TrustArc was honored to be invited to serve as faculty for the Practicing Law Institute (PLI)’s 20th Annual Institute on Privacy and Data Security Law on May 6-7 in San Francisco. Before an audience of attorneys representing a wide array of industries and private practice, the days’ sessions covered topics ranging from complying with the California Consumer Privacy Act, to addressing cybersecurity readiness, to insights from regulators, to ethical considerations for privacy and info sec attorneys, to vendor risk management.
Hilary Wandall, SVP, Privacy Intelligence and General Counsel, presented on a panel entitled “Beyond GDPR – Privacy and Data Security Compliance Around the World.” The session featured a discussion of the privacy and security landscape outside the European Economic Area, addressing recent developments in Brazil and Latin America, India and Asia, Africa and the Near East, and other non-EU jurisdictions with new data protection laws.
Some of the topics addressed during the session involved data localization requirements in Russia and Belarus; non-EU laws in Europe that do not recognize legitimate interests; the fact that of the 23 privacy laws in the Africa/Near East region, half were revised or enacted within the last 5 years; the fact that of the 20 privacy laws in the Americas, two-thirds restrict cross-border transfers (and three provide for a “right to be forgotten”); and China’s approach to privacy and security with its numerous sector-specific laws plus the Cyber Security Law’s application to operators of “critical information infrastructure.” With these variations and others in mind, Hilary shared real-world insights on how to build, implement and demonstrate the effectiveness of a global privacy and data governance program for an organization of any size.
Darren Abernethy, Senior Counsel, presented on a panel entitled “GDPR: One Year Later.” The session looked at the major developments and takeaways from the first year of GDPR activity, and read the tea leaves on what is likely to come. The session delved into clarifying extraterritorial reach, the status of available options for cross-border data transfers, enforcement trends and the current state of EU Member State GDPR implementations. Audience engagement was high, as participants brought their toughest home-grown questions to the panel.
Some of the topics addressed during the session included thinking through proportionality in authenticating the identity of a data subject access requestor by using information contained within Article 30 records of processing activities, and how to respond to a DSAR in the advertising technology industry where directly identifiable personal information is lacking; the latest interpretive guidance of the European Data Protection Board, including around the use of contractual necessity as a legal processing basis and the interplay between the GDPR and ePrivacy Directive; developments in how to understand the “one-stop shop” principle in light of recent enforcement cases; how to deal with “Brexit” with respect to Privacy Shield and GDPR compliance; and likely supervisory authority priorities for the rest of 2019.
For further practical privacy and risk management knowledge derived from TrustArc’s two-plus decades in the global privacy space, sign up for TrustArc’s free Privacy Insight Series educational resources, webinars and updates, or contact TrustArc to learn how our certifications/assurance programs, consulting services and privacy technology solutions can help improve and automate your privacy program today.