On November 8th in sunny San Jose, TrustArc was pleased to take part in the California Lawyers Association’s annual IP Institute. Speaking on a panel entitled GDPR: Lessons Learned from the Front Line, TrustArc shared tips and insights both for organizations still working towards GDPR compliance and for those seeking to take their privacy programs to the next level, including interoperability with other global privacy laws and frameworks.
Not lost in the discussion was the fact that many law firms, of all sizes, are likewise still working on their own GDPR/privacy compliance, which is critical to their being viewed as trustworthy stewards of confidential client information.
During a discussion-based panel with lively audience questions, TrustArc Senior Counsel, Darren Abernethy, offered observations for companies and law firms based on TrustArc’s unique position in the privacy and data protection ecosystem–as a provider of privacy technology platform solutions, privacy consulting services, and certifications/verifications.
Some of the practical topics discussed included:
- Tips around successful internal data protection preparation strategies seen with TrustArc customers–from identifying privacy stakeholders to updating contracts.
- The criticality of thinking through all of an organization’s business process activities in order to map data flows and prepare GDPR Article 30 records of processing–while automating risk evaluations for possible Article 35 data protection impact assessments (DPIAs).
- Individual rights management issues, tips on setting up a program for data subject access requests (using centralized technology to do so), and verifications.
- Likely early GDPR enforcement issues from EU authorities, and how regulators around the world keep track more than ever of their counterparts’ privacy actions.
- How to manage records of consent across an organization, whether via webform, cookie consent or other methods, such as in the Internet of Things environment, and how consent records are increasingly important in mergers & acquisitions.
To learn more about how TrustArc can assist your company with technology solutions, consulting, privacy assurance programs, or the California Consumer Privacy Act, contact TrustArc today for more information or to set up a demo.
TrustArc has announced several exciting enhancements to our Privacy Platform! These new capabilities will help companies better manage their privacy programs.
The Privacy Platform provides end-to-end privacy management through a series of modules designed to address a wide range of privacy functions, including data inventory and mapping; privacy risk assessments; consent management; and individual rights and data subject rights requests.
The new privacy assessments include:
- Inherent Risk
- DPIA Controls
- Legitimate Interests
- Right to Object
- Third Party Risk
- International Data Transfer
- Automated Decision Making
These new assessments feature a revolutionary modular design that intelligently matches the assessments to the unique requirements of a business in real time, significantly reducing the amount of time required to complete the compliance review process. Developed by TrustArc privacy experts in conjunction with input from leading privacy organizations, the assessments include remediation guidance to address any identified gaps.
Along with these assessments, the Assessment Manager module of the platform now includes a comprehensive, highly visual GDPR Article 35 DPIA report that contains:
- Risk heat map
- Controls effectiveness score
- Inherent risk
- Residual risk
- Summary of processing purposes and data types
The report is intelligently calculated, assembled from various data sources, and exportable into a PDF format, which can be easily shared with internal stakeholders and regulators.
To see these new enhancements and learn how they can help your company manage privacy compliance, click here.
In Part I of this two-part blog series we provided an introduction and background to EU GDPR Article 35 – Data protection impact assessment (DPIA).
Now, in Part II we will share some best practices and helpful tips on implementing a DPIA program. These tips were shared by Beth Sipula, Senior Privacy Consultant at TrustArc and Alexia Maas, SVP & General Counsel at Volvo Financial Services in our Privacy Insight Series webinar, “Building Your DPIA/PIA Program: Tips & Case Studies.”
Part II: DPIA Program Essential Elements
The six essential elements that make up a sustainable DPIA program are: integrated governance, risk assessment, resource allocation, policies & standards, processes, and awareness & training.
- Integrated Governance. The first step in building a sustainable program is establishing program leadership. Depending upon your organization’s goals, the structure may vary. For example, a global corporation may have one global stakeholder along with several regional stakeholders.
- Risk Assessment. Classifying data-related risks will require taking a collaborative approach because stakeholders view risk differently. Do not forget to consider unstructured data when assessing risk.
- Resource Allocation. Assign knowledgeable and trained personnel to defined roles and responsibilities. Outlining the resources needed will help establish a budget.
- Policies and Standards. Set procedures and guidelines to define and deploy effective and sustainable governance and controls for managing data-related risks. The assessment process will help determine whether there are any gaps between the standards and the implemented practices.
- Processes. Develop a process that fits the organization’s size and privacy maturity level. Following a documented process, especially for PIAs/DPIAs, will ensure consistency.
- Awareness & Training. This step is crucial to ensure that the program continually evolves and improves. Communicate expectations to the stakeholders and organization, provide contextual training, and establish training cycles.
For additional guidance on conducting DPIAs, and more information on TrustArc DPIA solutions, contact us today.
In Part I of this two-part blog series we will give an introduction to EU GDPR Article 35 – Data Protection Impact Assessment (DPIA) and some best practices for conducting them. In Part II we will summarize the six essential elements of a DPIA program.
Part I: Data Protection Impact Assessment Introduction & Background
The General Data Protection Regulation (GDPR) compliance deadline of May 25, 2018, has passed, so organizations should have a documented process for conducting Privacy Impact Assessments (PIAs) and Data Protection Impact Assessments (DPIAs). However, before building a DPIA program, it is useful to review and understand what a DPIA is, when it is needed, and how it should be conducted.
What is a Data Protection Impact Assessment (DPIA)?
A DPIA is designed to help an organization assess the risks associated with data processing activities that may pose a threat or high risk to the rights and freedoms of individuals. A privacy impact assessment helps to identify privacy risks during the development phase of a program’s life cycle. A PIA outlines how personal information will be handled and secured to maintain privacy.
When is a DPIA required?
The GDPR requires that DPIAs shall be conducted before a processing activity takes place that may pose a “high risk” to the rights and freedoms of individuals.
The GDPR does not define the types of processing that are likely to result in such a risk. The Article 29 Working Party has, however, provided sample categories of high-risk processing which can serve as a guide. The categories include profiling and predictive processing, automated decision-making that has legal effects, systematic monitoring, the processing of sensitive data, and processing that relies on new technology. One example of high-risk processing in the evaluation or scoring category would be conducting credit checks.
While the GDPR does not dictate the specific requirements of how organizations are supposed to conduct DPIAs, it does provide four elements that a DPIA must contain:
- a systematic description of the processing operations and their purposes;
- an assessment of the necessity and proportionality;
- an assessment of the risks; and
- the measures needed to address the risks.
Benefits of privacy by design, i.e. embedding data privacy features early in design:
- Early identification of potential threats and problems.
- Early reduction of problems can save time and money.
- Increased privacy and data protection across the organization.
- GDPR compliance.
DPIA Best Practices
Data Flow Mapping & Data Inventory
Before creating a DPIA process, it is useful to have a picture of what information your organization has, where the data is located, and how it flows through the organization. With that in mind, it is essential to develop a data inventory and map the organization’s business process flows or systems.
Use Assessments Appropriate for Processing Risk
Not all systems and processes require the same type of assessment. The type of assessment conducted is dependent on the type of processing activity assessed, and the privacy and data protection compliance goals of an organization.
To address varying levels of data processing risk and complexity, TrustArc offers the following GDPR-focused solutions:
- Privacy Impact Assessment
- GDPR Standard Data Protection Impact Assessment
- GDPR Legitimate Interest Assessment
- Comprehensive Data Protection Impact Assessment
Personal data processing where a DPIA is likely required:
- A hospital processing patients’ genetic and health data.
- Personal sensitive data from research projects or clinical trials.
- An organization using an intelligent video analysis system to single out cars and automatically recognize registration plates.
- An organization that monitors publicly accessible areas via CCTV or body-worn devices.
- Companies that monitor employees’ activities, including their workstations and Internet activity.
- Gathering of public social media data for generating profiles.
- Institutions that create national-level credit rating or fraud databases.
- Organizations that process large-scale special categories of data (e.g. health, religion or ethnic origin).
- Legal processing of personal data relating to criminal convictions and offenses.
- Evaluation of personal data based on automated decisions, such as a denial of online credit applications or e-recruiting without a human-based decision.
Who should conduct a DPIA?
A designated data controller, data protection officer, or someone with data protection knowledge and expertise should be responsible for the DPIA. If that does not apply to your organization, you should think about bringing in TrustArc GDPR, DPIA and PIA Consulting Solutions.
TrustArc DPIA Solutions are a part of our leading technology platform and can be augmented by our expert team of consultants to help build a customized DPIA process. For additional guidance on conducting DPIAs and more information on TrustArc DPIA solutions, contact us today.