The document outlines an August 22, 2018 webinar by TrustArc on managing multiple compliance priorities like GDPR, HIPAA, and ISO 27001. It discusses starting with your primary regulatory driver, aligning programs for simplification using three pillars of build, implement, and demonstrate, and establishing a baseline with policies. Attendees are polled on their programs and challenges. The webinar provides strategies for individual rights requests, certification, and answering audience questions.

1. © 2018 TrustArc Inc Proprietary and Confidential Information
PRIVACY INSIGHT SERIES
Summer / Fall 2018 Webinar Program
PRIVACY INSIGHT SERIES
Managing Multiple Compliance
Priorities - GDPR, HIPAA, APEC, ISO
27001, etc.
August 22, 2018

2. © 2018 TrustArc IncPrivacy Insight Series - trustarc.com/insightseries
Today’s Speakers
K Royal, CIPP/US, CIPP/E, CIPM, FIP
Privacy Consulting Director, US West
TrustArc
2
Hilary Wandall, CIPP/US, CIPP/E, CIPM, FIP
Chief Data Governance Officer, General Counsel &
Corporate Secretary
TrustArc

3. © 2018 TrustArc IncPrivacy Insight Series - trustarc.com/insightseries
Today’s Agenda
• Welcome & Introductions
• The Primary Driver
• Aligning for Simplification
• Establishing your Baseline
• Putting it into Practice
• Questions?
3

4. © 2018 TrustArc Inc Proprietary and Confidential Information
PRIVACY INSIGHT SERIES
Summer / Fall 2018 Webinar Program
PRIVACY INSIGHT SERIES
4
Thanks for your interest in our webinar slides!
Click here to watch the on-demand recording.

5. PRIVACY INSIGHT SERIES
Summer / Fall 2018 Webinar Program
© 2018 TrustArc Inc Proprietary and Confidential Information
The Primary Driver
5

6. © 2018 TrustArc IncPrivacy Insight Series - trustarc.com/insightseries
Poll 1
6
What was the primary regulatory driver for your company to start a privacy
program?
 EU Data Protection Directive 95/46/EC
 GDPR
 HIPAA
 U.S. State Breach Notification laws
 EU-U.S. Privacy Shield

7. © 2018 TrustArc IncPrivacy Insight Series - trustarc.com/insightseries
Starting with your primary driver
• One customer expects you to self-certify to the Privacy
Shield Frameworks
• A business partner views you as a HIPAA business
associate
• Another customer expects you to sign a GDPR DPA and
Standard Contractual Clauses
• Still another customer wants you supports its efforts in
Asia and would like you to seek APEC Privacy Rules for
Processors (PRP) certification.
• Your board is worried about public trust and confidence.
Where do you start?
7

8. © 2018 TrustArc Inc Proprietary and Confidential Information
PRIVACY INSIGHT SERIES
Summer / Fall 2018 Webinar Program
PRIVACY INSIGHT SERIES
Aligning for Simplification
8

9. © 2018 TrustArc IncPrivacy Insight Series - trustarc.com/insightseries
Poll 2
9
Does your company have any of the following programs in place?
 Corporate Compliance Program
 Information Risk Management Program
 Data Governance Program
 Trade Secret Protection Program
 No

10. © 2018 TrustArc IncPrivacy Insight Series - trustarc.com/insightseries
Build
Program Strategy,
Governance, Processes
and Policies, Data
Inventory
Implement
PIAs, DPIAs, Consent,
Individual Rights, Data
Transfer
Demonstrate
Compliance Reports,
Certification,
Verification, Ongoing
Management
TrustArc Privacy & Data Governance Framework
Our model for aligning regulatory requirements
Integrating Privacy and Data Governance
We Start with 3 Pillars

11. © 2018 TrustArc IncPrivacy Insight Series - trustarc.com/insightseries11
Build Your Program
• Establish and maintain an
integrated data governance
program aligned with other
information risk management
functions such as security, IP
and trade secret protection and
e-discovery
Integrated Governance Identify stakeholders. Establish program leadership and governance. Define
program mission, vision and goals.
Risk Assessment Identify, assess and classify data-related strategic, operational, legal compliance and
financial risks.
Resource Allocation Establish budgets. Define roles and responsibilities. Assign personnel.
Policies & Standards Develop policies, procedures and guidelines to define and deploy effective and
sustainable governance and controls for managing data-related risks.
Processes Establish, manage, measure and continually improve processes for PIAs, vendor
assessments, incident management and breach notification, complaint handling and
individual rights management.
Awareness & Training Communicate expectations. Provide general & contextual training.
Implement Your Program
Across Products,
Processes and
Technologies
• Design and/or engineer effective
privacy and data governance
controls into organizational
processes, products and
technologies and maintain and
enhance those controls
throughout the lifecycle for the
product, process or technology
Data Necessity Optimize data value by collecting and retaining only the data necessary for strategic
goals. Leverage anonymization, de-identification, pseudonymization and coding to
mitigate data storage-related risks.
Use, Retention &
Disposal
Ensure data are used solely for purposes that are relevant to and compatible with the
purposes for which it was collected.
Disclosure to 3rd Parties
& Onward Transfer
Preserve the standards and protections for data when it is transferred to third party
organizations and / or across country borders.
Choice & Consent Enable individuals to choose whether personal data about them is processed. Obtain
and document prior permission where necessary and appropriate, and enable
individual to opt-out of ongoing processing.
Access & Individual
Rights
Enable individuals to access information about themselves, to amend, correct, and
as appropriate, delete information that is inaccurate, incomplete or outdated.
Data Integrity & Quality Assure that data are kept sufficiently accurate, complete, relevant and current
consistent with its intended use.
Security Protect data from loss, misuse and unauthorized access, disclosure, alteration or
destruction.
Transparency Inform individuals about the ways in which data about them are processed and how
to exercise their data-related rights.
Demonstrate Your Program Monitoring & Assurance Evaluate and audit effectiveness of controls and risk mitigation initiatives.
Reporting &
Certification
Demonstrate the effectiveness of your program and controls to management, the
board of directors, employees, customers, regulators and the public.© 2018, TrustArc. All rights reserved.
The 3 Pillars are Supported by 16 Standards

12. © 2018 TrustArc Inc Proprietary and Confidential Information
Interoperability in Practice
Program Element TrustArc Framework Privacy Shield APEC CBPRs GDPR ISO 27001 HIPAA
Build
Integrated Governance
Risk Assessment
Resource Allocation
Policies and Standards
Processes
Awareness and Training
Implement
Data Necessity
Use, Retention, Disposal
Third Parties and Onward
Transfer
Choice and Consent
Individual Rights
Data Quality and Integrity
Security
Transparency
Demonstrate
Monitoring and
Assurance
Reporting & Certification
Mapping alignment across regulatory controls
3 Pillars and 16 Standards are Operationalized with 55 Core Controls

13. © 2018 TrustArc Inc Proprietary and Confidential Information
PRIVACY INSIGHT SERIES
Summer / Fall 2018 Webinar Program
PRIVACY INSIGHT SERIES
Establishing Your Baseline
13

14. © 2018 TrustArc IncPrivacy Insight Series - trustarc.com/insightseries
Poll 3
14
What kind of “internal” privacy policy does your company have?
 We have a global privacy policy for our entire company
 We have different policies for each functional area of our company
 We have different policies for each region of our company
 We have a policy only for parts of our company in scope of GDPR
 We don’t have an internal policy

15. © 2018 TrustArc IncPrivacy Insight Series - trustarc.com/insightseries15
Build Your Program
• Establish and maintain an
integrated data governance
program aligned with other
information risk management
functions such as security, IP
and trade secret protection and
e-discovery
Integrated Governance Identify stakeholders. Establish program leadership and governance. Define
program mission, vision and goals.
Risk Assessment Identify, assess and classify data-related strategic, operational, legal compliance and
financial risks.
Resource Allocation Establish budgets. Define roles and responsibilities. Assign personnel.
Policies & Standards Develop policies, procedures and guidelines to define and deploy effective and
sustainable governance and controls for managing data-related risks.
Processes Establish, manage, measure and continually improve processes for PIAs, vendor
assessments, incident management and breach notification, complaint handling and
individual rights management.
Awareness & Training Communicate expectations. Provide general & contextual training.
Implement Your Program
Across Products,
Processes and
Technologies
• Design and/or engineer effective
privacy and data governance
controls into organizational
processes, products and
technologies and maintain and
enhance those controls
throughout the lifecycle for the
product, process or technology
Data Necessity Optimize data value by collecting and retaining only the data necessary for strategic
goals. Leverage anonymization, de-identification, pseudonymization and coding to
mitigate data storage-related risks.
Use, Retention &
Disposal
Ensure data are used solely for purposes that are relevant to and compatible with the
purposes for which it was collected.
Disclosure to 3rd Parties
& Onward Transfer
Preserve the standards and protections for data when it is transferred to third party
organizations and / or across country borders.
Choice & Consent Enable individuals to choose whether personal data about them is processed. Obtain
and document prior permission where necessary and appropriate, and enable
individual to opt-out of ongoing processing.
Access & Individual
Rights
Enable individuals to access information about themselves, to amend, correct, and
as appropriate, delete information that is inaccurate, incomplete or outdated.
Data Integrity & Quality Assure that data are kept sufficiently accurate, complete, relevant and current
consistent with its intended use.
Security Protect data from loss, misuse and unauthorized access, disclosure, alteration or
destruction.
Transparency Inform individuals about the ways in which data about them are processed and how
to exercise their data-related rights.
Demonstrate Your Program Monitoring & Assurance Evaluate and audit effectiveness of controls and risk mitigation initiatives.
Reporting &
Certification
Demonstrate the effectiveness of your program and controls to management, the
board of directors, employees, customers, regulators and the public.© 2018, TrustArc. All rights reserved.
The 3 Pillars are Supported by 16 Standards

16. © 2018 TrustArc IncPrivacy Insight Series - trustarc.com/insightseries
Developing the Policy
1. Start with your company’s goals for
data – how does data drive your
business
2. Select the core privacy and data
protection principles that will serve as
your baseline (e.g., OECD, APEC,
HIPAA, GDPR, Privacy Shield)
3. Add considerations for special cases or
more stringent laws
4. Develop the core standards that will
operationalize your principles
5. Build in exceptions or an exceptions
process
6. Validate your principles and standards
against the laws and regulations that
apply to your business
16
Build

17. © 2018 TrustArc Inc Proprietary and Confidential Information
PRIVACY INSIGHT SERIES
Summer / Fall 2018 Webinar Program
PRIVACY INSIGHT SERIES
Putting it into Practice
17

18. © 2018 TrustArc IncPrivacy Insight Series - trustarc.com/insightseries
Poll 4
18
Which requirements do you find most difficult to harmonize?
 Contracts (DPAs, BAAs, SCCs, Onward Transfer Agreements)
 Privacy Notices and/or Consent
 Data Inventory / Records of Processing Management
 Individual Rights Requests
 Vendor Assessments

19. © 2018 TrustArc IncPrivacy Insight Series - trustarc.com/insightseries
Spotlight on Implementation
Managing Individual Rights
1. Request received
2. Validate the request
3. Determine which requirements
apply
(a) Law or regulation
(b) Legal basis of processing
4. Retrieve the data
5. Validate the data against your
records of processing, retention
schedules, and your privacy notice
disclosures
6. Timely respond to the request
7. Update records as applicable
19
Implement

20. © 2018 TrustArc Inc Proprietary and Confidential Information
Interoperability in Practice
Mapping alignment across frameworks for certification and validation

21. © 2018 TrustArc IncPrivacy Insight Series - trustarc.com/insightseries
Spotlight on Demonstration
Certification and Validation
1. Identify your certification or validation
goals
– Public trust
– Customer trust
– Business partner trust
– Simplified cross-border transfers
2. Select your certification or validation
standard
3. Submit your application to your certifying
authority (external reviewer)
4. Demonstrate your controls
5. Complete remediation, if needed
6. Obtain, publicize and maintain certification
7. Respond to disputes, upon request
21
Demonstrate

22. © 2018 TrustArc Inc Proprietary and Confidential Information
PRIVACY INSIGHT SERIES
Summer / Fall 2018 Webinar Program
PRIVACY INSIGHT SERIES
22
Thanks for your interest in our webinar slides!
Click here to watch the on-demand recording.

23. PRIVACY INSIGHT SERIES
Summer / Fall 2018 Webinar Program
© 2018 TrustArc Inc Proprietary and Confidential Information
Questions?
23

24. PRIVACY INSIGHT SERIES
Summer / Fall 2018 Webinar Program
© 2018 TrustArc Inc Proprietary and Confidential Information
Contacts
24
K Royal kroyal@trustarc.com
Hilary Wandall hilary@trustarc.com

25. PRIVACY INSIGHT SERIES
Summer / Fall 2018 Webinar Program
© 2018 TrustArc Inc Proprietary and Confidential Information
Thank You!
Our Next Webinar will be on September 19, 2018:
Data Breach Management Requirements and Best Practices
See http://www.trustarc.com/insightseries to register and to access
past Privacy Insight Series webinar recordings.
25