GDPR/CBPR: ARE WE AWARE? ARE WE READY?
Jarernsri Mitrpanont, Ph.D.
Faculty of ICT, Mahidol University
December 11, 2018
~ Looking ahead to CBPR system certificate and GDPR compliance management ~
“Thailand and Japan Digital Governance seminar”
MAHIDOL UNIVERSITY ORIGINATES FROM THAILAND’S FIRST HOSPITAL, SIRIRAJ HOSPITAL, FOUNDED IN 1888.
Prince Mahidol
MAHIDOL-ICT FACULTY PROFILE: A LEADING ICT INSTITUTE FOR INNOVATIVE LEARNER AND DEDICATOR
Established in 2009 by merging the Department of Computer Science (1988), Faculty of Science, and the Mahidol University Computing Center (1980).
43 faculty members, 850 undergraduate students, 60 graduate students
www.ict.mahidol.ac.th
Strong degree programs at the Faculty of ICT, Mahidol University (all taught in English)
Capability, Excellence, Agility
Leading ICT Institute
Founding Dean
Strong International and Industry Network
THE GENERAL DATA PROTECTION REGULATION (EU-GDPR): WHAT WE NEED TO KNOW
GDPR is the result of an effort by the European Parliament and other EU bodies to strengthen data protection for those living in the EU and to provide greater uniformity than the existing national data protection laws.
Approved in 2016 by the European Union (EU); applicable from May 25, 2018.
EU residents gain greater control over their data and how it is used, by parties both inside and outside the EU.
GDPR applies to organizations both inside and outside the EU. Example: a U.S.-based company whose website collects personal data of individuals in the EU is subject to GDPR rules even though the website is hosted outside the EU.
GDPR is “the biggest change to data protection law for a generation.” (Elizabeth Denham, U.K. Information Commissioner)
Although the benefit is for people in the EU, the tightened rules present legal and technical challenges for companies doing business in the EU.
Failure to comply with GDPR carries stronger sanctions: a fine of up to 20 million euros (about 21.4 million dollars) or 4% of the prior year’s global turnover, whichever is higher.
GDPR REQUIREMENTS AND CONSIDERATION
Data breach notification. A breach must be reported to the supervisory authority without undue delay and, where feasible, within 72 hours of the organization becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals.
How personal data is defined. The definition is comprehensive: any information relating to an identified or identifiable person, including names, email addresses, social media posts, medical records, IP addresses and other online identifiers or metadata. GDPR protects even information that can be used to infer personal attributes.
Profiling usage of personal data. Profiling of users through their interaction with a system, or in the way a company analyzes their data, comes under the regulation. If typical user-profiling tools are used in a non-anonymized manner, restrictions can apply, as they can to data analysis that does not use aggregation.
The rules governing consent. GDPR requires that consent can be withdrawn as easily as it is given, and that requests for consent must be clear, intelligible, delivered in plain language and distinguishable from other materials.
The right to be forgotten. EU residents can request erasure of their data or a halt to its dissemination, and a controller that has made the data public must inform other controllers processing it of the erasure request.
The right to be informed. Businesses must be transparent about how they use the data they collect.
Lawful processing. There must be a lawful basis to process personal data.
The right to data access. EU residents retain the right to discover how their data is being used, including where and for what purpose. They may request a copy of stored data, which must be furnished free of charge (in electronic form when the request is made electronically).
The right to data portability. Individuals may receive their data in a structured, commonly used, machine-readable format and transmit it from one controller to another.
The right to breach notifications. Affected individuals must be informed without undue delay when a breach is likely to result in a high risk to their rights and freedoms; the 72-hour deadline above applies to the report to the supervisory authority.
Transferring data internationally. Personal data may leave the EU only under an adequacy decision, appropriate safeguards (such as standard contractual clauses or binding corporate rules) or a specific derogation.
Privacy by design. Data protection must be built into development processes, not tacked on as an afterthought.
Company note: GDPR compliance changes and challenges (awareness)
- GDPR applies to any organization processing personal data of individuals in the EU, regardless of whether the organization is located in Europe.
- The non-compliance penalty is up to 20 million euros (about 21.4 million dollars) or 4% of the previous year’s global turnover, whichever figure is higher.
- Organizations must be able to demonstrate how they comply with GDPR.
- Data breaches must be reported to the supervisory authority within 72 hours unless the breach is unlikely to result in a risk to the rights or freedoms of individuals.
- Some organizations, depending on their classification and other variables, may be required to appoint a Data Protection Officer.
Ref: https://www.researchgate.net/publication/323538588_The_General_Data_Protection_Regulation_GDPR_What_Organizations_Need_to_Know
THE JOURNEY TO GDPR COMPLIANCE CASES
IBM surveyed 1,500 executives about their organizations’ GDPR preparations in 15 industries around the world.
The end of the beginning: Unleashing the transformational power of GDPR
GDPR – bane or boon?
Ref: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=86015886USEN
IBM journey to GDPR
IBM is one of the first to have a data privacy officer and an ethics statement that is woven into all new products and services to include built-in privacy and security.
GDPR is about personal data
Key for GDPR is the focus on personal data, any data that can directly or indirectly identify living individuals. We need to know what personal data the business uses, where it is stored, how it is processed and its lineage: where it comes from, what we do with it and where it ends up.
There are GDPR essentials every organization should have in place: defining, discovering, cataloging and protecting personal data, and managing consent.
IBM Pathways for GDPR readiness: Preparing your business for the changing realities of data privacy and protection in the EU
1. Rights of EU Data Subjects
2. Security of Processing
3. Lawfulness and Consent
4. Accountability of Compliance
5. Design and Default
Ref: IBM hybrid-cloud-analytics-platform-white-paper-external-asw12436usen-20180516.pdf
IBM Pathways for GDPR readiness Framework
5 phases: Assess, Design, Transform, Operate, and Conform
A complete and accurate data inventory or catalogue (Figure 4) can create the foundation for a unified information governance strategy for the GDPR. It helps answer questions about where personal data is located, why it is being collected and stored, and who has access.
As such, its benefits are not limited to GDPR readiness: it can help you comply with other rules and regulations that might affect you, now or in the future.
Design: Unified Governance Catalogue
Ref: IBM hybrid-cloud-analytics-platform-white-paper-external-asw12436usen-20180516.pdf
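The IBM material above, and the "defining, discovering, cataloging and protecting personal data" essentials on the previous slide, treat a personal-data inventory as the foundation of GDPR work. As an added illustration, not code from IBM's white paper or from this deck, the Python below runs a small discovery pass over constructed sample sources (a customer table and a web access log, both with hypothetical names) to build that inventory, then pseudonymises the identifiers it finds with a keyed HMAC so the records can be analysed without exposing them. It detects only email addresses and IPv4 addresses; a real catalogue adds name dictionaries, national identifiers and classifiers, plus the purpose, lawful basis and access-list columns that only the business can supply.

```python
import hashlib
import hmac
import ipaddress
import re
from collections import Counter

# Two of the identifier types named on the slide that a pattern can find reliably.
# Names, medical records and social media posts need dictionaries or a classifier.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def find_identifiers(text):
    """Yield (category, value) for each personal-data token found in a string."""
    for m in EMAIL_RE.finditer(text):
        yield "email", m.group(0)
    for m in IPV4_RE.finditer(text):
        try:
            ipaddress.IPv4Address(m.group(0))  # drops non-addresses such as 999.1.1.1
        except ValueError:
            continue
        yield "ip_address", m.group(0)


def build_inventory(sources):
    """Count personal-data occurrences per (source, field, category).

    sources maps a source name to a list of records; a record is either a flat
    dict (database row, JSON document) or a string (log line, free text).
    Unstructured records are reported under the field name "<text>".
    """
    counts = Counter()
    for source, records in sources.items():
        for record in records:
            if isinstance(record, dict):
                for field, value in record.items():
                    if isinstance(value, str):
                        for category, _ in find_identifiers(value):
                            counts[(source, field, category)] += 1
            else:
                for category, _ in find_identifiers(str(record)):
                    counts[(source, "<text>", category)] += 1
    return sorted((s, f, c, n) for (s, f, c), n in counts.items())


def pseudonymise(text, key, token_len=16):
    """Replace every identifier in text with a keyed token.

    Tokens are HMAC-SHA256(key, value) truncated to token_len hex digits, so
    equal values map to equal tokens (joins still work) while re-identification
    requires the key, which must be kept apart from the pseudonymised data.
    """
    def token(value):
        return "tok_" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:token_len]

    def replace_ip(m):
        try:
            ipaddress.IPv4Address(m.group(0))
        except ValueError:
            return m.group(0)  # not an address, leave it alone
        return token(m.group(0))

    # Emails first: their local part may contain digits and dots the IP pattern could touch.
    text = EMAIL_RE.sub(lambda m: token(m.group(0)), text)
    return IPV4_RE.sub(replace_ip, text)


# Constructed sample data; the source names are hypothetical.
SAMPLE_SOURCES = {
    "crm.customers": [
        {"id": "1001", "name": "A. Example", "email": "a.example@example.com", "notes": "prefers email"},
        {"id": "1002", "name": "B. Example", "email": "b.example@example.org", "notes": ""},
    ],
    "web.access_log": [
        '192.0.2.10 - - [11/Dec/2018:09:00:00 +0700] "GET /login HTTP/1.1" 200 512',
        '198.51.100.7 - - [11/Dec/2018:09:00:03 +0700] "POST /signup?u=c@example.net HTTP/1.1" 302 0',
        '999.1.1.1 - - [11/Dec/2018:09:00:04 +0700] "GET / HTTP/1.1" 400 0',
    ],
}

if __name__ == "__main__":
    for source, field, category, count in build_inventory(SAMPLE_SOURCES):
        print(f"{source:16} {field:8} {category:12} {count}")
    print(pseudonymise(SAMPLE_SOURCES["web.access_log"][1], key=b"demo-key-keep-elsewhere"))
```

Running the block prints the inventory (two email values in the CRM email field; one email and two IP addresses in the access log, with 999.1.1.1 rejected as not a valid address) followed by a pseudonymised log line. The HMAC key is the "additional information" that GDPR's definition of pseudonymisation requires to be kept separately: store it in a secrets manager away from the pseudonymised dataset, otherwise anyone holding the data can recompute the tokens from guessed values.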
KPMG GDPR Discovery and Maturity Assessment: Are you ready for the General Data Protection Regulation?
Present the overall GDPR readiness of the organization. Compare the current state against the target state of privacy maturity.
Ref: https://assets.kpmg.com/content/dam/kpmg/xx/pdf/2018/03/gdpr-discovery-maturity.pdf
TG Pathways for GDPR readiness Framework: Are you ready for GDPR? How do we start?
Set up of working team and allocation of jobs
Phase I: GDPR Readiness
Work streams allocation:
1. DPO & DPA
2. Data Privacy Policy
3. Change Management
4. Data Subjects Rights
5. Data Protection Impact Assessment (DPIA)
6. Consent Management
7. Data Flow & Process
8. Data Retention & Backup
9. Contract Management
10. Cross-Border Data Transfers
11. Data Breach
Phase II: GDPR Compliance
Ref: www.law.chula.ac.th/home/file.aspx?ID=732 THAI GDPR Project. Dr. Sitdhinai Chantranon, Director, Office of the EVP, Legal and General Administration, THAI GDPR Working Team (Legal).
THE JOURNEY TO GDPR IN THAILAND
KPMG Thailand explored the implications of the General Data Protection Regulation (GDPR) enforced by the EU. Bangkok, 24 August 2018.
Implications of GDPR in Thailand: Gaining competitive edge through your data strategy
Where are we? How far?
KPMG: Given that Thailand is the EU’s third-largest commercial partner in ASEAN, businesses in Thailand need to be aware of GDPR and integrate its requirements into their business processes.
KPMG revealed from a recent survey that consumers are increasingly concerned about data privacy and how their personal data is being used. For example, 78% of consumers think that offline targeted ads (e.g. electronic billboards) that know their personal product preferences and details are ‘creepy’ rather than ‘cool’.
Findings from the survey of the participants:
- 45% of the participants admit that they do not fully understand the interaction between Thai regulations and GDPR;
- 47% have yet to start preparing for possible future privacy regulations applicable to Thailand but are planning to;
- 40% already have a privacy program in place;
- 74% admit that they do not understand how and when to report a breach affecting EU customers to the relevant supervisory authority.
GDPR builds competitive advantage rather than being simply a regulatory requirement: it creates a privacy-aware culture and strengthens governance infrastructure focused on customers’ right to data privacy and transparency.
Ref: Mark Thompson, Global Privacy Lead, KPMG in the UK, https://home.kpmg.com/th/en/home/media/press-releases/2018/08/th-press-release-24082018-implications-of-gdpr-nglish.html
THAILAND Draft Personal Data Protection Act
On 22 May 2018, the Thai Cabinet approved in principle a revised draft of Thailand’s first personal data protection act (Draft Act), which is currently under consideration by the Council of State. Thailand currently does not have any specific law regulating data protection. The Office of the Prime Minister first published the Draft Act in 2014, and it has undergone several rounds of changes. No official announcement of the enforcement time frame has been made yet.
The Draft Act has been revised to replicate many of the concepts and obligations that are common across global data protection laws, and in particular the GDPR, such as:
- Key definitions
- Extraterritorial application
- General protections
- Collection of personal data
- Cross-border transfer of personal data
- Rights of data subjects
- Fines and penalties
- Grandfathering provisions
Ref: https://www.dataprotectionreport.com/2018/08/overview-of-thailand-draft-personal-data-protection-act/
APEC PRIVACY FRAMEWORK (2015) DRAWS ON CONCEPTS INTRODUCED IN THE OECD GUIDELINES (2013) AND AIMS TO PROMOTE E-COMMERCE THROUGHOUT THE ASIA PACIFIC REGION.
APEC Privacy Framework (2015): a principle-based and accountability-based approach which recognizes the importance of protecting information privacy while maintaining information flows among APEC economies and among their trading partners, while avoiding the creation of unnecessary barriers to information flows.
APEC Privacy Framework: clear extent of Scope and Definitions
1) Personal Information
2) Personal Information Controller
3) Publicly Available Information
4) CBPR System
5) CPEA (APEC Cross-border Privacy Enforcement Arrangement)
6) Privacy Enforcement Authority
7) Privacy Law
8) PRP System (APEC Privacy Recognition for Processors System)
9) Application
APEC Privacy Framework Information Privacy Principles
1) Preventing Harm
2) Collection Limitation
3) Uses of Personal Information
4) Notice
5) Choice
6) Integrity of Personal Information
7) Security Safeguards
8) Access and Correction
9) Accountability
Six participating APEC CBPR economies: USA, Mexico, Japan, Canada, Singapore, and the Republic of Korea.
Ref: Malcolm Crompton, APEC Information Privacy Principles: Relationship, https://slideplayer.com/slide/8792319/
Ref: APEC Privacy Framework 2015, ISBN 981-05-4471-5, APEC#217-CT-01.9
APEC CROSS-BORDER PRIVACY RULES SYSTEM (APEC CBPR SYSTEM)
The APEC CBPR system, endorsed by APEC Leaders in 2011, is a voluntary, accountability-based system that facilitates privacy-respecting data flows among APEC economies.
The APEC CBPR system has four main components:
1. recognition criteria for organisations wishing to become an APEC CBPR System certified Accountability Agent;
2. an intake questionnaire for organisations that wish to be certified as APEC CBPR System compliant by a third-party CBPR system certified Accountability Agent;
3. assessment criteria for use by APEC CBPR System certified Accountability Agents when reviewing an organisation's answers to the intake questionnaire; and
4. a regulatory cooperative arrangement (the CPEA) to ensure that each of the APEC CBPR system program requirements can be enforced by participating APEC economies.
Ref: APEC Privacy Framework 2015, ISBN 981-05-4471-5, APEC#217-CT-01.9
THE READINESS OF APEC ECONOMIES WITH CBPRS
The survey asked whether an economy could satisfy the basic requirements to participate in APEC CBPRs:
1. the existence of a data privacy law;
2. an enforcement authority on privacy;
3. trust-mark providers;
4. consistency between the economy's privacy legislation and the APEC Privacy Framework.
Source: Survey on the Readiness for Joining Cross Border Privacy Rules System (CBPRs), Final Report, Electronic Commerce Steering Group, January 2017
- 16 out of 21 APEC economies have a privacy law of their own.
- 14 out of 21 APEC economies have a Privacy Enforcement Authority.
- 10 out of 21 APEC economies have at least one trust-mark provider.
- 13 out of 21 APEC economies show consistency between their own privacy legislation and the APEC Privacy Framework.
Survey of intention of joining CBPRs
Survey on obstacles: lack of privacy law, lack of state institution, lack of industrial needs.
ANOTHER VIEW OF GDPR / CBPR
Timeline: 1980 OECD Guidelines; 2015 APEC Privacy Framework; 2018 GDPR enforcement.
Example: a research study that applies the privacy framework to the design of a learning analytics system so that it does not violate privacy laws.
Ref: https://iapp.org/resources/article/a-brief-history-of-safe-harbor/
Ref: http://ubir.bolton.ac.uk/1398/1/Griffiths%20D%20%20Preprint%20Hoel%20Griffiths%20Chen%20LAK17.pdf
Ref: https://www.slideshare.net/JanDhont1/roadmap-to-the-gdpr-governance-and-accountability-v30
Ref: https://www.clickz.com/1980-next-may-evolution-gdpr/203155/
EU-GDPR / APEC-CBPR: ARE WE AWARE? ARE WE READY?
THANK YOU