[gdpr webinar slides] path to gdpr compliance


Upload: truste

Post on 07-Jan-2017


Category: Law



Page 1: [GDPR Webinar Slides] Path to GDPR Compliance

Privacy Insight Series - truste.com/insightseries

Path to GDPR Compliance

June 29, 2016

Page 2

• We will be starting a couple minutes after the hour

• This webinar will be recorded and the recording and slides sent out later today

• Please use the GotoWebinar control panel on the right hand side to submit any questions for the speakers

Thank you for joining the webinar

Page 3

Today’s Speakers

Eleanor Treharne-Jones, CIPP/E, VP Consulting, TRUSTe (moderator)

Beth Sipula, Senior Privacy Consultant, TRUSTe

Bojana Bellamy, CIPP/E, President, Hunton & Williams Centre for Information Policy Leadership (CIPL)

Page 4

The New EU Data Protection Regulation: A Catalyst for Sea Change for All?

Bojana Bellamy, CIPP/E, President, Hunton & Williams Centre for Information Policy Leadership (CIPL)

Page 5

EU Data Protection Regulation at a Glance

Harmonisation and some progress

• Harmonised rules, but not fully (e.g. employee data, children data)

• One Stop Shop: Lead DPA for pan-European matters, in cooperation with other DPAs; Local DPA for local matters and redress for individuals

• Risk-based approach

• Some reduction of administrative burden (no national registration of processing or prior authorisation)

• BCR, seals and certifications

• Greater cooperation and consistency by DP regulators

Broader scope

• Obligations on both controller and processor

• Extraterritorial application to foreign controller and processor

• Wider definition of personal data and sensitive data; anonymous data and pseudonymisation

• Processing data of children under 16 requires parental consent

Increased obligations

• DP principles tightened (consent, transparency/notices)

• Profiling rules

• Privacy Impact Assessment

• Privacy by Design

• Breach notification - to DPAs and individuals

• Direct obligations and liability for processor

• Accountability - privacy program

• Internal record of processing

• DP Officer

Strengthened rights of individuals

• Right to erasure

• Data portability

• Right not to be subject to automated profiling / right to object

Increased enforcement, fines, liability

• Regulatory fines up to 4% of annual worldwide turnover

• Individual action

• Class action

• Criminal sanctions (in national laws)

• Larger role for European Data Protection Board (EDPB)

Page 6

Accountability in GDPR – Privacy Programme

Controllers must:

• Be responsible for compliance with GDPR

• Implement appropriate and effective technical and organisational measures to comply with the GDPR

• Demonstrate compliance & effectiveness of the measures

Taking into account:

• The nature, scope, context, and purposes of the data processing

• The risk for individuals - physical, moral, material damages

Page 7

Privacy Management Programme – Universal Elements

Accountability, Effective Compliance and Protection for Individuals

• Leadership and oversight

• Risk assessment

• Policies and Procedures

• Privacy by Design

• Transparency

• Training and awareness

• Monitoring and verification

• Response and enforcement

Page 8

Accountability Measures Under GDPR

• Internal privacy policies and procedures - compliance rules for DP principles and individual rights

• Security policies

• External transparency measures

• Measures to implement Privacy by Design/Default

• Maintaining internal records of processing

• Keeping documentation and evidence - consent, legitimate interest, notices, PIA, processing agreements, breach response

• Conducting Privacy Impact Assessments - for high risk processing

• Processor choice and management

• Documenting and notifying personal data breaches - to the DPA and individuals

• Maintaining transfer mechanisms for global data transfers

• Appointing a DP Officer, with independent status, protected employment and statutory responsibilities

• Co-operating with DPAs, on request

Page 9

Demonstrating Accountability under GDPR

Accountability can be demonstrated via:

• BCR

• Approved Codes of Conduct

• Approved certifications

• Seals?

• Other accountability frameworks – e.g. ISO Cloud Privacy and Security Standard? CBPR?

Page 10

Game Changer or Business as Usual?

• DP Program – Corporate Digital Responsibility

• DPO led, documented, risk-based, verified, demonstrated

• Data transfers strategy

• Big Data enablement

• DPIA Process

• Privacy Engineers

• Vendor management

• Breach management

• Relationship with DPAs

• Legal uncertainty and disputes management

Page 11

Systematic Changes Ahead for Organisations

Greater need for managing external engagement and relationships (DPAs, EDPB, individuals, media, privacy advocates)

DP Officer (DPO) becomes a more strategic, senior and multi-skilled role

Holistic and joined-up approach between CIO, CISO, CDO, CMO, CPO, Legal and communications / media relations

DP becomes high-profile and board-level issue – higher enterprise risk; larger business, legal and compliance impact; security breach notification and management

DP becomes a business issue - wide impact on company’s globalisation, digital transformation and data strategy

GDPR Implementation - company-wide change management program required

Page 12

WP29 Project Work Plan 2016

WP 29 Guidance:

• Risk

• DPO

• Data Portability

• Certifications

• Main Establishment, Consistency Procedure, Governance and working of EDPB

Page 13

Some examples of further rules and implementation

Member States

• Age of children (13-16)

• Rules for health, genetic, criminal convictions

• Rules to authorise profiling / automated decision taking

• Restrictions to rights / breach notifications

• Responsibility of joint controllers

• DPO appointment

• Employee data

• Statistical, scientific, historical purposes

• National ID numbers

Commission

• Icons and standardised privacy policies

• Technical standards for certifications / seals

EDPB / DPAs

• Standard processing contracts

• List of high risk processing

• Conditions for profiling

• High risk re data breaches

Page 14

Key Themes and Takeaways from CIPL GDPR Project Workshop I Report (1)

Open engagement between industry, regulators, Member States and the Commission is essential for consistent implementation and interpretation of the GDPR.

The successful GDPR implementation will require (1) taking into account the aims of the European Digital Single Market, (2) “future-proof” and technologically neutral interpretation and implementation guidance, (3) EU-wide harmonisation, and (4) consideration of other overlapping EU laws.

“Accountability” is central to the GDPR (for both controllers and processors) and must be coherently understood and actively incentivised by the regulators.

“Smart regulation” may enable European DPAs to discharge their GDPR roles more effectively and tackle the significant changes in their role, powers and national and pan-European operations.

DPO is a cornerstone of organisational accountability and it is essential to clarify the functional and organisational aspects of the role of the DPO, to ensure effectiveness of the role.

Page 15

Key Themes and Takeaways from CIPL GDPR Project Workshop I Report (2)

The understanding of “risk” and “high risk” must be harmonized, and effective risk assessment methodologies that consider both the risks and the benefits of processing must be developed and agreed, without determining the definitive list of high risk processing.

Codes of conduct, certifications, seals and BCR can be effective compliance and accountability tools; they must work at the “programmatic” level rather than at the product-level only and be incentivised by the relevant authorities.

Implementing the right to data portability raises various problems, such as the interactions between data portability and other legal areas.

Transparency to individuals is the other side to organisational accountability – the implementation of transparency requirements should minimise any tension between effective transparency and detailed legal notice requirements; industry queried whether icons are suitable and should be imposed top-down by the Commission.

The GDPR will raise specific challenges for start-ups and SMEs that need to be addressed, for example, by involving these organisations in the stakeholder engagement process and leveraging tool and processes of larger organisations.

Page 16

Beth Sipula

Senior Privacy Consultant, TRUSTe

GDPR: Your Path to Compliance

Page 17

Your Path to GDPR Compliance

TRUSTe has developed a four-step process designed to provide you with a path to achieving GDPR compliance. This multi-step program provides both guidance on what to do, along with options for how TRUSTe can help.

• Are you impacted? Where do you stand?

• What do I need to do to secure stakeholder commitment and resources for execution?

• How do I build a plan that’s prioritized based on risks?

• How do I efficiently implement all of the modules required in the GDPR program?

Page 18

Step 1: Assess Readiness

Are you impacted?

• Do you “offer goods or services to EU residents”?

• Do you “monitor the behavior of EU residents”?

• Are you a “Data Processor” of EU resident personal data (any information relating to an identified or identifiable natural person)?

Where do you stand?

• Use a controls checklist, build one yourself, or leverage the TRUSTe GDPR Readiness Assessment that guides you through core GDPR requirements:

✓ Transparency (i.e., Privacy Policy)

✓ Collection & Purpose Limitation

✓ Consent

✓ Data Quality

✓ Privacy Program Management

✓ Security in the Context of Privacy

✓ Data Breach Readiness & Response

✓ Individual Rights & Remedies

Page 19

Step 2: Build Consensus

What do I need to do to secure stakeholder commitment and resources for execution?

Gather relevant info to present to others

• Overview of the GDPR and its impact

• Best practice frameworks / industry benchmarks

• Scoreboard of where the company currently stands

• Review of the company’s current gaps and risks

• Summary of what it would take to close the gaps

• Rough time and cost analysis of the work required

Facilitate internal kickoff and on-going planning sessions with relevant stakeholders across the organization. Goals:

• Formalize GDPR response team structure / roles / responsibilities

• Agree on short, medium and long-term goals

• Set measurable objectives with success criteria, key milestones

• Secure commitment to, and budget for, the GDPR program

Page 20

Step 3: Develop Plan

How do I build a plan that’s prioritized based on risks?

Conduct a data flow analysis to add to the initial gap analysis

[Diagram of data lifecycle stages: Data Collection, Storage, Processing, Resources Involved, Retention / Deletion]

• Map personal data flows across the business at each stage

• Take into account broader definition of “personal data” (“any information concerning an identified or identifiable natural person”, e.g., geo, IP addresses)

• Resources include all internal systems, 3rd party service providers, and cloud providers

• For new products – review requirements, database schemas, third party integration agreements

• For M&A situations - include data flow analysis for all new entities

Page 21

Step 3: Develop Plan

Build project timeline with commitment dates based on:

• Privacy team’s goals – short, mid, long-term

• Key milestones, e.g., 2018 GDPR enforcement start

• Budget and people resources available

• Remediation activities required from gap analysis

• Prioritized areas for “high risk” and longer implementation times

• Consider using the Privacy Shield to cover a large percentage quickly

Page 22

Step 4: Implement Programs…

Triage … conduct PIAs & remediate “high risk” areas

• GDPR requires you to conduct PIAs for “high risk” activities and implement operational changes

• Most common “high risk” areas tend to center around new products that change the way the business uses / collects / stores personal data

• Put processes in place to conduct ongoing PIAs – templates, technology, training

• Maintain record to demonstrate compliance

Prioritize … implement components with “long timelines”

• Search for qualified DPOs

• New processes and tech capabilities to manage obligations around “Right to be Forgotten” and “Data Portability Rights”

• Security – revise information security policies & deploy training

• Data breach response plans – new 72 hour notification, “without undue delay” for breaches with potential for serious harm

Page 23

Step 4: Implement Programs continued …

Demonstrate … build compliance audit trail and on-going PIA process

• Conduct Final GDPR Assessment to ensure all gaps are closed

• Leverage an assessment repository to house all past, present and future PIAs

• Keep detailed records of any processing performed on personal data

• Leverage template library for ongoing PIAs against the GDPR requirements along with any local or evolving requirements

• Have a Findings Report ready that shows that all GDPR requirements have been met

Page 24

How TRUSTe Can Help

Page 25

GDPR Readiness Assessment

Get visibility on where you stand with the IAPP GDPR Assessment Powered by TRUSTe

• A comprehensive online tool to help assess readiness to meet GDPR requirements

• Control questions mapped to GDPR requirements

• Real-time gap analysis and recommendations

• Remediation management

• Centralized, on-demand reporting

• Easy implementation (no software to install)

Page 26

GDPR Priorities Assessment

Gap Assessment and Findings Report provides a “heat map” and prioritized GDPR remediation plan followed by an onsite review with Key Stakeholders to build consensus

• Summary of company’s current posture assessed against the GDPR and the desired position

• “Heat map” identifying areas of high, mid, low risk

• Level of effort assessment for all operational changes

• Plan organized in immediate, mid-term and long-term priorities to get GDPR program completed

• Onsite Review with Key Stakeholders to help build awareness, secure buy-in, and agreement on an initial program

• The half day on-site interactive sessions led by a TRUSTe Privacy Consultant and custom-tailored to your organization

Page 27

Implementation Programs

TRUSTe has a suite of services that can help with all GDPR program implementation steps

Privacy Shield

Assessment / Certification against Privacy Shield requirements

Data Discovery & Classification

Building data flow visualizations to understand associated privacy risks

PIAs / Privacy Risk Assessments + PIA Program Development

Assess specifically identified “high risk” activities against the GDPR requirements, remediate and develop a sustainable PIA program going forward.

Consent Manager

Technology implementation on your digital properties to meet explicit and implied consent requirements, whether in the context of Cookie Consent or Data Processing

Ads Compliance Manager

Technology implementation on your digital properties to meet consent and choice requirements for Interest Based Advertising (IBA) and Profiling

Page 28

Implementation Programs

Assessment Manager & AM Managed Service

TRUSTe has a suite of services that can help with all GDPR program implementation steps

For companies that have robust in-house privacy assessment operations and want to further optimize, implement our SaaS-based Assessment Manager platform

• Quickly streamline your privacy assessment process

• Get a dashboard view of progress at the tactical level

• Get an enterprise view of risk and mitigation at the Board-level

Page 29

Questions?

Page 30

Contacts

Bojana Bellamy [email protected]

Beth Sipula [email protected]

Eleanor Treharne-Jones [email protected]

Page 31

Our 2016 Summer/Fall Webinar Series will be launched today. Look out for details and register for our next webinar on July 21 “Validating Vendor Assessments – Preparing for Privacy Shield”

See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.

Thank You!