© 2020 TrustArc Inc. Proprietary and Confidential Information.
Building Consumer Trust through Individual
Rights / DSAR Management
October 14, 2020
Speakers
K Royal
FIP, CIPP/US / E, CIPM, CDPSE
Associate General Counsel,
Privacy Intelligence
TrustArc
Maggie Gloeckle
FIP CIPP/US/E, CIPM, CIPT, CDPSE, PMP
VP, Privacy and Compliance Counsel
A&E Networks
Agenda
● Data subject rights under GDPR, CCPA, & LGPD
● Recommended practices and tips to comply
● Practical steps for implementing a Data Subject Rights Management
program
Quick Review
● GDPR: European Union’s General Data Protection Regulation, passed in 2016, effective 2018
● CCPA: California Consumer Privacy Act, process started in 2017, passed 2018, amended 2019, regulations 2020, plus new proposed modifications and looming California Privacy Rights Act (CPRA)
● LGPD: Brazil’s Lei Geral de Proteção de Dados, passed in 2018 to be effective in 2020, and then this year - not delayed, pushing enforcement out to 2021
Poll 1
What are you most interested in learning about today?
1. Specifics on laws and individual rights
2. Case studies / practical examples
3. How to operationalize managing individual rights
4. All of the above
Individual Rights under
GDPR, CCPA, and LGPD
What are Individual Rights?
Individual Rights Mapped to Other Regulations
Columns: GDPR, CCPA, LGPD, NZ Privacy Act 2020, Japan LPPI*, China Civil Code, Dubai DPL 2020, Egypt LPPD, Privacy Shield
Access X X X X X X X X X
Correction X Z* X X X X X X X
Erasure X X X X X X X
Object, Opt-Out X X X X X X X
Portability X X** X X
GDPR Individual Rights
Article Right of the Data Subject
15 Right of access
16 Right to rectification
17 Right to erasure (‘right to be forgotten’)
18 Right to restriction of processing
19 Notification obligation regarding rectification or erasure of personal data or restriction of
processing
20 Right to data portability
21 Right to object
22 Automated individual decision-making, including profiling
Individual Rights
Articles 15 - 22
Credit to the brilliance of Ashley Slavik
Chief Privacy Officer, Lead Data Counsel
Veeva Systems
CCPA Individual Rights
CCPA Section Right of the Consumer
§ 1798.100 Right to access, notice, and data portability
§ 1798.105 Right to deletion
§ 1798.110 Right to disclosures of personal information
§ 1798.115 Right to disclosures of personal information sold
§ 1798.120 Right to opt-out of sales
§ 1798.125 Right to nondiscrimination
CCPA Individual Rights: Third set of proposed modifications - Oct. 12
Collection of personal data (999.306)
● Interacting with consumers offline
Must provide an offline method that the consumer is aware of so they can exercise their right to opt
out
● Over the phone
May provide the notice orally during the call where the information is collected
Opting out (999.315)
● Must be easy for the consumer and require minimal amount of steps to do so
Examples: Don’t ask for unnecessary information to process the request
AND scrolling through a page = bad
Authorized Agent (999.326)
● Clarifies the proof that a business may require an authorized agent to
provide, as well as
● What the business may require a consumer to do to verify their request
LGPD Individual Rights
Art. 18 Right of the Consumer
I Confirmation of the existence of the processing
II Access to the data
III Correction of incomplete, inaccurate or out-of-date data
IV Anonymization, blocking or deletion of unnecessary/excessive data or data processed in
noncompliance with the law
V Portability to another provider, by express request, subject to commercial and industrial secrecy
VI Deletion of personal data processed with consent of the data subject
VII Information on public/private entities where controller shared data
VIII Information about denying consent and the consequences
IX Revocation of consent as provided in §5 of Art. 8
Poll Question
Where would you categorize your individual rights management program?
1. Initial / ad hoc - respond as arises
2. Repeatable - some processes
3. Defined - policies in place
4. Managed
5. Optimized
Compliance Requirements
Method of request
● GDPR: Not addressed
● CCPA: Two or more methods, including a toll-free phone and online
● LGPD: Not addressed
Delivery of request
● GDPR: Must be concise, transparent, intelligible, easily accessible, using clear and plain language, especially to a child. In writing, electronically, or orally if identity verified. Electronic requests = electronic delivery
● CCPA: Through consumer account if one exists or by mail or electronically at consumer’s option (not allowed to require an account to be created for this purpose)
● LGPD: Printed or electronic, per data subject, in safe and suitable means
Number of requests permitted
● GDPR: Not addressed (if excessive, because repetitive nature, may charge or refuse to act)
● CCPA: May limit to 2 in a 12-month period
● LGPD: Not addressed
Limitation time frame
● GDPR: Not addressed
● CCPA: Applies to information collected in the preceding 12 months
● LGPD: Not addressed
Compliance Requirements
Identity verification
● GDPR: May refuse to act if not able to identify; may verify identity if reasonable doubt exists
● CCPA: Verifiable request required, but time to verify identity does not extend time to respond
● LGPD: Not addressed, but does have “express consent”
Timeframe to respond
● GDPR: Without undue delay and in any event within one month
● CCPA: 45 days
● LGPD: Confirmation & access 15 days if not simple, all other immediately
Extension of response time
● GDPR: Two-month extension where necessary for complexity and # of requests; inform within first month with reason for delay
● CCPA: 45 days extension if inform consumer during first 45 days
● LGPD: Not addressed
Charge
● GDPR: Free unless manifestly unfounded or excessive - then reasonable fee
● CCPA: Free except for multiple copies - then administrative costs.
● LGPD: Free
Training for processing requests
● GDPR: DPO advises on obligations and monitors compliance, including awareness-raising and training
● CCPA: All individuals responsible for handling inquiries must be trained.
● LGPD: DPO orients employees and contractors regarding practices to be taken in relation to personal data protection
Recommended Practices
Poll Question
How many individual rights requests do you receive in total (that require some level of
management)?
1. less than 10 a month
2. between 11 - 100 a month
3. between 101 - 500 a month
4. between 501 - 999 a month
5. more than 1,000 a month
Key Individual Right: The Right to Access
GDPR Article 15: Allows various methods, includes confirmation data is processed
● Exception: Aside from the uniform exception for manifestly unfounded or excessive requests, the
right to access should only be limited to the extent it adversely affects the rights and freedoms of
others.
CCPA Section 1798.100: Right to know
● Exception: The CCPA regulations make an exception for disclosure where there is a conflict with
state or federal law, and prohibits businesses from disclosing certain data elements like
government-issued identification numbers, financial account numbers, account passwords, security
questions and answers, health insurance or medical ID numbers, and unique biometric information.
LGPD Article 18, II: Right to Access
● Exception: the LGPD does not provide a list of exceptions to the right to access, but does state that
access should be provided taking into consideration trade and commercial secrecy and LGPD does not
apply to data processed exclusively for purposes of: a) public safety; b) national defense; c) state
security; or d) activities of investigation and prosecution of criminal offenses
Practical Example: The Right to Access
● Request for video inside a store (or employer) to identify who may have stolen
something or did a particular action. What about in a parking lot? (A crime seems
logical, but what about leaving a note?)
GDPR: Key Individual Right: The Right to Erasure (‘Right to be Forgotten’)
Eligible only if:
● personal data are no longer necessary for purposes they were collected or otherwise processed;
● DS withdraws consent and where there is no other legal ground for the processing;
● DS objects to processing (marketing, public interest) and no overriding legitimate grounds exist
● the personal data have been unlawfully processed;
● the personal data have to be erased for compliance with a legal obligation; or
● the personal data have been collected in relation to the offer of information society services
Exceptions:
● exercising the right of freedom of expression and information;
● compliance with a legal obligation by law, public interest or official authority task;
● public interest in the area of public health;
● archiving purposes in the public interest, scientific or historical research purposes or statistical
purposes; or
● establishment, exercise or defence of legal claims
CCPA: Key Individual Right: The Right to Erasure
Exception: Businesses may decline to delete a customer’s personal information when a business requires the
personal information at issue in order to:
■ Complete the transaction for which the personal information was collected, provide a good or service
requested by the consumer, or reasonably anticipated within the context of a business’s ongoing
business relationship with the consumer, or otherwise perform a contract between the business and the
consumer.
■ Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or
prosecute those responsible for that activity.
■ Debug to identify and repair errors that impair existing intended functionality.
■ Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or
exercise another right provided for by law.
■ Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6
(commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
■ Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest
that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the
information is likely to render impossible or seriously impair the achievement of such research, if the
consumer has provided informed consent.
LGPD: Key Individual Right: The Right to Erasure
Article 8 VI deletion of personal data processed with the consent of the data subject, except in
the situations provided in Article 16 (Termination of Data Processing ) or unnecessary or excessive
data
Exceptions:
Personal data shall be deleted following the termination of their processing, within the scope and
technical limits of the activities, unless retention is authorized for the following purposes:
● compliance with a legal or regulatory obligation by the controller;
● study by a research entity, ensuring, whenever possible, the anonymization of the personal data;
● transfer to third parties provided that the requirements for data processing as provided in this Law
are obeyed; or
● exclusive use of the controller, with prohibited access by third parties and provided the data has
been anonymized.
And keep in mind, LGPD does not apply to data processed exclusively for purposes of: a) public safety;
b) national defense; c) state security; or d) activities of investigation and prosecution of criminal
offenses (Article 4)
Practical Example: The Right to Erasure (‘Right to be Forgotten’)
Common examples we have seen:
● Drug screens
● Prior applications for jobs
● Annual reviews
● Social media posts
● Internet search history
● Movie rental history
● Hotel stays
● Visits to restaurants
● Church records
● Grades / school records
Key Individual Right: The Right to Restriction of Processing
GDPR Article 18: Individuals may, in certain circumstances, have their personal data excluded from
processing. This right prevents the personal data from being used for most processing purposes, other than
simply storing the data (with exceptions). Once the processing has ceased, the controller must notify an
individual before processing resumes. Data subjects may request and obtain cessation of processing (Article
18(1)).
● Exception: If processing has been restricted, it may only be processed with “the data subject’s
consent, or for the establishment, exercise, or defense of legal claims or for the protection of the rights of
another person”.
CCPA Section: The CCPA does not have an analogous right.
LGPD Article 18 IV and IX: Blocking and also revocation of consent as provided in §5 of Article 8 of this
Law. §2 The data subject may oppose the processing carried out based on one of the situations of waiver of
consent, if there is noncompliance with the provisions of this Law.
Practical Example: The Right to Restriction of Processing (and Blocking)
● Request for deletion denied, requests restriction of processing while awaiting
resolution
Key Individual Right: The Right to Data Portability
GDPR Article 20: The right to data portability is under the GDPR. This right supports the free flow of
information, provides user control and empowerment, and fosters competition and development of new
services.
● Exception: This right does not apply to processing necessary data for the performance of a task carried
out in the public interest or in the exercise of official authority vested in the controller. The right is also
limited if it adversely affects the rights and freedoms of others.
Under the CCPA, this right is included in the right to access in section 1798.100(d) and simply requires that if the data is
"provided electronically, the information shall be in a portable and, to the extent technically feasible, in a
readily useable format that allows the consumer to transmit this information to another entity without
hindrance".
LGPD, in Article 18, V, provides portability of the data to another service or product provider, by means of an
express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling
agency; In addition, Article 11 prohibits sharing sensitive data between controllers to obtain an economic
advantage, except portability consented by the data subject. Also, anonymized data is exempted
Practical Examples: The Right to Data Portability
● Porting contracts from one contract manager solution to another
● Books from reading services or movies from providers?
● Medical records
Notes:
GDPR Recital 68 “The data subject's right to transmit or receive personal data concerning him or
her should not create an obligation for the controllers to adopt or maintain processing systems
which are technically compatible.”
LGPD - commercial secrecy
Steps to Comply
Ensure understanding of what data you collect, the collection process, and where it resides.
Establish a process to intake individual rights requests that is easy for the individual, and
ensure this process is well-communicated throughout the organization. A request may
come in from many routes and the person receiving that request needs to understand that a
request is being made. Individuals typically won’t understand or use the exact verbiage in
the law.
Validate the individual's identity.
Once the request is validated, have a process to review it, evaluate the data referenced, the
reasons for processing the data, and evaluate any exceptions.
Have a response process.
Put in place an appeals process for denied requests. Retain documentation throughout the
process.
Best Practice Tips
Incorporate these rights into your privacy program and ensure there is an
established process from beginning to end.
Take your data inventory and data processing records a step further to
envision requests made for that data.
Work with your vendors to ensure that these rights can be honored on their side
and get documentation to validate that ability.
Be helpful. This is not an adversarial process. These are rights provided to
individuals to protect their freedoms and right to privacy.
Simple Flow Chart
Case Study
Ann worked at a large grocery store chain (Food-n-More, HQ in California) and was also both a customer and a
rewards member. She was honored to be profiled in their public blog as the employee of the month. Food-n-More
provided great benefits, including tuition reimbursement. After she resigned to attend college full-time in Arizona,
she worked for them during seasonal busy times, such as Christmas.
Ann used Food-n-More’s online individual rights form to request access to her information. She received a
response back that they determined the only information they have on her is her email subscription.
Ann contacted the email this response came from stating that she was a past employee and in fact, still worked for
them seasonally. No response.
Ann looked up the contact information online and called the number listed. It went to the general answering service.
She explained the purpose of her call and was routed to the HR hotline. She left a message, but also called a
number listed for customer service. She explained what she wanted and the person asked her to hold. After coming
back on, the person routed her to a voicemail that instructed her to leave details for her inquiry.
After multiple back-and-forth communications with both HR and the privacy department over about 4 months, Ann
finally received information on her employment dates, role, pay rate, and that she could request benefit information
for her FT employment.
*This fictitious case study was written to highlight the best practice tips.
Case Study Continued
What went wrong here? The company did not:
● Provide an inclusive response
● Have a process to clarify responses
● Train all people who manage responses
● Have a process to receive or evaluate requests within the required timeframes
● Have a plan for communication or response in a timely fashion
What went right? The company did:
● Have an individual rights form
● Have someone in privacy
● Provide information….
If the company had an Individual Rights program in place, the process could have been smoother.
Efficiently managing numerous requests per month can be further enhanced through a technology
solution designed to automate and streamline requests processing.
Automate the data subject request lifecycle
TrustArc Individual Rights Manager enables organizations
to efficiently and securely respond to data subject requests
at scale. With the ability to configure and automate
workflows, combined with our unique privacy intelligence
solution, organizations can meet global regulatory
requirements, reduce cost, and build customer trust.
● Confidently Maintain Global Compliance: Receive contextualized up-to-date regulatory guidance to ensure workflows are always aligned with the latest privacy regulations
● Tailor Workflows to Meet Every Need: Address business requirements by customizing automated workflows to streamline end-to-end request fulfillment
● Streamline Verification Process: Configure identity verification workflows based on regulatory requirements by leveraging our suite of validation approaches and integrated partner solutions
● Deliver a Branded Experience: Create an on-brand privacy experience through customizable intake forms, landing pages, and email templates
Questions?
Upcoming Webinars
● Schrems II: Practical Considerations from a Legal Process and Technology Perspective - October 27, 2020 @ 9:00 PST
● How to Manage Vendors and Third Parties to Minimize Privacy Risk - October 28, 2020 @ 9:00 PST
● Post 'Schrems II': Examining Your Options and How to Action the Ruling - October 29, 2020 @ 9:00 PST
Thank You!
See http://www.trustarc.com/insightseries for the 2020
Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with compliance,
please reach out to sales@trustarc.com for a free demo.

An Overview of GDPR by Pathway Group
 
Gdpr in a nutshell
Gdpr in a nutshellGdpr in a nutshell
Gdpr in a nutshell
 
TrustArc-Webinar-Slides-2022-09-20-Cross-Contextual-Advertising
TrustArc-Webinar-Slides-2022-09-20-Cross-Contextual-AdvertisingTrustArc-Webinar-Slides-2022-09-20-Cross-Contextual-Advertising
TrustArc-Webinar-Slides-2022-09-20-Cross-Contextual-Advertising
 
Charity Law Updates for 2018: Making the Most of Change
Charity Law Updates for 2018: Making the Most of ChangeCharity Law Updates for 2018: Making the Most of Change
Charity Law Updates for 2018: Making the Most of Change
 
California Consumer Privacy Act (CCPA) - Kloudlearn
California Consumer Privacy Act (CCPA) - KloudlearnCalifornia Consumer Privacy Act (CCPA) - Kloudlearn
California Consumer Privacy Act (CCPA) - Kloudlearn
 
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR. A Brave New World Of Data Protection. Ready? Counting down to GDPR.
A Brave New World Of Data Protection. Ready? Counting down to GDPR.
 
Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering -...
Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering -...Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering -...
Polina Zvyagina - Airbnb - Privacy & GDPR Compliance - Stanford Engineering -...
 
Horner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPRHorner Downey & Co Newsletter- GDPR
Horner Downey & Co Newsletter- GDPR
 
Checklist for SMEs for GDPR compliance
Checklist for SMEs for GDPR complianceChecklist for SMEs for GDPR compliance
Checklist for SMEs for GDPR compliance
 
Gdpr presentation
Gdpr presentationGdpr presentation
Gdpr presentation
 
GDPR for Dummies
GDPR for DummiesGDPR for Dummies
GDPR for Dummies
 
epic-adppavccpa-07292022.pdf
epic-adppavccpa-07292022.pdfepic-adppavccpa-07292022.pdf
epic-adppavccpa-07292022.pdf
 

More from TrustArc

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc
 
TrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc
 
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc
 
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data SecurityTrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data SecurityTrustArc
 
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...TrustArc
 
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...TrustArc
 
Nymity Framework: Privacy & Data Protection Update in 7 States
Nymity Framework: Privacy & Data Protection Update in 7 StatesNymity Framework: Privacy & Data Protection Update in 7 States
Nymity Framework: Privacy & Data Protection Update in 7 StatesTrustArc
 
CBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy ComplianceCBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy ComplianceTrustArc
 
Everything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdfEverything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdfTrustArc
 
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...TrustArc
 
Privacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and RecommendationsPrivacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and RecommendationsTrustArc
 
Building Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy CertificationsBuilding Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy CertificationsTrustArc
 
The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...TrustArc
 
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdfTrustArc
 
Artificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI GovernanceArtificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI GovernanceTrustArc
 
How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023TrustArc
 
The Ultimate Balancing Act: Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act:  Using Consumer Data and Maintaining TrustThe Ultimate Balancing Act:  Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act: Using Consumer Data and Maintaining TrustTrustArc
 
The Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To KnowThe Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To KnowTrustArc
 
TrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdf
TrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdfTrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdf
TrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdfTrustArc
 

More from TrustArc (20)

TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
 
TrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI Innovations
 
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
 
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data SecurityTrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
 
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
 
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
 
Nymity Framework: Privacy & Data Protection Update in 7 States
Nymity Framework: Privacy & Data Protection Update in 7 StatesNymity Framework: Privacy & Data Protection Update in 7 States
Nymity Framework: Privacy & Data Protection Update in 7 States
 
CBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy ComplianceCBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy Compliance
 
Everything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdfEverything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdf
 
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
 
Privacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and RecommendationsPrivacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and Recommendations
 
Building Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy CertificationsBuilding Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy Certifications
 
The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...
 
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
 
Artificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI GovernanceArtificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI Governance
 
How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023
 
The Ultimate Balancing Act: Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act:  Using Consumer Data and Maintaining TrustThe Ultimate Balancing Act:  Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act: Using Consumer Data and Maintaining Trust
 
The Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To KnowThe Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To Know
 
TrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdf
TrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdfTrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdf
TrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdf
 

Recently uploaded

A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxAna-Maria Mihalceanu
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPathCommunity
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsRavi Sanghani
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesBernd Ruecker
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024TopCSSGallery
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfpanagenda
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...amber724300
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integrationmarketing932765
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observabilityitnewsafrica
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...Karmanjay Verma
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...itnewsafrica
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFMichael Gough
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 

Recently uploaded (20)

A Glance At The Java Performance Toolbox
A Glance At The Java Performance ToolboxA Glance At The Java Performance Toolbox
A Glance At The Java Performance Toolbox
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 
UiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to HeroUiPath Community: Communication Mining from Zero to Hero
UiPath Community: Communication Mining from Zero to Hero
 
Potential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and InsightsPotential of AI (Generative AI) in Business: Learnings and Insights
Potential of AI (Generative AI) in Business: Learnings and Insights
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
QCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architecturesQCon London: Mastering long-running processes in modern architectures
QCon London: Mastering long-running processes in modern architectures
 
Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024Top 10 Hubspot Development Companies in 2024
Top 10 Hubspot Development Companies in 2024
 
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdfSo einfach geht modernes Roaming fuer Notes und Nomad.pdf
So einfach geht modernes Roaming fuer Notes und Nomad.pdf
 
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
JET Technology Labs White Paper for Virtualized Security and Encryption Techn...
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS:  6 Ways to Automate Your Data IntegrationBridging Between CAD & GIS:  6 Ways to Automate Your Data Integration
Bridging Between CAD & GIS: 6 Ways to Automate Your Data Integration
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security ObservabilityGlenn Lazarus- Why Your Observability Strategy Needs Security Observability
Glenn Lazarus- Why Your Observability Strategy Needs Security Observability
 
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...React JS; all concepts. Contains React Features, JSX, functional & Class comp...
React JS; all concepts. Contains React Features, JSX, functional & Class comp...
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...Zeshan Sattar- Assessing the skill requirements and industry expectations for...
Zeshan Sattar- Assessing the skill requirements and industry expectations for...
 
All These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDFAll These Sophisticated Attacks, Can We Really Detect Them - PDF
All These Sophisticated Attacks, Can We Really Detect Them - PDF
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 

Building Consumer Trust through Individual Rights / DSAR Management

  • 1. © 2020 TrustArc Inc. Proprietary and Confidential Information. Building Consumer Trust through Individual Rights / DSAR Management October 14, 2020
  • 2. Speakers
    K Royal (FIP, CIPP/US / E, CIPM, CDPSE): Associate General Counsel, Privacy Intelligence, TrustArc
    Maggie Gloeckle (FIP CIPP/US/E, CIPM, CIPT, CDPSE, PMP): VP, Privacy and Compliance Counsel, A&E Networks
  • 3. Agenda
    ● Data subject rights under GDPR, CCPA, & LGPD
    ● Recommended practices and tips to comply
    ● Practical steps for implementing a Data Subject Rights Management program
  • 4. Quick Review
    GDPR: European Union’s General Data Protection Regulation, passed in 2016, effective 2018
    CCPA: California Consumer Privacy Act, process started in 2017, passed 2018, amended 2019, regulations 2020, plus new proposed modifications and looming California Privacy Rights Act (CPRA)
    LGPD: Brazil’s Lei Geral de Proteção de Dados, passed in 2018 to be effective in 2020, and then this year - not delayed, pushing enforcement out to 2021
  • 5. Poll 1: What are you most interested in learning about today?
    1. Specifics on laws and individual rights
    2. Case studies / practical examples
    3. How to operationalize managing individual rights
    4. All of the above
  • 6. Individual Rights under GDPR, CCPA, and LGPD
  • 7. What are Individual Rights? https://app.sli.do/event/d7d2fkix/embed/polls/fdf9f038-95ab-4660-96cc-0f5857f69223
  • 8. Individual Rights Mapped to Other Regulations 8 GDPR CCPA LGPD NZ Privacy Act 2020 Japan LPPI* China Civil Code Dubai DPL 2020 Egypt LPPD Privacy Shield Access X X X X X X X X X Correction X Z* X X X X X X X Erasure X X X X X X X Object, Opt-Out X X X X X X X Portability X X** X X
  • 9. GDPR Individual Rights (Article: Right of the Data Subject)
    Article 15: Right of access
    Article 16: Right to rectification
    Article 17: Right to erasure (‘right to be forgotten’)
    Article 18: Right to restriction of processing
    Article 19: Notification obligation regarding rectification or erasure of personal data or restriction of processing
    Article 20: Right to data portability
    Article 21: Right to object
    Article 22: Automated individual decision-making, including profiling
  • 10. Individual Rights Articles 15 - 22. Credit to the brilliance of Ashley Slavik, Chief Privacy Officer, Lead Data Counsel, Veeva Systems
  • 11. CCPA Individual Rights (CCPA Section: Right of the Consumer)
    § 1798.100: Right to access, notice, and data portability
    § 1798.105: Right to deletion
    § 1798.110: Right to disclosures of personal information
    § 1798.115: Right to disclosures of personal information sold
    § 1798.120: Right to opt-out of sales
    § 1798.125: Right to nondiscrimination
  • 12. CCPA Individual Rights: Third set of proposed modifications - Oct. 12
    Collection of personal data (999.306)
    ● Interacting with consumers offline: must provide an offline method that the consumer is aware of so they can exercise their right to opt out
    ● Over the phone: may provide the notice orally during the call where the information is collected
    Opting out (999.315)
    ● Must be easy for the consumer and require a minimal number of steps
      Examples: Don’t ask for unnecessary information to process the request AND scrolling through a page = bad
    Authorized Agent (999.326)
    ● Clarifies the proof that a business may require an authorized agent to provide, as well as
    ● What the business may require a consumer to do to verify their request
  • 13. LGPD Individual Rights (Art. 18: Right of the Consumer)
    I: Confirmation of the existence of the processing
    II: Access to the data
    III: Correction of incomplete, inaccurate or out-of-date data
    IV: Anonymization, blocking or deletion of unnecessary/excessive data or data processed in noncompliance with the law
    V: Portability to another provider, by express request, subject to commercial and industrial secrecy
    VI: Deletion of personal data processed with consent of the data subject
    VII: Information on public/private entities where controller shared data
    VIII: Information about denying consent and the consequences
    IX: Revocation of consent as provided in §5 of Art. 8
  • 14. Poll Question: Where would you categorize your individual rights management program?
    1. Initial / ad hoc - respond as arises
    2. Repeatable - some processes
    3. Defined - policies in place
    4. Managed
    5. Optimized
  • 15. Compliance Requirements (Element: GDPR / CCPA / LGPD)
    Method of request
      GDPR: Not addressed
      CCPA: Two or more methods, including a toll-free phone and online
      LGPD: Not addressed
    Delivery of request
      GDPR: Must be concise, transparent, intelligible, easily accessible, using clear and plain language, especially to a child. In writing, electronically, or orally if identity verified. Electronic requests = electronic delivery
      CCPA: Through consumer account if one exists or by mail or electronically at consumer’s option (not allowed to require an account to be created for this purpose)
      LGPD: Printed or electronic, per data subject, in safe and suitable means
    Number of requests permitted
      GDPR: Not addressed (if excessive, because repetitive nature, may charge or refuse to act)
      CCPA: May limit to 2 in a 12-month period
      LGPD: Not addressed
    Limitation time frame
      GDPR: Not addressed
      CCPA: Applies to information collected in the preceding 12 months
      LGPD: Not addressed
  • 16. Compliance Requirements (Element: GDPR / CCPA / LGPD)
    Identity verification
      GDPR: May refuse to act if not able to identify; May verify identity if reasonable doubt exists
      CCPA: Verifiable request required, but time to verify identity does not extend time to respond
      LGPD: Not addressed, but does have “express consent”
    Timeframe to respond
      GDPR: Without undue delay and in any event within one month
      CCPA: 45 days
      LGPD: Confirmation & access 15 days if not simple, all other immediately
    Extension of response time
      GDPR: Two-month extension where necessary for complexity and # of requests; inform within first month with reason for delay
      CCPA: 45 days extension if inform consumer during first 45 days
      LGPD: Not addressed
    Charge
      GDPR: Free unless manifestly unfounded or excessive - then reasonable fee
      CCPA: Free except for multiple copies - then administrative costs.
      LGPD: Free
    Training for processing requests
      GDPR: DPO advises on obligations and monitors compliance, including awareness-raising and training
      CCPA: All individuals responsible for handling inquiries must be trained.
      LGPD: DPO orients employees and contractors regarding practices to be taken in relation to personal data protection
  • 17. Recommended Practices
  • 18. Poll Question: How many individual rights requests do you receive in total (that require some level of management)?
    1. less than 10 a month
    2. between 11 - 100 a month
    3. between 101 - 500 a month
    4. between 501 - 999 a month
    5. more than 1,000 a month
  • 19. Key Individual Right: The Right to Access
    GDPR Article 15: Allows various methods, includes confirmation data is processed
    ● Exception: Aside from the uniform exception for manifestly unfounded or excessive requests, the right to access should only be limited to the extent it adversely affects the rights and freedoms of others.
    CCPA Section 1798.100: Right to know
    ● Exception: The CCPA regulations make an exception for disclosure where there is a conflict with state or federal law, and prohibit businesses from disclosing certain data elements like government-issued identification numbers, financial account numbers, account passwords, security questions and answers, health insurance or medical ID numbers, and unique biometric information.
    LGPD Article 18, II: Right to Access
    ● Exception: The LGPD does not provide a list of exceptions to the right to access, but does state that access should be provided taking into consideration trade and commercial secrecy. The LGPD also does not apply to data processed exclusively for purposes of: a) public safety; b) national defense; c) state security; or d) activities of investigation and prosecution of criminal offenses.
  • 20. Practical Example: The Right to Access
    ● Request for video from inside a store (or an employer's premises) to identify who may have stolen something or taken a particular action. What about video from a parking lot? (A crime seems a logical reason, but what about someone leaving a note?)
  • 21. GDPR: Key Individual Right: The Right to Erasure (‘Right to be Forgotten’)
    Eligible only if:
    ● personal data are no longer necessary for purposes they were collected or otherwise processed;
    ● DS withdraws consent and where there is no other legal ground for the processing;
    ● DS objects to processing (marketing, public interest) and no overriding legitimate grounds exist;
    ● the personal data have been unlawfully processed;
    ● the personal data have to be erased for compliance with a legal obligation; or
    ● the personal data have been collected in relation to the offer of information society services
    Exceptions:
    ● exercising the right of freedom of expression and information;
    ● compliance with a legal obligation by law, public interest or official authority task;
    ● public interest in the area of public health;
    ● archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
    ● establishment, exercise or defence of legal claims
  • 22. CCPA: Key Individual Right: The Right to Erasure
    Exception: Businesses may decline to delete a customer’s personal information when a business requires the personal information at issue in order to:
    ■ Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
    ■ Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
    ■ Debug to identify and repair errors that impair existing intended functionality.
    ■ Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
    ■ Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
    ■ Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
  • 23. LGPD: Key Individual Right: The Right to Erasure
    Article 8 VI: deletion of personal data processed with the consent of the data subject, except in the situations provided in Article 16 (Termination of Data Processing) or unnecessary or excessive data
    Exceptions: Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, unless retention is authorized for the following purposes:
    ● compliance with a legal or regulatory obligation by the controller;
    ● study by a research entity, ensuring, whenever possible, the anonymization of the personal data;
    ● transfer to third parties provided that the requirements for data processing as provided in this Law are obeyed; or
    ● exclusive use of the controller, with prohibited access by third parties and provided the data has been anonymized.
    And keep in mind, LGPD does not apply to data processed exclusively for purposes of: a) public safety; b) national defense; c) state security; or d) activities of investigation and prosecution of criminal offenses (Article 4)
  • 24. Practical Example: The Right to Erasure (‘Right to be Forgotten’)
    Common examples we have seen:
    ● Drug screens
    ● Prior applications for jobs
    ● Annual reviews
    ● Social media posts
    ● Internet search history
    ● Movie rental history
    ● Hotel stays
    ● Visits to restaurants
    ● Church records
    ● Grades / school records
  • 25. Key Individual Right: The Right to Restriction of Processing
    GDPR Article 18: Individuals may, in certain circumstances, have their personal data excluded from processing. This right prevents the personal data from being used for most processing purposes, other than simply storing the data (with exceptions). Once the processing has ceased, the controller must notify an individual before processing resumes. Data subjects may request and obtain cessation of processing (Article 18(1)).
    ● Exception: If processing has been restricted, it may only be processed with “the data subject’s consent, or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another person”.
    CCPA Section: The CCPA does not have an analogous right.
    LGPD Article 18 IV and IX: Blocking and also revocation of consent as provided in §5 of Article 8 of this Law. §2 The data subject may oppose the processing carried out based on one of the situations of waiver of consent, if there is noncompliance with the provisions of this Law.
  • 26. Practical Example: The Right to Restriction of Processing (and Blocking)
    ● A request for deletion is denied, and the individual requests restriction of processing while awaiting resolution
  • 27. Key Individual Right: The Right to Data Portability
    GDPR Article 20: The right to data portability is under the GDPR. This right supports the free flow of information, provides user control and empowerment, and fosters competition and development of new services.
    ● Exception: This right does not apply to processing necessary data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right is also limited if it adversely affects the rights and freedoms of others.
    CCPA: This right is included in the right to access in section 1798.100(d) and simply requires that if the data is "provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance".
    LGPD: Article 18, V, provides portability of the data to another service or product provider, by means of an express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling agency. In addition, Article 11 prohibits sharing sensitive data between controllers to obtain an economic advantage, except portability consented by the data subject. Also, anonymized data is exempted.
  • 28. Practical Examples: The Right to Data Portability
    ● Porting contracts from one contract manager solution to another
    ● Books from reading services or movies from providers?
    ● Medical records
    Notes:
    ● GDPR Recital 68: “The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible.”
    ● LGPD - commercial secrecy
  • 29. Steps to Comply
    ● Ensure understanding of what data you collect, the collection process, and where it resides.
    ● Establish a process to intake individual rights requests that is easy for the individual, and ensure this process is well-communicated throughout the organization. A request may come in from many routes and the person receiving that request needs to understand that a request is being made. Individuals typically won’t understand or use the exact verbiage in the law.
    ● Validate the individual's identity.
    ● Once the request is validated, have a process to review it, evaluate the data referenced, the reasons for processing the data, and evaluate any exceptions.
    ● Have a response process.
    ● Put in place an appeals process for denied requests.
    ● Retain documentation throughout the process.
  • 30. Best Practice Tips
    ● Incorporate these rights into your privacy program and ensure there is an established process from beginning to end.
    ● Take your data inventory and data processing records a step further to envision requests made for that data.
    ● Work with your vendors to ensure that these rights can be honored on their side and get documentation to validate that ability.
    ● Be helpful. This is not an adversarial process. These are rights provided to individuals to protect their freedoms and right to privacy.
  • 32. Case Study
    Ann worked at a large grocery store chain (Food-n-More, HQ in California) and was also both a customer and a rewards member. She was honored to be profiled in their public blog as the employee of the month. Food-n-More provided great benefits, including tuition reimbursement. After she resigned to attend college full-time in Arizona, she worked for them during seasonal busy times, such as Christmas.
    Ann used Food-n-More’s online individual rights form to request access to her information. She received a response back that they determined the only information they have on her is her email subscription. Ann contacted the email this response came from stating that she was a past employee and in fact, still worked for them seasonally. No response.
    Ann looked up the contact information online and called the number listed. It went to the general answering service. She explained the purpose of her call and was routed to the HR hotline. She left a message, but also called a number listed for customer service. She explained what she wanted and the person asked her to hold. After coming back on, the person routed her to a voicemail that instructed her to leave details for her inquiry.
    After multiple back-and-forth communications with both HR and the privacy department over about 4 months, Ann finally received information on her employment dates, role, pay rate, and that she could request benefit information for her FT employment.
    *This fictitious case study was written to highlight the best practice tips.
  • 33. Case Study Continued
    What went wrong here? The company did not:
    ● Provide an inclusive response
    ● Have a process to clarify responses
    ● Train all people who manage responses
    ● Have a process to receive or evaluate requests within the required timeframes
    ● Have a plan for communication or response in a timely fashion
    What went right? The company did:
    ● Have an individual rights form
    ● Have someone in privacy
    ● Provide information….
    If the company had an Individual Rights program in place, the process could have been smoother. Efficiently managing numerous requests per month can be further enhanced through a technology solution designed to automate and streamline request processing.
  • 34. Automate the data subject request lifecycle
    TrustArc Individual Rights Manager enables organizations to efficiently and securely respond to data subject requests at scale. With the ability to configure and automate workflows, combined with our unique privacy intelligence solution, organizations can meet global regulatory requirements, reduce cost, and build customer trust.
    ● Confidently Maintain Global Compliance: Receive contextualized up-to-date regulatory guidance to ensure workflows are always aligned with the latest privacy regulations
    ● Tailor Workflows to Meet Every Need: Address business requirements by customizing automated workflows to streamline end-to-end request fulfillment
    ● Streamline Verification Process: Configure identity verification workflows based on regulatory requirements by leveraging our suite of validation approaches and integrated partner solutions
    ● Deliver a Branded Experience: Create an on-brand privacy experience through customizable intake forms, landing pages, and email templates
  • 35. Questions?
  • 36. Upcoming Webinars
    ● Schrems II: Practical Considerations from a Legal Process and Technology Perspective, October 27, 2020 @ 9:00 PST
    ● How to Manage Vendors and Third Parties to Minimize Privacy Risk, October 28, 2020 @ 9:00 PST
    ● Post 'Schrems II': Examining Your Options and How to Action the Ruling, October 29, 2020 @ 9:00 PST
  • 37. Thank You! See http://www.trustarc.com/insightseries for the 2020 Privacy Insight Series and past webinar recordings. If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.