understanding new eu guidance on dpia/pia requirements [webinar slides]
TRANSCRIPT
1 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Understanding new EU Guidance
on DPIA/PIA requirements
November 10, 2016
2 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Today’s Speakers
Beth Sipula
Senior Privacy Consultant
TRUSTe
Paul Iagnocco
Chief Privacy Officer
Kellogg
3 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
The GDPR and When to Use
DPIAs/PIAs
Beth Sipula, Senior Privacy Consultant TRUSTe
4 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
PIA definition
A privacy impact assessment (PIA) is a
tool or process for identifying and
assessing privacy risks throughout the
development life cycle of a program or
system.
- Information Commissioner's Office
5 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Does your organization have a PIA process in place?
1. Yes
2. No
Poll Question #1
6 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Frameworks and Jurisdictions
•Many countries and regions of the world have been using PIAs dating back to the mid 90’s
–Papers published regarding PIAs often started in the private sector
•A handful of countries have the most presence; more countries are emerging in LATAM and APAC
•The GDPR has drawn a spotlight onto DPIAs and adopting a framework as part of compliance
•While there are differences in the methodologies, the goals are the same: to identify risks to privacy and determine ways of overcoming those risks
•DPIAs/PIAs are not “one size fits all”
7 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
How many PIAs will your organization complete in 2016?
1. Less than 10
2. 11 - 50
3. 51-100
4. 100+
5. I have no idea
Poll Question #2
8 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
GDPR Triggers for DPIAa/PIAs
DPIAs are required for any processing that may result in “high risk”, and for:
• Systematic and extensive automated processing, including profiling, if the decisions produce legal effects or significantly affect the individual
Example: Making predictions based on a person’s behavior, credit decisions, economic situation, location
• Processing special categories of data (i.e. genetic or biometric data) or criminal records on a large scale
• Systematic monitoring of a publicly accessible area on a large scale
• As otherwise indicated by the DPAs or EUDPB
• GDPR requires you to conduct PIAs for “high risk” activities and implement operational changes
Note: Most common “high risk” areas tend to center around new products/systems that change the way the business uses / collects / stores personal data.
9 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Triggers for when to use a DPIA/PIA
•Implementing a new system in your organization;
•Launching a new product or service;
•Providing new third party provider with access to PI;
•Conversion of records from paper-based to electronic form;
•Conversion of information from anonymous to identifiable form;
•System management changes involving significant new uses and/or
application of new technologies;
•Significant merging, matching or other manipulation of multiple databases
containing personal data;
•Incorporation into existing databases of personal data obtained from
commercial or public sources;
•Alteration of a business process resulting in significant new collection, use
and/or disclosure of personal data
10 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
•Assign clearly defined roles for all stages
•Having an Executive “Champion” or Sponsor is critical
•PIAs need to be simple, repeatable, concise, and they need to map to
the GDPR requirements
•One size does not fit all – consider the level of risk
–Also consider a bifurcated PIA process, with traditional PIAs for all projects and
EU DPIAs for projects that trigger EU DP rules
•Build a robust process with scalability in mind
–Consider the system you are using, what it’ll take to make the process more
efficient and automate
•Monitor - Article 29 Working Party will be releasing guidance for
controllers and processors on high-risk assessments by end of 2016
Recommendations for Success
11 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Paul Iagnocco
Chief Privacy Officer
Operationalizing a PIA Solution
within the Enterprise
12 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Privacy Overview at Kellogg
.
Global Privacy Office
established in August 2015
4 Strategic Pillars
Build a Global Capability
Ensure Compliance & Education
Champion Privacy
Advocacy
Unlock Data Use
Types of Data Held
Employee (PII, PFI, PHI)
Consumer (PII)
Reporting Line
A function within Global Legal &
Compliance
CPO reports directly to Chief Counsel (access to Global
General Counsel & Vice Chair of Company)
13 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Privacy Overview at Kellogg (continued)
Global
Privacy
Office
Regional/Local
Business
Functions
Internal
Audit
Defines
the
“what”
Determines
the
“how”
IT Security
Kellogg employs a decentralized business model in addressing
data protection and privacy matters.
• strategy
• training content
• business compliance
• standards and best practices
• common global tools
• privacy impact assessments (PIAs)
• requests and complaints
• data breach management
• liaison with regulators
• execute strategy
• conduct training
• Execute compliance
• Implement standards and best
practices
• Address PIA results
14 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Collaborative Approach Between Privacy & IT Security
Notice
Choice
Use
Availability
Integrity
Access
Confidentiality
Acquisition and Use of Data
Focus is on whether the Company is allowed to possess consumer or employee data and what we are allowed to do with it.
Safeguards, Secured Storage and Proper Destruction of Data
Focus is on the protection of the data stored, processed, transmitted and destroyed.
IT Security
15 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
5 Steps to Operationalizing PIAs
Know your key PIA stakeholders
Align on the role of a PIA
Design the PIA workflow
Build and implement the PIA solution
Refine and scale the PIA Process
16 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Know your key stakeholders
Objective: Implementing anything new within an organization is challenging. People fear the uncertainty of change. Need to identify key stakeholders that that see value in a PIA. Recommendation: Leverage these stakeholders to drive change within their function. These are your early adopters (evangelists).
Key Stakeholders How would a PIA benefit their function?
Legal Counsel - Transactions Provides intelligence to incorporate into MSA or SOW
Risk Management Provides intelligence that may require change in risk policy
Procurement Ensures that data protection and privacy are addressed
IT Security Ensures that data protection and authorization is addressed
Human Resources External data processors are vetted and deliver expected
services for our employees
Marketing External data processors are vetted and deliver expected
services for our consumers
Internal Audit Provides an audit trail
Outside Consultants N/A
17 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Align on the role of the PIA
Objective:
With your key stakeholders, determine what you want to solve for using a PIA.
Recommendation:
Start small and scale. It might be easier to start leveraging PIAs externally since you will likely have
less resistance to change.
Common Components of a PIA What are we assessing?
Internal Procedures and Policies Overall program accountability
Data Collection What data is collected?
Choice and Consent How was the data collected?
Use, Retention and Disposal What is the intended use, storage and purge of
the collected data?
Disclosures to Third Parties Are we sharing this data?
Access Does the data subject have access?
Data Security How is the data secured?
18 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Design the PIA workflow
Objective:
Leveraging the PIA alignment gained in step 2,
now design the PIA workflow.
Recommendation:
Again start small and scale. Look at how new
data processes and vendor agreements/SOWs
commence. Review existing workflows and
determine best means to intersect without being
disruptive.
Where should a PIA be considered?
Review existing vendor statement of work (SOW)
New vendor set-up (MSA)
Changes to internal data processing
Significant IT infrastructure changes
Mergers and acquisitions
New product development
(that engages data)
Annual assessments
To assess new regulations
Process starts in Contract Database
Privacy Threshold Questions Answered
PIA Published and Vendor Responds
Responses Reviewed by Legal and IT
Security
Additional Follow-ups by Other Key
Stakeholders
Changes negotiated in
MSA
MSA Approved and Filed
New Vendor Set-up Workflow
19 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Build and Implement the PIA Solution
Objective: Identify what PIA solution needs to be built and eventually implemented. Recommendation: Review step 2 to ensure you are building a PIA solution that achieves your goal. Also, be mindful that of the expected annual volume. Do NOT over engineer. In addition, be sure to produce communication materials and a simple user-guide to facilitate adoption beyond the key stakeholders. You MUST be prepared to Sell, Sell, Sell.
Simple PIA Solution
1. Build out content (questions and
benchmarks)
2. Load spreadsheet – use macros to
create “flags”
3. Develop Email Template with purpose,
deadline, etc. along with spreadsheet
4. Publish to XYZ, collect responses
5. Review and analyze
6. Take necessary action
7. File
Complex PIA Solution
1. Conduct privacy threshold assessment
2. Add Respondent to TRUSTe
Assessment Manager
3. Select or customize PIA
4. Publish to XYZ, collect responses
5. Centrally review and analyze
6. Assign necessary follow-up action
7. Archive and set calendar to
automatically re-send in12 months
20 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Refine and scale the PIA Solution
Objective: Identify what’s working and what’s not working and refine solution accordingly. What other areas (identified in Step 3) should we scale this PIA solution to address? Recommendation: Identify a means to gather on-going feedback on how to improve the solution. Always look for opportunities to further imbed the PIA into normal business operations. As you expand follow the process – Step and Repeat.
Potential Refinements
Customized PIA questions based on specific target audience (e.g., EU data processors)
Implement for additional business scenarios (e.g., internal infrastructure or data processing changes)
New PIA questions to assess internal or external compliance with new regulation (e.g., EU GDPR)
Provide additional access to responses and analysis
Add new functions to overall process
Expand user-guides to reflect changes
Expand communication plan – Sell, Sell, Sell
21 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
Summary
1. Cultivate evangelists for the PIA solution
2. Define value of the PIA solution
3. Align on initial PIA solution goals
4. Start small – scale later
5. Look for new opportunities
6. Listen to feedback
7. Keep it simple
8. Over communicate
Be sure to commit and start somewhere.
22 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Questions?
23 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Beth Sipula [email protected]
Paul Iagnocco [email protected]
Contacts
24 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Register now for the final webinar in our our 2016 Summer/Fall Webinar
Series on December 8 “Metrics for Success: Quantifying the Value of the
Privacy Function”
See http://www.truste.com/insightseries for the 2016 Privacy Insight Series
and past webinar recordings.
Thank You!