Privacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016

Understanding new EU Guidance on DPIA/PIA requirements
November 10, 2016

Today’s Speakers
• Beth Sipula, Senior Privacy Consultant, TRUSTe
• Paul Iagnocco, Chief Privacy Officer, Kellogg

The GDPR and When to Use DPIAs/PIAs
Beth Sipula, Senior Privacy Consultant, TRUSTe

PIA definition
A privacy impact assessment (PIA) is a tool or process for identifying and assessing privacy risks throughout the development life cycle of a program or system.
- Information Commissioner's Office

Poll Question #1
Does your organization have a PIA process in place?
1. Yes
2. No

Frameworks and Jurisdictions
• Many countries and regions of the world have been using PIAs dating back to the mid-1990s
  – Papers published regarding PIAs often started in the private sector
• A handful of countries have the most presence; more countries are emerging in LATAM and APAC
• The GDPR has drawn a spotlight onto DPIAs and adopting a framework as part of compliance
• While there are differences in the methodologies, the goals are the same: to identify risks to privacy and determine ways of overcoming those risks
• DPIAs/PIAs are not “one size fits all”

Poll Question #2
How many PIAs will your organization complete in 2016?
1. Less than 10
2. 11-50
3. 51-100
4. 100+
5. I have no idea

GDPR Triggers for DPIAs/PIAs
DPIAs are required for any processing that may result in “high risk”, and for:
• Systematic and extensive automated processing, including profiling, if the decisions produce legal effects or significantly affect the individual
  Example: Making predictions based on a person’s behavior, credit decisions, economic situation, location
• Processing special categories of data (e.g. genetic or biometric data) or criminal records on a large scale
• Systematic monitoring of a publicly accessible area on a large scale
• As otherwise indicated by the DPAs or EUDPB
• GDPR requires you to conduct PIAs for “high risk” activities and implement operational changes
Note: Most common “high risk” areas tend to center around new products/systems that change the way the business uses / collects / stores personal data.

Triggers for when to use a DPIA/PIA
• Implementing a new system in your organization;
• Launching a new product or service;
• Providing a new third-party provider with access to PI;
• Conversion of records from paper-based to electronic form;
• Conversion of information from anonymous to identifiable form;
• System management changes involving significant new uses and/or application of new technologies;
• Significant merging, matching or other manipulation of multiple databases containing personal data;
• Incorporation into existing databases of personal data obtained from commercial or public sources;
• Alteration of a business process resulting in significant new collection, use and/or disclosure of personal data.

Recommendations for Success
• Assign clearly defined roles for all stages
• Having an Executive “Champion” or Sponsor is critical
• PIAs need to be simple, repeatable, concise, and they need to map to the GDPR requirements
• One size does not fit all – consider the level of risk
  – Also consider a bifurcated PIA process, with traditional PIAs for all projects and EU DPIAs for projects that trigger EU DP rules
• Build a robust process with scalability in mind
  – Consider the system you are using and what it’ll take to make the process more efficient and to automate it
• Monitor – the Article 29 Working Party will be releasing guidance for controllers and processors on high-risk assessments by end of 2016

Operationalizing a PIA Solution within the Enterprise
Paul Iagnocco, Chief Privacy Officer, Kellogg

Privacy Overview at Kellogg
Global Privacy Office established in August 2015

4 Strategic Pillars:
• Build a Global Capability
• Ensure Compliance & Education
• Champion Privacy Advocacy
• Unlock Data Use

Types of Data Held:
• Employee (PII, PFI, PHI)
• Consumer (PII)

Reporting Line:
• A function within Global Legal & Compliance
• CPO reports directly to Chief Counsel (access to Global General Counsel & Vice Chair of Company)

Privacy Overview at Kellogg (continued)
Kellogg employs a decentralized business model in addressing data protection and privacy matters.

Global Privacy Office – defines the “what”:
• strategy
• training content
• business compliance
• standards and best practices
• common global tools
• privacy impact assessments (PIAs)
• requests and complaints
• data breach management
• liaison with regulators

Regional/Local Business Functions – determine the “how”:
• execute strategy
• conduct training
• execute compliance
• implement standards and best practices
• address PIA results

Supporting functions shown alongside both: Internal Audit, IT Security

Collaborative Approach Between Privacy & IT Security
Principles covered across the two functions: Notice, Choice, Use, Availability, Integrity, Access, Confidentiality

Privacy – Acquisition and Use of Data
Focus is on whether the Company is allowed to possess consumer or employee data and what we are allowed to do with it.

IT Security – Safeguards, Secured Storage and Proper Destruction of Data
Focus is on the protection of the data stored, processed, transmitted and destroyed.

5 Steps to Operationalizing PIAs
1. Know your key PIA stakeholders
2. Align on the role of a PIA
3. Design the PIA workflow
4. Build and implement the PIA solution
5. Refine and scale the PIA process

Know your key stakeholders
Objective:
Implementing anything new within an organization is challenging. People fear the uncertainty of change. You need to identify key stakeholders that see value in a PIA.
Recommendation:
Leverage these stakeholders to drive change within their function. These are your early adopters (evangelists).

Key Stakeholders | How would a PIA benefit their function?
Legal Counsel - Transactions | Provides intelligence to incorporate into MSA or SOW
Risk Management | Provides intelligence that may require change in risk policy
Procurement | Ensures that data protection and privacy are addressed
IT Security | Ensures that data protection and authorization are addressed
Human Resources | External data processors are vetted and deliver expected services for our employees
Marketing | External data processors are vetted and deliver expected services for our consumers
Internal Audit | Provides an audit trail
Outside Consultants | N/A

Align on the role of the PIA
Objective:
With your key stakeholders, determine what you want to solve for using a PIA.
Recommendation:
Start small and scale. It might be easier to start leveraging PIAs externally since you will likely have less resistance to change.

Common Components of a PIA | What are we assessing?
Internal Procedures and Policies | Overall program accountability
Data Collection | What data is collected?
Choice and Consent | How was the data collected?
Use, Retention and Disposal | What is the intended use, storage and purge of the collected data?
Disclosures to Third Parties | Are we sharing this data?
Access | Does the data subject have access?
Data Security | How is the data secured?

Design the PIA workflow
Objective:
Leveraging the PIA alignment gained in step 2, now design the PIA workflow.
Recommendation:
Again start small and scale. Look at how new data processes and vendor agreements/SOWs commence. Review existing workflows and determine the best means to intersect without being disruptive.

Where should a PIA be considered?
• Review of an existing vendor statement of work (SOW)
• New vendor set-up (MSA)
• Changes to internal data processing
• Significant IT infrastructure changes
• Mergers and acquisitions
• New product development (that engages data)
• Annual assessments
• To assess new regulations

New Vendor Set-up Workflow
1. Process starts in Contract Database
2. Privacy Threshold Questions Answered
3. PIA Published and Vendor Responds
4. Responses Reviewed by Legal and IT Security
5. Additional Follow-ups by Other Key Stakeholders
6. Changes negotiated in MSA
7. MSA Approved and Filed

Build and Implement the PIA Solution
Objective:
Identify what PIA solution needs to be built and eventually implemented.
Recommendation:
Review step 2 to ensure you are building a PIA solution that achieves your goal. Also, be mindful of the expected annual volume. Do NOT over-engineer. In addition, be sure to produce communication materials and a simple user guide to facilitate adoption beyond the key stakeholders. You MUST be prepared to Sell, Sell, Sell.

Simple PIA Solution
1. Build out content (questions and benchmarks)
2. Load spreadsheet – use macros to create “flags”
3. Develop email template with purpose, deadline, etc. along with spreadsheet
4. Publish to XYZ, collect responses
5. Review and analyze
6. Take necessary action
7. File

Complex PIA Solution
1. Conduct privacy threshold assessment
2. Add respondent to TRUSTe Assessment Manager
3. Select or customize PIA
4. Publish to XYZ, collect responses
5. Centrally review and analyze
6. Assign necessary follow-up action
7. Archive and set calendar to automatically re-send in 12 months

Refine and scale the PIA Solution
Objective:
Identify what’s working and what’s not working and refine the solution accordingly. What other areas (identified in Step 3) should we scale this PIA solution to address?
Recommendation:
Identify a means to gather ongoing feedback on how to improve the solution. Always look for opportunities to further embed the PIA into normal business operations. As you expand, follow the process – Step and Repeat.

Potential Refinements
• Customized PIA questions based on specific target audience (e.g., EU data processors)
• Implement for additional business scenarios (e.g., internal infrastructure or data processing changes)
• New PIA questions to assess internal or external compliance with new regulation (e.g., EU GDPR)
• Provide additional access to responses and analysis
• Add new functions to overall process
• Expand user guides to reflect changes
• Expand communication plan – Sell, Sell, Sell

Summary
1. Cultivate evangelists for the PIA solution
2. Define value of the PIA solution
3. Align on initial PIA solution goals
4. Start small – scale later
5. Look for new opportunities
6. Listen to feedback
7. Keep it simple
8. Over communicate
Be sure to commit and start somewhere.

Questions?

Contacts
Beth Sipula bsipula@truste.com
Paul Iagnocco paul.iagnocco@kellogg.com

Register now for the final webinar in our 2016 Summer/Fall Webinar Series on December 8: “Metrics for Success: Quantifying the Value of the Privacy Function”
See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.
Thank You!
More Related Content

More from TrustArc

Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...TrustArc
 
Nymity Framework: Privacy & Data Protection Update in 7 States
Nymity Framework: Privacy & Data Protection Update in 7 StatesNymity Framework: Privacy & Data Protection Update in 7 States
Nymity Framework: Privacy & Data Protection Update in 7 StatesTrustArc
 
CBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy ComplianceCBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy ComplianceTrustArc
 
Everything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdfEverything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdfTrustArc
 
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...TrustArc
 
Privacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and RecommendationsPrivacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and RecommendationsTrustArc
 
Building Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy CertificationsBuilding Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy CertificationsTrustArc
 
The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...TrustArc
 
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdfTrustArc
 
Artificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI GovernanceArtificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI GovernanceTrustArc
 
How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023TrustArc
 
The Ultimate Balancing Act: Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act:  Using Consumer Data and Maintaining TrustThe Ultimate Balancing Act:  Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act: Using Consumer Data and Maintaining TrustTrustArc
 
The Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To KnowThe Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To KnowTrustArc
 
TrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdf
TrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdfTrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdf
TrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdfTrustArc
 
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?TrustArc
 
Why Your Company Needs A Privacy Culture & Where To Start
Why Your Company Needs A Privacy Culture & Where To StartWhy Your Company Needs A Privacy Culture & Where To Start
Why Your Company Needs A Privacy Culture & Where To StartTrustArc
 
Data Privacy Perspectives: Get Answers to Your Privacy Questions
Data Privacy Perspectives: Get Answers to Your Privacy QuestionsData Privacy Perspectives: Get Answers to Your Privacy Questions
Data Privacy Perspectives: Get Answers to Your Privacy QuestionsTrustArc
 
TrustArc Webinar: DPIA Compliance
TrustArc Webinar: DPIA ComplianceTrustArc Webinar: DPIA Compliance
TrustArc Webinar: DPIA ComplianceTrustArc
 
TrustArc Webinar: 2023 Privacy Roadmap
TrustArc Webinar: 2023 Privacy RoadmapTrustArc Webinar: 2023 Privacy Roadmap
TrustArc Webinar: 2023 Privacy RoadmapTrustArc
 
TrustArc Webinar: Data Privacy Trends 2023
TrustArc Webinar: Data Privacy Trends 2023TrustArc Webinar: Data Privacy Trends 2023
TrustArc Webinar: Data Privacy Trends 2023TrustArc
 

More from TrustArc (20)

Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
 
Nymity Framework: Privacy & Data Protection Update in 7 States
Nymity Framework: Privacy & Data Protection Update in 7 StatesNymity Framework: Privacy & Data Protection Update in 7 States
Nymity Framework: Privacy & Data Protection Update in 7 States
 
CBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy ComplianceCBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy Compliance
 
Everything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdfEverything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdf
 
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
 
Privacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and RecommendationsPrivacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and Recommendations
 
Building Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy CertificationsBuilding Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy Certifications
 
The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...
 
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
 
Artificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI GovernanceArtificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI Governance
 
How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023
 
The Ultimate Balancing Act: Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act:  Using Consumer Data and Maintaining TrustThe Ultimate Balancing Act:  Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act: Using Consumer Data and Maintaining Trust
 
The Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To KnowThe Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To Know
 
TrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdf
TrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdfTrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdf
TrustArc Webinar_ How Data Privacy Demands Impact Your Marketing Team.pdf
 
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?
TrustArc Webinar - Rise of Information Technology: How Does it Impact Privacy?
 
Why Your Company Needs A Privacy Culture & Where To Start
Why Your Company Needs A Privacy Culture & Where To StartWhy Your Company Needs A Privacy Culture & Where To Start
Why Your Company Needs A Privacy Culture & Where To Start
 
Data Privacy Perspectives: Get Answers to Your Privacy Questions
Data Privacy Perspectives: Get Answers to Your Privacy QuestionsData Privacy Perspectives: Get Answers to Your Privacy Questions
Data Privacy Perspectives: Get Answers to Your Privacy Questions
 
TrustArc Webinar: DPIA Compliance
TrustArc Webinar: DPIA ComplianceTrustArc Webinar: DPIA Compliance
TrustArc Webinar: DPIA Compliance
 
TrustArc Webinar: 2023 Privacy Roadmap
TrustArc Webinar: 2023 Privacy RoadmapTrustArc Webinar: 2023 Privacy Roadmap
TrustArc Webinar: 2023 Privacy Roadmap
 
TrustArc Webinar: Data Privacy Trends 2023
TrustArc Webinar: Data Privacy Trends 2023TrustArc Webinar: Data Privacy Trends 2023
TrustArc Webinar: Data Privacy Trends 2023
 

Recently uploaded

ENG7-Q4-MOD3. determine the worth of ideas mentioned in the text listened to
ENG7-Q4-MOD3. determine the worth of ideas mentioned in the text listened toENG7-Q4-MOD3. determine the worth of ideas mentioned in the text listened to
ENG7-Q4-MOD3. determine the worth of ideas mentioned in the text listened toirenelavilla52178
 
RA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxRA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxJFSB1
 
Illinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideIllinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideillinoisworknet11
 
citizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicablecitizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicableSaraSantiago44
 
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptxThe Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptxgurcharnsinghlecengl
 
Choosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in TexasChoosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in TexasBrandy Austin
 
Right to life and personal liberty under article 21
Right to life and personal liberty under article 21Right to life and personal liberty under article 21
Right to life and personal liberty under article 21vasanthakumarsk17
 
Labour legislations in India and its history
Labour legislations in India and its historyLabour legislations in India and its history
Labour legislations in India and its historyprasannamurthy6
 
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfWurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdf
Wurz Financial - Wealth Counsel to Law Firm Owners Services Guide.pdfssuser3e15612
 
Understanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal FrameworksUnderstanding Cyber Crime Litigation: Key Concepts and Legal Frameworks
Understanding Cyber Crime Litigation: Key Concepts and Legal FrameworksFinlaw Associates
 
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...
Town of Haverhill's Statement of Material Facts For Declaratory Judgment Moti...Rich Bergeron
 
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...
Town of Haverhill's Statement of Facts for Summary Judgment on Counterclaims ...Rich Bergeron
 
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxSarvesh Raj IPS - A Journey of Dedication and Leadership.pptx
Sarvesh Raj IPS - A Journey of Dedication and Leadership.pptxAnto Jebin
 
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment CaseTown of Haverhill's Summary Judgment Motion for Declaratory Judgment Case
Town of Haverhill's Summary Judgment Motion for Declaratory Judgment CaseRich Bergeron
 
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesAre There Any Alternatives To Jail Time For Sex Crime Convictions in Los Angeles
Are There Any Alternatives To Jail Time For Sex Crime Convictions in Los AngelesChesley Lawyer
 
Town of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC CounterclaimsTown of Haverhill's Motion for Summary Judgment on DTC Counterclaims
Town of Haverhill's Motion for Summary Judgment on DTC CounterclaimsRich Bergeron
 
OMassmann - Investment into the grid and transmission system in Vietnam (2024...
OMassmann - Investment into the grid and transmission system in Vietnam (2024...OMassmann - Investment into the grid and transmission system in Vietnam (2024...
OMassmann - Investment into the grid and transmission system in Vietnam (2024...Dr. Oliver Massmann
 
PPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training CenterPPT Template - Federal Law Enforcement Training Center
PPT Template - Federal Law Enforcement Training Centerejlfernandez22
 
Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.Analysis on Law of Domicile under Private International laws.
Analysis on Law of Domicile under Private International laws.2020000445musaib
 
1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in Sales1990-2004 Bar Questions and Answers in Sales
1990-2004 Bar Questions and Answers in SalesMelvinPernez2
 

Recently uploaded (20)

ENG7-Q4-MOD3. determine the worth of ideas mentioned in the text listened to
ENG7-Q4-MOD3. determine the worth of ideas mentioned in the text listened toENG7-Q4-MOD3. determine the worth of ideas mentioned in the text listened to
ENG7-Q4-MOD3. determine the worth of ideas mentioned in the text listened to
 
RA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptxRA. 7432 and RA 9994 Senior Citizen .pptx
RA. 7432 and RA 9994 Senior Citizen .pptx
 
Illinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guideIllinois Department Of Corrections reentry guide
Illinois Department Of Corrections reentry guide
 
citizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicablecitizenship in the Philippines as to the laws applicable
citizenship in the Philippines as to the laws applicable
 
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptxThe Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
The Punjab Land Reforms AcT 1972 HIRDEBIR.pptx
 
Choosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in TexasChoosing the Right Business Structure for Your Small Business in Texas
Choosing the Right Business Structure for Your Small Business in Texas
 
Right to life and personal liberty under article 21
Right to life and personal liberty under article 21Right to life and personal liberty under article 21
Right to life and personal liberty under article 21
 
Labour legislations in India and its history
Labour legislations in India and its historyLabour legislations in India and its history
Labour legislations in India and its history
 
Understanding new EU Guidance on DPIA/PIA requirements [Webinar Slides] (slide transcript)

1. Understanding new EU Guidance on DPIA/PIA requirements
November 10, 2016

2. Today’s Speakers
Beth Sipula, Senior Privacy Consultant, TRUSTe
Paul Iagnocco, Chief Privacy Officer, Kellogg

3. The GDPR and When to Use DPIAs/PIAs
Beth Sipula, Senior Privacy Consultant, TRUSTe

4. PIA definition
A privacy impact assessment (PIA) is a tool or process for identifying and assessing privacy risks throughout the development life cycle of a program or system.
- Information Commissioner's Office

5. Poll Question #1
Does your organization have a PIA process in place?
1. Yes
2. No

6. Frameworks and Jurisdictions
• Many countries and regions of the world have been using PIAs dating back to the mid 90’s
  – Papers published regarding PIAs often started in the private sector
• A handful of countries have the most presence; more countries are emerging in LATAM and APAC
• The GDPR has drawn a spotlight onto DPIAs and adopting a framework as part of compliance
• While there are differences in the methodologies, the goals are the same: to identify risks to privacy and determine ways of overcoming those risks
• DPIAs/PIAs are not “one size fits all”

7. Poll Question #2
How many PIAs will your organization complete in 2016?
1. Less than 10
2. 11-50
3. 51-100
4. 100+
5. I have no idea

8. GDPR Triggers for DPIAs/PIAs
DPIAs are required for any processing that may result in “high risk”, and for:
• Systematic and extensive automated processing, including profiling, if the decisions produce legal effects or significantly affect the individual. Example: making predictions based on a person’s behavior, credit decisions, economic situation, location
• Processing special categories of data (i.e. genetic or biometric data) or criminal records on a large scale
• Systematic monitoring of a publicly accessible area on a large scale
• As otherwise indicated by the DPAs or EUDPB
• GDPR requires you to conduct PIAs for “high risk” activities and implement operational changes
Note: The most common “high risk” areas tend to center around new products/systems that change the way the business uses, collects or stores personal data.

9. Triggers for when to use a DPIA/PIA
• Implementing a new system in your organization
• Launching a new product or service
• Providing a new third party provider with access to PI
• Conversion of records from paper-based to electronic form
• Conversion of information from anonymous to identifiable form
• System management changes involving significant new uses and/or application of new technologies
• Significant merging, matching or other manipulation of multiple databases containing personal data
• Incorporation into existing databases of personal data obtained from commercial or public sources
• Alteration of a business process resulting in significant new collection, use and/or disclosure of personal data

10. Recommendations for Success
• Assign clearly defined roles for all stages
• Having an Executive “Champion” or Sponsor is critical
• PIAs need to be simple, repeatable, concise, and they need to map to the GDPR requirements
• One size does not fit all – consider the level of risk
  – Also consider a bifurcated PIA process, with traditional PIAs for all projects and EU DPIAs for projects that trigger EU DP rules
• Build a robust process with scalability in mind
  – Consider the system you are using and what it will take to make the process more efficient and automated
• Monitor: the Article 29 Working Party will be releasing guidance for controllers and processors on high-risk assessments by the end of 2016

11. Operationalizing a PIA Solution within the Enterprise
Paul Iagnocco, Chief Privacy Officer

12. Privacy Overview at Kellogg
Global Privacy Office established in August 2015
4 Strategic Pillars:
• Build a Global Capability
• Ensure Compliance & Education
• Champion Privacy Advocacy
• Unlock Data Use
Types of Data Held:
• Employee (PII, PFI, PHI)
• Consumer (PII)
Reporting Line:
• A function within Global Legal & Compliance
• CPO reports directly to Chief Counsel (access to Global General Counsel & Vice Chair of Company)

13. Privacy Overview at Kellogg (continued)
Kellogg employs a decentralized business model in addressing data protection and privacy matters. Internal Audit and IT Security also appear in the model alongside the two groups below.
Global Privacy Office defines the “what”:
• strategy
• training content
• business compliance
• standards and best practices
• common global tools
• privacy impact assessments (PIAs)
• requests and complaints
• data breach management
• liaison with regulators
Regional/Local Business Functions determine the “how”:
• execute strategy
• conduct training
• execute compliance
• implement standards and best practices
• address PIA results

14. Collaborative Approach Between Privacy & IT Security
Principles shown: Notice, Choice, Use, Access (Privacy); Availability, Integrity, Confidentiality (IT Security)
Privacy – Acquisition and Use of Data: Focus is on whether the Company is allowed to possess consumer or employee data and what we are allowed to do with it.
IT Security – Safeguards, Secured Storage and Proper Destruction of Data: Focus is on the protection of the data stored, processed, transmitted and destroyed.

15. 5 Steps to Operationalizing PIAs
1. Know your key PIA stakeholders
2. Align on the role of a PIA
3. Design the PIA workflow
4. Build and implement the PIA solution
5. Refine and scale the PIA process

16. Know your key stakeholders
Objective: Implementing anything new within an organization is challenging. People fear the uncertainty of change. You need to identify key stakeholders that see value in a PIA.
Recommendation: Leverage these stakeholders to drive change within their function. These are your early adopters (evangelists).
Key Stakeholders and how a PIA would benefit their function:
• Legal Counsel - Transactions: Provides intelligence to incorporate into the MSA or SOW
• Risk Management: Provides intelligence that may require a change in risk policy
• Procurement: Ensures that data protection and privacy are addressed
• IT Security: Ensures that data protection and authorization are addressed
• Human Resources: External data processors are vetted and deliver expected services for our employees
• Marketing: External data processors are vetted and deliver expected services for our consumers
• Internal Audit: Provides an audit trail
• Outside Consultants: N/A

17. Align on the role of the PIA
Objective: With your key stakeholders, determine what you want to solve for using a PIA.
Recommendation: Start small and scale. It might be easier to start leveraging PIAs externally, since you will likely have less resistance to change.
Common Components of a PIA and what each assesses:
• Internal Procedures and Policies: Overall program accountability
• Data Collection: What data is collected?
• Choice and Consent: How was the data collected?
• Use, Retention and Disposal: What is the intended use, storage and purge of the collected data?
• Disclosures to Third Parties: Are we sharing this data?
• Access: Does the data subject have access?
• Data Security: How is the data secured?

18. Design the PIA workflow
Objective: Leveraging the PIA alignment gained in step 2, now design the PIA workflow.
Recommendation: Again, start small and scale. Look at how new data processes and vendor agreements/SOWs commence. Review existing workflows and determine the best means to intersect without being disruptive.
Where should a PIA be considered?
• Review of an existing vendor statement of work (SOW)
• New vendor set-up (MSA)
• Changes to internal data processing
• Significant IT infrastructure changes
• Mergers and acquisitions
• New product development (that engages data)
• Annual assessments
• To assess new regulations
New Vendor Set-up Workflow:
1. Process starts in Contract Database
2. Privacy Threshold Questions Answered
3. PIA Published and Vendor Responds
4. Responses Reviewed by Legal and IT Security
5. Additional Follow-ups by Other Key Stakeholders
6. Changes negotiated in MSA
7. MSA Approved and Filed

19. Build and Implement the PIA Solution
Objective: Identify what PIA solution needs to be built and eventually implemented.
Recommendation: Review step 2 to ensure you are building a PIA solution that achieves your goal. Also, be mindful of the expected annual volume. Do NOT over-engineer. In addition, be sure to produce communication materials and a simple user guide to facilitate adoption beyond the key stakeholders. You MUST be prepared to Sell, Sell, Sell.
Simple PIA Solution:
1. Build out content (questions and benchmarks)
2. Load spreadsheet – use macros to create “flags”
3. Develop an email template with purpose, deadline, etc. along with the spreadsheet
4. Publish to XYZ, collect responses
5. Review and analyze
6. Take necessary action
7. File
Complex PIA Solution:
1. Conduct privacy threshold assessment
2. Add Respondent to TRUSTe Assessment Manager
3. Select or customize PIA
4. Publish to XYZ, collect responses
5. Centrally review and analyze
6. Assign necessary follow-up action
7. Archive and set calendar to automatically re-send in 12 months

20. Refine and scale the PIA Solution
Objective: Identify what’s working and what’s not working and refine the solution accordingly. What other areas (identified in Step 3) should we scale this PIA solution to address?
Recommendation: Identify a means to gather ongoing feedback on how to improve the solution. Always look for opportunities to further embed the PIA into normal business operations. As you expand, follow the process – Step and Repeat.
Potential Refinements:
• Customized PIA questions based on a specific target audience (e.g., EU data processors)
• Implement for additional business scenarios (e.g., internal infrastructure or data processing changes)
• New PIA questions to assess internal or external compliance with new regulation (e.g., EU GDPR)
• Provide additional access to responses and analysis
• Add new functions to the overall process
• Expand user guides to reflect changes
• Expand communication plan – Sell, Sell, Sell

21. Summary
1. Cultivate evangelists for the PIA solution
2. Define the value of the PIA solution
3. Align on initial PIA solution goals
4. Start small – scale later
5. Look for new opportunities
6. Listen to feedback
7. Keep it simple
8. Over-communicate
Be sure to commit and start somewhere.

22. Questions?

23. Contacts
Beth Sipula: bsipula@truste.com
Paul Iagnocco: paul.iagnocco@kellogg.com

24. Thank You!
Register now for the final webinar in our 2016 Summer/Fall Webinar Series on December 8: “Metrics for Success: Quantifying the Value of the Privacy Function”
See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.