privacy shield self-certification – what's next? [webinar slides]
TRANSCRIPT
1 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
v © TRUSTe Inc., 2017
Privacy Shield Self-Certification –
What's Next?
February 23, 2017
2 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
Today’s Speakers
K Royal, JD, CIPP/E/US
Senior Privacy Consultant,
TRUSTe
Amanda Gratchner
Global Privacy Counsel,
NAVEX Global
David Fowler
Chief Privacy & Digital Compliance Officer,
Act-On Software
3 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
•Welcome & Introductions
•Privacy Shield
–Self-certification
–Updates
•Relationships
–Various frameworks
•Leveraging Privacy Shield
•Q&A
Today’s Agenda
4 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
Have you Self-certified for Privacy Shield?
• Yes
• No
• In Progress
Webinar Poll
5 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
v © TRUSTe Inc., 2017
Privacy Shield – One Year On
6 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
Understanding the Privacy Shield Framework
What’s different compared to Safe Harbor? • New Privacy Protections
• Notice requirements, accountability for onward transfer, purpose limitation and data retention
• Enhanced Complaint Resolution • Response time to EU individuals, free dispute
resolution, binding arbitration as last-resort option • Improved Cooperation and Transparency
• Monitoring and dispute resolution requires cooperation with International Trade Administration (ITA) Privacy Shield Team, ongoing requirements (if withdraw and maintain data), publication of FTC compliance reports (if subject to enforcement action)
6
7 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
Joining the Privacy Shield Program
1. Confirm Your Organization’s Eligibility to Participate
2. Develop a Compliant Privacy Policy 3. Establish an Independent Recourse Mechanism
(IRM) 4. Ensure a Verification Mechanism is in place 5. Identify your Privacy Shield Point of Contact 6. Self-certify Using the Privacy Shield Website 7. Reaffirm Self-certification Annually 8. Reply to Inquiries from EU citizens, IRM,
Commerce, and/or DPAs as Required
7
8 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
Practical Considerations and Challenges
• Understanding the Privacy Shield Framework
• Understanding your business operations
• Developing compliant privacy statements and notices
• Developing privacy program governance, policies, and
procedures
• Verification of privacy practices and monitoring of
compliance
• Keeping records of Privacy Shield Principles implementation
• Employee training and awareness
• Dealing with onward transfer issues
• Dealing with data subject access requests and privacy
complaints
8
9 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
Privacy Shield Self-Certification
Companies that had EU/US Safe Harbor
• Filed by September 30, 2016
• 9 months to come into compliance
- June 30, 2017
• Posted: 1705
What about those that did not certify?
What about those who were not in Safe Harbor?
10 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
Privacy Shield Updates
What’s the future for Privacy Shield?
• Brexit
• Irish lawsuit
• French lawsuits
• Executive orders
What about other Data Transfer Compliance
Mechanisms?
11 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
v © TRUSTe Inc., 2017
Frameworks
12 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
Privacy Shield vs.
the GDPR
13 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
General Data Protection Regulation
European law
• From Directive 95 to GDPR
• Address societal and technological changes
May 25, 2018
Stats
• Companies impacted
• Privacy jobs
14 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
Cross Border Data Transfers
Adequacy
• Privacy Shield
Binding Corporate Rules
• Controllers and Processors
Standard Contractual Clauses
Under GDPR – codes of conduct
15 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
Binding Corporate Rules
Intergroup agreement
• Group – defined
Transfer mechanism
• Specifically mentioned in GDPR
Considered “gold standard”
Companies:
Binding Safe Processing Rules
• BCRs for Controllers and Processors
16 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
Cross Border Privacy Rules
• Asia-Pacific Economic Cooperation
• Voluntary program
• 2011
• Independent accountability agent required
• 4 economies so far
- USA, Mexico, Japan and Canada
• Crosswalk published BCRs/CBPRs
- Merck
17 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
v © TRUSTe Inc., 2017
Leveraging Privacy Shield
18 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
What should a company do?
• Data
• Policies
• Practices
• Legal/Compliance Specific
• Consider certification programs
19 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
Data To-Dos
Data
• inventory
• classification
• minimization
• record retention
• destruction
20 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
Policy To-Dos
Information security policies
• training
• monitor compliance
Privacy policies
• easily accessible
• clear and plain language
• full disclosure of data collection and processing
21 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
Practices To-Dos
PIAs
Complaint process (must be easy)
Review and revise methods of obtaining consent
Data portability and erasure processes
Update incident response plans
• notice to supervisory agencies within 72 hours
22 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
Legal-Specific To-Dos
• DPO (Data Protection Officer) authority and independence, monitor compliance, perform training, and conduct internal audits. • Accountability: detailed records of the processing performed on personal data • Review BCRs (or SCCs) for compliance w/ GDPR • Addendums for onward transfer requirements • Vendor oversight and accountability • Insurance policies global or enterprise coverage, types of data issues, and increased costs and liabilities
23 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
v © TRUSTe Inc., 2017
Questions?
24 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
v © TRUSTe Inc., 2017
K Royal [email protected]
Amanda Gratchner [email protected]
David Fowler [email protected]
Contacts
25 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017
v © TRUSTe Inc., 2017
Register now for the next webinar in our 2017 Winter/Spring Webinar Series
on March 23 “Privacy Program Management: A Framework for Success”
See http://www.truste.com/insightseries for the 2017 Privacy Insight Series
and past webinar recordings.
Thank You!