© 2019 TrustArc Inc Proprietary and Confidential Information
GDPR Compliance: Convince Customers, Partners, and The Board You Are Compliant
Bojana Bellamy – Centre for Information Policy Leadership
Hilary Wandall – TrustArc
19 June 2019
Thank you for joining the webinar “GDPR Compliance: Convince Customers, Partners, and The Board You Are Compliant!”
• We will be starting a couple of minutes after the hour
• This webinar will be recorded and the recording and slides sent out later today
• Please use the GotoWebinar control panel on the right hand side to submit any questions for the speakers
Bojana Bellamy – President, Centre for Information Policy Leadership at Hunton & Williams LLP
• Appointed President of the preeminent global information policy think tank, the Centre for Information Policy Leadership, in 2013
• 2019 IAPP Privacy Vanguard Award Winner
• Former Accenture Global Director of Data Privacy for 12 years
• Former IAPP Board Chair
bbellamy@hunton.com
Hilary Wandall – SVP, Privacy Intelligence and General Counsel, TrustArc
• Joined TrustArc in 2016
• Responsible for Legal, Regulatory, Public Policy, and Business Development, and Privacy Intelligence R&D team
• Former Chief Privacy Officer at Merck for 12 years
• Former IAPP Board Chair
hilary@trustarc.com
A GLOBAL PRIVACY AND SECURITY THINK TANK
Overview
• GDPR Accountability Principle
  – Article 5(2)
• Demonstrating Compliance
  – Article 24(1) – Technical and Organizational Measures (Policies, Controls, Validation)
  – Article 28(1) – Processor
  – Article 30 – Records of Processing
  – Article 35 – Data Protection Impact Assessments
  – Article 39 – Tasks of the DPO – Audits
  – Article 40 – Codes of Conduct
  – Article 42 – Certifications
Poll Question
• How do you demonstrate GDPR compliance at your organization?
[response choices]
  – Data Inventory / Records of Processing Reports
  – Internal Audits
  – DPIAs
  – Vendor Assessments
  – External Audits / Validation
A Global Privacy and Data Governance Framework

Build. Design, establish, and manage a program to ensure effective governance, risk management, policies, processes, and accountability.
• Integrated Governance – e.g., Brazil, Canada, Philippines, APEC, EU
• Risk Assessment – e.g., U.S., South Korea, Canada, Israel
• Resource Allocation – e.g., EU, Brazil
• Policies and Standards – e.g., Nigeria, CCPA, U.S. (HIPAA)
• Processes – e.g., CCPA, Argentina
• Awareness and Training – e.g., CCPA, GDPA, U.S. (HIPAA)

Implement. Define data needs, identify data processing risks, ensure that data processing is lawful, manage data flows and third parties, address individual third parties, provide data security, data quality, and transparency.
• Data Necessity – e.g., U.S. (HIPAA), Argentina
• Use, Retention, and Disposal – e.g., Philippines, CCPA, U.S. (GLBA)
• Disclosures to 3rd Parties / Onward Transfer – e.g., CCPA, U.S. (GLBA), Privacy Shield
• Choice and Consent – e.g., U.S. (CAN-SPAM), Singapore, Canada
• Access and Individual Rights – e.g., CCPA, Brazil, GDPR, U.S. (HIPAA)
• Data Integrity and Quality – e.g., Privacy Shield
• Security – e.g., U.S. (GLBA), Mass., ISO 27001
• Transparency – e.g., U.S. (FTC Health Breach), Canada

Demonstrate. Monitor, evaluate, and report on compliance, control effectiveness, risk, and maturity.
• Monitoring and Assurance – e.g., Nigeria, Brazil, GDPR
• Reporting and Certification – e.g., Privacy Shield, APEC, U.S. (COPPA), Brazil, Argentina, Philippines, Singapore, Japan, Canada, Mexico, Korea
A Framework View – “Demonstrate”
A Framework View – “Demonstrate” (Cont’d)
Articles 28, 30, and 35

Description: Technical and organizational measures implemented by the data processor (Article 28)
Example: Vendor Assessment

Description: Processing activities carried out by the controller or processor; types of data, purposes, recipients (Article 30)
Example: Article 30 (Records of Processing) Report

Description: Determination of inherent risk; assessment of mitigating controls; evaluation of residual risk (Article 35)
Example: Article 35 DPIA Report
Accountability Under the GDPR

Accountability, Effective Compliance and Protection for Individuals – elements of the accountability wheel:
• Leadership and Oversight
• Risk Assessment
• Policies and Procedures
• Transparency
• Training and Awareness
• Monitoring and Verification
• Response and Enforcement

Accountability translates legal requirements into risk-based, verifiable and enforceable corporate practices and controls.
Implementing Accountability
• Company values and business ethics shape accountability
• Organisations must be able to demonstrate accountability – internally and externally
• Accountability is not static, but dynamic, reiterative and a constant journey
Accountability – Examples of Content of Privacy Management Programmes

Leadership & Oversight
• Tone from the top
• Executive oversight
• Data privacy officer/office oversight and reporting
• Data privacy governance
• Privacy engineers
• Internal/External Ethics Committees

Risk Assessment
• At program level
• At product or service level
• DPIA for high risk processing
• Risk register
• Risk to organisations
• Risk to individuals
• Records of processing

Policies & Procedures
• Internal privacy rules based on DP principles
• Information security
• Legal basis and fair processing
• Vendor/processor management
• Procedures for response to individual rights
• Other (e.g. Marketing rules, HR rules, M&A due diligence)
• Data transfer mechanisms
• Privacy by design
• Templates and tools for PIA
• Crisis management and incident response

Transparency
• Privacy policies and notices to individuals
• Innovative transparency – dashboards, integrated in products/apps, articulate value exchange and benefits, part of customer relationship
• Information portals
• Notification of data breaches

Training & Awareness
• Mandatory corporate training
• Ad hoc and functional training
• Awareness raising campaigns and communication strategy

Monitoring & Verification
• Documentation and evidence – consent, legitimate interest and other legal bases, notices, PIA, processing agreements, breach response
• Compliance monitoring and testing, such as verification, self-assessments and audits
• Seals and certifications

Response and Enforcement
• Individual requests and complaints-handling
• Breach reporting, response and rectification procedures
• Managing breach notifications to individuals and regulators
• Implementing response plans to address audit reports
• Internal enforcement of non-compliance subject to local laws
• Engagement/Co-operation with DPAs
Organisations must be able to demonstrate their own implementation – internally and externally

Models of accountability:
• Corporate Privacy Programs
• Binding Corporate Rules (BCR)
• APEC Cross Border Privacy Rules (CBPR)
• Codes of Conduct
• Certifications & Seals
• ISO Standards

All the above models of accountability require:
• Following substantive privacy rules
• Implementation infrastructure
• Verification
• Ability to demonstrate
Demonstrating Accountability – to Whom and How?
To Whom?
* internally – executive leadership, Board of Directors, shareholders
* externally – business partners, regulators, individuals and civil society
BCR Requirements Mapped to CIPL Accountability Wheel

Elements of Accountability (CIPL Accountability Wheel – Accountability, Effective Compliance and Protection for Individuals): Leadership and Oversight; Risk Assessment; Policies and Procedures; Transparency; Training and Awareness; Monitoring and Verification; Response and Enforcement

Elements Found In BCR:
➢ Binding nature internally and externally
➢ Binding on companies and employees
➢ Third party beneficiary rights
➢ Breach remediation and compensation
➢ Transparency and easy access
➢ Effectiveness
➢ Training program
➢ Complaint handling process
➢ Audit program
➢ Network of DPO
➢ Cooperation Duty
➢ Duty to cooperate with the DPA
➢ Description of processing and data flows
➢ Material scope and geographical scope
➢ Mechanism for reporting and recording changes
➢ Process for updating the BCR
➢ Data protection safeguards
➢ Compliance with data protection principles including onward transfers
➢ Accountability of entities (records, DPIAs, appropriate TOMs)
➢ Relationship with national laws
BCR Requirements Mapped to CIPL Accountability Wheel (wheel view)

[Figure: the CIPL Accountability Wheel – Accountability, Effective Compliance and Protection for Individuals, with the elements Leadership and Oversight; Risk Assessment; Policies and Procedures; Transparency; Training and Awareness; Monitoring and Verification; Response and Enforcement – with the BCR requirements placed around it: Transparency & easy access; Breach remediation & compensation; Third party beneficiary rights; Binding on company and employees; National laws; Process for updating the BCR; Training program; Complaint handling process; Audit program; Network of DPOs; Duty to cooperate with the DPA; Material & geographical scope; Compliance with Data Protection Principles. Columns: Elements of Accountability / Elements Found In BCR.]
CIPL Papers on Accountability in Data Protection
• Introduction: The Central Role of Organisational Accountability in Data Protection
• The Case for Accountability: How it Enables Effective Data Protection and Trust in the Digital Society
• Incentivising Accountability: How Data Protection Authorities and Law Makers Can Encourage Accountability
GDPR 1 Year In: Benefits
• Made privacy a board level issue
• Shifted view of privacy from compliance obligation to business enabler
• Improved organizational accountability within organizations
• Served as a global privacy management standard for organizations
• Improved privacy awareness and ownership in organizations
• Increased business acumen of privacy team
• Provided organizations with identified expert/team responsible for data privacy governance
• Fostered good data hygiene and management
• Systematized risk assessments within organizations
• Promoted user-centric and innovative transparency
• Provided competitive advantage in B2B negotiations and due diligence processes
• Improved process to facilitate exercise of individual rights
• Strengthened resilience to breaches and prepared organizations to respond
• Broke organizational silos
Source: CIPL White Paper: GDPR One Year In: Practitioners Take Stock of the Benefits and Challenges

GDPR 1 Year In: Challenges
• Lack of harmonization across the EU (e.g. opening clauses; differing national guidance)
• Non-data privacy regulators ruling on data protection matters
• One-Stop-Shop not providing benefit of interaction with a single regulatory interlocutor in the EU
• Complexities around rules on territorial scope
• Inconsistency with sectoral laws (e.g. Clinical Trial Regulation; ePrivacy Regulation)
• Imposed regulatory burden on DPAs to handle every complaint
• Not fully tech neutral or future proof (e.g. tensions with AI; biotech and blockchain)
• Too much focus on consent and a narrowing of other processing grounds
• Lack of clarity and consistency regarding risk assessments
• Potential of GDPR certifications and codes of conduct not realized as accountability or transfer tools
• Little progress made to expand/improve existing transfer mechanisms (e.g. updating model clauses)
• Potential of BCR not realized (e.g. for joint economic activity; recognized as a comprehensive program)
Source: CIPL White Paper: GDPR One Year In: Practitioners Take Stock of the Benefits and Challenges
Significant Role of Certifications

The Significant Role of Certifications
Demonstrate accountability and compliance
• Enable organisations to achieve and demonstrate accountability and local compliance
• Demonstrate due diligence in the context of contractors/service providers
Enable international data transfers
• Enable organisations to transfer data responsibly, safely and efficiently across borders
Facilitate interoperability
• Organisations need to be able to leverage different certifications as they build their privacy program, and certifications need to work with each other
Benefits of Certification
Certifications in the GDPR

Articles 40–41 – Codes of Conduct
• Associations or other bodies representing categories of controllers/processors may prepare codes specifying the requirements of the regulation
• Monitoring may be carried out by a body with appropriate expertise and which has been accredited by the DPA
• Competent DPA shall submit draft criteria for accreditation of a body to the Board pursuant to the consistency mechanism

Article 42 – Certification
• Member States, DPAs, the Board and Commission shall encourage the establishment of certification mechanisms
• Issued by certification bodies pursuant to Article 43 of the GDPR
• May be established to demonstrate existence of appropriate safeguards for purposes of data transfers

Article 43 – Certification Bodies
• Certification bodies with an appropriate level of expertise may issue and renew certification
• Accreditation by DPA or National Accreditation Body
The Certification Landscape: Where are we now?
• EDPB final guidance on Codes of Conduct and Monitoring Bodies under the GDPR (adopted 4 June 2019)
  https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf
• EDPB final guidance on certifications (adopted 23 January 2019)
  https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf
• Annex 2 to certification guidelines (adopted 4 June 2019)
  https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf
• EDPB final guidance on the accreditation of certification bodies under Regulation (adopted 4 December 2018)
  https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201804_v3.0_accreditationcertificationbodies_annex1_en.pdf
• Annex 1 to accreditation guidelines (adopted 4 June 2019)
  https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201804_v3.0_accreditationcertificationbodies_annex1_en.pdf
• EU Commission study on certification mechanisms (published February 2019)
  https://ec.europa.eu/info/sites/info/files/data_protection_certification_mechanisms_study_publish_0.pdf
Achieving GDPR Certifications Promise?
• GDPR certification framework is extremely complex
• GDPR certification framework relies on Accreditation Regulation ISO 17061 which adds further complexity
• DPA activity on certification varies, with some more advanced than others
• DPAs currently focused on certifications at the national level rather than EU level
• Fragmentation of EU certification market likely
• GDPR certifications currently not possible for privacy management programs as a whole
• BCR not considered programmatic certification but transfer mechanism
• GDPR certification schemes will be offered by both DPAs and the market
• Available guidance does not address certifications as a transfer tool – separate guidance forthcoming
Thank you
Bojana Bellamy – bbellamy@HuntonAK.com
Centre for Information Policy Leadership – www.informationpolicycentre.com
Hunton Andrews Kurth Privacy and Information Security Law Blog – www.huntonprivacyblog.com
Follow us on Twitter: @THE_CIPL
Follow us on LinkedIn: linkedin.com/company/centre-for-information-policy-leadership

Questions?

Thank You!
See http://www.trustarc.com/insightseries for the 2019 Privacy Insight Series and past webinar recordings.
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc
 
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc
 
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data SecurityTrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data SecurityTrustArc
 
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...TrustArc
 
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...TrustArc
 
Nymity Framework: Privacy & Data Protection Update in 7 States
Nymity Framework: Privacy & Data Protection Update in 7 StatesNymity Framework: Privacy & Data Protection Update in 7 States
Nymity Framework: Privacy & Data Protection Update in 7 StatesTrustArc
 
CBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy ComplianceCBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy ComplianceTrustArc
 
Everything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdfEverything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdfTrustArc
 
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...TrustArc
 
Privacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and RecommendationsPrivacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and RecommendationsTrustArc
 
Building Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy CertificationsBuilding Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy CertificationsTrustArc
 
The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...TrustArc
 
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdfTrustArc
 
Artificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI GovernanceArtificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI GovernanceTrustArc
 
How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023TrustArc
 
The Ultimate Balancing Act: Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act:  Using Consumer Data and Maintaining TrustThe Ultimate Balancing Act:  Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act: Using Consumer Data and Maintaining TrustTrustArc
 
The Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To KnowThe Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To KnowTrustArc
 

More from TrustArc (20)

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie WorldTrustArc Webinar - How to Live in a Post Third-Party Cookie World
TrustArc Webinar - How to Live in a Post Third-Party Cookie World
 
TrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI InnovationsTrustArc Webinar - TrustArc's Latest AI Innovations
TrustArc Webinar - TrustArc's Latest AI Innovations
 
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
TrustArc Webinar - Managing Online Tracking Technology Vendors_ A Checklist f...
 
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data SecurityTrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
TrustArc Webinar - Privacy in Healthcare_ Ensuring Data Security
 
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
Unlocking AI Potential: Leveraging PIA Processes for Comprehensive Impact Ass...
 
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
Mitigating Third-Party Risks: Best Practices for CISOs in Ensuring Robust Sec...
 
Nymity Framework: Privacy & Data Protection Update in 7 States
Nymity Framework: Privacy & Data Protection Update in 7 StatesNymity Framework: Privacy & Data Protection Update in 7 States
Nymity Framework: Privacy & Data Protection Update in 7 States
 
CBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy ComplianceCBPR - Navigating Cross-Border Data Privacy Compliance
CBPR - Navigating Cross-Border Data Privacy Compliance
 
Everything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdfEverything You Need to Know about DPF But Are Afraid to Ask.pdf
Everything You Need to Know about DPF But Are Afraid to Ask.pdf
 
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
Your Guide to Understanding the Global Privacy Control (GPC): Preparing for C...
 
Privacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and RecommendationsPrivacy Enhancing Technologies: Exploring the Benefits and Recommendations
Privacy Enhancing Technologies: Exploring the Benefits and Recommendations
 
Building Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy CertificationsBuilding Trust and Competitive Advantage: The Value of Privacy Certifications
Building Trust and Competitive Advantage: The Value of Privacy Certifications
 
The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...The California Age Appropriate Design Code Act Navigating the New Requirement...
The California Age Appropriate Design Code Act Navigating the New Requirement...
 
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
2023 Global Privacy Benchmarks Survey - Webinar May 30 2023.pdf
 
Artificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI GovernanceArtificial Intelligence Bill of Rights: Impacts on AI Governance
Artificial Intelligence Bill of Rights: Impacts on AI Governance
 
How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023How To Do Data Transfers Between EU-US in 2023
How To Do Data Transfers Between EU-US in 2023
 
The Ultimate Balancing Act: Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act:  Using Consumer Data and Maintaining TrustThe Ultimate Balancing Act:  Using Consumer Data and Maintaining Trust
The Ultimate Balancing Act: Using Consumer Data and Maintaining Trust
 
The Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To KnowThe Cost of Privacy Teams: What Your Business Needs To Know
The Cost of Privacy Teams: What Your Business Needs To Know
 

Recently uploaded

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 

Recently uploaded (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 

2019 06-19 convince customerspartnersboard gdpr-compliant

  • 1. © 2019 TrustArc Inc Proprietary and Confidential Information
  GDPR Compliance: Convince Customers, Partners, and The Board You Are Compliant
  Bojana Bellamy – Centre for Information Policy Leadership
  Hilary Wandall – TrustArc
  19 June 2019
  • 6. Overview
  • GDPR Accountability Principle
  – Article 5(2)
  • Demonstrating Compliance
  – Article 24(1) – Technical and Organizational Measures (Policies, Controls, Validation)
  – Article 28(1) – Processor
  – Article 30 – Records of Processing
  – Article 35 – Data Protection Impact Assessments
  – Article 39 – Tasks of the DPO – Audits
  – Article 40 – Codes of Conduct
  – Article 42 – Certifications
  • 7. Poll Question
  • How do you demonstrate GDPR compliance at your organization? [response choices]
  – Data Inventory / Records of Processing Reports
  – Internal Audits
  – DPIAs
  – Vendor Assessments
  – External Audits / Validation
  • 8. A Global Privacy and Data Governance Framework
  Build. Design, establish, and manage a program to ensure effective governance, risk management, policies, processes, and accountability.
  – Integrated Governance (e.g., Brazil, Canada, Philippines, APEC, EU)
  – Risk Assessment (e.g., U.S., South Korea, Canada, Israel)
  – Resource Allocation (e.g., EU, Brazil)
  – Policies and Standards (e.g., Nigeria, CCPA, U.S. (HIPAA))
  – Processes (e.g., CCPA, Argentina)
  – Awareness and Training (e.g., CCPA, GDPA, U.S. (HIPAA))
  Implement. Define data needs, identify data processing risks, ensure that data processing is lawful, manage data flows and third parties, address individual third parties, provide data security, data quality, and transparency.
  – Data Necessity (e.g., U.S. (HIPAA), Argentina)
  – Use, Retention, and Disposal (e.g., Philippines, CCPA, U.S. (GLBA))
  – Disclosures to 3rd Parties / Onward Transfer (e.g., CCPA, U.S. (GLBA), Privacy Shield)
  – Choice and Consent (e.g., U.S. (CAN-SPAM), Singapore, Canada)
  – Access and Individual Rights (e.g., CCPA, Brazil, GDPR, U.S. (HIPAA))
  – Data Integrity and Quality (e.g., Privacy Shield)
  – Security (e.g., U.S. (GLBA), Mass, ISO 27001)
  – Transparency (e.g., U.S. (FTC Health Breach), Canada)
  Demonstrate. Monitor, evaluate, and report on compliance, control effectiveness, risk, and maturity.
  – Monitoring and Assurance (e.g., Nigeria, Brazil, GDPR)
  – Reporting and Certification (e.g., Privacy Shield, APEC, U.S. (COPPA), Brazil, Argentina, Philippines, Singapore, Japan, Canada, Mexico, Korea)
  • 9. A Framework View – “Demonstrate”
  • 10. A Framework View – “Demonstrate” (Cont’d)
  • 11. Articles 28, 30, and 35
  Description / Example
  • Technical and organizational measures implemented by the data processor / Example: Vendor Assessment
  • Processing activities carried out by the controller or processor; types of data, purposes, recipients / Example: Article 30 (Records of Processing) Report
  • Determination of inherent risk; assessment of mitigating controls; evaluation of residual risk / Example: Article 35 DPIA Report
  • 13. Implementing Accountability
  Accountability, Effective Compliance and Protection for Individuals:
  – Leadership and Oversight
  – Risk Assessment
  – Policies and Procedures
  – Transparency
  – Training and Awareness
  – Monitoring and Verification
  – Response and Enforcement
  • Accountability translates legal requirements into risk-based, verifiable and enforceable corporate practices and controls
  • Company values and business ethics shape accountability
  • Organisations must be able to demonstrate accountability – internally and externally
  • Accountability is not static, but dynamic, reiterative and a constant journey
  • 14. Accountability – Examples of Content of Privacy Management Programmes
  Leadership & Oversight
  • Tone from the top
  • Executive oversight
  • Data privacy officer/office oversight and reporting
  • Data privacy governance
  • Privacy engineers
  • Internal/External Ethics Committees
  Risk Assessment
  • At program level
  • At product or service level
  • DPIA for high risk processing
  • Risk register
  • Risk to organisations
  • Risk to individuals
  • Records of processing
  Policies & Procedures
  • Internal privacy rules based on DP principles
  • Information security
  • Legal basis and fair processing
  • Vendor/processor management
  • Procedures for response to individual rights
  • Other (e.g. Marketing rules, HR rules, M&A due diligence)
  • Data transfer mechanisms
  • Privacy by design
  • Templates and tools for PIA
  • Crisis management and incident response
  Transparency
  • Privacy policies and notices to individuals
  • Innovative transparency – dashboards, integrated in products/apps, articulate value exchange and benefits, part of customer relationship
  • Information portals
  • Notification of data breaches
  Training & Awareness
  • Mandatory corporate training
  • Ad hoc and functional training
  • Awareness raising campaigns and communication strategy
  Monitoring & Verification
  • Documentation and evidence – consent, legitimate interest and other legal bases, notices, PIA, processing agreements, breach response
  • Compliance monitoring and testing, such as verification, self-assessments and audits
  • Seals and certifications
  Response and Enforcement
  • Individual requests and complaints handling
  • Breach reporting, response and rectification procedures
  • Managing breach notifications to individuals and regulators
  • Implementing response plans to address audit reports
  • Internal enforcement of non-compliance subject to local laws
  • Engagement/Co-operation with DPAs
  Organisations must be able to demonstrate their own implementation – internally and externally
  • 15. Demonstrating Accountability – to Whom and How?
  To Whom?
  * internally – executive leadership, Board of Directors, shareholders
  * externally – business partners, regulators, individuals and civil society
  How? Models of accountability:
  – Corporate Privacy Programs
  – Binding Corporate Rules (BCR)
  – APEC Cross Border Privacy Rules (CBPR)
  – Codes of Conduct
  – Certifications & Seals
  – ISO Standards
  All the above models of accountability require:
  • Following substantive privacy rules
  • Implementation infrastructure
  • Verification
  • Ability to demonstrate
  • 16. BCR Requirements Mapped to CIPL Accountability Wheel
  Elements of Accountability (Accountability, Effective Compliance and Protection for Individuals): Leadership and Oversight; Risk Assessment; Policies and Procedures; Transparency; Training and Awareness; Monitoring and Verification; Response and Enforcement
  Elements Found In BCR:
  ➢ Binding nature internally and externally
  ➢ Binding on companies and employees
  ➢ Third party beneficiary rights
  ➢ Breach remediation and compensation
  ➢ Transparency and easy access
  ➢ Effectiveness
  ➢ Training program
  ➢ Complaint handling process
  ➢ Audit program
  ➢ Network of DPO
  ➢ Cooperation Duty
  ➢ Duty to cooperate with the DPA
  ➢ Description of processing and data flows
  ➢ Material scope and geographical scope
  ➢ Mechanism for reporting and recording changes
  ➢ Process for updating the BCR
  ➢ Data protection safeguards
  ➢ Compliance with data protection principles including onward transfers
  ➢ Accountability of entities (records, DPIAs, appropriate TOMs)
  ➢ Relationship with national laws
  • 17. BCR Requirements Mapped to CIPL Accountability Wheel (diagram)
  Diagram mapping the BCR elements onto the seven elements of the accountability wheel (Leadership and Oversight; Risk Assessment; Policies and Procedures; Transparency; Training and Awareness; Monitoring and Verification; Response and Enforcement). BCR elements shown: Transparency & easy access; Breach remediation & compensation; Third party beneficiary rights; Binding on company and employees; National Laws; Process for updating the BCR; Training Program; Complaint Handling Process; Audit Program; Network of DPOs; Duty to cooperate with the DPA; Material & geographical scope; Compliance with Data Protection Principles; Accountability.
  • 18. CIPL Papers on Accountability in Data Protection
  – Introduction: The Central Role of Organisational Accountability in Data Protection
  – The Case for Accountability: How it Enables Effective Data Protection and Trust in the Digital Society
  – Incentivising Accountability: How Data Protection Authorities and Law Makers Can Encourage Accountability
  • 19. GDPR 1 Year In: Benefits
    – Made privacy a board level issue
    – Shifted view of privacy from compliance obligation to business enabler
    – Improved organizational accountability within organizations
    – Served as a global privacy management standard for organizations
    – Improved privacy awareness and ownership in organizations
    – Increased business acumen of privacy team
    – Provided organizations with identified expert/team responsible for data privacy governance
    – Fostered good data hygiene and management
    – Systematized risk assessments within organizations
    – Promoted user-centric and innovative transparency
    – Provided competitive advantage in B2B negotiations and due diligence processes
    – Improved process to facilitate exercise of individual rights
    – Strengthened resilience to breaches and prepared organizations to respond
    – Broke organizational silos
    Source: CIPL White Paper: GDPR One Year In: Practitioners Take Stock of the Benefits and Challenges
  • 20. GDPR 1 Year In: Challenges
    – Lack of harmonization across the EU (e.g. opening clauses; differing national guidance)
    – Non-data privacy regulators ruling on data protection matters
    – One-Stop-Shop not providing the benefit of interaction with a single regulatory interlocutor in the EU
    – Complexities around rules on territorial scope
    – Inconsistency with sectoral laws (e.g. Clinical Trial Regulation; ePrivacy Regulation)
    – Imposed regulatory burden on DPAs to handle every complaint
    – Not fully tech neutral or future proof (e.g. tensions with AI, biotech and blockchain)
    – Too much focus on consent and a narrowing of other processing grounds
    – Lack of clarity and consistency regarding risk assessments
    – Potential of GDPR certifications and codes of conduct not realized as accountability or transfer tools
    – Little progress made to expand/improve existing transfer mechanisms (e.g. updating model clauses)
    – Potential of BCR not realized (e.g. for joint economic activity; recognized as a comprehensive program)
    Source: CIPL White Paper: GDPR One Year In: Practitioners Take Stock of the Benefits and Challenges
  • 21. Significant Role of Certifications
  • 22. The Significant Role of Certifications
    Demonstrate accountability and compliance
    – Enable organisations to achieve and demonstrate accountability and local compliance
    – Demonstrate due diligence in the context of contractors/service providers
    Enable international data transfers
    – Enable organisations to transfer data responsibly, safely and efficiently across borders
    Facilitate interoperability
    – Organisations need to be able to leverage different certifications as they build their privacy program, and certifications need to work with each other
  • 24. Certifications in the GDPR
    Articles 40-41 – Codes of Conduct
    – Associations or other bodies representing categories of controllers/processors may prepare codes specifying the requirements of the regulation
    – Monitoring may be carried out by a body with appropriate expertise which has been accredited by the DPA
    – Competent DPA shall submit draft criteria for accreditation of a body to the Board pursuant to the consistency mechanism
    Article 42 – Certification
    – Member States, DPAs, the Board and the Commission shall encourage the establishment of certification mechanisms
    – Issued by certification bodies pursuant to Article 43 of the GDPR
    – May be established to demonstrate the existence of appropriate safeguards for purposes of data transfers
    Article 43 – Certification Bodies
    – Certification bodies with an appropriate level of expertise may issue and renew certification
    – Accreditation by DPA or National Accreditation Body
  • 25. The Certification Landscape: Where are we now?
    – EDPB final guidance on Codes of Conduct and Monitoring Bodies under the GDPR (adopted 4 June 2019)
      https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201901_v2.0_codesofconduct_en.pdf
    – EDPB final guidance on certifications (adopted 23 January 2019)
      https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf
    – Annex 2 to certification guidelines (adopted 4 June 2019)
      https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201801_v3.0_certificationcriteria_annex2_en.pdf
    – EDPB final guidance on the accreditation of certification bodies under the Regulation (adopted 4 December 2018)
      https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201804_v3.0_accreditationcertificationbodies_annex1_en.pdf
    – Annex 1 to accreditation guidelines (adopted 4 June 2019)
      https://edpb.europa.eu/sites/edpb/files/files/file1/edpb_guidelines_201804_v3.0_accreditationcertificationbodies_annex1_en.pdf
    – EU Commission study on certification mechanisms (published February 2019)
      https://ec.europa.eu/info/sites/info/files/data_protection_certification_mechanisms_study_publish_0.pdf
  • 26. Achieving GDPR Certifications Promise?
    – GDPR certification framework is extremely complex
    – GDPR certification framework relies on Accreditation Regulation ISO 17061, which adds further complexity
    – DPA activity on certification varies, with some more advanced than others
    – DPAs currently focused on certifications at the national level rather than EU level
    – Fragmentation of EU certification market likely
    – GDPR certifications currently not possible for privacy management programs as a whole
    – BCR not considered programmatic certification but transfer mechanism
    – GDPR certification schemes will be offered by both DPAs and the market
    – Available guidance does not address certifications as a transfer tool – separate guidance forthcoming
  • 27. Thank you
    Bojana Bellamy – bbellamy@HuntonAK.com
    Centre for Information Policy Leadership – www.informationpolicycentre.com
    Hunton Andrews Kurth Privacy and Information Security Law Blog – www.huntonprivacyblog.com
    Follow us on Twitter: @THE_CIPL
    Follow us on LinkedIn: linkedin.com/company/centre-for-information-policy-leadership
  • 28. Questions?
  • 29. Thank You! See http://www.trustarc.com/insightseries for the 2019 Privacy Insight Series and past webinar recordings.