© 2019 TrustArc Inc Proprietary and Confidential Information
© 2020 TrustArc Inc Proprietary and Confidential Information
Assessing Risk: How Organizations Can
Proactively Manage Company and Third-Party Risk
TrustArc Privacy Insight Series Webinar
April 22, 2020
Thank you for joining the webinar Assessing Risk: How Organizations Can
Proactively Manage Company and Third-Party Risk
● We will be starting a couple of minutes after the hour
● This webinar will be recorded, and the recording and slides will be sent out later today
● Please use the GoToWebinar control panel on the right-hand side to submit
any questions for the speakers
Speakers
● Hilary Wandall, SVP, Privacy Intelligence and General Counsel, TrustArc
● Paul Breitbarth, Director, EU Policy & Strategy, TrustArc
● Michael Lin, SVP, Products and Engineering, TrustArc
Agenda
● Risk management and privacy
● Third party risks in today’s climate
● Focusing resources on highest areas of risk
● Risk reporting to management and the board
● Tools and best practices to manage, automate and continuously monitor both
company and third-party risk
Polling Question 1
What data-related risks are you most concerned about? (Select one)
● Compliance with new laws
● Enforcement of existing laws
● Third party controls and compliance
● Security controls
● New technologies
Risk Management and Privacy:
An Introduction
Risk Management and Privacy
Main Organizational Risks from a Privacy Perspective
● Data Security
○ Security and Data Breaches, followed by (often) mandatory notification requirements
○ Bring Your Own Device
○ Remote Working, Working from Home, Working on the Road
● Changing Legal Frameworks
○ Legislation is continuously changing, and even more so in recent years
● International Data Flows
○ Can data flow across borders without any restrictions?
● Enforcement Action & Court Cases
○ Safe Harbour & Privacy Shield cases
○ Class Actions
○ Reputation
Risk Management and Privacy
Privacy Risks to Individuals - Data Processing Sensitivity
● Volume of data collected and shared
● Scope of individuals involved (e.g., global health study)
● Unnecessary data processing
● Unexpected secondary data uses
● Automated decision-making
● Algorithmic decision-making
● Profiling
● Monitoring and surveillance
● Vulnerable role (e.g., children)
● Disadvantaged group (e.g., member of a protected class)
● New technologies (e.g., contact tracing apps)
● Sensitive data (e.g., health information)
● Disclosures to third parties
● Limiting individual rights
Terminology Tip: Data Processing is a collective set of data actions, such as data collection, generation, storage, retrieval, analysis, transformation, alteration, combination, use, transmission, disclosure, sharing, alignment, disposal, deletion, or destruction.
Changing Compliance Landscape (world map of privacy laws): 2001
Changing Compliance Landscape (world map of privacy laws): 2019
Legal and Regulatory Risks are Exploding
New laws in 2019 by category and region. Regional counts are listed in the order they appear on the slide (North America, Latin America, EMEA, Asia Pacific); regions with no new law in a category are blank on the slide and are omitted here, so only the Totals column and the Totals row are fully attributable.

Category | Regional counts (NA / LA / EMEA / APAC, blanks omitted) | Totals
Comprehensive Data Protection | 1, 4, 2 | 7
GDPR Implementation | 9 | 9
Information Security | 9, 1, 3 | 13
Health Privacy | 4, 2 | 6
Financial Privacy | 5 | 5
Education Privacy | 3 | 3
Breach | 11, 1 | 12
Privacy Rights | 3, 1, 1 | 5
Other | 8, 1, 9, 2 | 20
Totals for 2019 | 43 / 4 / 25 / 8 | 80

● 80 New Laws in 2019
● >600 Laws Globally
● More Complex Rules
Risk Management and Privacy
GDPR Risk-based Approach (recitals 74-76)
Take into account:
● the nature, scope, context and purposes of a processing operation;
● the risk to the rights and freedoms of natural persons [not just privacy / data protection];
● possible physical, material or non-material damage; as well as
● the likelihood and severity of the risk
The fundamental principles of data protection law apply to all data controllers and processors, but how they
implement their compliance efforts may depend on the assessment of risk.
As the WP29 put it: “Compliance should never be a box-ticking exercise, but should really be about ensuring
that personal data is sufficiently protected”. (WP218, 2014)
In order to assess risk, you will first need to understand your processing
operations. Managing risk therefore is supported by the creation and maintenance
of a data and processing activities inventory.
Risk Management and Privacy
Privacy & Data Protection Impact Assessments are mandatory processes under many privacy and data protection laws.
● A Privacy Impact Assessment (PIA) is an analysis of how
personally identifiable information is collected, used, shared,
and maintained.
(U.S. Federal Trade Commission)
● A PIA is a risk management process that helps institutions
ensure they meet legislative requirements and identify the
impacts their programs and activities will have on individuals’
privacy.
(Office of the Privacy Commissioner of Canada)
● A Data Protection Impact Assessment (DPIA) is an
assessment of the impact of the envisaged processing
operations on the protection of personal data in case of high
risk(s) to the rights and freedoms of individuals (GDPR)
Risk Management and Privacy
The EDPB considers that the more criteria are met by the processing, the more likely it is to
present a high risk to the rights and freedoms of data subjects, and therefore to require a DPIA.
As a rule of thumb, processing operations which meet at least two of these criteria will require a
DPIA.
1. Evaluation or scoring (including profiling)
2. Automated decision-making with legal or similar significant effect
3. Systematic monitoring
4. Use of sensitive data (as defined by Article 9 GDPR)
5. Data processed on a large scale (taking into account the number of data subjects concerned, the volume of data,
the duration of the processing and the geographical extent)
6. Datasets that have been matched or combined
7. Data concerning vulnerable data subjects
8. Innovative use or applying technological or organisational solutions
9. When the processing in itself “prevents data subjects from exercising a right or using a service or a
contract”
In addition to these generic criteria, there are national lists of processing operations requiring a DPIA in a
specific EU Member State.
Risk Management and Privacy: Enforcement Action
NIST Privacy Framework 1.0 - An Enterprise Approach to Privacy Risk
Figures (from the NIST Privacy Framework 1.0, 2020): Alignment of Privacy Risks with Cybersecurity Risks Throughout the Data Lifecycle; Role of the Privacy Impact Assessment
NIST Privacy Framework Functions
● Identify - Data inventory and risk
assessments
● Govern - Strategy, policies,
processes, procedures, awareness,
training
● Control - Data processing
management
● Communicate - Internal and external
● Protect - Security, identity
management, access, authentication
● Detect - Monitoring, anomalies, events
● Respond - Analysis, mitigation
● Recover - Recovery planning,
improvements, communications
Polling Question 2
How do you manage third party risks? (Select all that apply)
● Contracts, Data Processing Agreements, NDAs
● Vendor Assessments
● Security Risk Assessments
● Certifications and Audits
● Third Party Risk Tools
Third Party Risks in Today’s Climate
Third Party Risks in Today’s Climate
What business activities don’t involve third parties?
● Supply chains
● SaaS
● Advertising
● Data analytics
● Professional services
● Advisors
But how do you monitor and compare third party risks?
● Not all third parties are the same
- Roles: vendors, data processors, business associates, service providers, partners
- Data processing sensitivity (e.g.,
- Data sensitivity
- Geographic location
- Security posture
- Compliance maturity
- Privacy engineering practices
- Financial solvency
Image from the NIST Privacy Framework 1.0
Third Party Risks in Today’s Climate: COVID-19 WFH
Confidential Data Awareness
Remind employees about confidential data, including both personal data and business data, such as trade
secrets. Make sure documents are not downloaded unless necessary and minimize transmission. If
confidential data must be emailed or shared, use encryption.
No Document Printing
A home environment is not the best for paperwork. Restrict printing unless absolutely necessary.
Work & Personal Devices
Work devices, including phones and laptops, should not be shared with other people. Especially now, there are
likely other people in the house who may be a source of distractions. If using a personal device, develop a checklist
of what should be in place on devices. Antimalware, encryption, password managers and VPN are some
basic tools.
Cleansing Data
Be prepared to have employees clear the data on their devices and stored in the cloud on a regular basis,
such as weekly. In all cases, have a plan for clearing data once standard work hours resume.
Source: TrustArc Top 10 Tips for Enabling (new) Remote Workers
Third Party Risks in Today’s Climate: Regulatory Changes
● Data usage
For what purposes can your service providers/processors use personal data collected by you? And how
do you prevent deliberate or accidental misuse of the data?
○ e.g. use of telemetry data for product improvement - requires a separate legal basis, according to
EU DPAs
○ also includes cookies and other tracking technologies (e.g. CJEU Planet49 case)
● Cross-border data transfers, also when using service providers/processors
Local requirements and guidance are subject to continuous change and uncertainties
○ EU: ongoing discussion on the validity of Standard Contractual Clauses and Privacy Shield
○ Turkey: no approval on cross-border transfer mechanisms from Regulator (consent only)
○ Japan: PPC looking to strengthen cross-border transfer requirements and extraterritorial scope of
application of Japanese privacy laws
○ Canada: OPC considering moving away from consent for cross-border transfer requirements
● Video Conferencing
○ Ensuring policies, procedures and notices are up-to-date and covering all processing via VC apps
○ Complete security assessments: right tool for the right conversation
Polling Question 3
How does your organization prioritize risks? (Select one)
● Risk owners prioritize risks for which they are responsible
● Risks are prioritized by each functional area
● A cross-functional team oversees all risk priorities
● Have enterprise risk mgmt program for prioritizing risks
● We don’t have a process for risk prioritization
Focusing Resources on Highest Areas
of Risk
Focusing Resources on Highest Areas of Risk
Figure (risk model): Risk is assessed from the Consequences of a processing operation in terms of their Severity and Likelihood, combined in a Balancing Test to arrive at a Risk Factor.
Sources:
CIPL - The role of risk management in data protection (2014)
Gellert - Understanding the notion of risk in the GDPR (ScienceDirect, 2018)
Focusing Resources on Highest Areas of Risk
1. Risks with a high severity and likelihood absolutely must be
avoided or reduced by implementing security measures that
reduce both their severity and their likelihood. Measures should
focus on prevention, protection and recovery.
2. Risks with a high severity but a low likelihood must be avoided or
reduced by implementing security measures that reduce either
their severity or their likelihood. Emphasis must be placed on
preventive measures.
3. Risks with a low severity but a high likelihood must be reduced by
implementing security measures that reduce their likelihood.
Emphasis must be placed on recovery measures.
4. Risks with a low severity and likelihood may be taken, especially
since the treatment of other risks should also lead to their
treatment.
Source: CNIL - Methodology for Privacy Risk Management (2012)
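The two screening rules above, the EDPB "at least two criteria" rule of thumb (plus a national-list override) and the CNIL severity/likelihood treatment matrix, applied to a processing-activities inventory so that the register comes out ordered by treatment priority. This is an added example, not code from the deck or from TrustArc; the criteria keys, the `ProcessingActivity` record and the sample inventory (names, owners, ratings) are my own constructions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

# The nine EDPB criteria from the slide, keyed by short names of my own choosing (assumption).
EDPB_CRITERIA: Dict[str, str] = {
    "evaluation_or_scoring": "Evaluation or scoring (including profiling)",
    "automated_decision": "Automated decision-making with legal or similar significant effect",
    "systematic_monitoring": "Systematic monitoring",
    "sensitive_data": "Use of sensitive data (Article 9 GDPR)",
    "large_scale": "Data processed on a large scale",
    "matched_datasets": "Datasets that have been matched or combined",
    "vulnerable_subjects": "Data concerning vulnerable data subjects",
    "innovative_use": "Innovative use or applying technological or organisational solutions",
    "prevents_rights": "Processing that prevents data subjects from exercising a right or using a service",
}

# CNIL (2012) treatment rules from the slide, keyed by (severity, likelihood):
# (required treatment, where the emphasis of the measures should lie).
CNIL_TREATMENT: Dict[Tuple[str, str], Tuple[str, str]] = {
    ("high", "high"): ("avoid or reduce: measures must lower both severity and likelihood",
                       "prevention, protection and recovery"),
    ("high", "low"): ("avoid or reduce: measures must lower severity or likelihood",
                      "preventive measures"),
    ("low", "high"): ("reduce: measures must lower likelihood",
                      "recovery measures"),
    ("low", "low"): ("may be taken: treatment of other risks should also cover it",
                     "none specific"),
}
# Treatment priority: the earlier a cell appears here, the sooner it is dealt with.
PRIORITY_ORDER = [("high", "high"), ("high", "low"), ("low", "high"), ("low", "low")]


@dataclass(frozen=True)
class ProcessingActivity:
    name: str
    owner: str                                   # company entity or third party responsible
    severity: str                                # "high" or "low"
    likelihood: str                              # "high" or "low"
    criteria_met: FrozenSet[str] = frozenset()   # keys of EDPB_CRITERIA
    on_national_dpia_list: bool = False          # listed on a Member State's mandatory-DPIA list


def validate(activity: ProcessingActivity) -> None:
    """Reject misspelt criteria and out-of-range ratings before they silently skew a screening."""
    unknown = activity.criteria_met - set(EDPB_CRITERIA)
    if unknown:
        raise ValueError(f"{activity.name}: unknown EDPB criteria {sorted(unknown)}")
    if (activity.severity, activity.likelihood) not in CNIL_TREATMENT:
        raise ValueError(f"{activity.name}: severity and likelihood must be 'high' or 'low'")


def dpia_required(activity: ProcessingActivity, threshold: int = 2) -> bool:
    """EDPB rule of thumb: at least `threshold` criteria met => DPIA.
    A match on a national list is decisive on its own, whatever the count."""
    validate(activity)
    return activity.on_national_dpia_list or len(activity.criteria_met) >= threshold


def screen(inventory: List[ProcessingActivity]) -> List[Dict[str, object]]:
    """Build a prioritised register: CNIL tier first, then number of EDPB criteria met, then name."""
    rows = []
    for activity in inventory:
        treatment, emphasis = CNIL_TREATMENT[(activity.severity, activity.likelihood)]
        rows.append({
            "name": activity.name,
            "owner": activity.owner,
            "tier": PRIORITY_ORDER.index((activity.severity, activity.likelihood)),
            "criteria_count": len(activity.criteria_met),
            "dpia_required": dpia_required(activity),
            "treatment": treatment,
            "emphasis": emphasis,
        })
    rows.sort(key=lambda r: (r["tier"], -r["criteria_count"], r["name"]))
    return rows


# Constructed sample inventory; names, owners and ratings are illustrative only.
SAMPLE_INVENTORY = [
    ProcessingActivity("Contact tracing app", "Example Health Analytics Ltd (processor)", "high", "high",
                       frozenset({"innovative_use", "sensitive_data", "large_scale", "systematic_monitoring"})),
    ProcessingActivity("Credit scoring for loan applications", "Internal (controller)", "high", "low",
                       frozenset({"evaluation_or_scoring", "automated_decision"})),
    ProcessingActivity("Employee payroll", "Internal HR", "high", "low"),
    ProcessingActivity("Employee badge access logs", "Facilities vendor", "low", "high",
                       frozenset({"systematic_monitoring"}), on_national_dpia_list=True),
    ProcessingActivity("Product telemetry for improvement", "SaaS vendor (processor)", "low", "high",
                       frozenset({"large_scale"})),
    ProcessingActivity("Marketing newsletter", "Email service provider", "low", "low"),
]

if __name__ == "__main__":
    for row in screen(SAMPLE_INVENTORY):
        flag = "DPIA" if row["dpia_required"] else "    "
        print(f"tier {row['tier']} {flag} {row['name']:<36} -> {row['treatment']} (emphasis: {row['emphasis']})")
```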
Polling Question 4
What risks does your organization report to your Board of Directors?
(Select all that apply)
● Anti-bribery and anti-corruption
● Cybersecurity
● Fraud
● Privacy
● Other / Unsure
Risk Reporting to Management and the
Board
Board of Directors Risk Oversight Critical to Organizational Strategy
“Nothing is more fundamental to business - or vexing to boards - than risk…” - NACD
Board role in risk governance - oversight of the organization’s risk management activities
● Governance Risks - Decisions regarding board composition, leadership, directors, executive management (e.g., CEO)
● Business Management Risks - Categories that present significant threats: reporting, operational, financial, compliance, HR/labor, and reputational risks
● Board Approval Risks - Decisions regarding strategic initiatives, such as M&A, material investments, entry into new markets, new product lines
● Critical Enterprise Risks - Top risks that affect the company’s strategy, business model, or viability
● Emerging Risks - Awareness of external risks such as environmental, demographic shifts, and catastrophic events
Source: Report of the NACD Blue Ribbon Commission. Risk Governance: Balancing Risk and Reward (2009)
Risk Reporting to Management and the Board
Annual Privacy Governance Report, 2019
Risk Reporting to Management and the Board
Accountability as part of a solution
● Demonstrable compliance will help to tell the story behind risk identification and
mitigation.
● An ongoing process allows for a structured review.
● A framework-based approach also allows for structured
and detailed management reporting.
Tools and Best Practices for Managing
Risk
Tools and Best Practices - Key Pillars of Third Party and Company Risk Management
● Identify - Identify and prioritize potential areas of third party and company risk
● Assess - Assess risk associated with vendors, company entities and other third parties
● Analyze - Analyze and prioritize risk based on severity and likelihood
● Remediate - Prioritize key remediation tasks to ensure compliance and risk mitigation
● Ongoing Monitoring - Ongoing and real-time monitoring of risk; automated detection based on changes or time
Tools and Best Practices - Other Tools for Consideration
● Automation
○ Automated identification of possible risk
○ Prioritization of remediation tasks
○ Continuous Risk Monitoring
● Drive a holistic view of the vendor
○ Security ratings
○ Financial ratings
○ Other Risk related ratings
● Ease of Use
○ Vendor and Third Party Libraries
○ Streamlined user experience
● Managed Services and Consulting
○ Build your program
○ Help in running your program on an ongoing basis
Q&A
Speakers
● Hilary Wandall, SVP, Privacy Intelligence and General Counsel, TrustArc
● Paul Breitbarth, Director, EU Policy & Strategy, TrustArc
● Michael Lin, SVP, Products and Engineering, TrustArc
Upcoming Webinars
● EMEA Quarterly Update: Two Years Later - April 29, 2020 @ 10:00 EDT
Past Webinars
● Privacy Frameworks: The Foundation for Every Privacy Program (Free Download)
Thank You!
See http://www.trustarc.com/insightseries for the 2020
Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with compliance,
please reach out to sales@trustarc.com for a free demo.

Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 

Assessing Risk: How Organizations Can Proactively Manage Privacy Risk

  • 7. Risk Management and Privacy
    Main Organizational Risks from a Privacy Perspective
    ● Data Security
      ○ Security and Data Breaches, followed by (often) mandatory notification requirements
      ○ Bring Your Own Device
      ○ Remote Working, Working from Home, Working on the Road
    ● Changing Legal Frameworks
      ○ Legislation is continuously changing, and even more so in recent years
    ● International Data Flows
      ○ Can data flow across borders without any restrictions?
    ● Enforcement Action & Court Cases
      ○ Safe Harbour & Privacy Shield cases
      ○ Class Actions
      ○ Reputation
  • 8. Risk Management and Privacy
    Privacy Risks to Individuals - Data Processing Sensitivity
    ● Volume of data collected and shared
    ● Scope of individuals involved (e.g., global health study)
    ● Unnecessary data processing
    ● Unexpected secondary data uses
    ● Automated decision-making
    ● Algorithmic decision-making
    ● Profiling
    ● Monitoring and surveillance
    ● Vulnerable role (e.g., children)
    ● Disadvantaged group (e.g., member of a protected class)
    ● New technologies (e.g., contact tracing apps)
    ● Sensitive data (e.g., health information)
    ● Disclosures to third parties
    ● Limiting individual rights
    Terminology Tip: Data Processing is a collective set of data actions, such as data collection, generation, storage, retrieval, analysis, transformation, alteration, combination, use, transmission, disclosure, sharing, alignment, disposal, deletion, or destruction.
  • 11. Legal and Regulatory Risks are Exploding
    80 New Laws in 2019 | >600 Laws Globally | More Complex Rules
    New laws in 2019 by category and region. The source table has the columns North America, Latin America, EMEA, Asia Pacific and Totals; empty regional cells were dropped during extraction, so for most rows only the order of the surviving counts and the row total are certain:
      Category                        Regional counts (in column order)                          Total
      Comprehensive Data Protection   1, 4, 2                                                     7
      GDPR Implementation             9                                                           9
      Information Security            9, 1, 3                                                     13
      Health Privacy                  4, 2                                                        6
      Financial Privacy               5                                                           5
      Education Privacy               3                                                           3
      Breach                          11, 1                                                       12
      Privacy Rights                  3, 1, 1                                                     5
      Other                           North America 8, Latin America 1, EMEA 9, Asia Pacific 2   20
      Totals for 2019                 North America 43, Latin America 4, EMEA 25, Asia Pacific 8  80
  • 12. Risk Management and Privacy
    GDPR Risk-based Approach (recitals 74-76)
    Take into account:
    ● the nature, scope, context and purposes of a processing operation;
    ● the risk to the rights and freedoms of natural persons [not just privacy / data protection];
    ● possible physical, material or non-material damage; as well as
    ● the likelihood and severity of the risk.
    The fundamental principles of data protection law apply to all data controllers and processors, but how they implement their compliance efforts may depend on the assessment of risk. As the WP29 put it: “Compliance should never be a box-ticking exercise, but should really be about ensuring that personal data is sufficiently protected”. (WP218, 2014)
    In order to assess risk, you will first need to understand your processing operations. Managing risk is therefore supported by the creation and maintenance of a data and processing activities inventory.
  • 13. Risk Management and Privacy
    Privacy & Data Protection Impact Assessments are mandatory processes under many privacy and data protection laws.
    ● A Privacy Impact Assessment (PIA) is an analysis of how personally identifiable information is collected, used, shared, and maintained. (U.S. Federal Trade Commission)
    ● A PIA is a risk management process that helps institutions ensure they meet legislative requirements and identify the impacts their programs and activities will have on individuals’ privacy. (Office of the Privacy Commissioner of Canada)
    ● A Data Protection Impact Assessment (DPIA) is an assessment of the impact of the envisaged processing operations on the protection of personal data in case of high risk(s) to the rights and freedoms of individuals. (GDPR)
  • 14. Risk Management and Privacy
    The EDPB considers that the more criteria are met by the processing, the more likely it is to present a high risk to the rights and freedoms of data subjects, and therefore to require a DPIA. As a rule of thumb, processing operations which meet at least two of these criteria will require a DPIA.
    1. Evaluation or scoring (including profiling)
    2. Automated decision-making with legal or similar significant effect
    3. Systematic monitoring
    4. Use of sensitive data (as defined by Article 9 GDPR)
    5. Data processed on a large scale (taking into account the number of data subjects concerned, the volume of data, the duration of the processing and the geographical extent)
    6. Datasets that have been matched or combined
    7. Data concerning vulnerable data subjects
    8. Innovative use or applying technological or organisational solutions
    9. When the processing in itself “prevents data subjects from exercising a right or using a service or a contract”
    In addition to these generic criteria, there are national lists of processing operations requiring a DPIA in a specific EU Member State.
  • 15. Risk Management and Privacy: Enforcement Action
  • 16. NIST Privacy Framework 1.0 - An Enterprise Approach to Privacy Risk
    [Figures from the NIST Privacy Framework 1.0: Alignment of Privacy Risks with Cybersecurity Risks Throughout the Data Lifecycle; Role of the Privacy Impact Assessment. Source: NIST Privacy Framework 1.0 (2020)]
    NIST Privacy Framework Functions
    ● Identify - Data inventory and risk assessments
    ● Govern - Strategy, policies, processes, procedures, awareness, training
    ● Control - Data processing management
    ● Communicate - Internal and external
    ● Protect - Security, identity management, access, authentication
    ● Detect - Monitoring, anomalies, events
    ● Respond - Analysis, mitigation
    ● Recover - Recovery planning, improvements, communications
  • 17. Polling Question 2
    How do you manage third party risks? (Select all that apply)
    ● Contracts, Data Processing Agreements, NDAs
    ● Vendor Assessments
    ● Security Risk Assessments
    ● Certifications and Audits
    ● Third Party Risk Tools
  • 18. Third Party Risks in Today’s Climate
  • 19. Third Party Risks in Today’s Climate
    What business activities don’t involve third parties?
    ● Supply chains
    ● SaaS
    ● Advertising
    ● Data analytics
    ● Professional services
    ● Advisors
    But how do you monitor and compare third party risks?
    ● Not all third parties are the same
      - Roles: vendors, data processors, business associates, service providers, partners
      - Data processing sensitivity (e.g.,
      - Data sensitivity
      - Geographic location
      - Security posture
      - Compliance maturity
      - Privacy engineering practices
      - Financial solvency
    [Image from the NIST Privacy Framework 1.0]
  • 20. Third Party Risks in Today’s Climate: COVID-19 WFH
    Confidential Data Awareness: Remind employees about confidential data, including both personal data and business data, such as trade secrets. Make sure documents are not downloaded unless necessary and minimize transmission. If confidential data must be emailed or shared, use encryption.
    No Document Printing: A home environment is not the best for paperwork. Restrict printing unless absolutely necessary.
    Work & Personal Devices: Work devices, including phones and laptops, should not be shared with other people. Especially now, there are likely other people in the house who may require distractions. If using a personal device, develop a checklist for what should be in place on devices. Antimalware, encryption, password managers and VPN are some basic tools.
    Cleansing Data: Be prepared to have employees clear the data on their devices and stored in the cloud on a regular basis, such as weekly. In all cases, have a plan for clearing data once standard work hours resume.
    Source: TrustArc Top 10 Tips for Enabling (new) Remote Workers
  • 21. Third Party Risks in Today’s Climate: Regulatory Changes
    ● Data usage: For what purposes can your service providers/processors use personal data collected by you? And how do you prevent deliberate or accidental misuse of the data?
      ○ e.g. use of telemetry data for product improvement - requires a separate legal basis, according to EU DPAs
      ○ also includes cookies and other tracking technologies (e.g. CJEU Planet49 case)
    ● Cross-border data transfers, also when using service providers/processors: Local requirements and guidance are subject to continuous change and uncertainties
      ○ EU: ongoing discussion on the validity of Standard Contractual Clauses and Privacy Shield
      ○ Turkey: no approval on cross-border transfer mechanisms from Regulator (consent only)
      ○ Japan: PPC looking to strengthen cross-border transfer requirements and extraterritorial scope of application of Japanese privacy laws
      ○ Canada: OPC considering moving away from consent for cross-border transfer requirements
    ● Video Conferencing
      ○ Ensuring policies, procedures and notices are up-to-date and cover all processing via VC apps
      ○ Complete security assessments: right tool for the right conversation
  • 22. Polling Question 3
    How does your organization prioritize risks? (Select one)
    ● Risk owners prioritize risks for which they are responsible
    ● Risks are prioritized by each functional area
    ● A cross-functional team oversees all risk priorities
    ● Have enterprise risk mgmt program for prioritizing risks
    ● We don’t have a process for risk prioritization
  • 23. Focusing Resources on Highest Areas of Risk
  • 24. Focusing Resources on Highest Areas of Risk
    [Diagram: Risk as a function of Severity and Likelihood (Consequences); Balancing Test; Risk Factor]
    Sources: CIPL - The role of risk management in data protection (2014); Gellert - Understanding the notion of risk in the GDPR (ScienceDirect, 2018)
  • 25. Focusing Resources on Highest Areas of Risk
    1. Risks with a high severity and likelihood absolutely must be avoided or reduced by implementing security measures that reduce both their severity and their likelihood. Measures should focus on prevention, protection and recovery.
    2. Risks with a high severity but a low likelihood must be avoided or reduced by implementing security measures that reduce either their severity or their likelihood. Emphasis must be placed on preventive measures.
    3. Risks with a low severity but a high likelihood must be reduced by implementing security measures that reduce their likelihood. Emphasis must be placed on recovery measures.
    4. Risks with a low severity and likelihood may be taken, especially since the treatment of other risks should also lead to their treatment.
    Source: CNIL - Methodology for Privacy Risk Management (2012)
  • 26. Polling Question 4
    What risks does your organization report to your Board of Directors? (Select all that apply)
    ● Anti-bribery and anti-corruption
    ● Cybersecurity
    ● Fraud
    ● Privacy
    ● Other / Unsure
  • 27. Risk Reporting to Management and the Board
  • 28. Board of Directors Risk Oversight Critical to Organizational Strategy
    “Nothing is more fundamental to business - or vexing to boards - than risk…” - NACD
    Board role in risk governance - oversight of the organization’s risk management activities
    ● Governance Risks: Decisions regarding board composition, leadership, directors, executive management (e.g., CEO)
    ● Business Management Risks: Categories that present significant threats:
      ○ Reporting risks
      ○ Operational risks
      ○ Financial risks
      ○ Compliance risks
      ○ HR/Labor risks
      ○ Reputational risks
    ● Board Approval Risks: Decisions regarding strategic initiatives, such as M&A, material investments, entry into new markets, new product lines
    ● Critical Enterprise Risks: Top risks that affect the company’s strategy, business model, or viability
    ● Emerging Risks: Awareness of external risks such as environmental, demographic shifts, and catastrophic events
    Source: Report of the NACD Blue Ribbon Commission. Risk Governance: Balancing Risk and Reward (2009)
  • 29. Risk Reporting to Management and the Board
    [Chart: Annual Privacy Governance Report, 2019]
  • 30. Risk Reporting to Management and the Board
    Accountability as part of a solution
    ● Demonstrable compliance will help to tell the story behind risk identification and mitigation.
    ● An ongoing process allows for a structured review process.
    ● A framework-based approach also allows for structured and detailed management reporting.
  • 31. Tools and Best Practices for Managing Risk
  • 32. Tools and Best Practices - Key Pillars of Third Party and Company Risk Management
    ● Identify: Identify and prioritize potential areas of third party and company risk
    ● Assess: Assess risk associated with vendors, company entities and other third parties
    ● Analyze: Analyze and prioritize risk based on severity and likelihood
    ● Remediate: Prioritize key remediation tasks to ensure compliance and risk mitigation
    ● Ongoing Monitoring: Ongoing and real-time monitoring of risk - automated detection based on changes or time
  • 33. Tools and Best Practices - Other Tools for Consideration
    ● Automation
      ○ Automated identification of possible risk
      ○ Prioritization of remediation tasks
      ○ Continuous Risk Monitoring
    ● Drive a holistic view of the vendor
      ○ Security ratings
      ○ Financial ratings
      ○ Other risk-related ratings
    ● Ease of Use
      ○ Vendor and Third Party Libraries
      ○ Streamlined user experience
    ● Managed Services and Consulting
      ○ Build your program
      ○ Help in running your program on an ongoing basis
  • 34. Q&A
  • 35. Speakers
    Hilary Wandall, SVP, Privacy Intelligence and General Counsel, TrustArc
    Paul Breitbarth, Director, EU Policy & Strategy, TrustArc
    Michael Lin, SVP, Products and Engineering, TrustArc
  • 36. Upcoming Webinars
    ● EMEA Quarterly Update: Two Years Later - April 29, 2020 @ 10:00 EDT
    Past Webinars
    ● Privacy Frameworks: The Foundation for Every Privacy Program (Free Download)
  • 37. Thank You!
    See http://www.trustarc.com/insightseries for the 2020 Privacy Insight Series and past webinar recordings.
    If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.