Slide 1: Data Privacy – Affecting all areas of the business

NYC Regional Compliance and Ethics Conference

October 7, 2016

© 2016 CA. ALL RIGHTS RESERVED.

Slide 2: Agenda

Overview of a few key privacy laws

How privacy differs from EU to US

Types of data protected

How Privacy affects the whole business

GDPR and Privacy Shield Overview

Slide 3: What Is “Privacy?”

“The ability of individuals or a group to seclude themselves, or information about themselves, and thereby express themselves selectively. The boundaries and content of what is considered private differ among cultures and individuals, but share common themes.”

(Search result for “define privacy”)

Slide 4: Major Data Protection Laws – US and EU

US:

50+ state/territory breach notification laws

HIPAA (health care data – now also covers business associates)

Gramm-Leach-Bliley (financial institutions)

CAN-SPAM (commercial email)

COPPA (children on-line)

Do-Not-Call Registry (telemarketing)

FCRA/FACTA (credit reports)

EU:

GDPR (replacing the EU Data Protection Directive)

ePrivacy Directive (telcos and ISPs)

NIS Directive (operators of essential services and digital service providers)

eCookie Directive

Member states have their own laws

Slide 5: What must be protected???

IN THE UNITED STATES

Social Security Numbers

Credit Cards

Bank Accounts

Passport Numbers

Driver’s License Number

Date of Birth

Health-Related Data

User ID/Passwords

Mother’s Maiden Name

Biometric Data

IN EUROPE

Race

Religion

Political Opinion

Criminal offenses

Sexual Lifestyle

Trade Union Membership

Oh – plus ALL Personal Data!!

Slide 6: Aside from the law… What’s important to YOUR company – Your Crown Jewels?

Strategic Plans/Initiatives

Merger and Acquisition Plans

Source code

Undisclosed financial results

Pending litigation matters

Your company’s secret sauce

Your customers’ information

Slide 7: Internal Touch Points

All Employees

Marketing

Procurement

Human Resources

Product Development

Board/Senior Management

IT Department

Slide 8: External Touch Points

Third Parties

Business Partners

Cloud Providers

Marketing partners

Employee benefits provider

Slide 9: Not just a compliance issue

Company Reputation

Employee Satisfaction

Breach of Contract

Customer Satisfaction

Slide 10: Data Privacy at CA Technologies – Public Breaches

Slide 11: Some ways to prevent/address breaches?

Laptop Encryption

Data Loss Prevention

Employee Training – Privacy and Security Awareness

Supplier Risk Management Program

IT Security (firewalls, multifactor auth, spam filters, etc.)

Incident response team/plan
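As an added example that is not part of the slides, here is what the “Data Loss Prevention” bullet means in practice: a minimal outbound content check, in Python, for two of the US identifiers slide 5 lists (Social Security Numbers and payment-card numbers). It validates each candidate (SSA issuance rules for SSNs, the Luhn check digit for cards) so that ticket and invoice numbers do not trigger false positives, and masks confirmed matches before the message leaves. The sample e-mail body, the function names and the `Finding` record are my own constructions, not CA’s tooling.

```python
import re
from dataclasses import dataclass

# Constructed sample input (not from the slides): an outbound e-mail body
# mixing real-looking identifiers with near-misses that must not fire.
SAMPLE_EMAIL = """\
Hi Bob, the new hire's SSN is 219-09-9999 and her card on file is 4111 1111 1111 1111.
Ticket 000-12-3456 is not an SSN (area 000), and 1234-5678-9012-3456 fails Luhn.
Invoice number 4111-1111-1111-1112 also fails Luhn.
"""


@dataclass
class Finding:
    kind: str    # "ssn" or "card" (hypothetical labels for this example)
    value: str   # the matched text exactly as it appeared
    start: int   # character offset in the scanned text


# SSN: three groups of digits, optionally separated by '-' or ' '.
SSN_RE = re.compile(r"\b(\d{3})[- ]?(\d{2})[- ]?(\d{4})\b")
# Payment card: 13 to 19 digits, optionally separated by '-' or ' '.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check digit test over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - ord("0")
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_plausible_ssn(area: str, group: str, serial: str) -> bool:
    """Reject values the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return group != "00" and serial != "0000"


def scan(text: str) -> list:
    """Return validated SSN and card findings, ordered by position."""
    findings = []
    for m in SSN_RE.finditer(text):
        if is_plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", m.group(0), m.start()))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            findings.append(Finding("card", m.group(0), m.start()))
    return sorted(findings, key=lambda f: f.start)


def redact(text: str) -> str:
    """Mask every finding except its last four digits, working right-to-left
    so earlier offsets stay valid while the text is rewritten."""
    out = text
    for f in sorted(scan(text), key=lambda f: f.start, reverse=True):
        digits = re.sub(r"\D", "", f.value)
        masked = "*" * (len(digits) - 4) + digits[-4:]
        out = out[:f.start] + masked + out[f.start + len(f.value):]
    return out


if __name__ == "__main__":
    for f in scan(SAMPLE_EMAIL):
        print(f"{f.kind:4} at {f.start}: {f.value}")
    print(redact(SAMPLE_EMAIL))
```

The validation step is what separates a usable DLP rule from a noisy one: a bare `\d{3}-\d{2}-\d{4}` pattern fires on ticket numbers, and a bare 16-digit pattern fires on order and invoice numbers, which trains employees to ignore the alerts. Real products add context (keywords near the match, file type, destination) on top of this; the structure stays the same.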

Slide 12: Employee Training

Collect the minimum necessary

Use the data only for the purpose collected

Keep it accurate and up-to-date

Keep it secured – only in approved systems/servers

Don’t transfer to a third party unless approved and documented

Delete data when no longer needed

Don’t transfer outside the region or country without approval

Escalate security incidents promptly!

Slide 13: Make sure it’s clear to the employees

Personal Data

Slide 14: EU Data Privacy Principles

These apply to anything that identifies a person

Notice

Choice

Access

Purpose Limitation

Data Integrity

Security

Enforcement

Transfer outside of EEA

Slide 15: GDPR – replaces the EU Directive

New/Expanded Concepts

Extraterritorial reach

Putting people in control of their data

Accountability – demonstrate compliance

One single law for the EU

Applicability based on the "residency" of the individuals whose data is processed (data subjects in the EU), not on where the company is established

Huge fines

• up to 20 million euro or

• up to 4% of the total worldwide annual turnover, whichever is higher

Slide 16: GDPR – Accountability

Data protection policies

Data protection by design and by default

Record keeping obligations (controllers & processors)

Co-operation with DPAs (controllers & processors)

Data protection impact assessments (where required)

Mandatory DPOs for the public sector and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of special-category data (“Big Data”)

Security and notification of breaches (controllers & processors)

Slide 17: GDPR – People in control of their information

Right to access personal data

Right to object to the processing of personal data

Right to erasure of personal data

Right to object to automated decision-making

Privacy Notice: Controller must notify clearly about purpose of collection, how data is used, with whom it’s shared and why


Slide 18: GDPR – Consent

Silence, pre-ticked boxes or inactivity do not constitute consent (GDPR Recital 32)

Valid consent could include:

• Ticking a box when visiting an internet website

• Choosing technical settings

• A statement or conduct clearly indicating acceptance of the proposed processing

Consent must be:

• Freely given

• Specific

• Informed

• Unambiguous

• Easy to withdraw

Slide 19: Breach Notification – new to the EU

Controllers must notify the regulator unless the personal data breach is unlikely to result in a risk to individuals, and must also notify the data subjects if it is likely to result in a high risk to their rights and freedoms.

A personal data breach = ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data.’

Notice to regulator: without undue delay and, where feasible, not later than 72 hours after having become aware of the personal data breach; a notification made later than 72 hours must be accompanied by the reasons for the delay.

Notice to data subject – “without undue delay.”

The 72-hour clock runs from the moment the controller becomes aware of the breach, so the incident response plan needs a recorded time of awareness and a risk assessment that can be completed inside that window.

Slide 20: Exceptions to notice requirement

Notification to the data subjects is not required if:

• the data is unintelligible to anyone not authorized to access it (e.g., encrypted – provided the key was not also compromised)

• the high risk is negated by measures taken: where the controller takes actions subsequent to the personal data breach to ‘ensure that the high risk for the rights and freedoms of data subjects’ is unlikely to materialize; or

• public notice is acceptable if it would involve disproportionate effort to notify each individual

These exceptions relieve the controller only of notifying the data subjects; notification to the regulator is governed separately.

Slide 21: Data transfer mechanisms

Consent

• Difficult to get

• Not accepted by all regulators

• Presumed to be coerced

Binding Corporate Rules

• Expensive

• Take a long time

Standard Contractual Clauses (Model Clauses)

• Not easy to manage

Safe Harbor / Privacy Shield

• Only EU to US

• Privacy Shield still new but looks good!

Slide 22: Safe Harbor: born in 2000; died in 2015

U.S. was not deemed adequate for the transfer of data

Safe Harbor agreement formed in 2000 - permitted transfer of PII from EEA to US

Over 4000 companies certified

All was good for 15 years, until….

Slide 23: Remember these two?

Slide 24: Safe Harbor Invalid – How it happened?

June 2013: Snowden revelations about NSA mass surveillance.

November 2013 – October 2015: Discussions between EU Commission and US Dept of Commerce about revising Safe Harbor to make it more acceptable to the EU.

2014: Max Schrems sues Facebook in Ireland for transferring his data to the U.S.

6 October 2015: Schrems case reaches the Court of Justice of the EU, the highest court in Europe – SAFE HARBOR DECLARED INVALID

Slide 25: Privacy Shield

U.S. Department of Commerce and European Commission reach agreement in July 2016 – the Privacy Shield is born

Lots of changes made in order to appease the European regulators

Representations from US re: government surveillance

Companies must address issues promptly and provide recourse for EU residents

DPAs still not 100% sold, but will give it a year

Slide 26: Dept of Commerce Website Went Live August 1

Slide 27: What are the Privacy Shield Principles?

Notice

Choice

Accountability for onward transfer

Security

Data Integrity and purpose limitation

Access

Recourse, Enforcement and Liability

Slide 28: Informing individuals about data processing

Privacy Notice Must Contain:

Commitment

• commitment to comply with the Privacy Shield Principles

Dispute Resolution

• Link to Department of Commerce’s Privacy Shield website; and

• Link to independent recourse mechanism

Notice to individuals of:

• their rights to access personal data

• Company’s requirement to disclose personal information in response to lawful request by public authorities

• enforcement authority with jurisdiction over compliance

• company’s liability in cases of onward transfer

Slide 29: Providing free and accessible dispute resolution

Individuals bring complaint to Privacy Shield participant; participant must respond within 45 days

Arrange for independent recourse mechanism to address complaints and disputes

DoC commits to review complaints to DPA; use best efforts to resolve and respond to DPA within 90 days

Participants must commit to binding arbitration at the request of the individual to address unresolved complaints

Slide 30: What you need to do to comply with the Shield

Modify Privacy Notice

Select independent recourse mechanism to investigate complaints

Establish verification program – self-assessment or 3rd party assessment

Review/modify third party contracts (onward transfer)

Train employees

Slide 31: Questions?