22
1 v Privacy Insight Series - truste.com/insightseries v Privacy Shield is Here: What You Need to Know July 21, 2016

[Webinar Slides] Privacy Shield is Here – What You Need to Know

  • Upload
    truste

  • View
    4.433

  • Download
    1

Embed Size (px)

Citation preview

1 v Privacy Insight Series - truste.com/insightseries v

Privacy Shield is Here: What You

Need to Know

July 21, 2016

2 v Privacy Insight Series - truste.com/insightseries

Today’s Speakers

Chris Babel,

CEO

TRUSTe

Caitlin Fennessy

Senior Policy Advisor

Data Flows and Privacy Team

International Trade Administration

U.S. Department of Commerce

3 v Privacy Insight Series - truste.com/insightseries

• Welcome & Introductions

• Understanding the Differences between Safe Harbor & Privacy Shield

• How the Department of Commerce will Operate the Program

• Working with Third Party Verification & Dispute Resolution Providers

• Looking Forward

• Q&A

Today’s Agenda

4 v Privacy Insight Series - truste.com/insightseries v

Understanding the Differences between

Safe Harbor & Privacy Shield

Caitlin Fennessy, Senior Policy Advisor, Privacy & Data Flows Team,

U.S. Department of Commerce

5 v Privacy Insight Series - truste.com/insightseries

Understanding the Privacy Shield Framework

What does the Privacy Shield contain?

Privacy Shield Principles

–Requirements to which U.S.-based organizations can make an enforceable

commitment to receive data in compliance with EU data protection laws

Letters Describing Oversight and Enforcement from:

–Secretary of Commerce and Under Secretary for International Trade

–Chairwoman of the Federal Trade Commission

–Secretary of Transportation

Government Access to Data

−Letter from the Secretary of State on the new Privacy Shield Ombudsperson

−Letter concerning safeguards and limitations from the Office of the Director of

National Intelligence

−Letter concerning safeguards and limitations from the Department of Justice

5

6 v Privacy Insight Series - truste.com/insightseries

Understanding the Privacy Shield Framework

What should your company focus on to come into compliance?

What’s new compared to Safe Harbor

1. New Privacy Protections

Notice requirements

Accountability for onward transfer

Purpose limitation and data retention

Note: Companies should review the Framework in its entirety. These slides are only meant to highlight certain aspects.

6

7 v Privacy Insight Series - truste.com/insightseries

Understanding the Privacy Shield Framework

What should your company focus on to come into compliance?

What’s new compared to Safe Harbor

2. Enhanced Complaint Resolution

Response time to EU individuals

Free dispute resolution

Binding arbitration as last-resort option

7

8 v Privacy Insight Series - truste.com/insightseries

Understanding the Privacy Shield Framework

What should your company focus on to come into compliance?

What’s new compared to Safe Harbor

3. Improved Cooperation and Transparency

Monitoring and dispute resolution requires cooperation with ITA Privacy Shield Team

Ongoing requirements (if withdraw and maintain data)

Publication of FTC compliance reports (if subject to enforcement action)

8

9 v Privacy Insight Series - truste.com/insightseries v

Caitlin Fennessy, Senior Policy Advisor, Privacy & Data Flows Team,

Department of Commerce

How the Department of Commerce will

Operate the Program

10 v Privacy Insight Series - truste.com/insightseries

Joining the Privacy Shield Program

How will a company join Privacy Shield?

1. Confirm Your Organization’s Eligibility to Participate

2. Develop a Compliant Privacy Policy

3. Establish an Independent Recourse Mechanism (IRM)

4. Ensure a Verification Mechanism is in place

5. Identify your Privacy Shield Point of Contact

6. Self-certify Using the Privacy Shield Website

7. Reaffirm Self-certification Annually

8. Reply to Inquiries from EU citizens, IRM, Commerce, and/or DPAs as Required

10

11 v Privacy Insight Series - truste.com/insightseries

Joining the Privacy Shield Program

ITA Administration: What’s new that matters to you?

Maintenance of the Privacy Shield Website

Verification of Self-Certification Requirements

Monitoring of Compliance

Facilitating Resolution of Complaints Referred by EU DPAs

11

12 v Privacy Insight Series - truste.com/insightseries

Joining the Privacy Shield Program

FTC Enforcement: What has changed (and what hasn’t)?

Prioritization of DPA Referrals

Enforcement Cooperation

Investigatory Assistance

Publication of FTC Compliance Reports

12

13 v Privacy Insight Series - truste.com/insightseries v

Chris Babel, CEO, TRUSTe

Third Party Verification &

Dispute Resolution Providers

14 v Privacy Insight Series - truste.com/insightseries

•Companies must take steps to verify assertions made around Privacy

Shield compliance are true

•Third party compliance reviews can be used to satisfy this requirement

•Third party reviews must:

–Verify privacy policies are being complied with

–Consumers are informed of how they can file a compliant

• Companies must be able to demonstrate an external review has been

successfully completed annually

–This can be provided by the external compliance review provider

•Companies must retain records of their implementation of the Privacy

Shield Principles and privacy policies

–Records must be provided upon request in context of a Privacy Shield related

investigation

Privacy Practices Verification

15 v Privacy Insight Series - truste.com/insightseries

•Companies must respond to initial complaint within 45-days

•Alternative mechanism must be in place to address Privacy Shield

related complaints

–Independent Dispute Resolution Provider (IDR) can be used for consumer data

–DPAs must be used for employee data

• Must be provided free of charge to individuals

• Companies must provide information regarding their IDR Provider in

their privacy notice

– Name of the designated provider and how to contact them

–Whether the provider is EU or U.S. based

–That it is available free of charge

•Binding arbitration is available after other mechanisms have been

exhausted

Dispute Resolution

16 v Privacy Insight Series - truste.com/insightseries

• Make information available to consumers about Privacy Shield and the

IDR Provider’s role under Privacy Shield

–Needs to be accessible from IDR Provider’s website

–Link to the DOC’s Privacy Shield site

–Explanation of how to file a complaint, dispute resolution process and

timeframes, and potential remedies

•Report annually to the DOC regarding number, types, and outcomes of

complaints received, and length of time to resolve.

–Reporting in the aggregate

• IDR Providers must notify DOC of companies that fail to resolve

Privacy Shield related complaints.

New requirements for IDR Providers

17 v Privacy Insight Series - truste.com/insightseries

Impacts on Business

• Companies face stronger obligations for data transfers

• Increased risk stemming from 3rd party processors, partners,

and vendors

• Privacy Shield language needs to be added to contracts,

and be provided to the DOC upon request

• Companies must respond to disputes faster through

additional channels

• Increased regulatory focus

• Companies must document, maintain records and deliver

reports on their compliance efforts

18 v Privacy Insight Series - truste.com/insightseries

Levels of Third Party Assistance

18

Verification Assessment Dispute

Resolution

Dispute Resolution mechanism (non

HR) ✔ ✔ ✔

Dispute Resolution Seal/Button (non

HR) ✔ ✔ ✔

Comprehensive Assessment –

Customer and / or HR Data ✔ ✔

Online Asset Review and Scanning ✔ ✔

Findings Report ✔ ✔

Searchable Audit Trail ✔ ✔

DOC Registration Assistance ✔ ✔

Ongoing Guidance ✔ ✔

Remediation Assistance ✔

Verification Seal ✔

Verification Letter of Attestation ✔

Verification Listing for DOC ✔

19 v Privacy Insight Series - truste.com/insightseries v

Caitlin Fennessy, Senior Policy Advisor, Privacy & Data Flows Team,

Department of Commerce

Looking Forward

20 v Privacy Insight Series - truste.com/insightseries

Looking Forward

The GDPR

European Court of Justice

Cooperation with EU DPAs

20

How was the Framework designed to remain durable?

21 v Privacy Insight Series - truste.com/insightseries v

Chris Babel [email protected]

Contacts

22 v Privacy Insight Series - truste.com/insightseries v

Details of our 2016 Summer/Fall Webinar Series are now available. Register

now for our next webinar on August 18 “Brazil & Beyond: Privacy Trends in

Latin America”

See http://www.truste.com/insightseries for the 2016 Privacy Insight Series

and past webinar recordings.

Thank You!