PRIVACY INSIGHT SERIES Summer / Fall 2017 Webinar Program
Demonstrating Compliance & the Role of Certification Under the GDPR December 6th, 2017
© 2017 TrustArc Inc Proprietary and Confidential Information
Thank you for joining the webinar “Demonstrating Compliance & the Role of Certification Under the GDPR”
• This webinar will be recorded – both the recording and slides will be sent out via email later today
• Please use the GotoWebinar Control Panel on the right hand side to submit any questions for the speakers
Privacy Insight Series - trustarc.com/insightseries
© 2017 TrustArc Inc
Today’s Speakers
Karolina Mojzesowicz Deputy Head of Unit Data Protection, European Commission
Rosemary Jay Senior Consultant Attorney, Hunton & Williams LLP
Eduardo Ustaran Partner, Hogan Lovells
Josh Harris Director of International Regulatory Affairs, TrustArc
Today’s Agenda
• Intro and Overview
• Article 42 Description - Structure and Overview
• The Business Impact of GDPR Certification
• The Role of the EC and other Authorities and Next Steps
• Q and A
Article 42 Overview Rosemary Jay Senior Consultant Attorney, Hunton & Williams LLP
What is the purpose of certification?
• Certification is a way of showing publicly that specific processing of personal data by a data controller or data processor is compliant with the GDPR or selected aspects of the GDPR;
• For example, that a data processor has appropriate security for a particular kind of data processing, or that a third party outside the EEA has a compliance system in place which meets GDPR standards and will be applied to protect personal data after transfer.
Who is involved?
• Certification is carried out by an approved organisation (called a certification provider);
• The certification provider examines the processing operation for which the controller or processor seeks certification; and
• Assesses that operation against a set of previously approved standards applicable to processing of that type.
• If the processing operation meets the standard, the certification provider awards the certification.
The actors
• The standards for the different types of processing are set either by the Board (the EDPB) or by supervisory authorities;
• The Board can set pan-EU standards which can become an EU “data protection seal”.
• Certification providers are approved by supervisory authorities or the national accreditation body working with the supervisory authority.
• Supervisory bodies can also issue certificates.
Common questions
• Can any type of processing operation be covered by a certificate?
• Will certificates have national effect or pan-EU effect, or be mutually recognised across jurisdictions?
• Can certificates be withdrawn?
• Will certificates be expensive to obtain?
• How difficult will the process be to obtain a certificate?
• How long will certificates last?
The Business Impact of GDPR Certification Eduardo Ustaran Partner, Hogan Lovells
Why Certification?
• Demonstrating accountability and compliance (Arts. 5 and 24)
• Demonstrating data protection by design and by default (Art. 25)
• Demonstrating "safe processor" status (Art. 28)
• Demonstrating security (Art. 32)
• Legitimising international data transfers (Art. 46)
• Decisions over fines (Art. 83)
Role in relation to international dataflows
• 3 step approach to legitimising dataflows:
  – Adequacy in third jurisdiction
  – Appropriate safeguards
  – Derogations
• Appropriate safeguards:
  – Binding Corporate Rules
  – Contractual solutions
  – Codes of conduct & certification + binding & enforceable commitments to apply safeguards
Business advantages
• Legal certainty for an uncertain world
• Optional nature will lead to market differentiation
• Recognition by regulators
• Likely to join BCR as 'gold standard' for transfers
The Role of the EC and other Authorities and Next Steps Karolina Mojzesowicz Deputy Head of Unit Data Protection, European Commission
Questions? Josh Harris
jharris@trustarc.com
Thank You! Please take a quick minute and complete our post-webinar survey that will appear as you exit the GoToWebinar platform.
Keep an eye out for the upcoming Winter / Spring schedule that will be released soon, and view past webinar recordings at: https://www.trustarc.com/insightseries