requirements.

Privacy Rulebook – Revision Controls
Rulebook Standards and Specifications are controlled documents. Revision history is maintained.
Privacy and Data Protection Division/Function/Country SOPs - Recipe for Privacy Compliance

Diagram labels: Merck Privacy Policy, Merck Privacy Rulebook, Privacy SOP, Stewards

Note: Privacy Staff & Stewards are provided consistent tools and processes to manage these responsibilities.

Diagram labels: GDPR Requirements, Named Individuals, Assist, Guidance / Assessments, PbD / PIA, Awareness, PII Inventory, Data Processing – Data Flow, Risk Assessment/Management, Third Party, PDPB

Merck Privacy Framework
When designing Guidance or Privacy by Design Tools, the Rulebook serves as the Knowledgebase for a tool to provide specific guidance.
(Framework diagram repeated, with "Rulebook" labelled at Implementation.)

Privacy Framework – Privacy Advisor Tool
A Guidance Tool can facilitate contextual compliance and provide for demonstration and validation that implementation is effective.
(Framework diagram repeated, with overlay labels: High, Medium, Low; Contextual, Dynamic Questions; Specific, Actionable Education & Guidance; Automated Workflow, Resolution, Documentation.)