PRIVACY INSIGHT SERIES Winter / Spring 2018 Webinar Program
One Week to Go: Are you Ready for May 25th? May 16, 2018
© 2018 TrustArc Inc Proprietary and Confidential Information
Today’s Speaker: Paul Iagnocco, Mid-West Consulting Director & Senior Privacy Consultant, TrustArc
Privacy Insight Series - trustarc.com/insightseries
#trustarcGDPRevents
Today’s Agenda
• Welcome & Introduction
• Status of GDPR Compliance
• GDPR Enforcement
• GDPR Ongoing Risk Management
• Demonstrating Compliance
• Questions?
Thanks for your interest in the webinar slides! To watch the on-demand recording please CLICK HERE.
Status of GDPR Compliance
Poll #1
November 2017 Research, IAPP & TrustArc: How Far Towards GDPR Compliance
48.62% (scale: 0 = haven’t started, 100 = fully compliant)
Expect To Be GDPR Compliant By…

                          Overall   U.S.   EU
By end of 2017            7%        7%     7%
By end of March 2018      29%       36%    24%
By May 25, 2018           41%       41%    41%
After May 25, 2018        17%       9%     24%
Not sure                  6%        7%     4%
April 2018 Research: How Far Towards GDPR Compliance
• Only 7% compliant in April
• 33% expect to be compliant by May 25th
• 60% not ready for GDPR

• Only 13% compliant in April
• 23% somewhat compliant by May 25th
• 52% not ready for GDPR
For most of us…
What solutions did companies invest in to address the GDPR?
Getting to GDPR Compliance TrustArc & IAPP Research – Nov 2017
What We are Seeing: Actual Compliance Status of Businesses
• Most organizations now have:
  – Identified Subject Matter Experts and/or DPO or lead
  – Developed a plan of action
  – Updated outward facing privacy notices
  – Understood their data flows and created a data inventory
  – Prioritized high risk data
  – Established legal basis for processing, revised consent mechanisms where necessary
  – Identified means to address individual rights requests
• But there is still a long way to go…
  – Pushing the plans out to the business
  – Updating technology and culture takes time
What Now?
• Privacy doesn’t go away!
• May 25th is NOT about checking a box – not a “yes/no” answer, but a risk management approach
• The laws will change (ePrivacy Regulation will replace ePrivacy Directive)
• Case law will evolve
• Technology will continue to disrupt
• Business will find new ways to harness the power of data
• Accountability processes are ongoing, and need maintenance
• Privacy compliance of the company and partners will need monitoring and measuring
• Documents and records of evidence will need updates
Article 25 – Transforms How We Go Forward
GDPR Enforcement
What the “Enforcers” are Saying
“there will be fines, and they will be significant….”
“…make sure that this question of compliance is not focused on the legal departments, but throughout company.”
What the “Enforcers” are Saying
“Voluntary compliance is still the preferred route, but we will back up with tough action where it’s necessary.”
“It’s NOT our first task to fine, it’s our first task to see if you’re compliant, and if you’re not compliant it will be a problem.”
But are They Ready to Enforce?
Reuters surveyed all EU regulators on May 8th and 24 disclosed the following:
• 21% fully enforcement ready
• 71% lack funding and local legislation to act
• 46% expect to have both funding and local legislation to act in the near future
GDPR Enforcement Actions
When will the regulators show up?
1. Data Subject (complaints)
2. Data Breach (notifications)
3. Media Report (publicity)
4. Invitation (audit)
Potential GDPR enforcement actions and penalties
Data Subject individual right for compensation
Industry predictions as to GDPR enforcement actions
Goodbye WP29, Hello EDPB
• As of May 25th, the European Data Protection Board is established, replacing Working Party 29.
• GDPR Article 68: establishes the EDPB, contains general rules regarding composition and function.
• GDPR Article 69: emphasizes the independence of the EDPB; in the exercise of its powers it neither seeks nor takes instructions from anyone.
• GDPR Article 70: describes the many tasks of the EDPB.
• EDPB Website forthcoming as well.
Poll #2
GDPR Ongoing Risk Management
What is the Ongoing Risk Management Role?
Stages shown on the cycle diagram:
• Build Program
• Improve Actions
• Be Vigilant
• Assess, Monitor, Measure
• Deliver Controls
• Demonstrate Compliance
Annotations on the cycle:
• Most organizations are here
• Test compliance framework
• Ensure timely reporting of data breaches and response to data subject requests, etc.
• Review and adapt controls as needed
• Ensure compliance records are maintained
Ongoing GDPR Accountability Areas
Privacy Impact Assessments
Monitoring Compliance and Assurance
Information Lifecycle/Records Management Updates
Information Security
Data Breach Notification
Individual Rights Responses
Data Processor/ Vendor Audits
Updating Data Inventories
Ensuring New Processes and Tech Complies
Regulator Registrations/ Notifications
Employee Training and Certifications
Privacy by Design and Default Processes
Liaison with Board Audit Committees & Support of Data Protection Officers (DPOs)
• Partner with audit teams to ensure ongoing compliance (e.g., data subject consents, processing accountabilities)
• Build GDPR Portals
• Policies and Procedures
• Employee Training
• Summary Due Diligence Records
• Internal Presentations
• Impact on Financials
• Find Evangelists
Consultants and projects may get you “there”, but the challenge is to keep it “there”!
Demonstrating Compliance
Poll #3
Importance of Demonstrating Compliance
• Come May 25th: Readiness will no longer be enough.
• Huge Fines: Regulators will be able to fine companies up to 4% of their annual revenue for non-compliance.
• Lost Customers: Companies may lose existing customers for failure to show they can comply with GDPR.
• Lost Deals: Companies may lose new deals if they cannot show they are compliant with GDPR.
• Lawsuits: Companies may have legal actions brought directly against them under GDPR.
Demonstrating GDPR compliance at any time will be critical to managing these risks in a GDPR world.
Sorry, No Such Thing as “GDPR Certified”
• Articles 40 (codes of conduct), 41 (monitoring of approved codes of conduct), 42 (certification) and 43 (certification bodies) have not been established quite yet – NO GDPR CERTIFICATION AVAILABLE TODAY
• Companies can ready themselves for this future certification by independently validating their GDPR efforts and status, which can then be shared with both internal and external stakeholders.
In the absence of an official GDPR certification, what does it mean for a company to say that it is GDPR-compliant?
Audiences: Regulators, Customers, Prospects, Individuals
Scope: Process/Product Specific Requirements; Company-Wide Requirements
TrustArc GDPR Validation
Visit: https://www.trustarc.com/products/gdpr-validation/
Questions?
Contact Paul Iagnocco
email: piagnocco@trustarc.com
Thank You! Details of our Summer/Fall Privacy Insight Series will be announced shortly. Look out for details on email. See http://www.trustarc.com/insightseries for the 2018 Privacy Insight Series and past webinar recordings.