Copyright © 2017 NAVEX Global, Inc. All Rights Reserved. | Page 0 Top 5 Privacy Concerns CCO’s Should Care About Presented by Carrie Penman | Chief Compliance Officer & Senior VP, Advisory Services Amanda L. Gratchner | Global Privacy Officer & Senior Counsel


Page 1

Top 5 Privacy Concerns CCOs Should Care About

Presented by

Carrie Penman | Chief Compliance Officer & Senior VP, Advisory Services

Amanda L. Gratchner | Global Privacy Officer & Senior Counsel

Page 2

Presenters

Carrie Penman | Chief Compliance Officer & Sr. VP, Advisory Services, NAVEX Global

Amanda L. Gratchner | Global Privacy Officer & Senior Counsel, NAVEX Global

Page 3

Agenda

• Privacy: In Brief

• Top 5 Privacy Concerns

1. The EU General Data Protection Regulation

2. Data Breaches

3. Sapin II and CNIL

4. Vendors

5. Operational Considerations

Page 4

A (Very) Brief History…

Page 5

Data Privacy: In Brief … Very Brief

Here’s a little context…

• Data Privacy is not really new…

- France

- OECD Guidelines

- EU Directive

- US

• and it’s spreading…

Page 6

Data Privacy

Data Privacy laws are not limited to the European Union

• US (HIPAA, GLBA)

• Canada

• Australia

• Latin America

• Japan

• Russia

• China

Source: DLA Piper: https://www.dlapiperdataprotection.com

Page 7

Data Localization

• Russia: Data Localization Law

− 1 September 2015

− Data must be stored and hosted within the Russian Federation

• China: Cybersecurity Law

− 1 June 2017

− Cross-border transfer requirements

− Data localization within the borders of China

Page 8

1. European Union General Data Protection Regulation

Page 9

The EU General Data Protection Regulation

• Fines: 2%-4% of global annual turnover

• Extra-jurisdictional reach

• Privacy Impact Assessments

• Privacy by Design as default

• Personal Data Breach notification requirement

• Appointment of Data Protection Officer

Page 10

Key Attributes & Responsibilities of a Privacy Officer

• Guidance on risk assessments/data protection impact assessments

• Flexible and culturally sensitive

• Expert knowledge of the law

• Independence in job function and reporting

• Leadership and project management experience

• Possess a “common touch”

• Be credible

• Can be external

Page 11

2. Data Breaches

Page 12

Data Breaches

• What can we do? Plan, Plan, Plan

• Not a matter of if but a matter of when … so be prepared

• Challenges with cross-jurisdictional requirements

− Data mapping is crucial: what data do you have, where is it, and where does it go?

− Vendors

Page 13

3. Sapin II and CNIL

Page 14

Sapin II & CNIL Guidance

• Sapin II

− 1 June 2017

− Increase transparency and modernize existing laws in support of anti-corruption initiatives

• CNIL guidance regarding anti-bribery reports

− Realigned AU-004 to Sapin II

− Disclosure of report only to management

− Reinforced:

  • Anonymity as a “last resort”

  • Confidentiality of whistleblower and accused identities

Page 15

NAVEX Global Benchmarking Results

How are global employees actually using the reporting systems?

Source: 2017 Ethics and Compliance Hotline and Incident Management Benchmark Report

Page 16

Anonymous Reports by Geography

Europe receives the highest percentage of anonymous reports

Source: 2017 Ethics and Compliance Hotline and Incident Management Benchmark Report

Page 17

Substantiation Rate by Geography

Anonymous reports from Europe are substantiated more frequently

Source: 2017 Ethics and Compliance Hotline and Incident Management Benchmark Report

Page 18

4. Vendors

Page 19

Vendors

• Vendor Management Programs

• Audits

Page 20

5. Operational Considerations

Page 21

Operational Considerations

• Strengthen the bond between Compliance, Security and Privacy

• Include privacy as a component of audits / assessments

• Embed privacy in the development life cycle across the organization (Privacy by Design)

• Encourage privacy discussions and interest across the enterprise

Page 22

Key Takeaways: Advice for Compliance Officers

Page 23

Key Takeaways: Advice for Compliance Officers

1. Appoint a Privacy Lead (DPO or otherwise)

2. Add Privacy to my committee

3. Understand the scope of your geographic footprint

4. Identify your points of contact

5. Review current audits or assessments

Page 24

Questions?

Page 25

Thank You