SCENARIO
Please use the following to answer the next QUESTION:
Liam is the newly appointed information technology (IT) compliance manager at Mesa, a US based outdoor clothing brand with a global E-commerce presence. During his second week, he is contacted by the company’s IT audit manager, who informs him that the auditing team will be conducting a review of Mesa’s privacy compliance risk in a month.
A bit nervous about the audit, Liam asks his boss what his predecessor had completed related to privacy compliance before leaving the company. Liam is told that a consent management tool had been added to the website and they commissioned a privacy risk evaluation from a small consulting firm last year that determined that their risk exposure was relatively low given their current control environment. After reading the consultant’s report, Liam realized that the scope of the assessment was limited to breach notification laws in the US and the Payment Card Industry’s Data Security Standard (PCI DSS).
Not wanting to let down his new team, Liam kept his concerns about the report to himself and figured he could try to put some additional controls into place before the audit. Having some privacy compliance experience in his last role, Liam thought he might start by having discussions with the E-commerce and marketing teams.
The E-commerce Director informed him that they were still using the cookie consent tool forcibly placed on the home screen by the CIO, but could not understand the point since their office was not located in California or Europe. The marketing director touted his department’s success with purchasing email lists and taking a shotgun approach to direct marketing. Both directors highlighted their tracking tools on the website to enhance customer experience while learning more about where else the customer had shopped. The more people Liam met with, the more it became apparent that privacy awareness and the general control environment at Mesa needed help.
With three weeks before the audit, Liam updated Mesa's Privacy Notice himself, which was taken and revised from a competitor’s website. He also wrote policies and procedures outlining the roles and responsibilities for privacy within Mesa and distributed the document to all departments he knew of with access to personal information.
During this time. Liam also filled the backlog of data subject requests for deletion that had been sent to him by the customer service manager. Liam worked with application owners to remove these individual's information and order history from the customer relationship management (CRM) tool, the enterprise resource planning (ERP). the data warehouse and the email server.
At the audit kick-off meeting. Liam explained to his boss and her team that there may still be some room for improvement, but he thought the risk had been mitigated to an appropriate level based on the work he had done thus far.
After the audit had been completed, the audit manager and Liam met to discuss her team’s findings, and much to his dismay. Liam was told that none of the work he had completed prior to the audit followed best practices for governance and risk mitigation. In fact, his actions only opened the company up to additional risk and scrutiny. Based on these findings. Liam worked with external counsel and an established privacy consultant to develop a remediation plan.
Given the feedback provided to Liam after the audit, what maturity level would the audit team most likely have assigned to Mesa’s privacy policies and procedures if they use the Privacy Maturity Model (PMM)?
