Lessons Learned While Building a Privacy Operations Center at Headspace Health

Shobhit Mehta

​

About me

• Security & Compliance Director at Headspace Health

​

• Held Security & GRC roles at PayPal, Fidelity Investments, Deutsche Bank, Credit Suisse, HSBC

​

• MS - Information Assurance & Cybersecurity, Northeastern University, Boston

​

• Interested in Healthcare Compliance, Privacy, Running, Writing

​

Goals

• Why build a dedicated POC?

​

​

• Considerations for building a POC.

​

​

• Guidance on initiating successful privacy programs and cross-functional projects between Engineering, Privacy, Product, and Legal teams.

​

​

​

Assumptions

• Some familiarity with Privacy laws such as GDPR, CPRA/CCPA and requirements of HIPAA.��
• Your role is at the intersection of Privacy, GRC, Product, Engineering.

�

• You have a dedicated Security/Privacy exec to garner the management support from other teams.

​

Why? (1/4)

Legal and regulatory requirements.

Why? (2/4)

Mandatory requirements from app stores.

Apple

Google

Why? (3/4)

Prevent financial and reputational loss.

Why? (4/4)

Ongoing media scrutiny.

Helps earn (or lose) trust.

But, most importantly…

​

​

​

Privacy is an existential risk.

​

​

Privacy is:

• a fundamental human right.

• a competitive advantage for organizations.

• make promises

• a foundation of trust.

• keep promises

Privacy is not:

• only security.

​

​

• solely an individual or organization’s responsibility.
• legal and regulatory framework
• industry best practices
• foster a culture of privacy awareness

• a zero-sum game.
• Privacy can and need to co-exist with innovation, efficiency, transparency, usability, and accountability.

Guiding Principles of Privacy (1/4)

1. Consent – Obtained through clear and specific language, record it, and provide members the right to withdraw at any time.�
2. Accuracy – Accurate, up-to-date, and members have the right to correct inaccuracies.�
3. Security – Implement reasonable security measures to protect against unauthorized access, disclosure, or use with physical, technical, and administrative safeguards.

Guiding Principles of Privacy (2/4)

• Accountability – Accountable for complying with data privacy laws and regulations. Provide members access to their information and a means to request deletion. �
• Transparency – Be transparent about data collection, use, and sharing practices. �
• Confidentiality – Maintain the confidentiality of personal information.

Guiding Principles of Privacy (3/4)

• Privacy by Design – Integrate privacy considerations into the design and implementation of the systems, products, and services. Conduct privacy impact assessments to identify and mitigate potential privacy risks.

​

• Breach Notification – Have policies, procedures and template notifications in place to detect and respond to data breaches. Notify affected individuals in a timely and transparent manner.

Guiding Principles of Privacy (4/4)

• Data minimization – Only collect the minimum amount of information necessary to achieve the stated purpose. Never collect additional information not needed or improve the member experience.�
• Data Retention – Establish policies and procedures for the retention and deletion of personal information. Only retain information for as long as it is needed for its stated purpose, and securely delete or anonymize when no longer needed.

What constitutes a POC?

Data Management v/s Data Governance

Governance & Management

Organize

Store

Protect

Maintain

Classification

Frameworks

Policies

Procedures

Stewardship

Strategic

Data Classification

Governance & Management

Highly Restricted

Restricted

Confidential

Public

Traditional data classification didn’t fit our requirements.

Headspace Health Data Classification

Governance & Management

Governance & Management

Classification is incomplete without inventory.

&

Complete data inventory is extremely hard.

Milestone for initial inventory

Governance & Management

This only covered the data that we already have.�{we’ll come back to this slide in a moment}

Data Subject Access Requests (DSAR) Tools

Governance & Management

• no one-size fits all.

• buy v/s build.

• whatever you choose - keep it live.

Milestone for initial inventory

Governance & Management

This only covered the data that we already have.

Privacy Impact Assessments

Partnerships

Legal team is your best friend. :)

Privacy & Security Review Procedure

Partnerships

Product

Engineering

Legal, Privacy, Security

Shifting Privacy Left & Right

Tools

Embed privacy tools as part of SDLC

​

​

​

​

Automated Data Classification & Labeling

​

​

​

​

Data Governance

Privacy Threat Modeling - Data Oriented

Security & Awareness

Minimize - Limit collection of personal data.

​

Abstract - Limit processing of personal data.

​

Separate - Separate the processing of personal data.

​

Hide - Protect personal data, or make it unlinkable or unobservable.

​

Source - Privacy Design Strategies

Privacy Threat Modeling - Process Oriented

Security & Awareness

Inform - Inform members about processing.

​

Control - Provide members control over the processing of their data.

​

Enforce - Enforce processing personal data in a privacy-friendly manner.

​

Demonstrate - Demonstrate processing personal data in a privacy friendly way manner.

​

Source - Privacy Design Strategies

Privacy Awareness

Security & Awareness

• Headspace Health specific HIPAA training�
• Monthly office hours�
• Dedicated Slack channels�
• Privacy intranet & form�
• Master Privacy FAQ

Summary

• Recognize that privacy is hard and the industry guidance is vague.

​

• There is always an opportunity to improve.

​

• When in doubt, ask yourself - ‘how this will look like on the front page of WSJ?’ to guide and influence your decisions.

​

​

​

​

Security enables Privacy.

​

#putmembersfirst

​

Building world’s most trusted mental health organization.

Resources

• CRISC Exam Handbook, Chapter 17, Information Security & Privacy Principles - Link
• Privacy conferences
• PEPR - https://www.usenix.org/conference/pepr22
• Rise of Privacy Tech - https://www.riseofprivacytech.com/
• A Taxonomy of Privacy - Link
• IAPP - iapp.org

​

​

​

​

​

​

shobhit@ginger.io

​

​

GRCMusings.com

�linkedin.com/in/shobhitmehta

​

shorturl.at/jkPV4