TRANSCRIPT
#EATPconf
Implications of New Data Protection
and Privacy Rules for Test Sponsors, Providers
and Users in the EU and US
Privacy Shield Impacts on US Testing Companies
Gary Behrens, General Dynamics IT
10/4/2016 2
EU-US Privacy Shield Timeline
■ 2 February 2016 – EU-US Privacy Shield announced
■ 26 May – Resolution passed by EU Parliament
    Request EU Commission to adopt Article 29 Working Party suggestions
■ 30 May – Rejected by EU Data Protection Supervisor
    Not robust enough to prevent bulk surveillance by U.S. government
■ 8 July – Approved by 24 EU member states
    Strengthened provisions for protection from U.S. government surveillance
■ 12 July – Privacy Shield agreement takes effect
    Formal adoption by EU Commission
■ 26 July – Article 29 Working Party sets one year trial period
    Still concerned with automated decision rules, how it applies to processors, and allowance for general right to object, among other issues
■ 1 August – U.S. companies able to register for certification
    Applications can be submitted to U.S. Department of Commerce
■ But for how long?
    Critics have vowed to challenge it up to the EU Court of Justice
Obligations on U.S. Companies
■ Register annually
    Compliance will be verified by U.S. Department of Commerce
■ Publish certification details
    Must insert statement of compliance in privacy policy online
    Must include links to Commerce website about Privacy Shield
■ Respond to complaints
    Must address individual complaints by EU residents within 45 days
    EU residents can file with home country data authorities if no timely response; triggers request for Commerce Department intercession
■ Provide resolution services
    Must make 3rd party Alternative Dispute Resolution services available
■ Submit to arbitration
    Must agree to abide by Privacy Shield Panel rulings if not resolved
Additional Obligations Relevant to Testing
■ Employment testing and assessment may qualify as “HR-related personal information”
    Must commit to abide by EU data protection authority advice on policy and procedure changes
    Resolve current complaint and avoid future similar ones
    Uncertainty as to whether this might include pre-employment testing of job applicants as well as current employee assessment
■ Tighter restrictions for onward 3rd party transfers
    Ensure 3rd party partners handle transferred data consistent with provider’s obligations under Privacy Shield and EU privacy principles
    Could entail contractual stipulations (e.g., Model Contract Clauses)
    Nine month grace period to put contractual language in place
    Uncertainty as to whether service providers/data processors are then considered data controllers or if end users become 3rd parties
Additional requirements still to be determined
Enforcement of Commitments
■ Verification
    Department of Commerce checks privacy policy alignment to Privacy Shield principles
■ Investigation
    Commerce or Federal Trade Commission can probe unresolved complaints and related matters
■ Sanctions
    Noncompliance may lead to suspension of data transfers, possibly fines, until fixed
■ Exclusion
    Prolonged or serial noncompliance may result in permanent ban from Privacy Shield participation
■ Legal Action
    Willful noncompliance could result in prosecution/liability for fraudulent business practices
What It Comes Down To Is This
Key Takeaways
■ Privacy Shield offers business continuity at a price
■ Data transfers are not any easier
■ Greater compliance expense
■ Greater risk of legal exposure
Other Possible Options
■ Binding corporate rules
    For internal company transfers
    Uncertainty about future validity
    Need EU data authority approval from individual member countries
■ Model contract clauses
    For customer contracts only, not 3rd party transfers
    Uncertainty about future validity
    Need EU data authority approval from individual member countries
■ Stand up EU data centre
    Start up and maintenance costs
    Time required to implement
■ Partner with EU testing vendor
    Need a compatible platform
EU-US Privacy Shield Practical Implications
Prometric Global Testing – A Case Study
Garrett Sherry, Prometric
EU-US Privacy Shield Practical Implications
Prometric Global Testing – A Case Study
■ What actions have we considered and taken
■ What was involved in the process and what were the implications
■ What are we doing, when and why
Review and Action Planning
■ Comprehensive Review of Current Policies
    Review by Legal Group
    Review by Global Standards Group
    Review by Technology Group
    Review by International Business Group
■ Gap Analysis
    Identified changes we needed to make to comply
■ Financial impact and planning
    Cost implications and timing of spend identified and agreed
■ Executive sponsorship and agreement on action
    Full engagement and support from senior management team
Privacy Shield Requirements Identified
■ New Accountability Obligations for onward transfers
    Ultimately responsible for all personal data transferred to any 3rd party partner / contractor
    New contract provisions necessary
    New process required for monitoring, reporting, remediation and disclosure
■ Process to Maintain all records related to Privacy Shield verification
    Strong Audit Trail processes to cover potential enquiries from the U.S. Federal Trade Commission and Department of Commerce and EU Regulators and DPAs.
■ Explicit Consent from Candidates
    Obtaining explicit consent of the individual whose personal data is being collected has now become the normal standard in the majority of countries. This is a challenge as the data is often collected at the client-level.
    We need to ensure that the appropriate consent is obtained at the client-level, and that the language covers us as the data processor.
EU General Data Protection Regulation Issues
■ Data Protection Authority Registration
    Businesses operating in multiple Member States will be required to register with the Data Protection Authority in their “main place of establishment”
    We have chosen Ireland, but issues with Schrems / Facebook case
■ Information Notices and Explicit Consent
    Information notices to candidates require more detailed information to be provided.
    Explicit consent of the data subject regarding the collection/processing of “sensitive data”
■ Breach Notification and Penalties
    More onerous notification obligation when a data breach occurs
    Heightened penalties for non-compliance
Preparing for Privacy Shield and GDPR
■ Decision taken to prepare now for both
    Take actions to prepare to be compliant, now and fund it!
■ Actions Taken
    Changes to Scheduling and Registration Systems
    Changes to Data Privacy Notices
    Opt in / Out capability as part of registration process
    Changes to internal procedures
    Data Centre Strategy in planning
    New Audit trail process in place
    Monitoring and reporting protocols agreed and implemented
■ EU–US Privacy Shield Adopted in July
    Certification process with US Department of Commerce from Aug 1.
    Prometric completed all the required steps to apply for and receive Privacy Shield certification from the US Department of Commerce as of August 31
■ Review Process in Place to Monitor GDPR developments
Global Data Processing Strategy
■ Data Centre Strategy
    Concept of PII being processed & held where it needs to be
    System development to allow remote storage & processing of PII
    International Data Centre Infrastructure strategy
■ Infrastructure Plan
    Data Centre build out in US, Europe & Asia
    System changes to be implemented to facilitate centralised testing system architecture, but localised PII processing
    Data held in the geographic region where it is required for processing
    No PII transferred to the US from other regions
■ We have embraced the concepts of:
    The risk to reputation of inappropriate data handling / breach is high
    PII obligations are here to stay and the organisation has to plan accordingly
    Only move and keep data where it needs to be
    A global strategy is required to meet local needs
Summary
Key Takeaways
■ A comprehensive review of current processes, procedures and systems
■ Understand risks and agree what needs to change to comply
■ Agree costs and timelines for implementation
■ Be prepared for higher operating & compliance costs
EU-US Privacy Shield Implications to I/O Customers:
Reflections from the Market Today
Rostislav Benák, Assessment Systems International
EU-US Privacy Shield Impact to I/O Customers:
Assessment Systems International Experience
What response and actions have we observed on the market lately:
■ Where we have observed it
■ Who is involved in the process and who are the key stakeholders
■ How customer-clusters tend to differ in their response
■ Local specifics of CE, EE, SEE
■ Key Takeaways
Different Stakeholders with Different Needs
■ US Test Publisher
■ EU Test Distributor
■ Institutional Customer
■ Individual Proband (test-taker)
Customer Clusters
■ Governmental Organizations
    Armed forces and intelligence services
■ Large Multinational Corporations
    Often with governmental ownership or US HQ
■ Privately-held Businesses and SMEs
Local Specifics in CE, EE, SEE
■ Difference between DECLARED and LIVED
■ Paradox of hypercompensations
■ Russia, Kazakhstan, (CIS)
Summary
Key Takeaways
■ The process after Safe Harbor is hopefully starting to be promising.
■ Implications are higher costs for sure, with positive impact still questionable.
■ Continuous uncertainty is bringing some customers to a full halt.
■ Some customers consider returning to a pre-cloud and pre-internet software “Stone-age”.
■ Further clarity, transparency, certainty, and stability would be vital!