On-demand recording link: https://info.trustarc.com/WB-2019-06-19-GDPR-Compliance-Convince-Customers-Partners-Board.html?utm_source=slideshare
Many companies have invested significant time and resources trying to design and implement GDPR compliance programs. Internally, they may have generated hundreds or thousands of pages of project plans, policies, processes and reports – including records of processing, DPIA reports and much more. But how can you demonstrate to internal stakeholders, clients and partners that you have a comprehensive program and that your processes and products are GDPR-compliant?
This webinar will provide these key takeaways:
- The current state of an official GDPR certification and codes of conduct
- Case studies of how companies are demonstrating compliance
- The benefits of an external third party GDPR validation
13. Implementing Accountability
Accountability, Effective Compliance and Protection for Individuals (the CIPL Accountability Wheel): Leadership and Oversight; Risk Assessment; Policies and Procedures; Transparency; Training and Awareness; Monitoring and Verification; Response and Enforcement
• Accountability translates legal requirements into risk-based, verifiable and enforceable corporate practices and controls
• Company values and business ethics shape accountability
• Organisations must be able to demonstrate accountability – internally and externally
• Accountability is not static, but dynamic, reiterative and a constant journey
14. Accountability – Examples of Content of Privacy Management Programmes
Leadership & Oversight
• Tone from the top
• Executive oversight
• Data privacy officer/office oversight and reporting
• Data privacy governance
• Privacy engineers
• Internal/External Ethics Committees
Risk Assessment
• At program level
• At product or service level
• DPIA for high risk processing
• Risk register
• Risk to organisations
• Risk to individuals
• Records of processing
Policies & Procedures
• Internal privacy rules based on DP principles
• Information security
• Legal basis and fair processing
• Vendor/processor management
• Procedures for response to individual rights
• Other (e.g. Marketing rules, HR rules, M&A due diligence)
• Data transfer mechanisms
• Privacy by design
• Templates and tools for PIA
• Crisis management and incident response
Transparency
• Privacy policies and notices to individuals
• Innovative transparency – dashboards, integrated in products/apps, articulate value exchange and benefits, part of customer relationship
• Information portals
• Notification of data breaches
Training & Awareness
• Mandatory corporate training
• Ad hoc and functional training
• Awareness raising campaigns and communication strategy
Monitoring & Verification
• Documentation and evidence – consent, legitimate interest and other legal bases, notices, PIA, processing agreements, breach response
• Compliance monitoring and testing, such as verification, self-assessments and audits
• Seals and certifications
Response and Enforcement
• Individual requests and complaints-handling
• Breach reporting, response and rectification procedures
• Managing breach notifications to individuals and regulators
• Implementing response plans to address audit reports
• Internal enforcement of non-compliance subject to local laws
• Engagement/Co-operation with DPAs
Organisations must be able to demonstrate their own implementation – internally and externally
15. Demonstrating Accountability – to Whom and How?
Models of accountability: Corporate Privacy Programs; Binding Corporate Rules (BCR); APEC Cross Border Privacy Rules (CBPR); Codes of Conduct; Certifications & Seals; ISO Standards
All the above models of accountability require:
• Following substantive privacy rules
• Implementation infrastructure
• Verification
• Ability to demonstrate
To Whom?
* internally – executive leadership, Board of Directors, shareholders
* externally – business partners, regulators, individuals and civil society
16. BCR Requirements Mapped to CIPL Accountability Wheel
Elements of Accountability (CIPL Accountability Wheel): Accountability, Effective Compliance and Protection for Individuals; Leadership and Oversight; Risk Assessment; Policies and Procedures; Transparency; Training and Awareness; Monitoring and Verification; Response and Enforcement
Elements Found In BCR:
➢ Binding nature internally and externally
  • Binding on companies and employees
  • Third party beneficiary rights
  • Breach remediation and compensation
  • Transparency and easy access
➢ Effectiveness
  • Training program
  • Complaint handling process
  • Audit program
  • Network of DPOs
➢ Cooperation Duty
  • Duty to cooperate with the DPA
➢ Description of processing and data flows
  • Material scope and geographical scope
➢ Mechanism for reporting and recording changes
  • Process for updating the BCR
➢ Data protection safeguards
  • Compliance with data protection principles including onward transfers
  • Accountability of entities (records, DPIAs, appropriate TOMs)
  • Relationship with national laws
17. BCR Requirements Mapped to CIPL Accountability Wheel (diagram)
Diagram placing the BCR elements around the CIPL Accountability Wheel (Leadership and Oversight; Risk Assessment; Policies and Procedures; Transparency; Training and Awareness; Monitoring and Verification; Response and Enforcement). BCR elements shown: Transparency & easy access; Breach remediation & compensation; Third party beneficiary rights; Binding on company and employees; National laws; Process for updating the BCR; Training program; Complaint handling process; Audit program; Network of DPOs; Duty to cooperate with the DPA; Material & geographical scope; Compliance with data protection principles; Accountability.
18. CIPL Papers on Accountability in Data Protection
• Introduction: The Central Role of Organisational Accountability in Data Protection
• The Case for Accountability: How it Enables Effective Data Protection and Trust in the Digital Society
• Incentivising Accountability: How Data Protection Authorities and Law Makers Can Encourage Accountability
19. GDPR 1 Year In: Benefits
• Made privacy a board level issue
• Shifted view of privacy from compliance obligation to business enabler
• Improved organizational accountability within organizations
• Served as a global privacy management standard for organizations
• Improved privacy awareness and ownership in organizations
• Increased business acumen of privacy team
• Provided organizations with identified expert/team responsible for data privacy governance
• Fostered good data hygiene and management
• Systematized risk assessments within organizations
• Promoted user-centric and innovative transparency
• Provided competitive advantage in B2B negotiations and due diligence processes
• Improved process to facilitate exercise of individual rights
• Strengthened resilience to breaches and prepared organizations to respond
• Broke organizational silos
CIPL White Paper: GDPR One Year In: Practitioners Take Stock of the Benefits and Challenges
20. GDPR 1 Year In: Challenges
• Lack of harmonization across the EU (e.g. opening clauses; differing national guidance)
• Non-data privacy regulators ruling on data protection matters
• One-Stop-Shop not providing benefit of interaction with a single regulatory interlocutor in the EU
• Complexities around rules on territorial scope
• Inconsistency with sectoral laws (e.g. Clinical Trial Regulation; ePrivacy Regulation)
• Imposed regulatory burden on DPAs to handle every complaint
• Not fully tech neutral or future proof (e.g. tensions with AI; biotech and blockchain)
• Too much focus on consent and a narrowing of other processing grounds
• Lack of clarity and consistency regarding risk assessments
• Potential of GDPR certifications and codes of conduct not realized as accountability or transfer tools
• Little progress made to expand/improve existing transfer mechanisms (e.g. updating model clauses)
• Potential of BCR not realized (e.g. for joint economic activity; recognized as a comprehensive program)
CIPL White Paper: GDPR One Year In: Practitioners Take Stock of the Benefits and Challenges
22. The Significant Role of Certifications
Demonstrate accountability and compliance
• Enable organisations to achieve and demonstrate accountability and local compliance
• Demonstrate due diligence in the context of contractors/service providers
Enable international data transfers
• Enable organisations to transfer data responsibly, safely and efficiently across borders
Facilitate interoperability
• Organisations need to be able to leverage different certifications as they build their privacy program, and certifications need to work with each other
24. Certifications in the GDPR
Codes of Conduct (Articles 40-41)
• Associations or other bodies representing categories of controllers/processors may prepare codes specifying the requirements of the regulation
• Monitoring may be carried out by a body with appropriate expertise which has been accredited by the DPA
• Competent DPA shall submit draft criteria for accreditation of a body to the Board pursuant to the consistency mechanism
Certification (Article 42)
• Member States, DPAs, the Board and Commission shall encourage the establishment of certification mechanisms
• Issued by certification bodies pursuant to Article 43 of the GDPR
• May be established to demonstrate existence of appropriate safeguards for purposes of data transfers
Certification Bodies (Article 43)
• Certification bodies with an appropriate level of expertise may issue and renew certification
• Accreditation by DPA or National Accreditation Body
25. The Certification Landscape: Where are we now?
EDPB final guidance on Codes of Conduct and Monitoring Bodies under the GDPR (adopted 4 June 2019)
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf
EDPB final guidance on certifications (adopted 23 January 2019)
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf
Annex 2 to certification guidelines (adopted 4 June 2019)
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf
EDPB final guidance on the accreditation of certification bodies under Regulation (adopted 4 December 2018)
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201804_v3.0_accreditationcertificationbodies_annex1_en.pdf
Annex 1 to accreditation guidelines (adopted 4 June 2019)
https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201804_v3.0_accreditationcertificationbodies_annex1_en.pdf
EU Commission study on certification mechanisms (published February 2019)
https://ec.europa.eu/info/sites/info/files/data_protection_certification_mechanisms_study_publish_0.pdf
26. Achieving GDPR Certifications' Promise?
• GDPR certification framework is extremely complex
• GDPR certification framework relies on Accreditation Regulation ISO 17061 which adds further complexity
• DPA activity on certification varies, with some more advanced than others
• DPAs currently focused on certifications at the national level rather than EU level
• Fragmentation of EU certification market likely
• GDPR certifications currently not possible for privacy management programs as a whole
• BCR not considered programmatic certification but transfer mechanism
• GDPR certification schemes will be offered by both DPAs and the market
• Available guidance does not address certifications as a transfer tool – separate guidance forthcoming
27. Thank you
Bojana Bellamy
bbellamy@HuntonAK.com
Centre for Information Policy Leadership
www.informationpolicycentre.com
Hunton Andrews Kurth Privacy and Information Security Law Blog
www.huntonprivacyblog.com
FOLLOW US ON TWITTER
@THE_CIPL
FOLLOW US ON LINKEDIN
linkedin.com/company/centre-for-information-policy-leadership