
EU-US Privacy Shield - Safe Harbor Replacement


Baker Tilly refers to Baker Tilly Virchow Krause, LLP, an independently owned and managed member of Baker Tilly International.

Privacy Shield: What you need to know

German American Chamber of Commerce of the Midwest, Inc.

Nick Graham, Partner, Dentons UK
Jan Hertzberg, Director, Baker Tilly

Setting the Scene

• The European Commission of the European Union (EU) and the US Department of Commerce reached agreement on a new pact for data transfers (February 2, 2016)
• The “Safe Harbor” agreement was invalidated after the European Court of Justice found that the US had violated the privacy of its citizens
• Privacy Shield imposes:
  − Stronger obligations on US companies to protect the personal data of EU citizens
  − Stronger monitoring, oversight and enforcement of the agreement
  − Limitations and oversight on US government access to data
  − A US privacy office established to handle complaints of EU citizens
  − Annual review of US commitments and performance against the Privacy Shield agreement

Agenda

• Privacy Rules (current and future)
• Privacy Shield
• Securing Personally Identifiable Information (PII)
• Wrap-up and takeaways
• Q&A

Privacy Rules: Current Landscape

EU versus US – Treatment of Privacy

European                                          US
Privacy is a human right                          Privacy is a consumer protection issue
"Personal Data"                                   "PII" (Personally Identifiable Information)
No processing of personal information             The commercial use of personal information
is the default                                    is acceptable as the default

• Cultural conflicts: e-discovery/litigation

Current German Legal Structure deriving from EU Directive

EU Data Protection Directive 1995

Each of the other 27 EU member states has a similar data protection regime. Comparable data protection laws also apply outside the EU (e.g. Russia).

When do the rules apply?

The EU rules apply when there is:
− processing
− of personal data
− by a data controller
− established in the EU (in the context of that establishment) or (where the data controller is established outside of the EEA) using equipment in the EU.

Controllers and Processors

Data Controller: a person who determines the purposes and means of the processing of personal data

Data Processor: a person who processes personal data on behalf of the data controller

Example: ABC KGaA (Data Controller) – Employee (Data Subject) – Microsoft (Data Processor)

What does it mean if EU rules apply?

You will be required to:
• Comply with the Data Protection Principles
• Comply with the Rights of Data Subjects
• Notify your data processing to certain regulators
• Take the consequences if you fail to comply

Data Protection Principles

• Transparency: privacy policies and notices
• Comply: with one of the conditions for processing (e.g. consent/necessary to perform a contract)
• Purpose limitation: only use personal data for specified and lawful purposes; no incompatible purposes
• Proportionality: personal data to be adequate, relevant and not excessive
• Accuracy: personal data to be accurate/kept up-to-date
• Retention: personal data not to be retained for longer than necessary
• Individual rights: to access, correct and object as well as claim compensation
• Security: appropriate measures to protect data required
• Exports: no transfers of personal data outside of the EEA without adequate protection

What happens if we get it wrong?

• Regulators can fine us
• Regulators may also have the ability to:
  − issue an information notice
  − issue an enforcement notice
  − seek to bring criminal proceedings
• Compensation
• Bad publicity and reputational harm
• Personal liability for individuals who violate the rules

Privacy Rules: Changing Landscape

EU Data Protection Regulation

• Scope: EEA, overseas and processors
• Model: "one stop shop"
• Governance: DPO and "privacy office;" refresh policies and procedures; training; audit
• Privacy by design
• Privacy by default

IN FORCE FROM 25 MAY 2018

EU Data Protection Regulation (Cont.)

• Enhanced rights and duties of transparency and proportionality
• Data breach notification: to be a legal requirement
• Penalties: fines of up to 4% of annual worldwide revenue or EUR 20 million (USD 22.6 million)
• Risk control: new "principle of accountability." This requires a "control framework" of policies, procedures, training and audit to manage and mitigate global privacy risk.

EU-US Privacy Shield

Privacy Shield: The 7 Principles

• Notice
• Choice
• Accountability for onward transfer
• Security
• Data Integrity and Purpose Limitation
• Access
• Recourse, Enforcement and Liability

Safe Harbor v Privacy Shield

"Essentially equivalent"
  Old World: Safe Harbor
    • Annual self-certification
    • Notice
    • Choice
    • Onward Transfer
    • Security
    • Data Integrity / Purpose Limitation
    • Access
  New World: Privacy Shield
    • Much more detailed privacy notices
    • Onward transfer accountability:
      • Agreement with Controllers
      • Liability for Processor non-compliance

Remedies / individual Redress
  Old World: Safe Harbor
    • Federal Trade Commission Complaint
    • Private dispute resolution
  New World: Privacy Shield
    • Direct complaint - 45 days response
    • ADR / DP Panel
    • DP Authority complaints
    • DoC Complaints
    • Binding arbitration / Privacy Shield Panel
    • Ombudsman for National Security queries

Oversight
  Old World: Safe Harbor
    • Federal Trade Commission (but no control over public authorities)
    • Foreign Intelligence Services Court - ex parte proceedings
  New World: Privacy Shield
    • Proactive DoC investigation and extra resource
    • Name & shame for removal
    • Release of Privacy Shield sections of compliance reports
    • Annual verification
    • DP Authorities (especially HR data)
    • Ombudsman: all US transfers
    • Annual review of Privacy Shield
    • Privacy Shield may be suspended

Privacy Shield: Implementation

• Who can apply?
• Effective: Aug 1, 2016
• 9 month grace period on vendor contract review (if signed up by Sept 30, 2016)
• Who has signed up?

Privacy Shield: Checklist for applying

• Put in place governance - who will own Privacy Shield?
• Update notices to data subjects and create a Privacy Shield Privacy Policy
• Set up procedures to enable customers to opt out, access their personal information and correct, amend or delete the data
• Establish an annual compliance review
• Set up a complaint handling process
• Choose an independent dispute resolution body
• Update contracts with vendors/suppliers

Privacy Shield: Upsides and Downsides

Upsides
• Provides "adequate protection"
• Stepping stone for BCRs
• Less cumbersome contract negotiations

Downsides
• Only transfers to the US
• Regulatory scrutiny
• Upgrade to policies/procedures
• FTC enforcement risk
• Annual verification
• Court challenge

Privacy Shield: How to apply?

https://www.privacyshield.gov/welcome
http://ec.europa.eu/justice/data-protection/international-transfers/eu-us-privacy-shield/index_en.htm

Alternative Data Transfer Options?

• Consent from individuals - dubious validity
• Model Clauses - "snap shot" only, so require refreshing
• Binding Corporate Rules - Platinum standard; control framework

Securing Personally Identifiable Information (PII)

Society Has Become Highly Digital

• Hyper-Connectivity
• Hyper-Mobility
• Highly Sophisticated Adversaries
• Hyper-Sociability
• Cyber-Physical “Things”

Physical Cyber “Things”

Smart fridge: can track what it stores, alerting when products expire, & even add items to a smartphone shopping list

Security cameras & systems: can be remotely armed & checked; get alerts or review your security feeds from any location

Lighting systems: can be controlled using a smartphone app or via the web, as can fans, hot tubs, water pumps, thermostats, even door openers

Personal medical devices: can be implantable or external & allow remote monitoring / treatment

Today’s cars: are computer-guided and wirelessly connected via Bluetooth, GPS, radio protocols

F-35 fighter jet: has a highly advanced computerized logistics system designed to minimize repair and re-equipping turnaround times by monitoring the plane’s status and pre-emptively making service decisions so that ground crews are ready to go before the plane even lands

Smart TVs: connect to the Internet for web browsing, image sharing, gaming, or watching streaming video

Sources: Forbes, Vice, Cisco IBSG, University of Michigan, ABC News, Qmed, Network World

Business Email Compromise: A Special Kind of “Phish”

From October 2013 through February 2016, law enforcement received reports from 17,642 victims.

Total Exposed Loss = $2.3 billion since 2013

The FBI has identified a 270% increase in BEC attack victims and exposed loss since Jan. 2015.

Law enforcement globally has received complaints from victims in every U.S. state & 95 countries.

In Arizona the average loss per scam is between $25,000 and $75,000.

Sources:
http://krebsonsecurity.com/2016/04/fbi-2-3-billion-lost-to-ceo-email-scams/
https://www.fbi.gov/phoenix/press-releases/2016/fbi-warns-of-dramatic-increase-in-business-e-mail-scams

Strategies must be Intelligence-Driven

Business Lines: require AGILITY and fast time to market to meet business goals and customer demand

Cyber-Threats: require us to have MATURE prevention, detection and recovery controls to keep pace

Employees: strive for excellence and are interested in how and where they WORK

Shareholders: require we protect revenue to enable GROWTH

Clients and Customers: place TRUST in us and demand we are careful stewards of their data and transactions

Regulators: expect we provide evidence of a STRONG information security program

Strategies must also be Comprehensive

Eight Security Ecosystem Components

NETWORKS: are monitored 24x7
IDENTITY & ACCESS: is appropriate based on job role
INDUSTRY & PARTNERSHIPS: provide actionable, cost-effective threat and risk intelligence
DATA & INFORMATION: is secure at rest and in transit
APPLICATIONS: are secure in development and production
CUSTOMERS & CLIENTS: are educated on cyber-risks and their role in protecting their devices
THIRD PARTIES & VENDORS: control parity is risk-based and protections are appropriate
DEVICES: are secure and patched regularly to keep secure over time

ANTICIPATE emerging threats & risks
ENABLE business growth while protecting existing revenue
SAFEGUARD information & assets

Security for Privacy Requirements

Information Security Program: a developed, documented, approved, and implemented security program. Includes the following:
– Risk assessment and treatment
– Security policy
– Organization of information security
– Asset management
– Human resources security
– Physical and environmental security
– Communications and operations management
– Access control
– Information systems acquisition, development, and maintenance
– Business continuity management
– Compliance

Security for Privacy Requirements (Cont.)

Logical Access Controls: access to personal information is restricted by procedures that address the following:
– Authorizing and registering internal personnel
– Identifying & authenticating internal personnel
– Changing and updating access profiles
– Granting permissions for access to IT infrastructure components and personal information
– Preventing individuals from accessing anything other than their own personal or sensitive information
– Limiting access to personal information only to authorized internal personnel
– Restricting logical access to offline storage, backup data, systems and media
– Restricting access to system configurations, superuser functionality, master passwords, powerful utilities, and security devices
– Preventing the introduction of viruses and malicious code

Security for Privacy Requirements (Cont.)

Physical Access Controls
• Physical access to personal information in any form (including the components of the entity’s system(s) that contain or protect personal information) is restricted.
• Examples of the threats addressed include:
  − Theft
  − Espionage
  − Dumpster diving
  − Social engineering (including phishing)
  − Shoulder “surfing”

Security for Privacy Requirements (Cont.)

Environmental Safeguards
• Personal information, in all forms, is protected against accidental disclosure due to natural disasters and environmental hazards

Security for Privacy Requirements (Cont.)

Transmitted Personal Information
• Personal information is protected when transmitted by mail or other physical means such as:
  − Emailing data from one person to another
  − Faxing data from one person to another
  − Updating or editing database information
  − Storing data on USB drives, CDs, floppy disks (called “removable media”)
  − Storing data on a computer hard drive or networked drive (called “fixed media”)
  − Deleting information from fixed or removable media
  − Scanning a document and emailing it to yourself
• Personal information collected and transmitted over the Internet is protected by deploying industry-standard encryption technology for transferring and receiving personal information

Security for Privacy Requirements (Cont.)

Personal Information on Portable Media
• Personal information stored on portable media or devices is protected from unauthorized access.

Security for Privacy Requirements (Cont.)

Centralized Device Management

Automatically registers users to devices and implements policies
• Low system overhead and limited support staff required

Manages multiple device types and brands
• Leverages existing investment

Provides forensic-level auditing

File-level blocking by type and name

Manages devices off the network

Remote kill of devices

Device coverage:
• Optical products - CD/DVD
• USB flash drives
• External hard disk drives

Multiple authentication methods:
• Password (hardware rules)
• Biometric + password

Validated encryption

Security for Privacy Criteria (Cont.)

Testing Security Safeguards
• Tests of the effectiveness of the key administrative, technical, and physical safeguards protecting personal information are conducted at least annually.

Security Risk Assessment
• Understand all information systems at a granular level
• Determine what assets really matter (crown jewels)
• Translate and align to business objectives and priorities
• A clear definition of risk tolerance levels is required
• The assessment must be unique to the company and its industry
• The process must be iterative and dynamic to adapt to constant change
• Standard frameworks improve effectiveness (e.g., NIST, ISO)

NIST Cybersecurity Framework

Framework Categories

Identify
• Asset Management
• Business Environment
• Governance
• Risk Assessment
• Risk Management Strategy

Protect
• Access Control
• Awareness and Training
• Data Security
• Information Protection Processes
• Maintenance
• Protective Technology

Detect
• Anomalies and Events
• Security Continuous Monitoring
• Detection Processes

Respond
• Response Planning
• Communications
• Analysis
• Mitigation
• Improvements

Recover
• Recovery Planning
• Improvements
• Communications

Wrap-up and Takeaways

• Know your data (mapping)
• Check EU compliance
• Implement PIA
• Implement data transfer solution
• Understand the risks based on the agreement
• Evaluate and implement data transfer solution
• Conduct a security assessment
• Closely monitor developments

Questions?

Contact

NICK GRAHAM
PARTNER / GLOBAL CO-CHAIR, PRIVACY & CYBERSECURITY GROUP
Dentons
[email protected]
44 20 7320 6907

JAN HERTZBERG
DIRECTOR, IL RISK & INTERNAL AUDIT
Baker Tilly
[email protected]
312 729 8067