1 / 22

Privacy Shield is Here – What You Need to Know - TRUSTe Webinar

"The new Privacy Shield Framework has been formally adopted after months of rigorous EU regulatory review and the Department of Commerce is expected to start taking submissions in August. What does this mean for companies looking to comply with the new Framework?<br>Register NOW to watch the full on-demand webinar - https://info.truste.com/privacy-shield-what-you-need-to-know-webinar.html<br>"<br>

truste
Download Presentation

Privacy Shield is Here – What You Need to Know - TRUSTe Webinar

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Privacy Shield is Here: What You Need to Know July 21, 2016 v v Privacy Insight Series - truste.com/insightseries 1

  2. Today’s Speakers Caitlin Fennessy Senior Policy Advisor Data Flows and Privacy Team International Trade Administration U.S. Department of Commerce Chris Babel, CEO TRUSTe v Privacy Insight Series - truste.com/insightseries 2

  3. Today’s Agenda • Welcome & Introductions • Understanding the Differences between Safe Harbor & Privacy Shield • How the Department of Commerce will Operate the Program • Working with Third Party Verification & Dispute Resolution Providers • Looking Forward • Q&A v Privacy Insight Series - truste.com/insightseries 3

  4. Understanding the Differences between Safe Harbor & Privacy Shield Caitlin Fennessy, Senior Policy Advisor, Privacy & Data Flows Team, U.S. Department of Commerce v v Privacy Insight Series - truste.com/insightseries 4

  5. Understanding the Privacy Shield Framework What does the Privacy Shield contain? Privacy Shield Principles –Requirements to which U.S.-based organizations can make an enforceable commitment to receive data in compliance with EU data protection laws Letters Describing Oversight and Enforcement from: –Secretary of Commerce and Under Secretary for International Trade –Chairwoman of the Federal Trade Commission –Secretary of Transportation Government Access to Data −Letter from the Secretary of State on the new Privacy Shield Ombudsperson −Letter concerning safeguards and limitations from the Office of the Director of National Intelligence −Letter concerning safeguards and limitations from the Department of Justice Privacy Insight Series - truste.com/insightseries v 5 5

  6. Understanding the Privacy Shield Framework What should your company focus on to come into compliance? What’s new compared to Safe Harbor 1. New Privacy Protections Notice requirements Accountability for onward transfer Purpose limitation and data retention Note: Companies should review the Framework in its entirety. These slides are only meant to highlight certain aspects. v Privacy Insight Series - truste.com/insightseries 6 6

  7. Understanding the Privacy Shield Framework What should your company focus on to come into compliance? What’s new compared to Safe Harbor 2. Enhanced Complaint Resolution Response time to EU individuals Free dispute resolution Binding arbitration as last-resort option v Privacy Insight Series - truste.com/insightseries 7 7

  8. Understanding the Privacy Shield Framework What should your company focus on to come into compliance? What’s new compared to Safe Harbor 3. Improved Cooperation and Transparency Monitoring and dispute resolution requires cooperation with ITA Privacy Shield Team Ongoing requirements (if withdraw and maintain data) Publication of FTC compliance reports (if subject to enforcement action) v Privacy Insight Series - truste.com/insightseries 8 8

  9. How the Department of Commerce will Operate the Program Caitlin Fennessy, Senior Policy Advisor, Privacy & Data Flows Team, Department of Commerce v v Privacy Insight Series - truste.com/insightseries 9

  10. Joining the Privacy Shield Program How will a company join Privacy Shield? 1. Confirm Your Organization’s Eligibility to Participate 2. Develop a Compliant Privacy Policy 3. Establish an Independent Recourse Mechanism (IRM) 4. Ensure a Verification Mechanism is in place 5. Identify your Privacy Shield Point of Contact 6. Self-certify Using the Privacy Shield Website 7. Reaffirm Self-certification Annually 8. Reply to Inquiries from EU citizens, IRM, Commerce, and/or DPAs as Required v Privacy Insight Series - truste.com/insightseries 10 10

  11. Joining the Privacy Shield Program ITA Administration: What’s new that matters to you? Maintenance of the Privacy Shield Website Verification of Self-Certification Requirements Monitoring of Compliance Facilitating Resolution of Complaints Referred by EU DPAs v Privacy Insight Series - truste.com/insightseries 11 11

  12. Joining the Privacy Shield Program FTC Enforcement: What has changed (and what hasn’t)? Prioritization of DPA Referrals Enforcement Cooperation Investigatory Assistance Publication of FTC Compliance Reports v Privacy Insight Series - truste.com/insightseries 12 12

  13. Third Party Verification & Dispute Resolution Providers Chris Babel, CEO, TRUSTe v v Privacy Insight Series - truste.com/insightseries 13

  14. Privacy Practices Verification •Companies must take steps to verify assertions made around Privacy Shield compliance are true •Third party compliance reviews can be used to satisfy this requirement •Third party reviews must: –Verify privacy policies are being complied with –Consumers are informed of how they can file a compliant • Companies must be able to demonstrate an external review has been successfully completed annually –This can be provided by the external compliance review provider •Companies must retain records of their implementation of the Privacy Shield Principles and privacy policies –Records must be provided upon request in context of a Privacy Shield related investigation Privacy Insight Series - truste.com/insightseries v 14

  15. Dispute Resolution •Companies must respond to initial complaint within 45-days •Alternative mechanism must be in place to address Privacy Shield related complaints –Independent Dispute Resolution Provider (IDR) can be used for consumer data –DPAs must be used for employee data • Must be provided free of charge to individuals • Companies must provide information regarding their IDR Provider in their privacy notice – Name of the designated provider and how to contact them –Whether the provider is EU or U.S. based –That it is available free of charge •Binding arbitration is available after other mechanisms have been exhausted v Privacy Insight Series - truste.com/insightseries 15

  16. New requirements for IDR Providers • Make information available to consumers about Privacy Shield and the IDR Provider’s role under Privacy Shield –Needs to be accessible from IDR Provider’s website –Link to the DOC’s Privacy Shield site –Explanation of how to file a complaint, dispute resolution process and timeframes, and potential remedies •Report annually to the DOC regarding number, types, and outcomes of complaints received, and length of time to resolve. –Reporting in the aggregate • IDR Providers must notify DOC of companies that fail to resolve Privacy Shield related complaints. v Privacy Insight Series - truste.com/insightseries 16

  17. Impacts on Business Companies face stronger obligations for data transfers Increased risk stemming from 3rd party processors, partners, and vendors Privacy Shield language needs to be added to contracts, and be provided to the DOC upon request Companies must respond to disputes faster through additional channels Increased regulatory focus Companiesmust document, maintain records and deliver reports on their compliance efforts • • • • • • v Privacy Insight Series - truste.com/insightseries 17

  18. Levels of Third Party Assistance Dispute Resolution Verification Assessment Dispute Resolution mechanism (non HR) Dispute Resolution Seal/Button (non HR) Comprehensive Assessment – Customer and / or HR Data Online Asset Review and Scanning Findings Report Searchable Audit Trail DOC Registration Assistance Ongoing Guidance Remediation Assistance Verification Seal Verification Letter of Attestation ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ Verification Listing for DOC ✔ v Privacy Insight Series - truste.com/insightseries 18 18

  19. Looking Forward Caitlin Fennessy, Senior Policy Advisor, Privacy & Data Flows Team, Department of Commerce v v Privacy Insight Series - truste.com/insightseries 19

  20. Looking Forward How was the Framework designed to remain durable? The GDPR European Court of Justice Cooperation with EU DPAs v Privacy Insight Series - truste.com/insightseries 20 20

  21. Contacts Chris Babel cbabel@truste.com v v Privacy Insight Series - truste.com/insightseries 21

  22. Thank You! Details of our 2016 Summer/Fall Webinar Series are now available. Register now for our next webinar on August 18 “Brazil & Beyond: Privacy Trends in Latin America” See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings. v v Privacy Insight Series - truste.com/insightseries 22

More Related