Privacy Shield Self-Certification | Privacy Insight Series Webinar


Privacy Shield Self-Certification – What's Next? February 23, 2017

Privacy Insight Series - truste.com/insightseries

© TRUSTe Inc., 2017


Today’s Speakers

• K Royal, JD, CIPP/E/US – Senior Privacy Consultant, TRUSTe
• Amanda Gratchner – Global Privacy Counsel, NAVEX Global
• David Fowler – Chief Privacy & Digital Compliance Officer, Act-On Software



Today’s Agenda

• Welcome & Introductions
• Privacy Shield
  – Self-certification
  – Updates
• Relationships
  – Various frameworks
• Leveraging Privacy Shield
• Q&A



Webinar Poll

Have you self-certified for Privacy Shield?
• Yes
• No
• In Progress



Privacy Shield – One Year On



Understanding the Privacy Shield Framework

What’s different compared to Safe Harbor?

• New Privacy Protections
  – Notice requirements, accountability for onward transfer, purpose limitation and data retention
• Enhanced Complaint Resolution
  – Response time to EU individuals, free dispute resolution, binding arbitration as last-resort option
• Improved Cooperation and Transparency
  – Monitoring and dispute resolution require cooperation with the International Trade Administration (ITA) Privacy Shield Team; ongoing requirements (if you withdraw and maintain data); publication of FTC compliance reports (if subject to enforcement action)



Joining the Privacy Shield Program

1. Confirm Your Organization’s Eligibility to Participate
2. Develop a Compliant Privacy Policy
3. Establish an Independent Recourse Mechanism (IRM)
4. Ensure a Verification Mechanism is in place
5. Identify your Privacy Shield Point of Contact
6. Self-certify Using the Privacy Shield Website
7. Reaffirm Self-certification Annually
8. Reply to Inquiries from EU citizens, IRM, Commerce, and/or DPAs as Required



Practical Considerations and Challenges

• Understanding the Privacy Shield Framework
• Understanding your business operations
• Developing compliant privacy statements and notices
• Developing privacy program governance, policies, and procedures
• Verification of privacy practices and monitoring of compliance
• Keeping records of Privacy Shield Principles implementation
• Employee training and awareness
• Dealing with onward transfer issues
• Dealing with data subject access requests and privacy complaints



Privacy Shield Self-Certification

Companies that had EU/US Safe Harbor
• Filed by September 30, 2016
• 9 months to come into compliance - June 30, 2017
• Posted: 1705

What about those that did not certify?
What about those who were not in Safe Harbor?



Privacy Shield Updates

What’s the future for Privacy Shield?
• Brexit
• Irish lawsuit
• French lawsuits
• Executive orders

What about other Data Transfer Compliance Mechanisms?



Frameworks



Privacy Shield vs. the GDPR



General Data Protection Regulation

European law
• From Directive 95 to GDPR
• Address societal and technological changes
• May 25, 2018

Stats
• Companies impacted
• Privacy jobs



Cross Border Data Transfers

Adequacy
• Privacy Shield

Binding Corporate Rules
• Controllers and Processors

Standard Contractual Clauses

Under GDPR – codes of conduct



Binding Corporate Rules

Intergroup agreement
• Group – defined

Transfer mechanism
• Specifically mentioned in GDPR

Considered “gold standard”

Companies: Binding Safe Processing Rules
• BCRs for Controllers and Processors



Cross Border Privacy Rules

• Asia-Pacific Economic Cooperation
• Voluntary program 2011
• Independent accountability agent required
• 4 economies so far - USA, Mexico, Japan and Canada
• Crosswalk published BCRs/CBPRs - Merck



Leveraging Privacy Shield



What should a company do?

• Data
• Policies
• Practices
• Legal/Compliance Specific
• Consider certification programs



Data To-Dos

Data
• inventory
• classification
• minimization
• record retention
• destruction



Policy To-Dos

Information security policies
• training
• monitor compliance

Privacy policies
• easily accessible
• clear and plain language
• full disclosure of data collection and processing



Practices To-Dos

• PIAs
• Complaint process (must be easy)
• Review and revise methods of obtaining consent
• Data portability and erasure processes
• Update incident response plans
  – notice to supervisory agencies within 72 hours



Legal-Specific To-Dos

• DPO (Data Protection Officer): authority and independence, monitor compliance, perform training, and conduct internal audits
• Accountability: detailed records of the processing performed on personal data
• Review BCRs (or SCCs) for compliance with GDPR
• Addendums for onward transfer requirements
• Vendor oversight and accountability
• Insurance policies: global or enterprise coverage, types of data issues, and increased costs and liabilities



Questions?



Contacts

• K Royal – kroyal@truste.com
• Amanda Gratchner – agratchner@navexglobal.com
• David Fowler – david.fowler@act-on.net


Thank You!

Register now for the next webinar in our 2017 Winter/Spring Webinar Series on March 23: “Privacy Program Management: A Framework for Success”.

See http://www.truste.com/insightseries for the 2017 Privacy Insight Series and past webinar recordings.
