
[GDPR Webinar Slides] Preparing for the GDPR - the Compliance Countdown Begins

To watch the full on-demand webinar recording please visit: https://info.truste.com/WB-2016-04-14-Insight-Series-Preparing-for-the-GDPR---the-Compliance-Countdown-Begins_RegPage-OnDemand.html

The introduction of the European General Data Protection Regulation (GDPR) has been heralded as the most significant change in global privacy regulations for the last 20 years. But now the talking is over and the legislation is agreed, the compliance countdown begins. What does this mean for your business? Where should you start?

This webinar will review the final text of the GDPR and explain the key things you need to know to comply, including:
• EU-wide data breach notification requirements
• New responsibilities for data processors
• Compulsory PIAs for certain types of processing
• Difference between GDPR & new Privacy Shield

Register to watch the On-Demand Webinar now to get a clear roadmap for GDPR compliance within your organization! Please visit: https://info.truste.com/WB-2016-04-14-Insight-Series-Preparing-for-the-GDPR---the-Compliance-Countdown-Begins_RegPage-OnDemand.html





Presentation Transcript


  1. Preparing for the GDPR – the Compliance Countdown Begins
     April 14, 2016
     Privacy Insight Series - truste.com/insightseries

  2. Today’s Speakers
     • Ralph T O’Brien, Principal Consultant EU, TRUSTe
     • Paul Lanois, Counsel, Cross-border Legal, Credit Suisse
     • Barbara Mangan Sondag, Privacy Counsel, North America, eBay Inc

  3. The GDPR – Story so Far
     Ralph T O’Brien, Principal Consultant EU, TRUSTe

  4. Why and what is the GDPR?
     • GOAL: One single law for the EU
     • Previous Directive of 1995 and national laws to be repealed
     • Member states need enabling legislation (with some ability to vary)
     • 50/99 articles have scope for variance.
     • Interpreted nationally by “supervisory authorities”
     • Consistency brought by a European Data Protection Board (EDPB)
     • Organizations have a lead authority…
     • …based on the organization’s “main establishment” (EU HQ)

  5. Applicability
     • Applicability is now extraterritorial
       o Based on “residency of individuals in EU”
       o Offering goods or services
       o Monitoring of behavior (such as internet tracking and profiling)
     • Where the organization is processing personal data
       o Data that relates to an individual who can be identified from it (or other data you have)
       o Regardless of format (digital, paper, audio, video etc)
       o Doesn’t have to be names (ID by picture, IP addresses, device IDs, cookies etc)
     • Sets up Consistency Mechanisms and EDPB
     • Supports Codes of Conduct, Seals and Certifications as evidence of compliance

  6. Timeline
     • Political agreement reached between Council and Parliament December 2015
     • Final text 6 April 2016 from Technical drafting committees
     • The text of the regulation will be sent to the European Parliament where it will first be approved by the Civil Liberties, Justice and Home Affairs (LIBE) committee in an extraordinary session
     • It has been adopted in plenary on 14 April 2016 (Today!)
     • It will then be published in the Official Journal of the European Union (OJEU)
     • Exactly two years after the date of publication in the OJEU, the Regulation will enter into force (April/May 2018?)

  7. Privacy under the EU Model
     [Diagram slide. Bodies shown: European Data Protection Board (consistency mechanism); National Courts; EU Courts; Data Protection Authority (supervising authority, based on main establishment) with advisory and enforcement roles; Data Controller (organisations); Data Subject (individuals); Processor; Third Countries; Third Parties. Relationship labels on the diagram: Complain?, Duties, Security?, Rights, Inform?, Disclosure?, Guarantees?]

  8. Key Requirements
     Increased Individual Rights:
     • Access to data
     • Remedy from supervisory body/court
     • Compensation for Damage
     • Compensation for Distress
     • Rectification (NEW)
     • Objection – absolute for direct marketing
     • Erasure (NEW)
     • Data Portability (NEW)
     • Restrict processing (put on hold)
     • Automated decisions and profiling
     Increased Obligations:
     • Consent harder to obtain/prove
     • Privacy notices more detailed/clearer
     • Proactively Demonstrate Compliance
     • Breach Notification (72 hours) – to individual and regulator
     • Appointment of Data Protection Officer (250+, or high risk processing)
     • Privacy by Design
     • Privacy Impact Assessments
     • More obligations for Processors (Joint Controllership)

  9. Privacy Principles Remain Consistent
     • Lawful basis
     • Fair processing
     • Specify Purposes (Limitation)
     • Adequate, relevant, not excessive (Minimization)
     • Accuracy
     • Retention
     • Rights of Individuals
     • Appropriate Security
     • International Transfer adequacy

  10. Key Privacy Risks
      • National Laws may set up additional penalties (enforced audit, reprimand, criminal sanctions)
      • Fines
      • Increased Consumer awareness
      • Increased activism
      • Courts now finding for individual more often (courts as activists)
      • Greater “visibility” of privacy in the media
      • Ethical business practices (“creepiness”)
      • Reputational harm
      • Decreased Consumer Trust

  11. Fines
      • Up to 10m EUR or 2% of worldwide annual turnover of the last FY
      • Up to 20m EUR or 4% of worldwide annual turnover of the last FY

  12. POLL: How prepared is your organization with the European Union's upcoming General Data Protection Regulation (the "GDPR")?
      1. Sorry, GDPR? Any connection with the Gross Domestic Product?
      2. We are already prepared, ready and waiting. Bring it on!
      3. We have already begun work and expect to be in time.
      4. We are not sure we will be ready by the deadline.
      5. We have not started anything yet.

  13. GDPR: what you can do now to prepare yourself
      Paul Lanois, Legal Counsel, Cross-border Legal, Credit Suisse
      Note: the views expressed are mine alone and do not necessarily reflect the views of my employer.

  14. Scope
      The scope of application of the GDPR is broader than the current EU data protection regime:
      • Under the current regime, organizations are in scope if they are located within the EU or make use of (automated) equipment located within the EU.
      • With the GDPR, the legislation extends to all organizations offering goods or services to EU citizens, irrespective of whether connected to a payment, and organizations that monitor (online) behavior of EU citizens, in so far as the behavior takes place in the EU.
      Even if your organization does not have any branches or processing equipment in the EU, it could still fall within the scope of the GDPR! Any entity holding or using European personal data will be impacted.

  15. Start building awareness now
      Change is coming… and your staff needs to know about it sooner rather than later! But an implementation timeframe of 2 years is plenty of time, right?
      • French “Digital Republic” bill anticipating the GDPR.
      • Some obligations are new and will take time to implement, for example:
        o Subject access requests: Processes may need to be created to be able to respond to requests from individuals without undue delay and at the latest within one month.
        o Data Portability: GDPR gives individuals the right to receive their personal data in a structured, commonly-used and machine-readable format. Individuals may also request, where technically feasible, that the controller send the personal data to another controller.
        o Privacy by Design: embed privacy into the design specifications of technologies, business practices, and physical infrastructures.

  16. How to raise awareness
      • Right to compensation: “Any person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation for the damage suffered.”
      • Sanctions: fines can amount to EUR 20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
        o This is a big and serious change from the current regime.
        o "Data protection will be the new anti-trust" - Giovanni Buttarelli, European Data Protection Supervisor.
      Ensure that decision makers and key people in your organization are now aware that the law is changing so that they can start identifying the areas that will have the biggest impact on them.

  17. Some less known points to consider
      • With the GDPR, additional points must be covered in the privacy notice: for example, you will need to explain your legal basis for processing the data, your data retention periods and that individuals have a right to complain if they think there is a problem with the way you are handling their data.
      • Information must be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.”
      • Restrictions surrounding automated data processing and decisions based upon such processing (i.e. profiling).
      • Parental consent will be needed to process personal data of children under 16 (Member States may bring this down to 13).

  18. GDPR: Privacy Impact Assessments
      Barbara Mangan Sondag, Privacy Counsel, North America, eBay
      Note: the views expressed are mine alone and do not necessarily reflect the views of my employer.

  19. Privacy Impact Assessments (PIAs) at a glance
      Privacy Impact Assessment a.k.a. Data Protection Impact Assessment (DPIA)
      • No definition in GDPR text
      • Regarded as a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimizing or eliminating that impact.
      • Plays an important role in the overall risk management and planning processes of a company
      PIAs can assist businesses with:
      • Describing how personal information flows in a project
      • Analyzing the possible impacts on individuals’ privacy
      • Identifying and recommending options for avoiding, minimizing or mitigating negative privacy impacts
      • Building privacy considerations into the design of a project
      • Achieving the project’s goals while minimizing the negative and enhancing the positive privacy impacts.

  20. Privacy Impact Assessments (PIAs) at a glance
      Benefits of PIAs:
      • demonstrating that a project is compliant with privacy laws
      • reducing future costs in management time, legal expenses and potential negative publicity by considering privacy issues early in a project
      • identifying strategies to achieve the project’s goals without impacting on privacy
      • promoting awareness and understanding of privacy issues inside the organization or agency
      • contributing to broader organizational or agency risk management processes.
      Risks of not undertaking a PIA include:
      • non-compliance with the letter or the spirit of relevant privacy laws, potentially leading to a privacy breach and/or negative publicity
      • loss of credibility by the entity through lack of transparency in response to public concern about handling personal information
      • damage to an entity’s reputation if the project fails to meet expectations about how personal information will be protected
      • identification of privacy risks at a late stage in the project development or implementation, resulting in unnecessary costs or inadequate solutions.

  21. GDPR Requirements
      Applicable GDPR Text:
      • Data Protection Impact Assessments (DPIAs) (Sect. 3, Art. 35): The supervisory authority shall establish and make public a list of the types of processing operations that require a DPIA. They may also establish and make public a list of the types of processing operations that do not require a DPIA. Lists shall be communicated to EUDPB.
      • Penalty, Art. 83: Administrative fines up to 10,000,000 EUR, or in case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
      Obligations:
      DPIAs are required for any processing that may result in “high risk”, and for:
      • Systematic and extensive automated processing, including profiling, if the decisions produce legal effects or significantly affect the individual. Example: Making predictions based on a person’s behavior, economic situation, health, location
      • Processing special categories of data (i.e. genetic or biometric data) or criminal records on a large scale
      • Systematic monitoring of a publicly accessible area on a large scale
      • As indicated by the DPAs or EUDPB
      Each DPIA shall contain at least:
      • A systematic description of the processing operations and the purposes of the processing, including where applicable the legitimate interest of the controller;
      • An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
      • An assessment of the risks to the rights and freedoms of data subjects; and
      • The measures needed to address the risks, including safeguards, security measures and mechanisms to demonstrate compliance.

  22. GDPR Requirements – Implementation Considerations
      Evaluate existing PIA processes against PIA requirements, particularly events that may constitute high risk:
      • Conversion of records from paper-based to electronic form;
      • Conversion of information from anonymous to identifiable form;
      • System management changes involving significant new uses and/or application of new technologies;
      • Significant merging, matching or other manipulation of multiple databases containing personal data;
      • Incorporation into existing databases of personal data obtained from commercial or public sources;
      • Alteration of a business process resulting in significant new collection, use and/or disclosure of personal data.
      Consider risk definitions and evaluation criteria used within the business:
      • A single DPIA may address a set of processing operations that present similar high risks.
      • Where appropriate, seek the views of data subjects on the intended processing.
      • Conduct audits to verify that processing is performed in compliance with the DPIA, at least when there is a change of the risk represented by the processing operations.
      • Where a DPIA indicates high risk: if the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.

  23. Practical Points for PIAs
      • Build, implement and be able to document a robust PIA process.
      • Your company’s core business drivers influence the content of a PIA (for example, eBay’s PIA would likely look very different from American Express’ PIA because of the products/services they offer).
      • A single assessment may involve many people in multiple geographies. It can cross various business units and be reviewed by several internal and external stakeholders.
      • Systematically evaluate how personally identifiable information is collected, used, shared and maintained by your organization in the context of business change.
      • What areas of your program should you address? At what level? Privacy Notice? Large-scale strategic projects? Individual use cases?

  24. Practical Points for PIAs (2)
      • Consider a bifurcated PIA process, with traditional PIAs for all projects and EU DPIAs for projects that trigger these rules.
      • Documentation requirements may impose a burden on development teams using agile and similar methods – additional resources may have to be added to manage recordkeeping.
      • Consider advantages and risks of maintaining DPIA records with records of processing activities required by Art. 30.
      • Where possible, automate parts of the PIA, standardize reviews, and obtain metrics on PIAs.
      • Your Information Security Team is a great partner!
      • PIAs should be an integral part of the project planning process, not an afterthought.

  25. Case Study: eBay Vendor Assessments
      • Global Privacy partnered with the Information Security team to build out a ticketing system for vendor security assessments.
      • Security + Privacy questions to comprehensively assess risk.
      • Share body of knowledge in one system; align resources between teams; quickly prompt the preparation of the right type of Data Protection Requirements Addendum (DPRA).
      • Business notified if further information is required.
      • Executed DPRA attached to ticket for future reference.
      • Save time for Business, Legal, Privacy and Information Security:
        o One-time ticket completion: Business can communicate project details to InfoSec and Privacy simultaneously.
        o Everyone wins – save time for future lookup.
        o The project details and assessment are documented in the ticketing system, not in emails.

  26. Sample

  27. Questions?

  28. Contacts
      • Ralph T O’Brien – robrien@truste.com
      • Barbara Mangan Sondag – bmangan@ebay.com
      • Paul Lanois – planois@alumni.law.upenn.edu

  29. Thank You!
      Don’t miss the next webinar in the Series – “Global Privacy Enforcement Priorities” on May 19 featuring Chris Hoofnagle, Adjunct Full Professor, University of California, Berkeley.
      See http://www.truste.com/insightseries for details of our 2016 Privacy Insight Series and past webinar recordings.
