To watch the full on-demand webinar recording accompanying these slides please visit: http://bit.ly/29pVCEX
As companies start to assess the dizzying array of tasks needed to comply with the GDPR it’s important to have a plan for compliance. This on-demand webinar will review the four steps that are key to getting your plans on track:
1. Assessing where you currently stand
2. Building internal engagement
3. Creating a prioritized plan
4. Identifying solutions for implementation
Bojana Bellamy, CIPP/E, President of the Centre for Information Policy Leadership (CIPL) will share insight into how companies are preparing their organizations for the new Regulation as well as current CIPL initiatives to ensure consistency in interpretation of the GDPR across industry, government and policymakers.
Register now to watch the on-demand webinar to understand how companies are starting to prepare, how to create a clear path to achieving GDPR compliance and options for helping you get it done: http://bit.ly/29pVCEX
Privacy Insight Series - truste.com/insightseries
Thank you for joining the webinar

• We will be starting a couple minutes after the hour
• This webinar will be recorded and the recording and slides sent out later today
• Please use the GotoWebinar control panel on the right hand side to submit any questions for the speakers
Today’s Speakers

Eleanor Treharne-Jones, CIPP/E, VP Consulting, TRUSTe (moderator)
Beth Sipula, Senior Privacy Consultant, TRUSTe
Bojana Bellamy, CIPP/E, President, Hunton & Williams Centre for Information Policy Leadership (CIPL)
The New EU Data Protection Regulation: A Catalyst for Sea Change for All?
Bojana Bellamy, CIPP/E
President, Hunton & Williams Centre for Information Policy Leadership (CIPL)
EU Data Protection Regulation at a Glance

Harmonisation and some progress
• Harmonised rules, but not fully (e.g. employee data, children data)
• One Stop Shop: Lead DPA for pan-European matters, in cooperation with other DPAs; Local DPA for local matters and redress for individuals
• Risk-based approach
• Some reduction of administrative burden (no national registration of processing or prior authorisation)
• BCR, seals and certifications
• Greater cooperation and consistency by DP regulators

Broader scope
• Obligations on both controller and processor
• Extraterritorial application to foreign controller and processor
• Wider definition of personal data and sensitive data; anonymous data and pseudonymisation
• Processing data of children under 16 requires parental consent

Increased obligations
• DP principles tightened (consent, transparency/notices)
• Profiling rules
• Privacy Impact Assessment
• Privacy by Design
• Breach notification - to DPAs and individuals
• Direct obligations and liability for processor
• Accountability - privacy program
• Internal record of processing
• DP Officer

Strengthened rights of individuals
• Right to erasure
• Data portability
• Right not to be subject to automated profiling / right to object

Increased enforcement, fines, liability
• Regulatory fines up to 4% of annual worldwide turnover
• Individual action
• Class action
• Criminal sanctions (in national laws)
• Larger role for European Data Protection Board (EDPB)
Accountability in GDPR – Privacy Programme

Controllers must:
• Be responsible for compliance with GDPR
• Implement appropriate and effective technical and organisational measures to comply with the GDPR
• Demonstrate compliance & effectiveness of the measures

Taking into account:
• The nature, scope, context, and purposes of the data processing
• The risk for individuals - physical, moral, material damages
Privacy Management Programme – Universal Elements

Accountability, Effective Compliance and Protection for Individuals, built on:
• Leadership and oversight
• Risk assessment
• Policies and Procedures
• Privacy by Design
• Transparency
• Training and awareness
• Monitoring and verification
• Response and enforcement
Accountability Measures Under GDPR

• Internal privacy policies and procedures - compliance rules for DP principles and individual rights
• Security policies
• External transparency measures
• Measures to implement Privacy by Design/Default
• Maintaining internal records of processing
• Keeping documentation and evidence - consent, legitimate interest, notices, PIA, processing agreements, breach response
• Conducting Privacy Impact Assessments - for high risk processing
• Processor choice and management
• Documenting and notifying personal data breaches - to the DPA and individuals
• Maintaining transfer mechanisms for global data transfers
• Appointing a DP Officer, with independent status, protected employment and statutory responsibilities
• Co-operating with DPAs, on request
Demonstrating Accountability under GDPR

Accountability can be demonstrated via:
• BCR
• Approved Codes of Conduct
• Approved certifications
• Seals?
• Other accountability frameworks – e.g. ISO Cloud Privacy and Security Standard? CBPR?
Game Changer or Business as Usual?

• DP Program – Corporate Digital Responsibility: DPO led, documented, risk-based, verified, demonstrated
• Data transfers strategy
• Big Data enablement
• DPIA Process
• Privacy Engineers
• Vendor management
• Breach management
• Relationship with DPAs
• Legal uncertainty and disputes management
Systematic Changes Ahead for Organisations

• Greater need for managing external engagement and relationships (DPAs, EDPB, individuals, media, privacy advocates)
• DP Officer (DPO) becomes a more strategic, senior and multi-skilled role
• Holistic and joined-up approach between CIO, CISO, CDO, CMO, CPO, Legal and communications / media relations
• DP becomes high-profile and board-level issue – higher enterprise risk; larger business, legal and compliance impact; security breach notification and management
• DP becomes a business issue - wide impact on company’s globalisation, digital transformation and data strategy
• GDPR Implementation - company-wide change management program required
WP29 Project Work Plan 2016

WP 29 Guidance on:
• Risk
• DPO
• Data Portability
• Certifications
• Main Establishment, Consistency Procedure, Governance and working of EDPB
Some examples of further rules and implementation

Member States
• Age of children (13-16)
• Rules for health, genetic, criminal convictions
• Rules to authorise profiling / automated decision taking
• Restrictions to rights / breach notifications
• Responsibility of joint controllers
• DPO appointment
• Employee data
• Statistical, scientific, historical purposes
• National ID numbers

Commission
• Icons and standardised privacy policies
• Technical standards for certifications / seals

EDPB / DPAs
• Standard processing contracts
• List of high risk processing
• Conditions for profiling
• High risk re data breaches
Key Themes and Takeaways from CIPL GDPR Project Workshop I Report (1)

• Open engagement between industry, regulators, Member States and the Commission is essential for consistent implementation and interpretation of the GDPR.
• The successful GDPR implementation will require (1) taking into account the aims of the European Digital Single Market, (2) “future-proof” and technologically neutral interpretation and implementation guidance, (3) EU-wide harmonisation, and (4) consideration of other overlapping EU laws.
• “Accountability” is central to the GDPR (for both controllers and processors) and must be coherently understood and actively incentivised by the regulators.
• “Smart regulation” may enable European DPAs to discharge their GDPR roles more effectively and tackle the significant changes in their role, powers and national and pan-European operations.
• The DPO is a cornerstone of organisational accountability, and it is essential to clarify the functional and organisational aspects of the DPO role to ensure its effectiveness.
Key Themes and Takeaways from CIPL GDPR Project Workshop I Report (2)

• The understanding of “risk” and “high risk” must be harmonized, and effective risk assessment methodologies that consider both the risks and the benefits of processing must be developed and agreed, without determining the definitive list of high risk processing.
• Codes of conduct, certifications, seals and BCR can be effective compliance and accountability tools; they must work at the “programmatic” level rather than at the product level only and be incentivised by the relevant authorities.
• Implementing the right to data portability raises various problems, such as the interactions between data portability and other legal areas.
• Transparency to individuals is the other side of organisational accountability – the implementation of transparency requirements should minimise any tension between effective transparency and detailed legal notice requirements; industry queried whether icons are suitable and should be imposed top-down by the Commission.
• The GDPR will raise specific challenges for start-ups and SMEs that need to be addressed, for example, by involving these organisations in the stakeholder engagement process and leveraging the tools and processes of larger organisations.
GDPR: Your Path to Compliance
Beth Sipula, Senior Privacy Consultant, TRUSTe
Your Path to GDPR Compliance

TRUSTe has developed a four-step process designed to provide you with a path to achieving GDPR compliance. This multi-step program provides both guidance on what to do and options for how TRUSTe can help.

1. Assess Readiness: Are you impacted? Where do you stand?
2. Build Consensus: What do I need to do to secure stakeholder commitment and resources for execution?
3. Develop Plan: How do I build a plan that’s prioritized based on risks?
4. Implement Programs: How do I efficiently implement all of the modules required in the GDPR program?
Step 1: Assess Readiness

Are you impacted?
• Do you “offer goods or services to EU residents”?
• Do you “monitor the behavior of EU residents”?
• Are you a “Data Processor” of EU resident personal data (any information relating to an identified or identifiable natural person)?

Where do you stand?
• Use a controls checklist, build one yourself, or leverage the TRUSTe GDPR Readiness Assessment that guides you through core GDPR requirements:
✓ Transparency (i.e., Privacy Policy)
✓ Collection & Purpose Limitation
✓ Consent
✓ Data Quality
✓ Privacy Program Management
✓ Security in the Context of Privacy
✓ Data Breach Readiness & Response
✓ Individual Rights & Remedies
Step 2: Build Consensus

What do I need to do to secure stakeholder commitment and resources for execution?

Gather relevant info to present to others
• Overview of the GDPR and its impact
• Best practice frameworks / industry benchmarks
• Scoreboard of where the company currently stands
• Review of the company’s current gaps and risks
• Summary of what it would take to close the gaps
• Rough time and cost analysis of the work required

Facilitate internal kickoff and on-going planning sessions with relevant stakeholders across the organization. Goals:
• Formalize GDPR response team structure / roles / responsibilities
• Agree on short, medium and long-term goals
• Set measurable objectives with success criteria, key milestones
• Secure commitment to, and budget for, the GDPR program
Step 3: Develop Plan

How do I build a plan that’s prioritized based on risks?

Conduct a data flow analysis to add to the initial gap analysis, covering each stage of the data lifecycle: Data Collection, Storage, Processing, Resources Involved, Retention / Deletion.
• Map personal data flows across the business at each stage
• Take into account broader definition of “personal data” (“any information concerning an identified or identifiable natural person”, e.g., geo, IP addresses)
• Resources include all internal systems, 3rd party service providers, and cloud providers
• For new products – review requirements, database schemas, third party integration agreements
• For M&A situations - include data flow analysis for all new entities
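The following is an added example, not code from the slides or from TRUSTe or CIPL. It turns the data flow analysis described above into a repeatable check: each row of a (constructed) inventory records which data elements a system holds at one lifecycle stage, where the system sits, who operates it and how long data is kept; the check then flags the gaps the slides call out (special-category data needing a PIA, transfers outside the EU without a transfer mechanism, third-party processors without an agreement, missing retention periods, and IP/geolocation data that is personal data under the wider definition) and orders them by risk for the remediation plan. The system names, the element categories, the locations treated as needing no transfer mechanism and the severity ranking are all assumptions made for the example.

```python
"""Gap check over a personal-data flow inventory (illustrative only)."""
from dataclasses import dataclass
from typing import List, Optional, Set

# Identifiers counted as personal data under the GDPR's broader definition;
# the slide singles out geolocation and IP addresses (assumed categories).
PERSONAL_ELEMENTS = {"name", "email", "customer_id", "device_id",
                     "ip_address", "geolocation"}
# Special-category data: processing is "high risk" and needs a PIA (assumed set).
SENSITIVE_ELEMENTS = {"health", "genetic", "criminal_convictions", "biometric"}
# Locations assumed, for this example, to need no separate transfer mechanism.
NO_TRANSFER_MECHANISM_NEEDED = {"EU", "EEA"}
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass
class DataFlow:
    """One inventory row: where a set of data elements sits at one lifecycle stage."""
    system: str                      # internal system, 3rd-party or cloud provider
    operator: str                    # "internal" or "processor"
    stage: str                       # collection | storage | processing | retention
    elements: Set[str]
    location: str                    # country/region where the data is held
    retention_days: Optional[int]    # None = no retention period defined
    transfer_mechanism: Optional[str] = None   # e.g. "BCR", "SCC", "Privacy Shield"
    processing_agreement: bool = False         # signed processor contract in place
    subject_is_child: bool = False


@dataclass
class Finding:
    system: str
    severity: str
    issue: str


def assess(flow: DataFlow) -> List[Finding]:
    """Return the GDPR-relevant gaps for one flow (empty if it holds no personal data)."""
    findings: List[Finding] = []
    if not flow.elements & (PERSONAL_ELEMENTS | SENSITIVE_ELEMENTS):
        return findings  # out of scope: no personal data in this flow
    if flow.elements & SENSITIVE_ELEMENTS:
        findings.append(Finding(flow.system, "high",
                                "special-category data: conduct a PIA before processing"))
    if flow.subject_is_child:
        findings.append(Finding(flow.system, "high",
                                "data of children: parental consent required"))
    if (flow.location not in NO_TRANSFER_MECHANISM_NEEDED
            and not flow.transfer_mechanism):
        findings.append(Finding(flow.system, "high",
                                f"transfer to {flow.location} without a transfer mechanism"))
    if flow.operator == "processor" and not flow.processing_agreement:
        findings.append(Finding(flow.system, "medium",
                                "third-party processor without a processing agreement"))
    if flow.retention_days is None:
        findings.append(Finding(flow.system, "medium",
                                "no retention period defined for personal data"))
    if flow.elements & {"ip_address", "geolocation"}:
        findings.append(Finding(flow.system, "low",
                                "IP/geolocation count as personal data: cover in notice and records"))
    return findings


def prioritised_plan(flows: List[DataFlow]) -> List[Finding]:
    """All findings across the inventory, highest severity first, then by system name."""
    findings = [f for flow in flows for f in assess(flow)]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.system))


# Constructed sample inventory; none of these are real systems.
SAMPLE_INVENTORY = [
    DataFlow("web-analytics-saas", "processor", "collection",
             {"ip_address", "geolocation", "device_id"}, "US",
             retention_days=400, processing_agreement=True),
    DataFlow("crm-db", "internal", "storage",
             {"name", "email", "customer_id"}, "EU", retention_days=None),
    DataFlow("wellness-app-backend", "processor", "processing",
             {"name", "health"}, "EU", retention_days=730),
    DataFlow("build-logs", "internal", "storage",
             {"commit_hash"}, "US", retention_days=None),
]

if __name__ == "__main__":
    for finding in prioritised_plan(SAMPLE_INVENTORY):
        print(f"[{finding.severity:6}] {finding.system}: {finding.issue}")
```

Run as a script it prints the prioritised gap list; in practice the inventory would be loaded from the data-flow mapping spreadsheet or discovery tool output rather than hard-coded, and the element and location sets would be agreed with legal so that the check reflects the organisation's own classification.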
Step 3: Develop Plan
Build project timeline with commitment dates based on:
• Privacy team’s goals – short, mid, long-term
• Key milestones, e.g., 2018 GDPR enforcement start
• Budget and people resources available
• Remediation activities required from gap analysis
• Prioritized areas for “high risk” and longer implementation times
• Consider using the Privacy Shield to cover a large percentage quickly
Step 4: Implement Programs…

Triage … conduct PIAs & remediate “high risk” areas
• GDPR requires you to conduct PIAs for “high risk” activities and implement operational changes
• Most common “high risk” areas tend to center around new products that change the way the business uses / collects / stores personal data
• Put processes in place to conduct ongoing PIAs – templates, technology, training
• Maintain record to demonstrate compliance

Prioritize … implement components with “long timelines”
• Search for qualified DPOs
• New processes and tech capabilities to manage obligations around “Right to be Forgotten” and “Data Portability Rights”
• Security – revise information security policies & deploy training
• Data breach response plans – new 72 hour notification, “without undue delay” for breaches with potential for serious harm
Step 4: Implement Programs continued …

Demonstrate … build compliance audit trail and on-going PIA process
• Conduct Final GDPR Assessment to ensure all gaps are closed
• Leverage an assessment repository to house all past, present and future PIAs
• Keep detailed records of any processing performed on personal data
• Leverage template library for ongoing PIAs against the GDPR requirements along with any local or evolving requirements
• Have a Findings Report ready that shows that all GDPR requirements have been met
GDPR Readiness Assessment

Get visibility on where you stand with the IAPP GDPR Assessment Powered by TRUSTe
• A comprehensive online tool to help assess readiness to meet GDPR requirements
• Control questions mapped to GDPR requirements
• Real-time gap analysis and recommendations
• Remediation management
• Centralized, on-demand reporting
• Easy implementation (no software to install)
GDPR Priorities Assessment

Gap Assessment and Findings Report provides a “heat map” and prioritized GDPR remediation plan followed by an onsite review with Key Stakeholders to build consensus
• Summary of company’s current posture assessed against the GDPR and the desired position
• “Heat map” identifying areas of high, mid, low risk
• Level of effort assessment for all operational changes
• Plan organized in immediate, mid-term and long-term priorities to get GDPR program completed
• Onsite Review with Key Stakeholders to help build awareness, secure buy-in, and agreement on an initial program
• The half day on-site interactive sessions led by a TRUSTe Privacy Consultant and custom-tailored to your organization
Implementation Programs

TRUSTe has a suite of services that can help with all GDPR program implementation steps

Privacy Shield
Assessment / Certification against Privacy Shield requirements

Data Discovery & Classification
Building data flow visualizations to understand associated privacy risks

PIAs / Privacy Risk Assessments + PIA Program Development
Assess specifically identified “high risk” activities against the GDPR requirements, remediate and develop a sustainable PIA program going forward.

Consent Manager
Technology implementation on your digital properties to meet explicit and implied consent requirements, whether in the context of Cookie Consent or Data Processing

Ads Compliance Manager
Technology implementation on your digital properties to meet consent and choice requirements for Interest Based Advertising (IBA) and Profiling
Implementation Programs
Assessment Manager & AM Managed Service
For companies that have robust in-house privacy assessment operations and want to further optimize, implement our SaaS-based Assessment Manager platform
• Quickly streamline your privacy assessment process
• Get a dashboard view of progress at the tactical level
• Get an enterprise view of risk and mitigation at the Board-level
Contacts

Bojana Bellamy bbellamy@hunton.com
Beth Sipula bsipula@truste.com
Eleanor Treharne-Jones eleanor@truste.com
Thank You!

Our 2016 Summer/Fall Webinar Series will be launched today. Look out for details and register for our next webinar on July 21, “Validating Vendor Assessments – Preparing for Privacy Shield”.
See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.