PRIVACY INSIGHT SERIES Summer / Fall 2018 Webinar Program
Managing Multiple Compliance Priorities - GDPR, HIPAA, APEC, ISO 27001, etc. August 22, 2018
© 2018 TrustArc Inc Proprietary and Confidential Information
Today’s Speakers
• K Royal, CIPP/US, CIPP/E, CIPM, FIP, Privacy Consulting Director, US West, TrustArc
• Hilary Wandall, CIPP/US, CIPP/E, CIPM, FIP, Chief Data Governance Officer, General Counsel & Corporate Secretary, TrustArc
Privacy Insight Series - trustarc.com/insightseries
Today’s Agenda
• Welcome & Introductions
• The Primary Driver
• Aligning for Simplification
• Establishing your Baseline
• Putting it into Practice
• Questions?
The Primary Driver
Poll 1
What was the primary regulatory driver for your company to start a privacy program?
• EU Data Protection Directive 95/46/EC
• GDPR
• HIPAA
• U.S. State Breach Notification laws
• EU-U.S. Privacy Shield
Starting with your primary driver
• One customer expects you to self-certify to the Privacy Shield Frameworks
• A business partner views you as a HIPAA business associate
• Another customer expects you to sign a GDPR DPA and Standard Contractual Clauses
• Still another customer wants you to support its efforts in Asia and would like you to seek APEC Privacy Rules for Processors (PRP) certification
• Your board is worried about public trust and confidence
Where do you start?
Aligning for Simplification
Poll 2
Does your company have any of the following programs in place?
• Corporate Compliance Program
• Information Risk Management Program
• Data Governance Program
• Trade Secret Protection Program
• No
Our model for aligning regulatory requirements: Integrating Privacy and Data Governance
We start with 3 Pillars:
• Build: Program Strategy, Governance, Processes and Policies, Data Inventory
• Implement: PIAs, DPIAs, Consent, Individual Rights, Data Transfer
• Demonstrate: Compliance Reports, Certification, Verification, Ongoing Management
TrustArc Privacy & Data Governance Framework
The 3 Pillars are Supported by 16 Standards

Build Your Program
• Establish and maintain an integrated data governance program aligned with other information risk management functions such as security, IP and trade secret protection and e-discovery
Integrated Governance: Identify stakeholders. Establish program leadership and governance. Define program mission, vision and goals.
Risk Assessment: Identify, assess and classify data-related strategic, operational, legal compliance and financial risks.
Resource Allocation: Establish budgets. Define roles and responsibilities. Assign personnel.
Policies & Standards: Develop policies, procedures and guidelines to define and deploy effective and sustainable governance and controls for managing data-related risks.
Processes: Establish, manage, measure and continually improve processes for PIAs, vendor assessments, incident management and breach notification, complaint handling and individual rights management.
Awareness & Training: Communicate expectations. Provide general & contextual training.

Implement Your Program Across Products, Processes and Technologies
• Design and/or engineer effective privacy and data governance controls into organizational processes, products and technologies, and maintain and enhance those controls throughout the lifecycle of the product, process or technology
Data Necessity: Optimize data value by collecting and retaining only the data necessary for strategic goals. Leverage anonymization, de-identification, pseudonymization and coding to mitigate data storage-related risks.
Use, Retention & Disposal: Ensure data are used solely for purposes that are relevant to and compatible with the purposes for which they were collected.
Disclosure to 3rd Parties & Onward Transfer: Preserve the standards and protections for data when they are transferred to third party organizations and/or across country borders.
Choice & Consent: Enable individuals to choose whether personal data about them is processed. Obtain and document prior permission where necessary and appropriate, and enable individuals to opt out of ongoing processing.
Access & Individual Rights: Enable individuals to access information about themselves and to amend, correct and, as appropriate, delete information that is inaccurate, incomplete or outdated.
Data Integrity & Quality: Assure that data are kept sufficiently accurate, complete, relevant and current, consistent with their intended use.
Security: Protect data from loss, misuse and unauthorized access, disclosure, alteration or destruction.
Transparency: Inform individuals about the ways in which data about them are processed and how to exercise their data-related rights.

Demonstrate Your Program
Monitoring & Assurance: Evaluate and audit effectiveness of controls and risk mitigation initiatives.
Reporting & Certification: Demonstrate the effectiveness of your program and controls to management, the board of directors, employees, customers, regulators and the public.
Interoperability in Practice
3 Pillars and 16 Standards are Operationalized with 55 Core Controls
Mapping alignment across regulatory controls
Program Elements (rows of the mapping):
• Build: Integrated Governance; Risk Assessment; Resource Allocation; Policies and Standards; Processes; Awareness and Training
• Implement: Data Necessity; Use, Retention, Disposal; Third Parties and Onward Transfer; Choice and Consent; Individual Rights; Data Quality and Integrity; Security; Transparency
• Demonstrate: Monitoring and Assurance; Reporting & Certification
Frameworks mapped (columns of the mapping): TrustArc Framework, Privacy Shield, APEC CBPRs, GDPR, ISO 27001, HIPAA
Establishing Your Baseline
Poll 3
What kind of “internal” privacy policy does your company have?
• We have a global privacy policy for our entire company
• We have different policies for each functional area of our company
• We have different policies for each region of our company
• We have a policy only for parts of our company in scope of GDPR
• We don’t have an internal policy
Developing the Policy (Build)
1. Start with your company’s goals for data – how does data drive your business
2. Select the core privacy and data protection principles that will serve as your baseline (e.g., OECD, APEC, HIPAA, GDPR, Privacy Shield)
3. Add considerations for special cases or more stringent laws
4. Develop the core standards that will operationalize your principles
5. Build in exceptions or an exceptions process
6. Validate your principles and standards against the laws and regulations that apply to your business
Putting it into Practice
Poll 4
Which requirements do you find most difficult to harmonize?
• Contracts (DPAs, BAAs, SCCs, Onward Transfer Agreements)
• Privacy Notices and/or Consent
• Data Inventory / Records of Processing Management
• Individual Rights Requests
• Vendor Assessments
Spotlight on Implementation: Managing Individual Rights (Implement)
1. Request received
2. Validate the request
3. Determine which requirements apply
   (a) Law or regulation
   (b) Legal basis of processing
4. Retrieve the data
5. Validate the data against your records of processing, retention schedules, and your privacy notice disclosures
6. Timely respond to the request
7. Update records as applicable
Interoperability in Practice: Mapping alignment across frameworks for certification and validation
Spotlight on Demonstration: Certification and Validation (Demonstrate)
1. Identify your certification or validation goals
   – Public trust
   – Customer trust
   – Business partner trust
   – Simplified cross-border transfers
2. Select your certification or validation standard
3. Submit your application to your certifying authority (external reviewer)
4. Demonstrate your controls
5. Complete remediation, if needed
6. Obtain, publicize and maintain certification
7. Respond to disputes, upon request
Questions?
Contacts
K Royal: kroyal@trustarc.com
Hilary Wandall: hilary@trustarc.com
Thank You!
Our Next Webinar will be on September 19, 2018: Data Breach Management Requirements and Best Practices
See http://www.trustarc.com/insightseries to register and to access past Privacy Insight Series webinar recordings.