Understanding new EU Guidance on DPIA/PIA requirements November 10, 2016
Privacy Insight Series - truste.com/insightseries
© TRUSTe Inc., 2016
Today's Speakers
Beth Sipula, Senior Privacy Consultant, TRUSTe
Paul Iagnocco, Chief Privacy Officer, Kellogg
The GDPR and When to Use DPIAs/PIAs
Beth Sipula, Senior Privacy Consultant, TRUSTe
PIA definition
A privacy impact assessment (PIA) is a tool or process for identifying and assessing privacy risks throughout the development life cycle of a program or system.
- Information Commissioner's Office
Poll Question #1 Does your organization have a PIA process in place? 1. Yes 2. No
Frameworks and Jurisdictions
• Many countries and regions of the world have been using PIAs since the mid-1990s
  – Early papers on PIAs often came from the private sector
• A handful of countries have the strongest presence; more are emerging in LATAM and APAC
• The GDPR has put a spotlight on DPIAs and on adopting a framework as part of compliance
• While the methodologies differ, the goal is the same: identify risks to privacy and determine ways of mitigating them
• DPIAs/PIAs are not "one size fits all"
Poll Question #2 How many PIAs will your organization complete in 2016? 1. Less than 10 2. 11 - 50 3. 51-100 4. 100+ 5. I have no idea
GDPR Triggers for DPIAs/PIAs
DPIAs are required for any processing that is likely to result in a "high risk" to individuals, and specifically for:
• Systematic and extensive automated processing, including profiling, where the decisions produce legal effects or similarly significantly affect the individual
  Example: making predictions based on a person's behavior, credit decisions, economic situation or location
• Processing special categories of data (e.g. genetic or biometric data) or criminal records on a large scale
• Systematic monitoring of a publicly accessible area on a large scale
• Any other processing types listed by the DPAs or the European Data Protection Board (EDPB)
• GDPR requires you to conduct PIAs for "high risk" activities and to implement the resulting operational changes
Note: the most common "high risk" areas tend to be new products/systems that change the way the business collects, uses or stores personal data.
Triggers for when to use a DPIA/PIA
• Implementing a new system in your organization
• Launching a new product or service
• Providing a new third party provider with access to PI
• Conversion of records from paper-based to electronic form
• Conversion of information from anonymous to identifiable form
• System management changes involving significant new uses and/or application of new technologies
• Significant merging, matching or other manipulation of multiple databases containing personal data
• Incorporation into existing databases of personal data obtained from commercial or public sources
• Alteration of a business process resulting in significant new collection, use and/or disclosure of personal data
Recommendations for Success
• Assign clearly defined roles for all stages
• Having an Executive "Champion" or Sponsor is critical
• PIAs need to be simple, repeatable and concise, and they need to map to the GDPR requirements
• One size does not fit all; consider the level of risk
  – Also consider a bifurcated PIA process, with traditional PIAs for all projects and EU DPIAs for projects that trigger EU DP rules
• Build a robust process with scalability in mind
  – Consider the system you are using and what it will take to make the process more efficient and automated
• Monitor: the Article 29 Working Party will be releasing guidance for controllers and processors on high-risk assessments by the end of 2016
Operationalizing a PIA Solution within the Enterprise
Paul Iagnocco, Chief Privacy Officer, Kellogg
Privacy Overview at Kellogg
Global Privacy Office established in August 2015
4 Strategic Pillars: Build a Global Capability; Ensure Compliance & Education; Champion Privacy Advocacy; Unlock Data Use
Types of Data Held: Employee (PII, PFI, PHI); Consumer (PII)
Reporting Line: a function within Global Legal & Compliance; the CPO reports directly to the Chief Counsel (with access to the Global General Counsel & Vice Chair of the Company)
Privacy Overview at Kellogg (continued)
Kellogg employs a decentralized business model in addressing data protection and privacy matters.
Global Privacy Office (defines the "what"):
• strategy
• training content
• business compliance
• standards and best practices
• common global tools
• privacy impact assessments (PIAs)
• requests and complaints
• data breach management
• liaison with regulators
Regional/Local Business Functions (determine the "how"):
• execute strategy
• conduct training
• execute compliance
• implement standards and best practices
• address PIA results
Supporting functions shown alongside both: IT Security, Internal Audit
Collaborative Approach Between Privacy & IT Security
Privacy: Acquisition and Use of Data. Focus is on whether the Company is allowed to possess consumer or employee data and what we are allowed to do with it (Notice, Choice, Use).
IT Security: Safeguards, Secured Storage and Proper Destruction of Data. Focus is on the protection of the data stored, processed, transmitted and destroyed (Access, Confidentiality, Availability, Integrity).
5 Steps to Operationalizing PIAs
1. Know your key PIA stakeholders
2. Align on the role of a PIA
3. Design the PIA workflow
4. Build and implement the PIA solution
5. Refine and scale the PIA process
Know your key stakeholders
Objective: Implementing anything new within an organization is challenging. People fear the uncertainty of change. You need to identify key stakeholders who see value in a PIA.
Recommendation: Leverage these stakeholders to drive change within their function. These are your early adopters (evangelists).
Key Stakeholders, and how a PIA benefits their function:
• Legal Counsel (Transactions): provides intelligence to incorporate into the MSA or SOW
• Risk Management: provides intelligence that may require a change in risk policy
• Procurement: ensures that data protection and privacy are addressed
• IT Security: ensures that data protection and authorization are addressed
• Human Resources: external data processors are vetted and deliver the expected services for our employees
• Marketing: external data processors are vetted and deliver the expected services for our consumers
• Internal Audit: provides an audit trail
• Outside Consultants: N/A
Align on the role of the PIA
Objective: With your key stakeholders, determine what you want to solve for using a PIA.
Recommendation: Start small and scale. It might be easier to start leveraging PIAs externally, since you will likely have less resistance to change.
Common Components of a PIA (what are we assessing?):
• Internal Procedures and Policies: overall program accountability
• Data Collection: what data is collected?
• Choice and Consent: how was the data collected?
• Use, Retention and Disposal: what is the intended use, storage and purge of the collected data?
• Disclosures to Third Parties: are we sharing this data?
• Access: does the data subject have access?
• Data Security: how is the data secured?
Design the PIA workflow
Objective: Leveraging the PIA alignment gained in step 2, now design the PIA workflow.
Recommendation: Again, start small and scale. Look at how new data processes and vendor agreements/SOWs commence. Review existing workflows and determine the best means to intersect without being disruptive.
Where should a PIA be considered?
• Review of an existing vendor statement of work (SOW)
• New vendor set-up (MSA)
• Changes to internal data processing
• Significant IT infrastructure changes
• Mergers and acquisitions
• New product development (that engages data)
• Annual assessments
• To assess new regulations
New Vendor Set-up Workflow:
1. Process starts in the Contract Database
2. Privacy Threshold Questions answered
3. PIA published and vendor responds
4. Responses reviewed by Legal and IT Security
5. Additional follow-ups by other key stakeholders
6. Changes negotiated in the MSA
7. MSA approved and filed
Build and Implement the PIA Solution
Objective: Identify what PIA solution needs to be built and eventually implemented.
Recommendation: Review step 2 to ensure you are building a PIA solution that achieves your goal. Also be mindful of the expected annual volume. Do NOT over-engineer. In addition, be sure to produce communication materials and a simple user guide to facilitate adoption beyond the key stakeholders. You MUST be prepared to Sell, Sell, Sell.
Simple PIA Solution:
1. Build out content (questions and benchmarks)
2. Load the spreadsheet; use macros to create "flags"
3. Develop an email template with purpose, deadline, etc., to accompany the spreadsheet
4. Publish to XYZ, collect responses
5. Review and analyze
6. Take necessary action
7. File
Complex PIA Solution:
1. Conduct a privacy threshold assessment
2. Add the respondent to TRUSTe Assessment Manager
3. Select or customize the PIA
4. Publish to XYZ, collect responses
5. Centrally review and analyze
6. Assign necessary follow-up action
7. Archive and set the calendar to automatically re-send in 12 months
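As an added, illustrative example that is not part of the original deck and not Kellogg's or TRUSTe's own tooling: the "load the spreadsheet; use macros to create flags" step of the Simple PIA Solution, written in Python against a threshold-question export. The rules encode the three DPIA triggers from slide 8 (which correspond to GDPR Article 35(3)(a)-(c)) and three of the organisational triggers from slide 9, and keep the two verdicts separate in the spirit of the bifurcated process recommended on slide 10. The CSV, the column names and the question identifiers are constructed for this example and are assumptions; map them to your own questionnaire.

```python
import csv
import io

# Threshold questions used by this example (assumed identifiers; map them
# to the questions in your own PIA questionnaire).
QUESTIONS = (
    "automated_decisions_significant_effect",
    "special_category_data",
    "criminal_data",
    "large_scale",
    "public_area_monitoring",
    "new_third_party_processor",
    "merge_or_match_databases",
    "anonymous_to_identifiable",
)

# Constructed sample export: one row per project, one column per question.
# Blank cells model questions the respondent skipped.
SAMPLE_SHEET = """project,automated_decisions_significant_effect,special_category_data,criminal_data,large_scale,public_area_monitoring,new_third_party_processor,merge_or_match_databases,anonymous_to_identifiable
Loyalty App,yes,no,no,yes,no,yes,yes,no
Plant CCTV,no,no,no,yes,yes,no,no,no
Payroll Export,no,yes,no,no,no,yes,no,no
Recipe Site,no,,no,,no,no,no,no
"""

YES = {"yes", "y", "true", "1"}


def load_sheet(csv_text):
    """Return {project: {question: True/False}}; blank cells are left out."""
    sheet = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        answers = {}
        for q in QUESTIONS:
            cell = (row.get(q) or "").strip().lower()
            if cell:
                answers[q] = cell in YES
        sheet[row["project"].strip()] = answers
    return sheet


def gdpr_flags(a):
    """DPIA triggers from slide 8 (GDPR Article 35(3)(a)-(c))."""
    flags = []
    if a.get("automated_decisions_significant_effect"):
        flags.append("Art 35(3)(a): automated decisions with legal or similarly significant effect")
    if (a.get("special_category_data") or a.get("criminal_data")) and a.get("large_scale"):
        flags.append("Art 35(3)(b): special category or criminal data on a large scale")
    if a.get("public_area_monitoring") and a.get("large_scale"):
        flags.append("Art 35(3)(c): systematic monitoring of a public area on a large scale")
    return flags


def pia_flags(a):
    """Organisational triggers from slide 9: they call for a PIA but do not by
    themselves mandate an EU DPIA."""
    flags = []
    if a.get("new_third_party_processor"):
        flags.append("PIA: new third party given access to PI")
    if a.get("merge_or_match_databases"):
        flags.append("PIA: merging/matching multiple databases with personal data")
    if a.get("anonymous_to_identifiable"):
        flags.append("PIA: conversion from anonymous to identifiable form")
    return flags


def screen(csv_text):
    """Screen every project. A blank answer cannot trigger a flag, so it is
    reported separately instead of silently passing as 'no'."""
    verdicts = {}
    for project, a in load_sheet(csv_text).items():
        g, p = gdpr_flags(a), pia_flags(a)
        unanswered = [q for q in QUESTIONS if q not in a]
        verdicts[project] = {
            "dpia_required": bool(g),
            "pia_recommended": bool(g or p),
            "needs_review": bool(unanswered),
            "flags": g + p,
            "unanswered": unanswered,
        }
    return verdicts


if __name__ == "__main__":
    for project, v in screen(SAMPLE_SHEET).items():
        print(f"{project}: DPIA={v['dpia_required']} PIA={v['pia_recommended']} "
              f"review={v['needs_review']} flags={v['flags']} unanswered={v['unanswered']}")
```

The point of the `unanswered` list is the failure mode a spreadsheet macro usually gets wrong: a skipped "large scale" cell would otherwise make the special-category rule evaluate to "no DPIA", so the screen reports the gap for a reviewer rather than closing the case.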
Refine and scale the PIA Solution
Objective: Identify what is working and what is not, and refine the solution accordingly. What other areas (identified in Step 3) should this PIA solution be scaled to address?
Recommendation: Identify a means to gather ongoing feedback on how to improve the solution. Always look for opportunities to further embed the PIA into normal business operations. As you expand, follow the process: step and repeat.
Potential Refinements:
• Customized PIA questions based on a specific target audience (e.g., EU data processors)
• Implement for additional business scenarios (e.g., internal infrastructure or data processing changes)
• New PIA questions to assess internal or external compliance with new regulation (e.g., EU GDPR)
• Provide additional access to responses and analysis
• Add new functions to the overall process
• Expand user guides to reflect changes
• Expand the communication plan: Sell, Sell, Sell
Summary
1. Cultivate evangelists for the PIA solution
2. Define the value of the PIA solution
3. Align on initial PIA solution goals
4. Start small, scale later
5. Look for new opportunities
6. Listen to feedback
7. Keep it simple
8. Over-communicate
Be sure to commit and start somewhere.
Questions?
Contacts
Beth Sipula: bsipula@truste.com
Paul Iagnocco: paul.iagnocco@kellogg.com
Thank You! Register now for the final webinar in our 2016 Summer/Fall Webinar Series on December 8, "Metrics for Success: Quantifying the Value of the Privacy Function". See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.