GDPR: DPIAs & Risk [Webinar Slides]

1
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2017
v © TRUSTe Inc., 2017
GDPR: DPIAs & Risk
May 23, 2017

2
• We will be starting a couple minutes after the hour
• This webinar will be recorded and the recording and slides sent out
later today
• Please use the GotoWebinar control panel on the right hand side to
submit any questions for the speakers
Thank you for joining the webinar
“GDPR: DPIAs & Risk”

3
Today’s Speakers
Marty Abrams
Executive Director & Chief Strategist
Information Accountability Foundation (IAF)
Hilary Wandall (Moderator)
General Counsel & Chief Data Governance Officer
TRUSTe

4
• Welcome & Introductions
• The role of DPIAs
• Development of privacy assessment methodology
• GDPR and DPIAs
• Risky processing under GDPR
• IAF-TRUSTe DPIA approach
• Privacy risk and enterprise risk management
• Q&A
Today’s Agenda

5
Do you have an internal PIA or DPIA process?
• yes
• no
Webinar Poll

6
The Role of DPIAs

7
Build Your Program – 6 Essential Elements
Build
Establish, maintain
and evolve an
integrated privacy
and data governance
program aligned with
other data
management and
information risk
functions such as
security, IP, trade
secret protection and
e-discovery
Integrated
Governance
Identify stakeholders. Establish
program leadership and governance.
Define program mission, vision and
goals.
Risk
Assessment
Identify, assess and classify data-
related strategic, operational, legal
compliance and financial risks.
Resource
Allocation
Establish budgets. Define roles and
responsibilities. Assign competent
personnel.
Policies &
Standards
Develop policies, procedures and
guidelines to define and deploy
effective and sustainable governance
and controls for managing data-
related risks.
Processes Establish, manage, measure and
continually improve processes for
PIAs, vendor assessments, incident
management and breach notification,
complaint handling and individual
rights management.
Awareness &
Training
Communicate expectations. Provide
general & contextual training.
Learn and Evolve Over Time

8
Development of Privacy Assessment
Methodology

9
How has assessment methodology developed in
the privacy field?

10
How did comprehensive data impact assessments
originate?

11
Genesis of Ethical Assessments
2013 - Challenge by HP, Merck, Intuit and Acxiom to
develop a means to make big data processing defendable
2014 - Unified Ethical frame developed and presented at
the International Conference of Data Protection and Privacy
Commissioners
–Ethical assessments the key
–Embraced by numerous regulators
–The “golden rule” became the proxy for ethics
2015 – Oversight and framework for assessment
–Multi-stakeholder oversight
–Link to legitimate interests established
–Digital marketing assessment framework developed
2016 – Canadian project

12
Canadian Project
•Canadian law, in most cases requires consent
–Raised the question of how big data might be done in Canada as a
link to accountability
•IAF received a grant from Office of the Privacy
Commissioner to explore the concept of ethical
assessments
•Recruited 20 Canadian companies and a lead Canadian
lawyer/expert to work with us
•Took the Canadian framework to a multi-stakeholder group
that included regulators
•End products a framework that includes the legal and
ethical discussion and an assessment framework
–Participants pleased with the outcome
–OPC pleased with the work product

13
Key Findings
•A customized linkage to local law and culture is
necessary
•The assessment framework can be used globally
•Assessing stakeholder benefits and risks was break
through for companies
•This methodology is useful everywhere
•Legal, fair and just - which puts people first - is a great
proxy for ethics
•Automating the process would lead to scalability

14
How does the ethical assessment methodology
align with the GDPR expectations for DPIAs?

15
IAF-TRUSTe DPIA Strategy

16
GDPR Requirements for DPIAs (Articles 35 and 36)
Processing likely to
result in high risk
Article 35(1)
No
No DPIA Required
DPIA Required
• Systematic description of the processing
• Assessment of necessity and
proportionality
• Assessment of the risks to the rights and
freedoms of data subjects
• Measures to address the risks
Is residual risk high?
No
DPA Consult Required
No DPA Consult
Required

17
Based on Article 29 Working Party Guidelines WP 248 (4 Apr 2017)
• Evaluation or scoring
• Automated-decision making with legal or similar significant effect
• Systematic monitoring
• Sensitive data
• Data processed on a large scale
• Datasets that have been matched or combined
• Data concerning vulnerable subjects
• Innovative use or applying technological or organizational solutions
• Data transfer across borders outside of the EU
• Where the processing itself prevents individuals from exercising a right
or using a service or a contract
Processing Likely to Result in High Risk – Key Criteria

18
IAF-TRUSTe DPIA Construct
Part A – Governance
and Accountability
1. Organizational
Accountability
2. Purpose
3. Data
4. Data Sources, Origins
and Characteristics
5. Legal Basis of
Processing
Part C – Mitigations
and Safeguards
10. Data Necessity
(DPbDesign/Default,
Data Minimization)
11. Use, Retention and
Disposal
12. Disclosure to Third
Parties and Onward
Transfer
13. Choice and Consent
14. Access and Individual
Rights
15. Data Integrity and
Quality
16. Security
17. Transparency
Part D – Risk Outcomes
(Report)
18. Mitigations and
Safeguard
Effectiveness
Evaluation (Scale)
19. Calculation of
Residual Risk
Severity and
Likelihood
20. Legitimate Interests
Balancing Test
Outcomes
21. Where residual risks
are high, consultation
of DPA and data
subjects
Part B – Risk, Impacts
and Benefits
6. High Risk Processing
7. Value and Benefits of
the Processing
8. Inherent Risk
Assessment
9. Weighted Inherent
Risk-Benefits

19
Do you have an automated PIA or DPIA process?
• yes
• no
Webinar Poll

20
Automating the IAF-TRUSTe DPIA

21

22

23

24
Do you have an enterprise risk management (ERM)
process?
• yes
• no
Webinar Poll

25
Integrating Privacy into Enterprise Risk Management

26
Questions?

27
Marty Abrams mabrams@informationaccountability.org
Hilary Wandall hilary@truste.com
Contacts

28
Details and registration for our 2017 Summer/Fall Webinar Series will be
published shortly.
Register for our next live event – the Privacy Risk Summit on June 6th 2017
at https://www.truste.com/events/privacy-risk/
See http://www.truste.com/insightseries for the 2017 Privacy Insight Series
and past webinar recordings.
Thank You!

GDPR: DPIAs & Risk [Webinar Slides]

Recommended

Recommended

More Related Content

More from TrustArc

More from TrustArc (20)

Recently uploaded

Recently uploaded (20)

GDPR: DPIAs & Risk [Webinar Slides]