How to protect your business post EU-US Privacy Shield
1. 1 ⎥ Project A
How to protect your business
post EU-US Privacy Shield
Andreas Wild
Head of Customer Engagement at Project A
2. 2 ⎥ Project A
01 Introduction
02 Rationale
03 Trend for more 1P Data
04 End of EU-US Privacy Framework
05 Immediate next steps?
06 How to protect your organization?
07 How to protect your data?
3. 3 ⎥ Project A
Why are we talking about this?
Especially so early in the day?
200.000€
4. 4 ⎥ Project A
Why is this becoming more relevant?
→ Need for more first party data
→ End of EU-US Privacy Shield
5. 5 ⎥ Project A
What is a Schrems?
"Maximilian Schrems is an Austrian activist and author who became known for campaigns against Facebook for its privacy violations, ..."
Wikipedia
6. 6 ⎥ Project A
End of EU-US Privacy Shield
Recap of the past couple of months and the current status of the topic.
The EU-US Privacy Shield Framework can no longer be relied on to evidence compliance with the GDPR, following the landmark judgement of the Court of Justice of the European Union in Case C-311/18, Data Protection Commissioner v Facebook Ireland Ltd and Schrems.
A case-by-case assessment of Standard Contractual Clauses approved by the European Commission must be undertaken to ensure personal data flowing from the EU to countries outside of the EU is adequately protected.
This ruling affects European organisations' ability to demonstrate that data transferred outside the EU receives essentially equivalent protection, even where Standard Contractual Clauses are used. Organisations should immediately re-assess their data flows from the EU to countries outside of the EU.
7. 7 ⎥ Project A
What should you do now?
Firstly, take a deep breath.
→ Conduct data mapping for all flows of personal data from the EU;
→ where there is an EU-US data flow, urgently consider whether the Privacy Shield is relied on and, if so, implement other safeguards (such as appropriate SCCs);
→ conduct a case-by-case assessment of all data flows relying on the SCCs and consider whether adequate protection is offered (having regard to the privacy and surveillance laws and practices of those jurisdictions);
→ consider your organisation's need to undertake due diligence on its partners and providers (this may take the form of a questionnaire or survey); and
→ consider implementing additional safeguards for existing EU data flows (such as the encryption of data or other technological controls).
8. 8 ⎥ Project A
How can you protect your business in the meantime?
Activities that ensure smooth operations during and beyond this critical period.
→ Make a list of tools & services that process PII
→ Ensure that GDPR principles are well documented & implemented
– Transparency and modalities
– Information and access
– Rectification and erasure
– Right to object
→ Assess the data paths and stakeholders in your organization and document them accordingly; screen data flows and processing for potential leaks
9. 9 ⎥ Project A
The long-term protection is called data governance
Motivation to take action!
→ Complying with regulation to protect sensitive data and overall privacy
→ Securing data that can be a source of competitive advantage
→ Transparency of data access in the company
→ Possibility to backtrack the access at a specific point in time
→ Building a case for improving the infrastructure & processes
10. 10 ⎥ Project A
How to look for holes in the system
Where to look? Follow the data!
Data entry
→ Website registration
→ Newsletter
→ Whitepaper
→ Salesforce entry
→ ...
Transformation
→ Google Scripts
→ ETL
→ Segment
→ ...
Storage
→ Backend
→ Data Warehouse
→ Marketing CRM
→ Sales CRM
→ ...
Export
→ Reporting
→ .csv
→ Excel
→ Google Sheet
→ ...
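The data mapping and case-by-case re-assessment from the "What should you do now?" slide, applied to the entry → transformation → storage → export chain above, as an added example (not part of the original slides and not Project A's own tooling). It keeps a small register of the hops personal data takes through a fictional stack, follows one entry point downstream, and sorts each hop that leaves the EU/EEA into "still cites the Privacy Shield", "on SCCs/BCRs, needs assessment", or "no basis at all". The system names, countries, transfer bases and the EU/EEA country subset are constructed assumptions.

```python
from collections import deque
from dataclasses import dataclass
from typing import Dict, List

# Constructed subset of EU/EEA country codes (ISO 3166-1 alpha-2); extend for real use.
EU_EEA = {"AT", "BE", "DE", "DK", "ES", "FI", "FR", "IE", "IT", "NL", "PL", "SE", "IS", "LI", "NO"}

# Transfer tools that may still be used after Schrems II, but only after a
# case-by-case assessment of the destination country's surveillance laws.
ASSESSABLE_BASES = {"scc", "bcr"}


@dataclass(frozen=True)
class Hop:
    """One hop of personal data between two systems (hypothetical register entry)."""
    stage: str             # "entry", "transformation", "storage" or "export"
    source: str
    destination: str
    dest_country: str      # where the receiving system stores the data
    pii: bool              # does this hop carry personal data?
    basis: str             # "none", "privacy_shield", "scc", "bcr" or "adequacy"
    encrypted_at_rest: bool

    def is_transfer_outside_eu(self) -> bool:
        return self.pii and self.dest_country not in EU_EEA


# Constructed sample register for a fictional stack; names and countries are assumptions.
REGISTER: List[Hop] = [
    Hop("entry", "website", "backend", "DE", True, "none", True),
    Hop("transformation", "backend", "segment", "US", True, "privacy_shield", True),
    Hop("storage", "segment", "marketing_crm", "US", True, "scc", False),
    Hop("storage", "backend", "data_warehouse", "IE", True, "none", True),
    Hop("export", "data_warehouse", "google_sheet", "US", True, "scc", False),
    Hop("export", "data_warehouse", "reporting", "DE", False, "none", True),
    Hop("export", "marketing_crm", "excel_download", "US", True, "none", False),
]


def assess(register: List[Hop]) -> Dict[str, List[Hop]]:
    """Sort hops into the buckets the Schrems II next-steps list asks for."""
    buckets: Dict[str, List[Hop]] = {
        "privacy_shield": [],    # invalid basis: replace urgently
        "needs_assessment": [],  # SCC/BCR: assess destination law, add safeguards
        "no_basis": [],          # leaves the EU with nothing in place
        "ok": [],                # stays in the EU/EEA, carries no PII, or adequacy decision
    }
    for hop in register:
        if not hop.is_transfer_outside_eu() or hop.basis == "adequacy":
            buckets["ok"].append(hop)
        elif hop.basis == "privacy_shield":
            buckets["privacy_shield"].append(hop)
        elif hop.basis in ASSESSABLE_BASES:
            buckets["needs_assessment"].append(hop)
        else:
            buckets["no_basis"].append(hop)
    return buckets


def missing_supplementary_measures(register: List[Hop]) -> List[Hop]:
    """SCC/BCR transfers that rely on contract alone, with no encryption at rest."""
    return [h for h in assess(register)["needs_assessment"] if not h.encrypted_at_rest]


def trace(register: List[Hop], start: str) -> List[str]:
    """Follow personal data downstream from one entry point (breadth-first)."""
    downstream: Dict[str, List[str]] = {}
    for hop in register:
        if hop.pii:  # hops without personal data do not spread the exposure
            downstream.setdefault(hop.source, []).append(hop.destination)
    seen, order, queue = {start}, [], deque([start])
    while queue:
        system = queue.popleft()
        for nxt in downstream.get(system, []):
            if nxt not in seen:
                seen.add(nxt)
                order.append(nxt)
                queue.append(nxt)
    return order


if __name__ == "__main__":
    for bucket, hops in assess(REGISTER).items():
        for h in hops:
            print(f"{bucket:17} {h.stage:15} {h.source} -> {h.destination} ({h.dest_country}, {h.basis})")
    print("website data reaches:", " -> ".join(trace(REGISTER, "website")))
```

The register is deliberately hop-based rather than system-based: the same warehouse can be fine as a storage target and a problem as a source for an export, so each transfer is assessed on its own destination and basis. The "no_basis" bucket is where ad-hoc exports (a CSV pulled onto a laptop abroad) tend to show up, which is exactly the leak the "Export" column above points at.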
11. 11 ⎥ Project A
Restricted data access should be given on a “need to know” basis.
12. 12 ⎥ Project A
Where to start?
If you were to do something about this tomorrow...
01 Identifying where the data is
What are the weak spots of the current setup? Are there any access inconsistencies across systems?
02 “Need to know” basis rule
Is this data necessary for the person to conduct their weekly responsibilities?
03 Data access process
Is the process clear and measurable, and does it contain documented sign-offs? Is it followed?
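The three starting points above (access inconsistencies across systems, the "need to know" rule, documented sign-offs) and the "backtrack the access at a specific point in time" motivation from the data-governance slide, as one added example (not part of the original slides and not Project A's own tooling). It holds a constructed grant history per system with grant and revocation times and the approver, checks every grant active at a review date against a role-based need-to-know matrix and for a missing sign-off, and answers "who could read PII in system X on date Y". The users, roles, systems and dates are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed need-to-know matrix: the broadest scope each role needs per system.
ROLE_NEEDS: Dict[str, Dict[str, str]] = {
    "sales": {"sales_crm": "pii"},
    "analyst": {"data_warehouse": "aggregated"},
    "marketing": {"marketing_crm": "pii"},
}
USERS: Dict[str, str] = {"alice": "sales", "bob": "analyst", "carol": "marketing"}
SCOPE_RANK = {"aggregated": 0, "pii": 1}   # "pii" is strictly broader than "aggregated"


@dataclass(frozen=True)
class Grant:
    """One access grant in one system (hypothetical record)."""
    user: str
    system: str
    scope: str                      # "aggregated" or "pii"
    granted: datetime
    revoked: Optional[datetime]     # None while still active
    signed_off_by: Optional[str]    # None when the access process was skipped

    def active_at(self, at: datetime) -> bool:
        return self.granted <= at and (self.revoked is None or self.revoked > at)


# Constructed grant history; users, systems and dates are assumptions.
GRANTS: List[Grant] = [
    Grant("alice", "sales_crm", "pii", datetime(2020, 1, 10), None, "head_of_sales"),
    Grant("bob", "data_warehouse", "aggregated", datetime(2020, 3, 1), None, "head_of_data"),
    Grant("bob", "data_warehouse", "pii", datetime(2020, 3, 1), None, None),
    Grant("carol", "marketing_crm", "pii", datetime(2020, 2, 1), datetime(2020, 6, 30), "head_of_marketing"),
    Grant("carol", "sales_crm", "pii", datetime(2020, 5, 1), None, "head_of_marketing"),
]

Finding = Tuple[str, str, str]   # (user, system, reason)


def inconsistencies(grants: List[Grant], at: datetime) -> List[Finding]:
    """Active grants that violate need-to-know or lack a documented sign-off."""
    findings: List[Finding] = []
    for g in grants:
        if not g.active_at(at):
            continue
        role = USERS.get(g.user)
        needed = ROLE_NEEDS.get(role, {}).get(g.system)
        if needed is None:
            findings.append((g.user, g.system, f"system not required by role {role}"))
        elif SCOPE_RANK[g.scope] > SCOPE_RANK[needed]:
            findings.append((g.user, g.system, f"scope {g.scope} exceeds need {needed}"))
        if g.signed_off_by is None:
            findings.append((g.user, g.system, "no documented sign-off"))
    return findings


def who_had_access(grants: List[Grant], system: str, scope: str, at: datetime) -> List[str]:
    """Backtrack: which users could read `scope` data in `system` at time `at`."""
    return sorted({
        g.user for g in grants
        if g.system == system and g.active_at(at) and SCOPE_RANK[g.scope] >= SCOPE_RANK[scope]
    })


if __name__ == "__main__":
    review_date = datetime(2020, 7, 15)
    for user, system, reason in inconsistencies(GRANTS, review_date):
        print(f"{user:6} {system:15} {reason}")
    print("PII readers of sales_crm:", who_had_access(GRANTS, "sales_crm", "pii", review_date))
```

Keeping revocation timestamps instead of deleting grants is what makes the point-in-time question answerable; a system that only stores the current ACL cannot tell you who could see a record when it was exported. Running the same check per system is also how cross-system inconsistencies surface: here a marketing user holds CRM access in the sales system, which each system on its own would consider valid.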