[gdpr webinar slides] preparing for the gdpr - the compliance countdown begins

Privacy Insight Series - truste.com/insightseries

Preparing for the GDPR: the Compliance Countdown Begins

April 14, 2016

Upload: truste

Post on 07-Jan-2017


Slide 2: Today's Speakers

Barbara Mangan Sondag, Privacy Counsel, North America, eBay Inc

Paul Lanois, Counsel, Cross-border Legal, Credit Suisse

Ralph T O'Brien, Principal Consultant EU, TRUSTe

Slide 3: The GDPR – Story so Far

Ralph T O'Brien, Principal Consultant EU, TRUSTe

Slide 4: Why and what is the GDPR?

• GOAL: One single law for the EU
• Previous Directive of 1995 and national laws to be repealed
• Member scope needs enabling legislation (with some ability to vary)
  • 50/99 articles have scope for variance.
• Interpreted nationally by "supervisory authorities"
  • Consistency brought by a European Data Protection Board (EDPB)
• Organizations have a lead authority…
  • …based on the organization's "main establishment" (EU HQ)

Slide 5: Applicability

• Applicability now extra-territorial
  • Based on "residency of individuals in EU"
  • Offering goods or services
  • Monitoring of behavior (such as internet tracking and profiling)
• Where the organization is processing personal data
  • Data that relates to an individual who can be identified from it (or other data you have)
  • Regardless of format (digital, paper, audio, video etc)
  • Doesn't have to be names (ID by picture, IP addresses, device IDs, cookies etc)
• Sets up Consistency Mechanisms and EDPB
• Supports Codes of Conduct, Seals and Certifications as evidence of compliance

Slide 6: Timeline

• Political agreement reached between Council and Parliament December 2015
• Final text 6 April 2016 from Technical drafting committees
• The text of the regulation will be sent to the European Parliament where it will first be approved by the Civil Liberties, Justice and Home Affairs (LIBE) committee in an extraordinary session
• It has been adopted in plenary on 14 April 2016 (Today!)
• It will then be published in the Official Journal of the European Union (OJEU)
• Exactly two years after the date of publication in the OJEU, the Regulation will enter into force (April/May 2018?)

Slide 7: Privacy under the EU Model (diagram)

Entities shown: Data Protection Authority (supervising authority, based on main establishment); Data Controller (organisations); Data Subject (individuals); Data Processor; Third Countries; Third Parties; European Data Protection Board (consistency mechanism); EU Courts; National Courts.

Relationships labelled on the diagram: Duties; Rights; Disclosure?; Inform?; Security?; Guarantees?; Advisory and Enforcement; Complain?

Slide 8: Key Requirements

Increased Individual Rights
• Access to data
• Remedy from supervisory body/court
• Compensation for Damage
• Compensation for Distress
• Rectification (NEW)
• Objection – Absolute for direct marketing
• Erasure (NEW)
• Data Portability (NEW)
• Restrict processing (put on hold)
• Automated decisions and profiling

Increased Obligations
• Consent harder to obtain/prove
• Privacy notices more detailed/clearer
• Proactively Demonstrate Compliance
• Breach Notification (72 hours) - To individual and regulator
• Appointment of Data Protection Officer (250+, or high risk processing)
• Privacy by Design
• Privacy Impact Assessments
• More obligations for Processors (Joint Controllership)

Slide 9: Privacy Principles Remain Consistent

• Lawful basis
• Fair processing
• Specify Purposes (Limitation)
• Adequate, relevant, not excessive (Minimization)
• Accuracy
• Retention
• Rights of Individuals
• Appropriate Security
• International Transfer adequacy

Slide 10: Key Privacy Risks

• National Laws may set up additional penalties (enforced audit, reprimand, criminal sanctions)
• Fines
• Increased Consumer awareness
• Increased activism
• Courts now finding for individual more often (courts as activists)
• Greater "visibility" of privacy in the media
• Ethical business practices ("creepiness")
• Reputational harm
• Decreased Consumer Trust

Slide 11: Fines

• Up to 10m EUR or 2% of world annual turnover of last FY
• Up to 20m EUR or 4% of world annual turnover of last FY

Slide 12: POLL

How prepared is your organization with the European Union's upcoming General Data Protection Regulation (the "GDPR")?

1. Sorry, GDPR? Any connection with the Gross Domestic Product?
2. We are already prepared, ready and waiting. Bring it on!
3. We have already begun work and expect to be in time.
4. We are not sure we will be ready by the deadline.
5. We have not started anything yet.

Slide 13: GDPR: what you can do now to prepare yourself

Paul Lanois, Legal Counsel, Cross-border Legal, Credit Suisse

Note: the views expressed are mine alone and do not necessarily reflect the views of my employer.

Slide 14: Scope

The scope of application of the GDPR is broader than the EU current data protection regime:

• Under the current regime, organizations are in scope if they are located within the EU or make use of (automated) equipment located within the EU.
• With the GDPR, the legislation extends to all organizations offering goods or services to EU citizens, irrespective of whether connected to a payment, and organizations that monitor (online) behavior of EU citizens, in so far as the behavior takes place in the EU.

Even if your organization does not have any branches or processing equipment in the EU, it could still fall within the scope of the GDPR! Any entity holding or using European personal data will be impacted.

Slide 15: Start building awareness now

Change is coming… and your staff needs to know about it sooner rather than later! But an implementation timeframe of 2 years is plenty of time, right?

• French "Digital Republic" bill anticipating the GDPR.
• Some obligations are new and will take time to implement, for example:
  o Subject access requests: Processes may need to be created to be able to respond to requests from individuals without undue delay and at the latest within one month.
  o Data Portability: GDPR gives individuals the right to receive their personal data in a structured, commonly-used and machine-readable format. Individuals may also request, where technically feasible, that the controller send the personal data to another controller.
  o Privacy by Design: embed privacy into the design specifications of technologies, business practices, and physical infrastructures.

Slide 16: How to raise awareness

o This is a big and serious change from the current regime.
o "Data protection will be the new anti-trust" - Giovanni Buttarelli, European Data Protection Supervisor.

Ensure that decision makers and key people in your organization are now aware that the law is changing so that they can start identifying the areas that will have the biggest impact on them.

• Right to compensation: "Any person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation for the damage suffered."
• Sanctions: fines can amount to EUR 20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Slide 17: Some less known points to consider

• With the GDPR, additional points must be covered in the privacy notice: for example, you will need to explain your legal basis for processing the data, your data retention periods and that individuals have a right to complain if they think there is a problem with the way you are handling their data.
• Information must be provided "in a concise, transparent, intelligible and easily accessible form, using clear and plain language."
• Restrictions surrounding automated data processing and decisions based upon such processing (i.e. profiling).
• Parental consent will be needed to process personal data of children under 16 (Member States may bring this down to 13).

Slide 18: GDPR: Privacy Impact Assessments

Barbara Mangan Sondag, Privacy Counsel, North America, eBay

Note: the views expressed are mine alone and do not necessarily reflect the views of my employer.

Slide 19: Privacy Impact Assessments (PIAs) at a glance

Privacy Impact Assessment a.k.a. Data Protection Impact Assessment (DPIA)

• No definition in GDPR text
• Regarded as a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimizing or eliminating that impact.
• Plays an important role in the overall risk management and planning processes of a company

PIAs can assist businesses with:

• Describing how personal information flows in a project
• Analyzing the possible impacts on individuals' privacy
• Identifying and recommending options for avoiding, minimizing or mitigating negative privacy impacts
• Building privacy considerations into the design of a project
• Achieving the project's goals while minimizing the negative and enhancing the positive privacy impacts.

Slide 20: Privacy Impact Assessments (PIAs) at a glance

Benefits of PIAs:

• demonstrating that a project is compliant with privacy laws
• reducing future costs in management time, legal expenses and potential negative publicity by considering privacy issues early in a project
• identifying strategies to achieve the project's goals without impacting on privacy
• promoting awareness and understanding of privacy issues inside the organization or agency
• contributing to broader organizational or agency risk management processes.

Risks of not undertaking a PIA include:

• non-compliance with the letter or the spirit of relevant privacy laws, potentially leading to a privacy breach and/or negative publicity
• loss of credibility by the entity through lack of transparency in response to public concern about handling personal information
• damage to an entity's reputation if the project fails to meet expectations about how personal information will be protected
• identification of privacy risks at a late stage in the project development or implementation, resulting in unnecessary costs or inadequate solutions.

Slide 21: GDPR Requirements

Applicable GDPR Text

Data Protection Impact Assessments (DPIAs) (Sect. 3, Art. 35)

• The supervisory authority shall establish and make public a list of the types of processing operations that require a DPIA. They may also establish and make public a list of the types of processing operations that do not require a DPIA.
• Lists shall be communicated to EUDPB.
• Penalty, Art. 83: Administrative fines up to 10,000,000 EUR, or in case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher

Obligations

DPIAs are required for any processing that may result in "high risk", and for:

• Systematic and extensive automated processing, including profiling, if the decisions produce legal effects or significantly affect the individual. Example: Making predictions based on a person's behavior, economic situation, health, location
• Processing special categories of data (i.e. genetic or biometric data) or criminal records on a large scale
• Systematic monitoring of a publicly accessible area on a large scale
• As indicated by the DPAs or EUDPB

Each DPIA shall contain at least:

• A systematic description of the processing operations and the purposes of the processing, including where applicable the legitimate interest of the controller
• An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
• An assessment of the risks to the rights and freedoms of data subjects, and
• The measures needed to address the risks, including safeguards, security measures and mechanisms to demonstrate compliance

Slide 22: GDPR Requirements

Implementation Considerations

Evaluate existing PIA processes against PIA requirements, particularly events that may constitute high risk:

• Conversion of records from paper-based to electronic form;
• Conversion of information from anonymous to identifiable form;
• System management changes involving significant new uses and/or application of new technologies;
• Significant merging, matching or other manipulation of multiple databases containing personal data;
• Incorporation into existing databases of personal data obtained from commercial or public sources;
• Alteration of a business process resulting in significant new collection, use and/or disclosure of personal data

• Consider risk definitions and evaluation criteria used within the business
• A single DPIA may address a set of processing operations that present similar high risks.
• Where appropriate, seek the views of data subjects on the intended processing.
• Conduct audits to verify that processing is performed in compliance with the DPIA, at least when there is a change of the risk represented by the processing operations.
• Where a DPIA indicates high risk: If the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.

Slide 23: Practical Points for PIAs

• Build, implement and be able to document a robust PIA process
• Your company's core business drivers influence the content of a PIA (for example, eBay's PIA would likely look very different from American Express' PIA because of the products/services they offer).
• A single assessment may involve many people in multiple geographies. It can cross various business units and be reviewed by several internal and external stakeholders.
• Systematically evaluate how personally identifiable information is collected, used, shared and maintained by your organization in the context of business change
• What areas of your program should you address? At what level? Privacy Notice? Large-scale strategic projects? Individual use cases?

Slide 24: Practical Points for PIAs (2)

• Consider a bifurcated PIA process, with traditional PIAs for all projects and EU DPIAs for projects that trigger these rules
• Documentation requirements may impose a burden on development teams using agile and similar methods – additional resources may have to be added to manage recordkeeping
• Consider advantages and risks of maintaining DPIA records with records of processing activities required by Art. 30.
• Where possible, automate parts of the PIA, standardize reviews, and obtain metrics on PIAs.
• Your Information Security Team is a great partner!
• PIAs should be an integral part of the project planning process, not an afterthought.

Slide 25: Case Study: eBay Vendor Assessments

• Global Privacy partnered with Information Security team to build out a ticketing system for vendor security assessments
• Security + Privacy questions to comprehensively assess risk
• Share body of knowledge in one system; align resources between teams; quickly prompt the preparation of the right type of Data Protection Requirements Addendum (DPRA)
• Business notified if further information is required
• Executed DPRA attached to ticket for future reference
• Save time for Business, Legal, Privacy and Information Security

One-time ticket completion: Business can communicate project details to InfoSec and Privacy simultaneously.

Everyone wins – save time for future lookup. The project details and assessment are documented in the ticketing system, not in emails.

Slide 26: Sample (screenshot of the vendor assessment ticket; image not reproduced in this transcript)

Slide 27: Questions?

Slide 29: Closing

Don't miss the next webinar in the Series – "Global Privacy Enforcement Priorities" on May 19 featuring Chris Hoofnagle, Adjunct Full Professor, University of California, Berkeley.

See http://www.truste.com/insightseries for details of our 2016 Privacy Insight Series and past webinar recordings.

Thank You!