Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
1
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Understanding new EU Guidan...
2
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
Today’s Speakers
Beth Sipula
Senior Privacy Consu...
3
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
The GDPR and When to Use
DP...
4
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
PIA definition
A privacy impact assessment (PIA) ...
5
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
Does your organization have a PIA process in plac...
6
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
Frameworks and Jurisdictions
•Many countries and ...
7
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
How many PIAs will your organization complete in ...
8
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
GDPR Triggers for DPIAa/PIAs
DPIAs are required f...
9
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
Triggers for when to use a DPIA/PIA
•Implementing...
10
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
•Assign clearly defined roles for all stages
•Ha...
11
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Paul Iagnocco
Chief Privac...
12
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
Privacy Overview at Kellogg
.
Global Privacy
Off...
13
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
Privacy Overview at Kellogg (continued)
Global
P...
14
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
Collaborative Approach Between Privacy & IT Secu...
15
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
5 Steps to Operationalizing PIAs
Know your
key P...
16
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
Know your key stakeholders
Objective:
Implementi...
17
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
Align on the role of the PIA
Objective:
With you...
18
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
Design the PIA workflow
Objective:
Leveraging th...
19
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
Build and Implement the PIA Solution
Objective:
...
20
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
Refine and scale the PIA Solution
Objective:
Ide...
21
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
Summary
1. Cultivate evangelists for the PIA sol...
22
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Questions?
23
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Beth Sipula bsipula@truste...
24
vPrivacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
v © TRUSTe Inc., 2016
Register now for the final...
Upcoming SlideShare
Loading in …5
×

Understanding new EU Guidance on DPIA/PIA requirements [Webinar Slides]

4,151 views

Published on

Watch the FULL webinar on-demand w/ these slides here: https://info.truste.com/eu-guidance-dpia-pia-requirements-webinar.html

Whether you call them Data Protection Impact Assessments or just PIAs, they are an indispensable way to gauge the potential impact of projects, systems, programs, products or services on the data an organization holds. Having a good understanding of what DPIA/PIAs are, how to implement them and who needs to be involved can be the key to embedding privacy in the heart of your organization. And of course they are now a requirement for certain types of processing under the GDPR.

Watch this webinar on-demand now as we:

- Review PIA best practices
- Review latest compliance guidance from the EU regulators
- Provide a range of tips and tools to help streamline and embed the process in your organization

Make sure to register NOW to watch the on-demand webinar here: https://info.truste.com/eu-guidance-dpia-pia-requirements-webinar.html

To register for upcoming other TRUSTe Webinars (upcoming/on-demand) visit: https://www.truste.com/events/privacy-insight-webinar-schedule/

Published in: Law
  • Login to see the comments

  • Be the first to like this

Understanding new EU Guidance on DPIA/PIA requirements [Webinar Slides]

  1. 1. 1 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 v © TRUSTe Inc., 2016 Understanding new EU Guidance on DPIA/PIA requirements November 10, 2016
  2. 2. 2 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 Today’s Speakers Beth Sipula Senior Privacy Consultant TRUSTe Paul Iagnocco Chief Privacy Officer Kellogg
  3. 3. 3 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 v © TRUSTe Inc., 2016 The GDPR and When to Use DPIAs/PIAs Beth Sipula, Senior Privacy Consultant TRUSTe
  4. 4. 4 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 PIA definition A privacy impact assessment (PIA) is a tool or process for identifying and assessing privacy risks throughout the development life cycle of a program or system. - Information Commissioner's Office
  5. 5. 5 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 Does your organization have a PIA process in place? 1. Yes 2. No Poll Question #1
  6. 6. 6 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 Frameworks and Jurisdictions •Many countries and regions of the world have been using PIAs dating back to the mid 90’s –Papers published regarding PIAs often started in the private sector •A handful of countries have the most presence; more countries are emerging in LATAM and APAC •The GDPR has drawn a spotlight onto DPIAs and adopting a framework as part of compliance •While there are differences in the methodologies, the goals are the same: to identify risks to privacy and determine ways of overcoming those risks •DPIAs/PIAs are not “one size fits all”
  7. 7. 7 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 How many PIAs will your organization complete in 2016? 1. Less than 10 2. 11 - 50 3. 51-100 4. 100+ 5. I have no idea Poll Question #2
  8. 8. 8 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 GDPR Triggers for DPIAa/PIAs DPIAs are required for any processing that may result in “high risk”, and for: • Systematic and extensive automated processing, including profiling, if the decisions produce legal effects or significantly affect the individual Example: Making predictions based on a person’s behavior, credit decisions, economic situation, location • Processing special categories of data (i.e. genetic or biometric data) or criminal records on a large scale • Systematic monitoring of a publicly accessible area on a large scale • As otherwise indicated by the DPAs or EUDPB • GDPR requires you to conduct PIAs for “high risk” activities and implement operational changes Note: Most common “high risk” areas tend to center around new products/systems that change the way the business uses / collects / stores personal data.
  9. 9. 9 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 Triggers for when to use a DPIA/PIA •Implementing a new system in your organization; •Launching a new product or service; •Providing new third party provider with access to PI; •Conversion of records from paper-based to electronic form; •Conversion of information from anonymous to identifiable form; •System management changes involving significant new uses and/or application of new technologies; •Significant merging, matching or other manipulation of multiple databases containing personal data; •Incorporation into existing databases of personal data obtained from commercial or public sources; •Alteration of a business process resulting in significant new collection, use and/or disclosure of personal data
  10. 10. 10 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 •Assign clearly defined roles for all stages •Having an Executive “Champion” or Sponsor is critical •PIAs need to be simple, repeatable, concise, and they need to map to the GDPR requirements •One size does not fit all – consider the level of risk –Also consider a bifurcated PIA process, with traditional PIAs for all projects and EU DPIAs for projects that trigger EU DP rules •Build a robust process with scalability in mind –Consider the system you are using, what it’ll take to make the process more efficient and automate •Monitor - Article 29 Working Party will be releasing guidance for controllers and processors on high-risk assessments by end of 2016 Recommendations for Success
  11. 11. 11 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 v © TRUSTe Inc., 2016 Paul Iagnocco Chief Privacy Officer Operationalizing a PIA Solution within the Enterprise
  12. 12. 12 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 Privacy Overview at Kellogg . Global Privacy Office established in August 2015 4 Strategic Pillars Build a Global Capability Ensure Compliance & Education Champion Privacy Advocacy Unlock Data Use Types of Data Held Employee (PII, PFI, PHI) Consumer (PII) Reporting Line A function within Global Legal & Compliance CPO reports directly to Chief Counsel (access to Global General Counsel & Vice Chair of Company)
  13. 13. 13 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 Privacy Overview at Kellogg (continued) Global Privacy Office Regional/Local Business Functions Internal Audit Defines the “what” Determines the “how” IT Security Kellogg employs a decentralized business model in addressing data protection and privacy matters. • strategy • training content • business compliance • standards and best practices • common global tools • privacy impact assessments (PIAs) • requests and complaints • data breach management • liaison with regulators • execute strategy • conduct training • Execute compliance • Implement standards and best practices • Address PIA results
  14. 14. 14 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 Collaborative Approach Between Privacy & IT Security Notice Choice Use Availability Integrity Access Confidentiality Acquisition and Use of Data Focus is on whether the Company is allowed to possess consumer or employee data and what we are allowed to do with it. Safeguards, Secured Storage and Proper Destruction of Data Focus is on the protection of the data stored, processed, transmitted and destroyed. IT Security
  15. 15. 15 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 5 Steps to Operationalizing PIAs Know your key PIA stakeholders Align on the role of a PIA Design the PIA workflow Build and implement the PIA solution Refine and scale the PIA Process
  16. 16. 16 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 Know your key stakeholders Objective: Implementing anything new within an organization is challenging. People fear the uncertainty of change. Need to identify key stakeholders that that see value in a PIA. Recommendation: Leverage these stakeholders to drive change within their function. These are your early adopters (evangelists). Key Stakeholders How would a PIA benefit their function? Legal Counsel - Transactions Provides intelligence to incorporate into MSA or SOW Risk Management Provides intelligence that may require change in risk policy Procurement Ensures that data protection and privacy are addressed IT Security Ensures that data protection and authorization is addressed Human Resources External data processors are vetted and deliver expected services for our employees Marketing External data processors are vetted and deliver expected services for our consumers Internal Audit Provides an audit trail Outside Consultants N/A
  17. 17. 17 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 Align on the role of the PIA Objective: With your key stakeholders, determine what you want to solve for using a PIA. Recommendation: Start small and scale. It might be easier to start leveraging PIAs externally since you will likely have less resistance to change. Common Components of a PIA What are we assessing? Internal Procedures and Policies Overall program accountability Data Collection What data is collected? Choice and Consent How was the data collected? Use, Retention and Disposal What is the intended use, storage and purge of the collected data? Disclosures to Third Parties Are we sharing this data? Access Does the data subject have access? Data Security How is the data secured?
  18. 18. 18 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 Design the PIA workflow Objective: Leveraging the PIA alignment gained in step 2, now design the PIA workflow. Recommendation: Again start small and scale. Look at how new data processes and vendor agreements/SOWs commence. Review existing workflows and determine best means to intersect without being disruptive. Where should a PIA be considered? Review existing vendor statement of work (SOW) New vendor set-up (MSA) Changes to internal data processing Significant IT infrastructure changes Mergers and acquisitions New product development (that engages data) Annual assessments To assess new regulations Process starts in Contract Database Privacy Threshold Questions Answered PIA Published and Vendor Responds Responses Reviewed by Legal and IT Security Additional Follow- ups by Other Key Stakeholders Changes negotiated in MSA MSA Approved and Filed New Vendor Set-up Workflow
  19. 19. 19 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 Build and Implement the PIA Solution Objective: Identify what PIA solution needs to be built and eventually implemented. Recommendation: Review step 2 to ensure you are building a PIA solution that achieves your goal. Also, be mindful that of the expected annual volume. Do NOT over engineer. In addition, be sure to produce communication materials and a simple user-guide to facilitate adoption beyond the key stakeholders. You MUST be prepared to Sell, Sell, Sell. Simple PIA Solution 1. Build out content (questions and benchmarks) 2. Load spreadsheet – use macros to create “flags” 3. Develop Email Template with purpose, deadline, etc. along with spreadsheet 4. Publish to XYZ, collect responses 5. Review and analyze 6. Take necessary action 7. File Complex PIA Solution 1. Conduct privacy threshold assessment 2. Add Respondent to TRUSTe Assessment Manager 3. Select or customize PIA 4. Publish to XYZ, collect responses 5. Centrally review and analyze 6. Assign necessary follow-up action 7. Archive and set calendar to automatically re-send in12 months
  20. 20. 20 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 Refine and scale the PIA Solution Objective: Identify what’s working and what’s not working and refine solution accordingly. What other areas (identified in Step 3) should we scale this PIA solution to address? Recommendation: Identify a means to gather on-going feedback on how to improve the solution. Always look for opportunities to further imbed the PIA into normal business operations. As you expand follow the process – Step and Repeat. Potential Refinements Customized PIA questions based on specific target audience (e.g., EU data processors) Implement for additional business scenarios (e.g., internal infrastructure or data processing changes) New PIA questions to assess internal or external compliance with new regulation (e.g., EU GDPR) Provide additional access to responses and analysis Add new functions to overall process Expand user-guides to reflect changes Expand communication plan – Sell, Sell, Sell
  21. 21. 21 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 Summary 1. Cultivate evangelists for the PIA solution 2. Define value of the PIA solution 3. Align on initial PIA solution goals 4. Start small – scale later 5. Look for new opportunities 6. Listen to feedback 7. Keep it simple 8. Over communicate Be sure to commit and start somewhere.
  22. 22. 22 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 v © TRUSTe Inc., 2016 Questions?
  23. 23. 23 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 v © TRUSTe Inc., 2016 Beth Sipula bsipula@truste.com Paul Iagnocco paul.iagnocco@kellogg.com Contacts
  24. 24. 24 vPrivacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2016 v © TRUSTe Inc., 2016 Register now for the final webinar in our our 2016 Summer/Fall Webinar Series on December 8 “Metrics for Success: Quantifying the Value of the Privacy Function” See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings. Thank You!

×