GDPR: DPIAs & Risk
May 23, 2017
Privacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2017
Thank you for joining the webinar “GDPR: DPIAs & Risk”
• We will be starting a couple of minutes after the hour
• This webinar will be recorded, and the recording and slides will be sent out later today
• Please use the GotoWebinar control panel on the right-hand side to submit any questions for the speakers
Today’s Speakers
Marty Abrams Executive Director & Chief Strategist Information Accountability Foundation (IAF)
Hilary Wandall (Moderator) General Counsel & Chief Data Governance Officer TRUSTe
Today’s Agenda
• Welcome & Introductions
• The role of DPIAs
• Development of privacy assessment methodology
• GDPR and DPIAs
• Risky processing under GDPR
• IAF-TRUSTe DPIA approach
• Privacy risk and enterprise risk management
• Q&A
Webinar Poll
Do you have an internal PIA or DPIA process?
• yes
• no
The Role of DPIAs
Build Your Program – 6 Essential Elements
Build: establish, maintain and evolve an integrated privacy and data governance program aligned with other data management and information risk functions such as security, IP, trade secret protection and e-discovery.
• Integrated Governance: Identify stakeholders. Establish program leadership and governance. Define program mission, vision and goals.
• Risk Assessment: Identify, assess and classify data-related strategic, operational, legal compliance and financial risks.
• Resource Allocation: Establish budgets. Define roles and responsibilities. Assign competent personnel.
• Policies & Standards: Develop policies, procedures and guidelines to define and deploy effective and sustainable governance and controls for managing data-related risks.
• Processes: Establish, manage, measure and continually improve processes for PIAs, vendor assessments, incident management and breach notification, complaint handling and individual rights management.
• Awareness & Training: Communicate expectations. Provide general and contextual training.
Learn and Evolve Over Time
Development of Privacy Assessment Methodology
How has assessment methodology developed in the privacy field?
How did comprehensive data impact assessments originate?
Genesis of Ethical Assessments
• 2013 – Challenge by HP, Merck, Intuit and Acxiom to develop a means to make big data processing defendable
• 2014 – Unified Ethical frame developed and presented at the International Conference of Data Protection and Privacy Commissioners
  – Ethical assessments the key
  – Embraced by numerous regulators
  – The “golden rule” became the proxy for ethics
• 2015 – Oversight and framework for assessment
  – Multi-stakeholder oversight
  – Link to legitimate interests established
  – Digital marketing assessment framework developed
• 2016 – Canadian project
Canadian Project
• Canadian law, in most cases, requires consent
  – Raised the question of how big data might be done in Canada as a link to accountability
• IAF received a grant from the Office of the Privacy Commissioner to explore the concept of ethical assessments
• Recruited 20 Canadian companies and a lead Canadian lawyer/expert to work with us
• Took the Canadian framework to a multi-stakeholder group that included regulators
• End products: a framework that includes the legal and ethical discussion, and an assessment framework
  – Participants pleased with the outcome
  – OPC pleased with the work product
Key Findings
• A customized linkage to local law and culture is necessary
• The assessment framework can be used globally
• Assessing stakeholder benefits and risks was a breakthrough for companies
• This methodology is useful everywhere
• Legal, fair and just – which puts people first – is a great proxy for ethics
• Automating the process would lead to scalability
How does the ethical assessment methodology align with the GDPR expectations for DPIAs?
IAF-TRUSTe DPIA Strategy
GDPR Requirements for DPIAs (Articles 35 and 36)
Is the processing likely to result in high risk?
• No: no DPIA required
• Yes: DPIA required (Article 35(1)), containing:
  – Systematic description of the processing
  – Assessment of necessity and proportionality
  – Assessment of the risks to the rights and freedoms of data subjects
  – Measures to address the risks
Is the residual risk high?
• No: no DPA consultation required
• Yes: DPA consultation required
Processing Likely to Result in High Risk – Key Criteria
Based on Article 29 Working Party Guidelines WP 248 (4 Apr 2017)
• Evaluation or scoring
• Automated decision-making with legal or similar significant effect
• Systematic monitoring
• Sensitive data
• Data processed on a large scale
• Datasets that have been matched or combined
• Data concerning vulnerable subjects
• Innovative use or applying technological or organizational solutions
• Data transfer across borders outside of the EU
• Where the processing itself prevents individuals from exercising a right or using a service or a contract
IAF-TRUSTe DPIA Construct
Part A – Governance and Accountability
1. Organizational Accountability
2. Purpose
3. Data
4. Data Sources, Origins and Characteristics
5. Legal Basis of Processing
Part B – Risk, Impacts and Benefits
6. High Risk Processing
7. Value and Benefits of the Processing
8. Inherent Risk Assessment
9. Weighted Inherent Risk-Benefits
Part C – Mitigations and Safeguards
10. Data Necessity (DPbDesign/Default, Data Minimization)
11. Use, Retention and Disposal
12. Disclosure to Third Parties and Onward Transfer
13. Choice and Consent
14. Access and Individual Rights
15. Data Integrity and Quality
16. Security
17. Transparency
Part D – Risk Outcomes (Report)
18. Mitigations and Safeguard Effectiveness Evaluation (Scale)
19. Calculation of Residual Risk Severity and Likelihood
20. Legitimate Interests Balancing Test Outcomes
21. Where residual risks are high, consultation of DPA and data subjects
Webinar Poll
Do you have an automated PIA or DPIA process?
• yes
• no
Automating the IAF-TRUSTe DPIA
Webinar Poll
Do you have an enterprise risk management (ERM) process?
• yes
• no
Integrating Privacy into Enterprise Risk Management
Questions?
Contacts
Marty Abrams – mabrams@informationaccountability.org
Hilary Wandall – hilary@truste.com
Thank You!
Details and registration for our 2017 Summer/Fall Webinar Series will be published shortly.
Register for our next live event – the Privacy Risk Summit on June 6th 2017 – at https://www.truste.com/events/privacy-risk/
See http://www.truste.com/insightseries for the 2017 Privacy Insight Series and past webinar recordings.