[gdpr webinar slides] path to gdpr compliance
TRANSCRIPT
Privacy Insight Series - truste.com/insightseries
Path to GDPR Compliance
June 29, 2016
Thank you for joining the webinar
• We will be starting a couple minutes after the hour
• This webinar will be recorded and the recording and slides sent out later today
• Please use the GotoWebinar control panel on the right hand side to submit any questions for the speakers
Today’s Speakers
Eleanor Treharne-Jones, CIPP/E, VP Consulting, TRUSTe (moderator)
Beth Sipula, Senior Privacy Consultant, TRUSTe
Bojana Bellamy, CIPP/E, President, Hunton & Williams Centre for Information Policy Leadership (CIPL)
The New EU Data Protection Regulation: A Catalyst for Sea Change for All?
Bojana Bellamy, CIPP/E, President, Hunton & Williams Centre for Information Policy Leadership (CIPL)
EU Data Protection Regulation at a Glance
Harmonisation and some progress
• Harmonised rules, but not fully (e.g. employee data, children’s data)
• One Stop Shop: Lead DPA for pan-European matters, in cooperation with other DPAs; Local DPA for local matters and redress for individuals
• Risk-based approach
• Some reduction of administrative burden (no national registration of processing or prior authorisation)
• BCR, seals and certifications
• Greater cooperation and consistency by DP regulators
Broader scope
• Obligations on both controller and processor
• Extraterritorial application to foreign controllers and processors
• Wider definition of personal data and sensitive data; anonymous data and pseudonymisation
• Processing data of children under 16 requires parental consent
Increased obligations
• DP principles tightened (consent, transparency/notices)
• Profiling rules
• Privacy Impact Assessment
• Privacy by Design
• Breach notification - to DPAs and individuals
• Direct obligations and liability for processors
• Accountability - privacy programme
• Internal record of processing
• DP Officer
Strengthened rights of individuals
• Right to erasure
• Data portability
• Right not to be subject to automated profiling / right to object
Increased enforcement, fines, liability
• Regulatory fines up to 4% of annual worldwide turnover
• Individual action
• Class action
• Criminal sanctions (in national laws)
• Larger role for European Data Protection Board (EDPB)
Accountability in GDPR – Privacy Programme
Controllers must:
• Be responsible for compliance with GDPR
• Implement appropriate and effective technical and organisational measures to comply with the GDPR
• Demonstrate compliance & effectiveness of the measures
Taking into account:
• The nature, scope, context, and purposes of the data processing
• The risk for individuals - physical, moral, material damages
Privacy Management Programme – Universal Elements
Accountability, Effective Compliance and Protection for Individuals
• Leadership and oversight
• Risk assessment
• Policies and Procedures
• Privacy by Design
• Transparency
• Training and awareness
• Monitoring and verification
• Response and enforcement
Accountability Measures Under GDPR
• Internal privacy policies and procedures - compliance rules for DP principles and individual rights
• Security policies
• External transparency measures
• Measures to implement Privacy by Design/Default
• Maintaining internal records of processing
• Keeping documentation and evidence - consent, legitimate interest, notices, PIA, processing agreements, breach response
• Conducting Privacy Impact Assessments - for high risk processing
• Processor choice and management
• Documenting and notifying personal data breaches - to the DPA and individuals
• Maintaining transfer mechanisms for global data transfers
• Appointing a DP Officer, with independent status, protected employment and statutory responsibilities
• Co-operating with DPAs, on request
Demonstrating Accountability under GDPR
Accountability can be demonstrated via:
• BCR
• Approved Codes of Conduct
• Approved certifications
• Seals?
• Other accountability frameworks – e.g. ISO Cloud Privacy and Security Standard? CBPR?
Game Changer or Business as Usual?
• DP Program – Corporate Digital Responsibility: DPO led, documented, risk-based, verified, demonstrated
• Data transfers strategy
• Big Data enablement
• DPIA Process
• Privacy Engineers
• Vendor management
• Breach management
• Relationship with DPAs
• Legal uncertainty and disputes management
Systematic Changes Ahead for Organisations
• Greater need for managing external engagement and relationships (DPAs, EDPB, individuals, media, privacy advocates)
• DP Officer (DPO) becomes a more strategic, senior and multi-skilled role
• Holistic and joined-up approach between CIO, CISO, CDO, CMO, CPO, Legal and communications / media relations
• DP becomes a high-profile and board-level issue – higher enterprise risk; larger business, legal and compliance impact; security breach notification and management
• DP becomes a business issue - wide impact on the company’s globalisation, digital transformation and data strategy
• GDPR implementation - company-wide change management programme required
WP29 Project Work Plan 2016
WP 29 Guidance: Risk; DPO; Data Portability; Certifications; Main Establishment, Consistency Procedure, Governance and working of EDPB
Some examples of further rules and implementation
Member States
• Age of children (13-16)
• Rules for health, genetic, criminal convictions
• Rules to authorise profiling / automated decision taking
• Restrictions to rights / breach notifications
• Responsibility of joint controllers
• DPO appointment
• Employee data
• Statistical, scientific, historical purposes
• National ID numbers
Commission
• Icons and standardised privacy policies
• Technical standards for certifications / seals
EDPB / DPAs
• Standard processing contracts
• List of high risk processing
• Conditions for profiling
• High risk re data breaches
Key Themes and Takeaways from CIPL GDPR Project Workshop I Report (1)
• Open engagement between industry, regulators, Member States and the Commission is essential for consistent implementation and interpretation of the GDPR.
• The successful GDPR implementation will require (1) taking into account the aims of the European Digital Single Market, (2) “future-proof” and technologically neutral interpretation and implementation guidance, (3) EU-wide harmonisation, and (4) consideration of other overlapping EU laws.
• “Accountability” is central to the GDPR (for both controllers and processors) and must be coherently understood and actively incentivised by the regulators.
• “Smart regulation” may enable European DPAs to discharge their GDPR roles more effectively and tackle the significant changes in their role, powers and national and pan-European operations.
• The DPO is a cornerstone of organisational accountability, and it is essential to clarify the functional and organisational aspects of the DPO role to ensure its effectiveness.
Key Themes and Takeaways from CIPL GDPR Project Workshop I Report (2)
• The understanding of “risk” and “high risk” must be harmonised, and effective risk assessment methodologies that consider both the risks and the benefits of processing must be developed and agreed, without determining a definitive list of high risk processing.
• Codes of conduct, certifications, seals and BCR can be effective compliance and accountability tools; they must work at the “programmatic” level rather than at the product level only, and be incentivised by the relevant authorities.
• Implementing the right to data portability raises various problems, such as the interactions between data portability and other legal areas.
• Transparency to individuals is the other side of organisational accountability – the implementation of transparency requirements should minimise any tension between effective transparency and detailed legal notice requirements; industry queried whether icons are suitable and should be imposed top-down by the Commission.
• The GDPR will raise specific challenges for start-ups and SMEs that need to be addressed, for example, by involving these organisations in the stakeholder engagement process and leveraging the tools and processes of larger organisations.
GDPR: Your Path to Compliance
Beth Sipula, Senior Privacy Consultant, TRUSTe
Your Path to GDPR Compliance
TRUSTe has developed a four-step process designed to provide you with a path to achieving GDPR compliance. This multi-step program provides both guidance on what to do, along with options for how TRUSTe can help.
1. Are you impacted? Where do you stand?
2. What do I need to do to secure stakeholder commitment and resources for execution?
3. How do I build a plan that’s prioritized based on risks?
4. How do I efficiently implement all of the modules required in the GDPR program?
Step 1: Assess Readiness
Are you impacted?
• Do you “offer goods or services to EU residents”?
• Do you “monitor the behavior of EU residents”?
• Are you a “Data Processor” of EU resident personal data (any information relating to an identified or identifiable natural person)?
Where do you stand?
• Use a controls checklist, build one yourself, or leverage the TRUSTe GDPR Readiness Assessment that guides you through core GDPR requirements:
✓ Transparency (i.e., Privacy Policy)
✓ Collection & Purpose Limitation
✓ Consent
✓ Data Quality
✓ Privacy Program Management
✓ Security in the Context of Privacy
✓ Data Breach Readiness & Response
✓ Individual Rights & Remedies
Step 2: Build Consensus
What do I need to do to secure stakeholder commitment and resources for execution?
Gather relevant info to present to others
• Overview of the GDPR and its impact
• Best practice frameworks / industry benchmarks
• Scoreboard of where the company currently stands
• Review of the company’s current gaps and risks
• Summary of what it would take to close the gaps
• Rough time and cost analysis of the work required
Facilitate internal kickoff and on-going planning sessions with relevant stakeholders across the organization. Goals:
• Formalize GDPR response team structure / roles / responsibilities
• Agree on short, medium and long-term goals
• Set measurable objectives with success criteria, key milestones
• Secure commitment to, and budget for, the GDPR program
Step 3: Develop Plan
How do I build a plan that’s prioritized based on risks?
Conduct a data flow analysis to add to the initial gap analysis
Stages: Data Collection, Storage, Processing, Resources Involved, Retention / Deletion
• Map personal data flows across the business at each stage
• Take into account the broader definition of “personal data” (“any information concerning an identified or identifiable natural person”, e.g., geo, IP addresses)
• Resources include all internal systems, 3rd party service providers, and cloud providers
• For new products – review requirements, database schemas, third party integration agreements
• For M&A situations - include data flow analysis for all new entities
Step 3: Develop Plan
Build project timeline with commitment dates based on:
• Privacy team’s goals – short, mid, long-term
• Key milestones, e.g., 2018 GDPR enforcement start
• Budget and people resources available
• Remediation activities required from gap analysis
• Prioritized areas for “high risk” and longer implementation times
• Consider using the Privacy Shield to cover a large percentage quickly
Step 4: Implement Programs…
Triage … conduct PIAs & remediate “high risk” areas
• GDPR requires you to conduct PIAs for “high risk” activities and implement operational changes
• Most common “high risk” areas tend to center around new products that change the way the business uses / collects / stores personal data
• Put processes in place to conduct ongoing PIAs – templates, technology, training
• Maintain records to demonstrate compliance
Prioritize … implement components with “long timelines”
• Search for qualified DPOs
• New processes and tech capabilities to manage obligations around “Right to be Forgotten” and “Data Portability Rights”
• Security – revise information security policies & deploy training
• Data breach response plans – new 72 hour notification, “without undue delay” for breaches with potential for serious harm
Step 4: Implement Programs continued …
Demonstrate … build compliance audit trail and on-going PIA process
• Conduct Final GDPR Assessment to ensure all gaps are closed
• Leverage an assessment repository to house all past, present and future PIAs
• Keep detailed records of any processing performed on personal data
• Leverage template library for ongoing PIAs against the GDPR requirements along with any local or evolving requirements
• Have a Findings Report ready that shows that all GDPR requirements have been met
How TRUSTe Can Help
GDPR Readiness Assessment
Get visibility on where you stand with the IAPP GDPR Assessment Powered by TRUSTe
• A comprehensive online tool to help assess readiness to meet GDPR requirements
• Control questions mapped to GDPR requirements
• Real-time gap analysis and recommendations
• Remediation management
• Centralized, on-demand reporting
• Easy implementation (no software to install)
GDPR Priorities Assessment
Gap Assessment and Findings Report provides a “heat map” and prioritized GDPR remediation plan followed by an onsite review with Key Stakeholders to build consensus
• Summary of company’s current posture assessed against the GDPR and the desired position
• “Heat map” identifying areas of high, mid, low risk
• Level of effort assessment for all operational changes
• Plan organized in immediate, mid-term and long-term priorities to get GDPR program completed
• Onsite Review with Key Stakeholders to help build awareness, secure buy-in, and agreement on an initial program
• The half day on-site interactive sessions led by a TRUSTe Privacy Consultant and custom-tailored to your organization
Implementation Programs
TRUSTe has a suite of services that can help with all GDPR program implementation steps
Privacy Shield
Assessment / Certification against Privacy Shield requirements
Data Discovery & Classification
Building data flow visualizations to understand associated privacy risks
PIAs / Privacy Risk Assessments + PIA Program Development
Assess specifically identified “high risk” activities against the GDPR requirements, remediate and develop a sustainable PIA program going forward.
Consent Manager
Technology implementation on your digital properties to meet explicit and implied consent requirements, whether in the context of Cookie Consent or Data Processing
Ads Compliance Manager
Technology implementation on your digital properties to meet consent and choice requirements for Interest Based Advertising (IBA) and Profiling
Implementation Programs
TRUSTe has a suite of services that can help with all GDPR program implementation steps
Assessment Manager & AM Managed Service
For companies that have robust in-house privacy assessment operations and want to further optimize, implement our SaaS-based Assessment Manager platform
• Quickly streamline your privacy assessment process
• Get a dashboard view of progress at the tactical level
• Get an enterprise view of risk and mitigation at the Board-level
Questions?
Contacts
Bojana Bellamy [email protected]
Beth Sipula [email protected]
Eleanor Treharne-Jones [email protected]
Our 2016 Summer/Fall Webinar Series will be launched today. Look out for details and register for our next webinar on July 21, “Validating Vendor Assessments – Preparing for Privacy Shield”.
See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.
Thank You!