1) Binding Corporate Rules (BCRs) provide a framework for companies to legally transfer personal data within a corporate group across borders in compliance with EU data privacy laws. Several large payment companies have already implemented BCRs.
2) The EU's upcoming General Data Protection Regulation will significantly strengthen data privacy laws and compliance obligations. Companies can prepare by implementing BCRs, which establish robust privacy governance policies, procedures, and accountability.
3) BCRs help companies streamline privacy practices, demonstrate compliance, and facilitate legal data transfers both within and outside the EU. An increasing number of companies are pursuing BCR approval from European data protection authorities.
2. Introduction
Binding Corporate Rules in the payment services industry. Examples:
- February 2015 – First Data
- November 2014 – Atos
- December 2013 – American Express
3. Introduction – Why Data Privacy?
- The payment services industry is heavily data-processing-centric
- Payment data is intrinsically sensitive
- Protection of payment data is not solely about information security: data privacy enhances consumer trust
- Data privacy is specifically referenced in the draft Payment Services Directive II
4. EU Data Privacy in Transition
[Timeline figure: 1993 – 2005 – 2015. Mainframe computing, then the Internet (e-commerce and distance services, biometrics/RFIDs, big data processing, cloud computing, IoT/social media, nano-computing, etc.), then delocation/omnipresence of data processing.]
EU Directive 1995/46:
- Omnibus legislation
- Notice & consent
- Sensitive data
- Data protection rights
- Notification of regulators
- Restrictions on data transfers
The future Data Protection Regulation will be a ‘game changer’:
- Direct binding effect
- Applicable to processing activities related to the offering of services to individuals in the EEA
- Broader obligations for data processors (internal documentation, PIAs, data breach, international transfers)
- Data breach notification
- Accountability obligations (PIAs, internal documentation)
- Privacy by design/default
- Right to be forgotten/portability
- Administrative sanctions (in the draft text at the time) up to EUR 100,000,000 or up to 5 percent of annual global turnover
5. “If you think compliance is expensive, try noncompliance.” – Former U.S. Deputy Attorney General Paul McNulty
6. EU Data Privacy in Transition
EU-US Safe Harbor Framework under review:
- EU Commission Communication (November 27, 2013)
- ECJ Maximillian Schrems v. Data Protection Commissioner ruling likely to catalyze the review process
- Does Safe Harbor have a future?
7. How To Prepare for Regulatory Change?
The Regulation will come with a 2-year implementation period. Where will you start?
- Track and document information practices
- Assess core risks and determine (non-)acceptable risk thresholds
- Invest in a governance structure to oversee information practices and compliance issues
8. You May Consider Binding Corporate Rules to Be ‘Regulation-Ready’…
- A set of rules that sets forth a data privacy regime for exchanging personal information within a group of companies
- Takes the form of a code of conduct, backed by policies, procedures and control mechanisms, which are negotiated with and approved by the national DPAs
- Binding Corporate Rules exist for data controllers (BCR-C) and for data processors (BCR-P)
BCRs are not only a mechanism to transfer personal information. They help to obtain:
- Accountability
- Adequate data privacy governance
- Awareness and effective data protection
9. Key Points When Considering BCRs
- Relevancy: multiplicity of jurisdictions; required flexibility to transfer PII globally; amount and nature of data processed
- Effort: status of current privacy compliance and governance; requires a certain ‘maturity’ in terms of privacy compliance
- Vision: long-term view on privacy; legal certainty; structure, streamline and reduce the administrative burden of privacy compliance for the future
- Commercial benefits: increases customers’ and partners’ trust and improves the company’s public reputation
10. Facts and Numbers
- 66 BCRs approved: 61 BCR-Cs and 5 BCR-Ps
- 42 BCRs officially in the pipeline (more in reality), of which 12 BCR-Ps
- Timing: 5 months on average for the lead DPA to handle the application; 3–4 months for the mutual recognition and cooperation procedure with the other DPAs; 8 months response time on the applicant side
12. Robust Privacy Governance Structure
[Diagram: privacy governance structure in four layers]
- Policy: the group’s global privacy policy, broken down into an HR data & privacy policy, a vendor & supplier data privacy policy and a customer data privacy policy
- Implementation: processes & procedures
- Control: audit programme (internal and/or external annual audit; ad hoc investigations)
- Effectiveness: effective compliance measures
Compliance measures shown in the diagram: privacy notices; employee policies & confidentiality clauses; mapping of data processing activities & data flows; IT security; third-party relations; roles & responsibilities; data quality / breach response; training & testing; complaint & request handling; network of privacy officers & staff; sanction mechanism; PIA & template; contacts for third parties; cooperation with DPAs.
A robust privacy governance structure is required to successfully apply for BCRs.
BCR advantages:
• Facilitates data flows within the group
• Provides structure for privacy governance
• Increases legal certainty due to the DPA check
• Ensures a high level of privacy compliance globally
• Harmonizes the future approach to privacy compliance within the group
• Raises privacy awareness
13. BCRs for Vendors (Processor Agents)
Recognized since 2013 and taking off now…
14. Challenges Global Data Processors – Reality
[Diagram: an EU client (data controller, DC) buys vendor data processing services from an EU data processor; the data flow continues from the EU processor to its DP affiliates in non-adequate countries (China, US, India).]
15. Challenges Global Data Processors – Solutions before 2013
[Diagram: the EU client (data controller) signs a separate controller-to-processor (C-P) model contract with the EU data processor and with each DP affiliate in non-adequate countries (China, US, India); the EU processor has contractual arrangements / SLAs with the affiliates.]
→ Burdensome for clients
• Commercially impractical
• High administrative burden related to multiple model contracts
→ Accurate reflection of data flows
16. Challenges Global Data Processors – Solutions before 2013
[Diagram: the EU client (data controller) signs a single C-P model contract with the EU data processor, which in turn signs C-P model contracts, contractual arrangements and SLAs with its DP affiliates in non-adequate countries (China, US, India).]
→ Commercial advantage:
• Reduces burden for clients
→ Legal risks:
• Does not reflect reality (i.e. not compliant with the actual data flow; requalification of the processor as controller)
• Shifts unwanted liability to the EU processor
17. Challenges Global Data Processors – Solutions as of 2013
[Diagram: the EU client (data controller) contracts with the EU data processor; the transfers from the EU processor to its DP affiliates in non-adequate countries (China, US, India) are covered by BCR-P, supplemented by SLAs.]
18. BCR Application Process
Phase I (review, cooperation of DPAs):
- Identify lead DPA
- Submit documents: WP 133 form / BCRs / IGA (or similar) / audit policy / training program / overview of entities
- Lead DPA review (+ co-reviewers): discussion rounds with the lead DPA; circulation to co-reviewers (possible further amendments)
- Notifications to mutual recognition (MR) DPAs: mutual recognition DPAs only need to confirm receipt; cooperation DPAs have 1 month to submit remarks
- Closure: lead DPA circulates the final version to the DPAs + listing by the Article 29 WP
Phase II (national authorities):
- Notification updates and permits (where required)
http://ec.europa.eu/justice/data-protection/document/international-transfers/files/table_nat_admin_req_en.pdf
19. Future of BCRs
Current situation:
• Phase II approvals in some jurisdictions
• Group of undertakings
Future:
• No Phase II approvals
• BCRs also open to a “group of enterprises engaged in joint activity”
21. Takeaways II
- BCRs allow streamlining of company privacy policies and create awareness.
- Although EU-law inspired, BCRs boost privacy compliance in non-EU jurisdictions as well.
- DPAs are very supportive. Exponentially growing number of BCR applicants. Alternatively, companies are getting “BCR-ready”.
- BCR applications are expected to “explode” upon adoption of the Regulation.
22. Jan Dhont
We appreciate the opportunity to be of service to you.
Vorstlaan 100, 1170 Brussels
+32 2 566 9000