Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
1
vPrivacy Insight Series - truste.com/insightseries
v
Preparing for the GDPR – the
Compliance Countdown Begins
April 14, ...
2
vPrivacy Insight Series - truste.com/insightseries
Today’s Speakers
Barbara Mangan Sondag,
Privacy Counsel, North
Americ...
3
vPrivacy Insight Series - truste.com/insightseries
v
The GDPR – Story so Far
Ralph T O’Brien, Principal Consultant EU, T...
4
vPrivacy Insight Series - truste.com/insightseries
• GOAL: One single law for the EU
• Previous Directive of 1995 and na...
5
vPrivacy Insight Series - truste.com/insightseries
• Applicability now extra territorial
• Based on “residency of indivi...
6
vPrivacy Insight Series - truste.com/insightseries
• Political agreement reached between Council and Parliament
December...
7
vPrivacy Insight Series - truste.com/insightseries
Privacy under the EU Model
Data Protection Authority
(supervising aut...
8
vPrivacy Insight Series - truste.com/insightseries
•Access to data
•Remedy from supervisory
body/court
•Compensation for...
9
vPrivacy Insight Series - truste.com/insightseries
• Lawful basis
• Fair processing
• Specify Purposes
• (Limitation)
• ...
10
vPrivacy Insight Series - truste.com/insightseries
• National Laws may set up additional penalties (enforced
audit, rep...
11
vPrivacy Insight Series - truste.com/insightseries
Fines
Up to 10m EUR or
2% world annual
turnover of last FY
Up to 20m...
12
vPrivacy Insight Series - truste.com/insightseries
•How prepared is your organization with the European Union's
upcomin...
13
vPrivacy Insight Series - truste.com/insightseries
v
Paul Lanois
Legal Counsel, Cross-border Legal, Credit Suisse
GDPR:...
14
vPrivacy Insight Series - truste.com/insightseries
Scope
The scope of application of the GDPR is broader than the EU cu...
15
vPrivacy Insight Series - truste.com/insightseries
Start building awareness now
Change is coming… and your staff needs ...
16
vPrivacy Insight Series - truste.com/insightseries
How to raise awareness
o This is a big and serious change from the c...
17
vPrivacy Insight Series - truste.com/insightseries
Some less known points to consider
• With the GDPR, additional point...
18
vPrivacy Insight Series - truste.com/insightseries
v
Barbara Mangan Sondag,
Privacy Counsel, North America, eBay
GDPR: ...
19
vPrivacy Insight Series - truste.com/insightseries
Privacy Impact Assessments (PIAs) at a glance
Privacy Impact Assessm...
20
vPrivacy Insight Series - truste.com/insightseries
Privacy Impact Assessments (PIAs) at a glance
Benefits of PIAs:
• de...
21
vPrivacy Insight Series - truste.com/insightseries
GDPR Requirements
Applicable GDPR Text Obligations
Data Protection I...
22
vPrivacy Insight Series - truste.com/insightseries
GDPR Requirements
Implementation Considerations
Evaluate existing PI...
23
vPrivacy Insight Series - truste.com/insightseries
Practical Points for PIAs
• Build, implement and be able to document...
24
vPrivacy Insight Series - truste.com/insightseries
Practical Points for PIAs (2)
• Consider a bifurcated PIA process, w...
25
vPrivacy Insight Series - truste.com/insightseries
Case Study: eBay Vendor Assessments
• Global Privacy partnered with ...
26
vPrivacy Insight Series - truste.com/insightseries
Sample
27
vPrivacy Insight Series - truste.com/insightseries
v
Questions?
28
vPrivacy Insight Series - truste.com/insightseries
v
Ralph T O’Brien robrien@truste.com
Barbara Mangan Sondag bmangan@e...
29
vPrivacy Insight Series - truste.com/insightseries
v
Don’t miss the next webinar in the Series – “Global Privacy Enforc...
Upcoming SlideShare
Loading in …5
×

[GDPR Webinar Slides] Preparing for the GDPR - the Compliance Countdown Begins

9,577 views

Published on

To watch the full on-demand webinar recording please visit: https://info.truste.com/WB-2016-04-14-Insight-Series-Preparing-for-the-GDPR---the-Compliance-Countdown-Begins_RegPage-OnDemand.html

The introduction of the European General Data Protection Regulation (GDPR) has been heralded as the most significant change in global privacy regulations for the last 20 years. But now the talking is over and the legislation is agreed, the compliance countdown begins. What does this mean for your business? Where should you start?

This webinar will review the final text of the GDPR and explain the key things you need to know to comply including:
• EU-wide data breach notification requirements
• New responsibilities for data processors
• Compulsory PIAs for certain types of processing
• Difference between GDPR & new Privacy Shield

Register to watch the On-Demand Webinar now to get a clear roadmap for GDPR compliance within your organization! Please visit: https://info.truste.com/WB-2016-04-14-Insight-Series-Preparing-for-the-GDPR---the-Compliance-Countdown-Begins_RegPage-OnDemand.html

Published in: Technology
  • I also like the www.HelpWriting.net site. They helped me
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • I also like the www.HelpWriting.net site. They helped me
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD THE BOOK INTO AVAILABLE FORMAT (New Update) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { https://redirect.is/fyxsb0u } ......................................................................................................................... Download Full EPUB Ebook here { https://redirect.is/fyxsb0u } ......................................................................................................................... Download Full doc Ebook here { https://redirect.is/fyxsb0u } ......................................................................................................................... Download PDF EBOOK here { https://redirect.is/fyxsb0u } ......................................................................................................................... Download EPUB Ebook here { https://redirect.is/fyxsb0u } ......................................................................................................................... Download doc Ebook here { https://redirect.is/fyxsb0u } ......................................................................................................................... ......................................................................................................................... ................................................................................................................................... eBook is an electronic version of a traditional print book THE can be read by using a personal computer or by using an eBook reader. (An eBook reader can be a software application for use on a computer such as Microsoft's free Reader application, or a book-sized computer THE is used solely as a reading device such as Nuvomedia's Rocket eBook.) Users can purchase an eBook on diskette or CD, but the most popular method of getting an eBook is to purchase a downloadable file of the eBook (or other reading material) from a Web site (such as Barnes and Noble) to be read from the user's computer or reading device. Generally, an eBook can be downloaded in five minutes or less ......................................................................................................................... .............. Browse by Genre Available eBOOK .............................................................................................................................. Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, CookBOOK, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult, Crime, EBOOK, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, ......................................................................................................................... ......................................................................................................................... .....BEST SELLER FOR EBOOK RECOMMEND............................................................. ......................................................................................................................... Blowout: Corrupted Democracy, Rogue State Russia, and the Richest, Most Destructive Industry on Earth,-- The Ride of a Lifetime: Lessons Learned from 15 Years as CEO of the Walt Disney Company,-- Call Sign Chaos: Learning to Lead,-- StrengthsFinder 2.0,-- Stillness Is the Key,-- She Said: Breaking the Sexual Harassment Story THE Helped Ignite a Movement,-- Atomic Habits: An Easy & Proven Way to Build Good Habits & Break Bad Ones,-- Everything Is Figureoutable,-- What It Takes: Lessons in the Pursuit of Excellence,-- Rich Dad Poor Dad: What the Rich Teach Their Kids About Money THE the Poor and Middle Class Do Not!,-- The Total Money Makeover: Classic Edition: A Proven Plan for Financial Fitness,-- Shut Up and Listen!: Hard Business Truths THE Will Help You Succeed, ......................................................................................................................... .........................................................................................................................
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • If we are speaking about saving time and money this site ⇒ www.HelpWriting.net ⇐ is going to be the best option!! I personally used lots of times and remain highly satisfied.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • I have always found it hard to meet the requirements of being a student. Ever since my years of high school, I really have no idea what professors are looking for to give good grades. After some google searching, I found this service ⇒ www.WritePaper.info ⇐ who helped me write my research paper. The final result was amazing, and I highly recommend ⇒ www.WritePaper.info ⇐ to anyone in the same mindset as me.
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

[GDPR Webinar Slides] Preparing for the GDPR - the Compliance Countdown Begins

  1. 1. 1 vPrivacy Insight Series - truste.com/insightseries v Preparing for the GDPR – the Compliance Countdown Begins April 14, 2016
  2. 2. 2 vPrivacy Insight Series - truste.com/insightseries Today’s Speakers Barbara Mangan Sondag, Privacy Counsel, North America, eBay Inc Paul Lanois Counsel, Cross-border Legal Credit Suisse Ralph T O’Brien, Principal Consultant EU, TRUSTe
  3. 3. 3 vPrivacy Insight Series - truste.com/insightseries v The GDPR – Story so Far Ralph T O’Brien, Principal Consultant EU, TRUSTe
  4. 4. 4 vPrivacy Insight Series - truste.com/insightseries • GOAL: One single law for the EU • Previous Directive of 1995 and national laws to be repealed • Member scope needs enabling legislation (with some ability to vary) • 50/99 articles have scope for variance. • Interpreted nationally by “supervisory authorities” • Consistency brought by a European Data Protection Board (EDPB) • Organizations have a lead authority… • …based on the organizations “main establishment” (EU HQ) Why and what is the GDPR?
  5. 5. 5 vPrivacy Insight Series - truste.com/insightseries • Applicability now extra territorial • Based on “residency of individuals in EU” • Offering goods or services • Monitoring of behavior (such as internet tracking and profiling) • Where the organization is processing personal data • Data that relates to an individual who can be identified from it (or other data you have) • Regardless of format (digital, paper, audio, video etc) • Doesn’t have to be names (ID by picture, IP addresses, devices IDs, Cookies etc) • Sets up Consistency Mechanisms and EDPB • Supports Codes of Conduct, Seals and Certifications as evidence of compliance Applicability
  6. 6. 6 vPrivacy Insight Series - truste.com/insightseries • Political agreement reached between Council and Parliament December 2015 • Final text 6 April 2016 from Technical drafting committees • The text of the regulation will be sent to the European Parliament where it will first be approved by the Civil Liberties, Justice and Home Affairs (LIBE) committee in an extraordinary session • It has been adopted in plenary on 14 April 2016 (Today!) • It will then be published in the Official Journal of the European Union (OJEU) • Exactly two years after the date of publication in the OJEU, the Regulation will enter into force (April/May 2018?) Timeline
  7. 7. 7 vPrivacy Insight Series - truste.com/insightseries Privacy under the EU Model Data Protection Authority (supervising authority, based on main establishment) Data Controller (organisations) Data Subject (individuals) Data Processor Third Countries Third Parties Duties Rights Disclosure? Inform? Security? Guarantees? Advisory and Enforcement European Data Protection Board (consistency mechanism) EU Courts National Courts Complain?
  8. 8. 8 vPrivacy Insight Series - truste.com/insightseries •Access to data •Remedy from supervisory body/court •Compensation for Damage •Compensation for Distress •Rectification (NEW) •Objection –Absolute for direct marketing •Erasure (NEW) •Data Portability (NEW) •Restrict processing (put on hold) •Automated decisions and profiling Increased Individual Rights Increased Obligations •Consent harder to obtain/prove •Privacy notices more detailed/clearer •Proactively Demonstrate Compliance •Breach Notification (72 hours) -To individual and regulator •Appointment of Data Protection Officer (250+, or high risk processing) •Privacy by Design •Privacy Impact Assessments •More obligations for Processors (Joint Controllership) Key Requirements
  9. 9. 9 vPrivacy Insight Series - truste.com/insightseries • Lawful basis • Fair processing • Specify Purposes • (Limitation) • Adequate, relevant, not excessive • (Minimization) • Accuracy • Retention • Rights of Individuals • Appropriate Security • International Transfer adequacy Privacy Principles Remain consistent
  10. 10. 10 vPrivacy Insight Series - truste.com/insightseries • National Laws may set up additional penalties (enforced audit, reprimand, criminal sanctions) • Fines • Increased Consumer awareness • Increased activism • Courts now finding for individual more often (courts as activists) • Greater “visibility” of privacy in the media • Ethical business practices (“creepiness”) • Reputational harm • Decreased Consumer Trust Key Privacy Risks
  11. 11. 11 vPrivacy Insight Series - truste.com/insightseries Fines Up to 10m EUR or 2% world annual turnover of last FY Up to 20m EUR or 4% world annual turnover of last FY
  12. 12. 12 vPrivacy Insight Series - truste.com/insightseries •How prepared is your organization with the European Union's upcoming General Data Protection Regulation (the "GDPR")? 1. Sorry, GDPR? Any connection with the Gross Domestic Product? 2. We are already prepared, ready and waiting. Bring it on! 3. We have already begun work and expect to be in time. 4. We are not sure we will be ready by the deadline. 5. We have not started anything yet. POLL:
  13. 13. 13 vPrivacy Insight Series - truste.com/insightseries v Paul Lanois Legal Counsel, Cross-border Legal, Credit Suisse GDPR: what you can do now to prepare yourself Note: the views expressed are mine alone and do not necessarily reflect the views of my employer.
  14. 14. 14 vPrivacy Insight Series - truste.com/insightseries Scope The scope of application of the GDPR is broader than the EU current data protection regime: • Under the current regime, organizations are in scope if they are located within the EU or make use of (automated) equipment located within the EU. • With the GDPR, the legislation extends to all organizations offering goods or services to EU citizens, irrespective of whether connected to a payment and organizations that monitor (online) behavior of EU citizens, in so far as the behavior takes place in the EU. Even if your organization does not have any branches or processing equipment in the EU, it could still fall within the scope of the GDPR! Any entity holding or using European personal data will be impacted.
  15. 15. 15 vPrivacy Insight Series - truste.com/insightseries Start building awareness now Change is coming… and your staff needs to know about it sooner rather than later! But an implementation timeframe of 2 years is plenty of time, right? • French “Digital Republic” bill anticipating the GDPR. • Some obligations are new and will take time to implement, for example: o Subject access requests: Processes may need to be created to be able to respond to requests from individuals without undue delay and at the latest within one month. o Data Portability: GDPR gives individuals the right to receive their personal data in a structured, commonly-used and machine- readable format. Individuals may also request, where technically feasible, that the controller send the personal data to another controller. o Privacy by Design: embed privacy into the design specifications of technologies, business practices, and physical infrastructures.
  16. 16. 16 vPrivacy Insight Series - truste.com/insightseries How to raise awareness o This is a big and serious change from the current regime. o "Data protection will be the new anti-trust" - Giovanni Butarelli, European Data Protection Supervisor. Ensure that decision makers and key people in your organization are now aware that the law is changing so that they can start identifying the areas that will have the biggest impact on them. • Right to compensation: “Any person who has suffered material or non- material damage as a result of an infringement of the Regulation has the right to receive compensation for the damage suffered.” • Sanctions : fines can amount to EUR 20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
  17. 17. 17 vPrivacy Insight Series - truste.com/insightseries Some less known points to consider • With the GDPR, additional points must be covered in the privacy notice: for example, you will need to explain your legal basis for processing the data, your data retention periods and that individuals have a right to complain if they think there is a problem with the way you are handling their data. • Information must be provided “in a concise, transparent, intelligible and easily accessible form, using clear and plain language.” • Restrictions surrounding automated data processing and decisions based upon such processing (i.e. profiling). • Parental consent will be needed to process personal data of children under 16 (Member States may bring this down to 13).
  18. 18. 18 vPrivacy Insight Series - truste.com/insightseries v Barbara Mangan Sondag, Privacy Counsel, North America, eBay GDPR: Privacy Impact Assessments Note: the views expressed are mine alone and do not necessarily reflect the views of my employer.
  19. 19. 19 vPrivacy Insight Series - truste.com/insightseries Privacy Impact Assessments (PIAs) at a glance Privacy Impact Assessment a.k.a. Data Protection Impact Assessment (DPIA) • No definition in GDPR text • Regarded as a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimizing or eliminating that impact. • Plays an important role in the overall risk management and planning processes of a company PIAs can assist businesses with: • Describing how personal information flows in a project • Analyzing the possible impacts on individuals’ privacy • Identifying and recommending options for avoiding, minimizing or mitigating negative privacy impacts • Building privacy considerations into the design of a project • Achieving the project’s goals while minimizing the negative and enhancing the positive privacy impacts.
  20. 20. 20 vPrivacy Insight Series - truste.com/insightseries Privacy Impact Assessments (PIAs) at a glance Benefits of PIAs: • demonstrating that a project is compliant with privacy laws • reducing future costs in management time, legal expenses and potential negative publicity by considering privacy issues early in a project • identifying strategies to achieve the project’s goals without impacting on privacy • promoting awareness and understanding of privacy issues inside the organization or agency • contributing to broader organizational or agency risk management processes. Risks of not undertaking a PIA include: • non-compliance with the letter or the spirit of relevant privacy laws, potentially leading to a privacy breach and/or negative publicity • loss of credibility by the entity through lack of transparency in response to public concern about handling personal information • damage to an entity’s reputation if the project fails to meet expectations about how personal information will be protected • identification of privacy risks at a late stage in the project development or implementation, resulting in unnecessary costs or inadequate solutions.
  21. 21. 21 vPrivacy Insight Series - truste.com/insightseries GDPR Requirements Applicable GDPR Text Obligations Data Protection Impact Assessments (DPIAs) (Sect. 3, Art. 35) The supervisory authority shall establish and make public a list of the types of processing operations that require a DPIA. They may also establish and make public a list of the types of processing operations that do not require a DPIA. Lists shall be communicated to EUDPB. Penalty, Art. 83: Administrative fines up to 10,000,000 EUR, or in case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher DPIAs are required for any processing that may result in “high risk”, and for: • Systematic and extensive automated processing, including profiling, if the decisions produce legal effects or significantly affect the individual Example: Making predictions based on a person’s behavior, economic situation, health, location • Processing special categories of data (ie. genetic or biometric data) or criminal records on a large scale • Systematic monitoring of a publicly accessible area on a large scale • As indicated by the DPAs or EUDPB Each DPIA shall contain at least: • A systematic description of the processing operations and the purposes of the processing, including where applicable the legitimate interest of the controller • An assessment of the necessity and proportionality of the processing operations in relation to the purposes; • An assessment of the risks to the rights and freedoms of data subjects, and • The measures needed address the risks, including safeguards, security measures and mechanisms to demonstrate compliance
  22. 22. 22 vPrivacy Insight Series - truste.com/insightseries GDPR Requirements Implementation Considerations Evaluate existing PIA processes against PIA requirements, particularly events that may constitute high risk: • Conversion of records from paper-based to electronic form; • Conversion of information from anonymous to identifiable form; • System management changes involving significant new uses and/or application of new technologies; • Significant merging, matching or other manipulation of multiple databases containing personal data; • Incorporation into existing databases of personal data obtained from commercial or public sources; • Alteration of a business process resulting in significant new collection, use and/or disclosure of personal data • Consider risk definitions and evaluation criteria used within the business • A single DPIA may address a set of processing operations that present similar high risks. • Where appropriate, seek the views of data subjects on the intended processing. • Conduct audits to verify that processing is performed in compliance with the DPIA, at least when there is a change of the risk represented by the processing operations. • Where a DPIA indicates high risk: If the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.
  23. 23. 23 vPrivacy Insight Series - truste.com/insightseries Practical Points for PIAs • Build, implement and be able to document a robust PIA process • Your company’s core business drivers influences the content of a PIA (for example, eBay’s PIA would likely look very different from American Express’ PIA because of the products/services they offer). • A single assessment may involve many people in multiple geographies. It can cross various business units and be reviewed by several internal and external stakeholders. • Systematically evaluate how personally identifiable information is collected, used, shared and maintained by your organization in the context of business change • What areas of your program should you address? At what level? Privacy Notice? Large-scale strategic projects? Individual use cases?
  24. 24. 24 vPrivacy Insight Series - truste.com/insightseries Practical Points for PIAs (2) • Consider a bifurcated PIA process, with traditional PIAs for all projects and EU DPIAs for projects that trigger these rules • Documentation requirements may impose a burden on development teams using agile and similar methods – additional resources may have to be added to manage recordkeeping • Consider advantages and risks of maintaining DPIA records with records of processing activities required by Art. 30. • Where possible, automate parts of the PIA, standardize reviews, and obtain metrics on PIAs. • Your Information Security Team is a great partner! • PIAs should be an integral part of the project planning process, not an afterthought.
  25. 25. 25 vPrivacy Insight Series - truste.com/insightseries Case Study: eBay Vendor Assessments • Global Privacy partnered with Information Security team to build out a ticketing system for vendor security assessments • Security + Privacy questions to comprehensively assess risk • Share body of knowledge in one system; align resources between teams; quickly prompt the preparation of the right type of Data Protection Requirements Addendum (DPRA) • Business notified of if further information required • Executed DPRA attached to ticket for future reference • Save time for Business, Legal, Privacy and Information Security  One time ticket completion, Business can communicate project details to InfoSec and Privacy simultaneously.  Everyone wins – save time for future lookup  The project details and assessment are documented in ticketing system, not in emails.
  26. 26. 26 vPrivacy Insight Series - truste.com/insightseries Sample
  27. 27. 27 vPrivacy Insight Series - truste.com/insightseries v Questions?
  28. 28. 28 vPrivacy Insight Series - truste.com/insightseries v Ralph T O’Brien robrien@truste.com Barbara Mangan Sondag bmangan@ebay.com Paul Lanois planois@alumni.law.upenn.edu Contacts
  29. 29. 29 vPrivacy Insight Series - truste.com/insightseries v Don’t miss the next webinar in the Series – “Global Privacy Enforcement Priorities” on May 19 featuring Chris Hoofnagle, Adjunct Full Professor, University of California, Berkeley See http://www.truste.com/insightseries for details of our 2016 Privacy Insight Series and past webinar recordings. Thank You!

×