Building Your DPIA/PIA Program: Tips & Case Studies [TrustArc Webinar Slides]

© 2017 TrustArc Inc Proprietary and Confidential Information
PRIVACY INSIGHT SERIES
Summer / Fall 2017 Webinar Program
Building Your DPIA/PIA Program:
Tips & Case Studies
September 12, 2017

© 2017 TrustArc IncPrivacy Insight Series - trustarc.com/insightseries
Today’s Speakers
Alexia Maas
SVP - General Counsel, Volvo Financial Services
Beth Sipula
Sr. Privacy Consultant, TrustArc

Today’s Agenda
• Welcome & Introductions
• GDPR compliance requirements
• Essential elements for building your program
• Recommendations for success
• Q&A

Poll Question
Do you have an internal PIA or DPIA process in place?
4%
4
TrustArc / Dimensional Research 2017
A. Yes
B. No

GDPR Requirements for DPIAs

The EU GDPR – May 25, 2018 Deadline
Significant Compliance Requirements
6

GDPR Requirements for DPIAs (Articles 35 and 36)
Processing likely to
result in high risk
Article 35(1)
No
No DPIA Required
DPIA Required
• Systematic description of the processing
• Assessment of necessity and
proportionality
• Assessment of the risks to the rights and
freedoms of data subjects
• Measures to address the risks
Is residual risk high?
No
DPA Consult RequiredNo DPA Consult
Required

• The terms “PIA” and “DPIA” are used interchangeably by many
organizations. An organization may use a DPIA, even if a DPIA is
not required, to conduct an assessment to ensure the required data
protection controls are in place and to demonstrate compliance with
GDPR requirements.
• DPIAs are required of organizations acting as Data Controllers.
Data Processors may also use DPIAs to assess whether they are
processing data in a manner that supports the Controller in meeting
its compliance obligations under the GDPR.
• Both PIAs and DPIAs enable organizations to identify the controls
needed to address and reduce risk—be it a risk to the rights of
individuals, a compliance risk of the organization, or both.
PIAs and DPIAs: Similarities and Differences

• Automated-decision making with legal or similar significant effect
• Evaluation or scoring
• Systematic monitoring
• Sensitive data
• Data processed on a large scale
• Datasets that have been matched or combined
• Data concerning vulnerable subjects
• Data transfer across borders outside of the EU
• Innovative use or applying technological or organizational
solutions
• Where the processing itself prevents individuals from exercising a
right or using a service or a contract
Processing Likely to Result in High Risk – Key Criteria
Based on Article 29 Working Party Guidelines WP 248 (4 Apr 2017)

A. Less than 10
B. 11 - 50
C. 51-100
D. 100+
E. I have no idea
Poll Question #2
How many PIAs will your organization complete in
2017?

Essential Elements for Building Your
Program

Build Your Program – 6 Essential Elements
Build
Establish, maintain
and evolve an
integrated privacy
and data governance
program aligned with
other data
management and
information risk
functions such as
security, IP, trade
secret protection and
e-discovery
Integrated
Governance
Identify stakeholders. Establish
program leadership and governance.
Define program mission, vision and
goals.
Risk
Assessment
Identify, assess and classify data-
related strategic, operational, legal
compliance and financial risks.
Resource
Allocation
Establish budgets. Define roles and
responsibilities. Assign competent
personnel.
Policies &
Standards
Develop policies, procedures and
guidelines to define and deploy
effective and sustainable governance
and controls for managing data-
related risks.
Processes Establish, manage, measure and
continually improve processes for
PIAs, vendor assessments, incident
management and breach notification,
complaint handling and individual
rights management.
Awareness &
Training
Communicate expectations. Provide
general & contextual training.
Learn and Evolve Over Time

1. Integrated Governance
Identify your key stakeholders: Establish program leadership and
governance. Define program mission, vision and goals.
Leverage relationships with key internal stakeholders (and build new ones) to
drive change and adoption
Key Stakeholders Key Area (examples)
IT/Security Responsible for data protection and securing
internal systems
Human Resources Responsible for HR data and systems
Marketing Responsible for services to customers (both
internal and external)
Legal Responsible for ensuring legal requirements are
met
Internal Audit Responsible for managing an audit trail
Procurement Responsible for vetting and contracting with
vendors and third parties

2. Risk Assessment
Identify and assess risk: Classify data-related strategic, operational,
legal compliance and financial risks.
Key Risks (examples)
Significant infrastructure or systems changes
New Product development where data is collected; changes to existing
products new uses for data collected
New regulations and compliance requirements (GDPR)
Mergers and acquisitions
New vendors and third party business partners
Ongoing HR related data requirements (example: employee monitoring)

3. Resource Allocation
Identify resource needs: Establish budgets. Define roles and
responsibilities. Assign knowledgeable and trained personnel.
Resource Needs to Consider
Executive Champion; “top down” support essential to success
Training and knowledgeable personnel needed to manage PIA/DPIA
process; Define roles and responsibilities
Systems needed to support the program; automation
New regulations and compliance requirements (monitoring)
Outside consulting and legal resources

4. Policies and Standards
Develop policies and standards: Procedures and guidelines
to define and deploy effective and sustainable governance and
controls for managing data-related risks.
• IT Security, Data Security
and Acceptable Use
• Privacy Notices and Policies
• Data Use, Retention and
Disposal
• Data Classification
• Marketing Operations
• Product Development

5. Processes
Establish, manage, measure and continually improve processes:
Ensure a unified approach to PIAs/DPIAs, vendor assessments,
incident management and breach notification, complaint handling and
individual rights management.
• One size does not fit all. Organizations should develop and follow a
process that makes sense for their size, type of processing, and
resources
• PIAs/DPIAs need to be conducted according to a documented process
to ensure consistency
• Documentation to demonstrate accountability is also critical (on
demand)
Build Assess Implement Manage Demonstrate

6. Awareness & Training
Communicate
expectations
Provide
general &
contextual
training
Embed in
established
training
cycles

Recommendations

• Assign clearly defined roles for all stages
• Having an Executive “Champion” or Sponsor
• PIA/DPIA processes need to be simple, repeatable, concise, and they
need to map to the GDPR requirements
• One size does not fit all – consider the level of risk
– Also consider a process with traditional PIAs for all projects and EU
DPIAs for projects that trigger EU DP rules
• Build a robust process with scalability in mind
– Consider the system you are using, what it’ll take to make the
process more efficient and automate
• Over communicate and reinforce training at every opportunity
Recommendations for Success

Additional Resources
21
www.trustarc.com/resources

Contacts
Alexia Maas alexia.maas@vfsco.com
Beth Sipula bsipula@trustarc.com

Privacy Insight Series – 2017 Calendar
23
www.trustarc.com/insightseries

Thank You!
Register for the next webinar in our Series – October 11th
“Profiling, Big Data & Consent Under the GDPR”
For full Summer/Fall schedule and past webinar recordings
visit: http://www.trustarc.com/insightseries

Building Your DPIA/PIA Program: Tips & Case Studies [TrustArc Webinar Slides]

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to Building Your DPIA/PIA Program: Tips & Case Studies [TrustArc Webinar Slides]

Similar to Building Your DPIA/PIA Program: Tips & Case Studies [TrustArc Webinar Slides] (20)

More from TrustArc

More from TrustArc (20)

Recently uploaded

Recently uploaded (20)

Building Your DPIA/PIA Program: Tips & Case Studies [TrustArc Webinar Slides]