Privacy Shield Self-Certification – What's Next? [Webinar Slides]


  • 1 Privacy Insight Series - truste.com/insightseries

    © TRUSTe Inc., 2017

    Privacy Shield Self-Certification

    What's Next?

    February 23, 2017

  • 2

    Today's Speakers

    K Royal, JD, CIPP/E/US

    Senior Privacy Consultant,

    TRUSTe

    Amanda Gratchner

    Global Privacy Counsel,

    NAVEX Global

    David Fowler

    Chief Privacy & Digital Compliance Officer,

    Act-On Software

  • 3

    Welcome & Introductions

    Privacy Shield

    Self-certification

    Updates

    Relationships

    Various frameworks

    Leveraging Privacy Shield

    Q&A

    Today's Agenda

  • 4

    Have you Self-certified for Privacy Shield?

    Yes

    No

    In Progress

    Webinar Poll

  • 5

    Privacy Shield One Year On

  • 6

    Understanding the Privacy Shield Framework

    What's different compared to Safe Harbor?

    New Privacy Protections: notice requirements, accountability for onward transfer, purpose limitation and data retention

    Enhanced Complaint Resolution: response time to EU individuals, free dispute resolution, binding arbitration as last-resort option

    Improved Cooperation and Transparency: monitoring and dispute resolution requires cooperation with the International Trade Administration (ITA) Privacy Shield Team, ongoing requirements (if you withdraw and maintain data), publication of FTC compliance reports (if subject to enforcement action)

  • 7

    Joining the Privacy Shield Program

    1. Confirm Your Organization's Eligibility to Participate

    2. Develop a Compliant Privacy Policy

    3. Establish an Independent Recourse Mechanism (IRM)

    4. Ensure a Verification Mechanism is in place

    5. Identify your Privacy Shield Point of Contact

    6. Self-certify Using the Privacy Shield Website

    7. Reaffirm Self-certification Annually

    8. Reply to Inquiries from EU citizens, IRM, Commerce, and/or DPAs as Required

  • 8

    Practical Considerations and Challenges

    Understanding the Privacy Shield Framework

    Understanding your business operations

    Developing compliant privacy statements and notices

    Developing privacy program governance, policies, and procedures

    Verification of privacy practices and monitoring of compliance

    Keeping records of Privacy Shield Principles implementation

    Employee training and awareness

    Dealing with onward transfer issues

    Dealing with data subject access requests and privacy complaints

  • 9

    Privacy Shield Self-Certification

    Companies that had EU/US Safe Harbor

    Filed by September 30, 2016

    9 months to come into compliance

    - June 30, 2017

    Posted: 1705

    What about those that did not certify?

    What about those who were not in Safe Harbor?

  • 10

    Privacy Shield Updates

    What's the future for Privacy Shield?

    Brexit

    Irish lawsuit

    French lawsuits

    Executive orders

    What about other Data Transfer Compliance Mechanisms?

  • 11

    Frameworks

  • 12

    Privacy Shield vs.

    the GDPR

  • 13

    General Data Protection Regulation

    European law

    From Directive 95 to GDPR

    Address societal and technological changes

    May 25, 2018

    Stats

    Companies impacted

    Privacy jobs

  • 14

    Cross Border Data Transfers

    Adequacy

    Privacy Shield

    Binding Corporate Rules

    Controllers and Processors

    Standard Contractual Clauses

    Under GDPR codes of conduct

  • 15

    Binding Corporate Rules

    Intergroup agreement

    Group defined

    Transfer mechanism

    Specifically mentioned in GDPR

    Considered gold standard

    Companies:

    Binding Safe Processing Rules

    BCRs for Controllers and Processors

  • 16

    Cross Border Privacy Rules

    Asia-Pacific Economic Cooperation

    Voluntary program

    2011

    Independent accountability agent required

    4 economies so far

    - USA, Mexico, Japan and Canada

    Crosswalk published BCRs/CBPRs

    - Merck

  • 17

    Leveraging Privacy Shield

  • 18

    What should a company do?

    Data

    Policies

    Practices

    Legal/Compliance Specific

    Consider certification programs

  • 19

    Data To-Dos

    Data

    inventory

    classification

    minimization

    record retention

    destruction

  • 20

    Policy To-Dos

    Information security policies

    training

    monitor compliance

    Privacy policies

    easily accessible

    clear and plain language

    full disclosure of data collection and processing

  • 21

    Practices To-Dos

    PIAs

    Complaint process (must be easy)

    Review and revise methods of obtaining consent

    Data portability and erasure processes

    Update incident response plans

    notice to supervisory agencies within 72 hours

  • 22

    Legal-Specific To-Dos

    DPO (Data Protection Officer): authority and independence, monitor compliance, perform training, and conduct internal audits

    Accountability: detailed records of the processing performed on personal data

    Review BCRs (or SCCs) for compliance with GDPR

    Addendums for onward transfer requirements

    Vendor oversight and accountability

    Insurance policies: global or enterprise coverage, types of data issues, and increased costs and liabilities

  • 23

    Questions?

  • 24

    K Royal [email protected]

    Amanda Gratchner [email protected]

    David Fowler [email protected]

    Contacts


  • 25

    Register now for the next webinar in our 2017 Winter/Spring Webinar Series

    on March 23: Privacy Program Management: A Framework for Success

    See http://www.truste.com/insightseries for the 2017 Privacy Insight Series

    and past webinar recordings.

    Thank You!

    http://www.truste.com/insightseries
