Data Privacy – Affecting all areas of the business
NYC Regional Compliance and Ethics Conference
October 7, 2016
2 © 2016 CA. ALL RIGHTS RESERVED.
Agenda
Overview of a few key privacy laws
How privacy differs from EU to US
Types of data protected
How Privacy affects the whole business
GDPR and Privacy Shield Overview
What Is “Privacy”?
“The ability of individuals or a group to seclude themselves, or information about themselves, and thereby express themselves selectively. The boundaries and content of what is considered private differ among cultures and individuals, but share common themes.”
Major Data Protection Laws – US and EU
US
50+ state/territory breach notification laws
HIPAA (health care data, now also covering business associates)
Gramm-Leach-Bliley (financial institutions)
CAN-SPAM (commercial email)
COPPA (children online)
Do-Not-Call Registry (telemarketing)
FCRA/FACTA (credit reports)
EU
GDPR (replacing the EU Data Protection Directive)
ePrivacy Directive (telcos and ISPs)
NIS Directive (operators of essential services and digital service providers)
eCookie Directive
Member states have their own laws
What must be protected???
IN THE UNITED STATES
Social Security Numbers
Credit Cards
Bank Accounts
Passport Numbers
Driver’s License Number
Date of Birth
Health-Related Data
User ID/Passwords
Mother’s Maiden Name
Biometric Data
IN EUROPE
Race
Religion
Political Opinion
Criminal offenses
Sexual Lifestyle
Trade Union Membership
Oh – plus ALL Personal Data!!
Aside from the law… What’s important to YOUR company? Your Crown Jewels
Strategic Plans/Initiatives
Merger and Acquisition Plans
Source code
Undisclosed financial results
Pending litigation matters
Your company’s secret sauce
Your customers’ information
Internal Touch Points
All Employees
Marketing
Procurement
Human Resources
Product Development
Board/Senior Management
IT Department
External Touch Points
Third Parties
Business Partners
Cloud Providers
Marketing partners
Employee benefits provider
Not just a compliance issue
Company Reputation
Employee Satisfaction
Breach of Contract
Customer Satisfaction
Data Privacy at CA Technologies
Public Breaches
Some ways to prevent/address breaches
Laptop Encryption
Data Loss Prevention
Employee Training – Privacy and Security Awareness
Supplier Risk Management Program
IT Security (firewalls, multifactor auth, spam filters, etc.)
Incident response team/plan
Employee Training
Collect the minimum necessary
Use the data only for the purpose collected
Keep it accurate and up-to-date
Keep it secured – only in approved systems/servers
Don’t transfer to a third party unless approved and documented
Delete data when no longer needed
Don’t transfer outside the region or country without approval
Escalate security incidents promptly!
Make sure it’s clear to the employees what counts as Personal Data
EU Data Privacy Principles
These apply to anything that identifies a person
Notice
Choice
Access
Purpose Limitation
Data Integrity
Security
Enforcement
Transfer outside of EEA
GDPR – replaces the EU Directive
New/Expanded Concepts
Extraterritorial reach
Putting people in control of their data
Accountability – demonstrate compliance
One single law for the EU
Applicability based on "residency" of individuals
Huge fines
• up to 20 million euro or
• up to 4% of the total worldwide annual turnover, whichever is higher
GDPR - Accountability
Data protection policies
Data protection by design and by default
Record keeping obligations (controllers & processors)
Co-operation with DPAs (controllers & processors)
Data protection impact assessments (where required)
Mandatory DPOs for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special categories of data
Security and notification of breaches (controllers & processors)
GDPR - People in control of their information
Right to access personal data
Right to object to the processing of personal data
Right to erasure of personal data
Right to object to automated decision-making
Privacy Notice: Controller must notify clearly about purpose of collection, how data is used, with whom it’s shared and why
GDPR - Consent
Silence, pre-ticked boxes or inactivity do not constitute consent (GDPR Recital 32)
Consent could be given by:
• Ticking a box when visiting a website
• Choosing technical settings
• A statement or conduct clearly indicating acceptance of the proposed processing
Consent must be: freely given, specific, informed, unambiguous and easy to withdraw
Breach Notification – new to the EU
Controllers must notify the regulator unless the personal data breach is unlikely to result in a risk to the rights and freedoms of individuals, and must notify the affected data subjects when the breach is likely to result in a high risk to those rights and freedoms.
A personal data breach = “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.”
Notice to regulator: without undue delay and, where feasible, not later than 72 hours after having become aware of the personal data breach
Notice to data subject: “without undue delay.”
Exceptions to notice requirement
Notification to the data subjects is not required if:
• the data is unintelligible to anyone not authorised to access it (e.g., encrypted, and the key was not also compromised); or
• the high risk is negated by measures taken: the controller takes action after the personal data breach to ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise.
• Where notifying each individual would involve disproportionate effort, a public communication (or an equally effective measure) is acceptable instead.
Data transfer mechanisms
Consent
• Difficult to get
• Not accepted by all regulators
• Presumed to be coerced
Binding Corporate Rules
• Expensive
• Take a long time
Standard Contractual Clauses (Model Clauses)
• Not easy to manage
Safe Harbor / Privacy Shield
• Only EU to US
• P.S. still new but looks good!
Safe Harbor: born in 2000; died in 2015
The U.S. was not deemed to provide an adequate level of protection for transfers of personal data
Safe Harbor agreement formed in 2000 - permitted transfer of PII from EEA to US
Over 4000 companies certified
All was good for 15 years, until….
Remember these two?
Safe Harbor Invalid – How did it happen?
June 2013: Snowden revelations about NSA mass surveillance.
November 2013 – October 2015: Discussions between the EU Commission and the US Dept of Commerce about revising Safe Harbor to make it more acceptable to the EU.
2014: Max Schrems sues Facebook in Ireland for transferring his data to the U.S.
6 October 2015: Schrems case against Facebook goes up to the highest court in Europe (the CJEU) – SAFE HARBOR DECLARED INVALID
Privacy Shield
U.S. Department of Commerce and European Commission reach agreement in July 2016 - the Privacy Shield is born
Lots of changes made in order to appease the European regulators
Representations from US re: government surveillance
Companies must address issues promptly and provide recourse for EU residents
DPAs still not 100% sold, but will give it a year
Dept of Commerce Website Went Live August 1, 2016
What are the Privacy Shield Principles?
Notice
Choice
Accountability for onward transfer
Security
Data Integrity and purpose limitation
Access
Recourse, Enforcement and Liability
Informing individuals about data processing
Privacy Notice Must Contain:
Commitment
• commitment to comply with the Privacy Shield Principles
Dispute Resolution
• link to the Department of Commerce’s Privacy Shield website; and
• link to the independent recourse mechanism
Notice to individuals of:
• their rights to access personal data
• the company’s requirement to disclose personal information in response to lawful requests by public authorities
• the enforcement authority with jurisdiction over compliance
• the company’s liability in cases of onward transfer
Providing free and accessible dispute resolution
Individuals bring complaint to Privacy Shield participant; participant must respond within 45 days
Arrange for independent recourse mechanism to address complaints and disputes
DoC commits to review complaints to DPA; use best efforts to resolve and respond to DPA within 90 days
Participants must commit to binding arbitration at the request of the individual to address unresolved complaints
What you need to do to comply with the Shield
Modify Privacy Notice
Select independent recourse mechanism to investigate complaints
Establish verification program – self-assessment or 3rd party assessment
Review/modify third party contracts (onward transfer)
Train employees
Questions?