Understanding new EU Guidance on DPIA/PIA requirements [Webinar Slides]


Upload: truste

Post on 07-Jan-2017


Category: Law




Page 1: Understanding new EU Guidance on DPIA/PIA requirements [Webinar Slides]

1 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016

v © TRUSTe Inc., 2016

Understanding new EU Guidance on DPIA/PIA requirements

November 10, 2016

Page 2

Today’s Speakers

Beth Sipula, Senior Privacy Consultant, TRUSTe
Paul Iagnocco, Chief Privacy Officer, Kellogg

Page 3

The GDPR and When to Use DPIAs/PIAs

Beth Sipula, Senior Privacy Consultant, TRUSTe

Page 4

PIA definition

A privacy impact assessment (PIA) is a tool or process for identifying and assessing privacy risks throughout the development life cycle of a program or system.

- Information Commissioner's Office

Page 5

Poll Question #1

Does your organization have a PIA process in place?

1. Yes
2. No

Page 6

Frameworks and Jurisdictions

• Many countries and regions of the world have been using PIAs dating back to the mid-1990s
  – Papers published regarding PIAs often started in the private sector
• A handful of countries have the most presence; more countries are emerging in LATAM and APAC
• The GDPR has drawn a spotlight onto DPIAs and adopting a framework as part of compliance
• While there are differences in the methodologies, the goals are the same: to identify risks to privacy and determine ways of overcoming those risks
• DPIAs/PIAs are not “one size fits all”

Page 7

Poll Question #2

How many PIAs will your organization complete in 2016?

1. Less than 10
2. 11 - 50
3. 51-100
4. 100+
5. I have no idea

Page 8

GDPR Triggers for DPIAs/PIAs

DPIAs are required for any processing that may result in “high risk”, and for:

• Systematic and extensive automated processing, including profiling, if the decisions produce legal effects or significantly affect the individual
  Example: making predictions based on a person’s behavior, credit decisions, economic situation, location
• Processing special categories of data (e.g., genetic or biometric data) or criminal records on a large scale
• Systematic monitoring of a publicly accessible area on a large scale
• As otherwise indicated by the DPAs or EUDPB
• GDPR requires you to conduct PIAs for “high risk” activities and implement operational changes

Note: Most common “high risk” areas tend to center around new products/systems that change the way the business uses / collects / stores personal data.

Page 9

Triggers for when to use a DPIA/PIA

• Implementing a new system in your organization;
• Launching a new product or service;
• Providing a new third-party provider with access to PI;
• Conversion of records from paper-based to electronic form;
• Conversion of information from anonymous to identifiable form;
• System management changes involving significant new uses and/or application of new technologies;
• Significant merging, matching or other manipulation of multiple databases containing personal data;
• Incorporation into existing databases of personal data obtained from commercial or public sources;
• Alteration of a business process resulting in significant new collection, use and/or disclosure of personal data

Page 10

Recommendations for Success

• Assign clearly defined roles for all stages
• Having an Executive “Champion” or Sponsor is critical
• PIAs need to be simple, repeatable, concise, and they need to map to the GDPR requirements
• One size does not fit all – consider the level of risk
  – Also consider a bifurcated PIA process, with traditional PIAs for all projects and EU DPIAs for projects that trigger EU DP rules
• Build a robust process with scalability in mind
  – Consider the system you are using and what it will take to make the process more efficient and to automate it
• Monitor – the Article 29 Working Party will be releasing guidance for controllers and processors on high-risk assessments by end of 2016

Page 11

Operationalizing a PIA Solution within the Enterprise

Paul Iagnocco, Chief Privacy Officer, Kellogg

Page 12

Privacy Overview at Kellogg

Global Privacy Office: established in August 2015

4 Strategic Pillars:
• Build a Global Capability
• Ensure Compliance & Education
• Champion Privacy Advocacy
• Unlock Data Use

Types of Data Held:
• Employee (PII, PFI, PHI)
• Consumer (PII)

Reporting Line: a function within Global Legal & Compliance; the CPO reports directly to the Chief Counsel (access to the Global General Counsel & Vice Chair of the Company)

Page 13

Privacy Overview at Kellogg (continued)

Kellogg employs a decentralized business model in addressing data protection and privacy matters.

Global Privacy Office - defines the “what”:
• strategy
• training content
• business compliance
• standards and best practices
• common global tools
• privacy impact assessments (PIAs)
• requests and complaints
• data breach management
• liaison with regulators

Regional/Local Business Functions - determine the “how”:
• execute strategy
• conduct training
• execute compliance
• implement standards and best practices
• address PIA results

Other functions shown in the diagram: Internal Audit, IT Security

Page 14

Collaborative Approach Between Privacy & IT Security

Principles shown in the diagram: Notice, Choice, Use, Availability, Integrity, Access, Confidentiality

Privacy - Acquisition and Use of Data: focus is on whether the Company is allowed to possess consumer or employee data and what we are allowed to do with it.

IT Security - Safeguards, Secured Storage and Proper Destruction of Data: focus is on the protection of the data stored, processed, transmitted and destroyed.

Page 15

5 Steps to Operationalizing PIAs

1. Know your key PIA stakeholders
2. Align on the role of a PIA
3. Design the PIA workflow
4. Build and implement the PIA solution
5. Refine and scale the PIA process

Page 16

Know your key stakeholders

Objective: Implementing anything new within an organization is challenging. People fear the uncertainty of change. You need to identify key stakeholders that see value in a PIA.

Recommendation: Leverage these stakeholders to drive change within their function. These are your early adopters (evangelists).

Key Stakeholders - How would a PIA benefit their function?
• Legal Counsel - Transactions: Provides intelligence to incorporate into MSA or SOW
• Risk Management: Provides intelligence that may require change in risk policy
• Procurement: Ensures that data protection and privacy are addressed
• IT Security: Ensures that data protection and authorization are addressed
• Human Resources: External data processors are vetted and deliver expected services for our employees
• Marketing: External data processors are vetted and deliver expected services for our consumers
• Internal Audit: Provides an audit trail
• Outside Consultants: N/A

Page 17

Align on the role of the PIA

Objective: With your key stakeholders, determine what you want to solve for using a PIA.

Recommendation: Start small and scale. It might be easier to start leveraging PIAs externally since you will likely have less resistance to change.

Common Components of a PIA - What are we assessing?
• Internal Procedures and Policies: Overall program accountability
• Data Collection: What data is collected?
• Choice and Consent: How was the data collected?
• Use, Retention and Disposal: What is the intended use, storage and purge of the collected data?
• Disclosures to Third Parties: Are we sharing this data?
• Access: Does the data subject have access?
• Data Security: How is the data secured?

Page 18

Design the PIA workflow

Objective: Leveraging the PIA alignment gained in step 2, now design the PIA workflow.

Recommendation: Again, start small and scale. Look at how new data processes and vendor agreements/SOWs commence. Review existing workflows and determine the best means to intersect without being disruptive.

Where should a PIA be considered?
• Review of an existing vendor statement of work (SOW)
• New vendor set-up (MSA)
• Changes to internal data processing
• Significant IT infrastructure changes
• Mergers and acquisitions
• New product development (that engages data)
• Annual assessments
• To assess new regulations

New Vendor Set-up Workflow
1. Process starts in Contract Database
2. Privacy Threshold Questions Answered
3. PIA Published and Vendor Responds
4. Responses Reviewed by Legal and IT Security
5. Additional Follow-ups by Other Key Stakeholders
6. Changes negotiated in MSA
7. MSA Approved and Filed

Page 19

Build and Implement the PIA Solution

Objective: Identify what PIA solution needs to be built and eventually implemented.

Recommendation: Review step 2 to ensure you are building a PIA solution that achieves your goal. Also, be mindful of the expected annual volume. Do NOT over-engineer. In addition, be sure to produce communication materials and a simple user guide to facilitate adoption beyond the key stakeholders. You MUST be prepared to Sell, Sell, Sell.

Simple PIA Solution
1. Build out content (questions and benchmarks)
2. Load spreadsheet – use macros to create “flags”
3. Develop email template with purpose, deadline, etc. along with spreadsheet
4. Publish to XYZ, collect responses
5. Review and analyze
6. Take necessary action
7. File

Complex PIA Solution
1. Conduct privacy threshold assessment
2. Add respondent to TRUSTe Assessment Manager
3. Select or customize PIA
4. Publish to XYZ, collect responses
5. Centrally review and analyze
6. Assign necessary follow-up action
7. Archive and set calendar to automatically re-send in 12 months
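The “Privacy Threshold Questions Answered” step of the vendor workflow on page 18, step 1 of the complex solution and the spreadsheet “flags” of the simple solution above all come down to one screening rule. The Python below is an added example written for this transcript; it is not TRUSTe Assessment Manager, Kellogg’s spreadsheet or any other tooling from the deck. It reads a constructed project register, answers the threshold questions per row and applies a two-tier rule: any GDPR trigger from page 8 flags the project “DPIA required”, otherwise any organizational trigger from page 9 flags it “PIA recommended”, and a project with no personal data in scope is short-circuited before any trigger is evaluated. The column names, the sample rows and the two-tier ordering are this example’s own assumptions.

```python
"""Privacy threshold screening (added example; not TRUSTe's or Kellogg's tooling).

Each register row answers the threshold questions with yes/no. A row is flagged
  DPIA required   - a GDPR trigger (page 8) is answered yes
  PIA recommended - only an organizational trigger (page 9) is answered yes
  No assessment   - no personal data in scope, or nothing answered yes
Column names below are assumptions made for this example.
"""
import csv
import io
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    DPIA_REQUIRED = "DPIA required"
    PIA_RECOMMENDED = "PIA recommended"
    NO_ASSESSMENT = "No assessment"


# Tier 1: GDPR triggers (page 8). Any "yes" mandates a DPIA.
GDPR_TRIGGERS = {
    "automated_decisions_legal_effect": "systematic and extensive automated processing or profiling with legal or similarly significant effects",
    "special_category_large_scale": "large-scale processing of special categories of data",
    "criminal_records_large_scale": "large-scale processing of criminal records",
    "public_area_monitoring": "systematic monitoring of a publicly accessible area on a large scale",
    "dpa_listed_high_risk": "processing type indicated as high risk by a DPA",
}

# Tier 2: organizational triggers (page 9). Any "yes" recommends a PIA.
ORG_TRIGGERS = {
    "new_system": "new system implemented",
    "new_product_or_service": "new product or service launched",
    "new_third_party_access": "new third-party provider given access to PI",
    "paper_to_electronic": "paper records converted to electronic form",
    "anonymous_to_identifiable": "anonymous information converted to identifiable form",
    "new_technology_or_use": "significant new use or application of new technology",
    "database_merging": "significant merging or matching of databases holding personal data",
    "external_source_data": "personal data from commercial or public sources added to existing databases",
    "process_change_new_collection": "business process change with significant new collection, use or disclosure",
}


@dataclass(frozen=True)
class Determination:
    project: str
    outcome: Outcome
    reasons: tuple[str, ...]   # the matched trigger descriptions, carried into follow-up


def _yes(value) -> bool:
    """Accept the spellings a spreadsheet export is likely to contain."""
    return (value or "").strip().lower() in {"y", "yes", "true", "1"}


def screen_row(row: dict) -> Determination:
    """Apply the two-tier threshold rule to one register row (missing columns count as 'no')."""
    project = row["project"]
    if not _yes(row.get("processes_personal_data", "no")):
        return Determination(project, Outcome.NO_ASSESSMENT, ("no personal data in scope",))
    gdpr_hits = tuple(desc for col, desc in GDPR_TRIGGERS.items() if _yes(row.get(col, "no")))
    if gdpr_hits:
        return Determination(project, Outcome.DPIA_REQUIRED, gdpr_hits)
    org_hits = tuple(desc for col, desc in ORG_TRIGGERS.items() if _yes(row.get(col, "no")))
    if org_hits:
        return Determination(project, Outcome.PIA_RECOMMENDED, org_hits)
    return Determination(project, Outcome.NO_ASSESSMENT, ("no threshold question answered yes",))


def screen_register(csv_text: str) -> list:
    """Screen every row of a CSV export of the project register."""
    return [screen_row(r) for r in csv.DictReader(io.StringIO(csv_text))]


# Constructed sample register; the header lists only the columns these rows use.
SAMPLE_REGISTER = """\
project,processes_personal_data,new_third_party_access,special_category_large_scale,automated_decisions_legal_effect,new_system
Benefits vendor onboarding,yes,yes,yes,no,no
Marketing analytics platform,yes,no,no,no,yes
Credit-style eligibility scoring,yes,no,no,yes,yes
Facilities asset inventory,no,no,no,no,yes
Existing payroll export,yes,no,no,no,no
"""


def summary(csv_text: str = SAMPLE_REGISTER) -> dict:
    """Project name -> flag, the column a reviewer would add to the spreadsheet."""
    return {d.project: d.outcome.value for d in screen_register(csv_text)}


if __name__ == "__main__":
    for d in screen_register(SAMPLE_REGISTER):
        print(f"{d.project}: {d.outcome.value}")
        for reason in d.reasons:
            print(f"  - {reason}")
```

Running the file prints each project with its flag and the matched triggers; the reasons are what the reviewer carries into the “Changes negotiated in MSA” step, and the tier ordering means a project that is both a new system and an automated-decision use is reported under the GDPR trigger rather than the weaker organizational one.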

Page 20

Refine and scale the PIA Solution

Objective: Identify what’s working and what’s not working and refine the solution accordingly. What other areas (identified in Step 3) should we scale this PIA solution to address?

Recommendation: Identify a means to gather on-going feedback on how to improve the solution. Always look for opportunities to further embed the PIA into normal business operations. As you expand, follow the process – Step and Repeat.

Potential Refinements
• Customized PIA questions based on specific target audience (e.g., EU data processors)
• Implement for additional business scenarios (e.g., internal infrastructure or data processing changes)
• New PIA questions to assess internal or external compliance with new regulation (e.g., EU GDPR)
• Provide additional access to responses and analysis
• Add new functions to overall process
• Expand user guides to reflect changes
• Expand communication plan – Sell, Sell, Sell

Page 21

Summary

1. Cultivate evangelists for the PIA solution

2. Define value of the PIA solution

3. Align on initial PIA solution goals

4. Start small – scale later

5. Look for new opportunities

6. Listen to feedback

7. Keep it simple

8. Over communicate

Be sure to commit and start somewhere.

Page 22

Questions?

Page 23

Contacts

Beth Sipula [email protected]
Paul Iagnocco [email protected]

Page 24

Register now for the final webinar in our 2016 Summer/Fall Webinar Series on December 8: “Metrics for Success: Quantifying the Value of the Privacy Function”

See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.

Thank You!