On November 8th in sunny San Jose, TrustArc was pleased to take part in the California Lawyers Association's annual IP Institute. Speaking on a panel entitled GDPR: Lessons Learned from the Front Line, TrustArc shared tips and insights both for organizations still working towards GDPR compliance and for those seeking to take their privacy programs to the next level, including interoperability with other global privacy laws and frameworks.
Not lost in the discussion was the fact that many law firms, of all sizes, are likewise still working on their own GDPR/privacy compliance, which is critical to their being viewed as trustworthy stewards of confidential client information.
During a discussion-based panel with lively audience questions, TrustArc Senior Counsel Darren Abernethy offered observations for companies and law firms based on TrustArc's unique position in the privacy and data protection ecosystem, as a provider of privacy technology platform solutions, privacy consulting services, and certifications/verifications.
Some of the practical topics discussed included:
- Tips on successful internal data protection preparation strategies seen with TrustArc customers, from identifying privacy stakeholders to updating contracts.
- The importance of thinking through all of an organization's business process activities in order to map data flows and prepare GDPR Article 30 records of processing, while automating risk evaluations for possible Article 35 data protection impact assessments (DPIAs).
- Individual rights management issues, tips on setting up a program for data subject access requests (using centralized technology to do so), and verifications.
- Likely early GDPR enforcement issues from EU authorities, and how regulators around the world keep track more than ever of their counterparts’ privacy actions.
- How to manage records of consent across an organization, whether collected via webform, cookie consent or other methods, such as in the Internet of Things environment, and why consent records are increasingly important in mergers and acquisitions.
To learn more about how TrustArc can assist your company with technology solutions, consulting, privacy assurance programs, or the California Consumer Privacy Act, contact TrustArc today for more information or to set up a demo.
TrustArc has announced several exciting enhancements to our Privacy Platform! These new capabilities will help companies better manage their privacy programs.
The Privacy Platform helps provide end-to-end privacy management through a series of modules designed to address a wide range of privacy functions, including data inventory and mapping; privacy risk assessments; consent management; and individual rights and data subject rights requests.
The new privacy assessments include:
- Inherent Risk
- DPIA Controls
- Legitimate Interests
- Right to Object
- Third Party Risk
- International Data Transfer
- Automated Decision Making
These new assessments feature a revolutionary modular design that intelligently matches the assessments to the unique requirements of a business in real time, significantly reducing the amount of time required to complete the compliance review process. Developed by TrustArc privacy experts in conjunction with input from leading privacy organizations, the assessments include remediation guidance to address any identified gaps.
Along with these assessments, the Assessment Manager module of the platform now includes a comprehensive, highly visual GDPR Article 35 DPIA report that contains:
- Risk heat map
- Controls effectiveness score
- Inherent risk
- Residual risk
- Summary of processing purposes and data types
The report is intelligently calculated, assembled from various data sources, and exportable into a PDF format, which can be easily shared with internal stakeholders and regulators.
To see these new enhancements and learn how they can help your company manage privacy compliance, click here.
TrustArc Chief Data Governance Officer and General Counsel Hilary Wandall and Information Accountability Foundation (IAF) Executive Director and Chief Strategist Marty Abrams held a webinar where they spoke about the background, requirements, and examples of DPIAs, available on demand here.
To illustrate the evolution of privacy assessments, they first reviewed how the earliest privacy assessment methodology was developed and how comprehensive data impact assessments originated.
Then, they went on to explain how the newly required DPIAs differ from traditional PIAs. While traditional PIAs focus on technical requirements for compliance, DPIAs bring in larger ethical issues. Technical requirements focus on the risk to the organization by looking at whether the organization is complying with the technical implementation requirements of privacy laws and frameworks. The risks could be reputational losses, breaches, or reputational hits in the media. Some examples of the technical implementations that address these risks include privacy notices, honoring opt-outs, having a security program, and having a program to deal with security breaches. Larger ethical issues go beyond the technical requirements and take into consideration whether the processing of the data will create value for others in addition to the organization.
The GDPR links the fundamental rights of the individual to data protection because it provides individuals the right to autonomy where it is appropriate, and the right to fair processing. It requires organizations to have a legitimate interest for processing data, which requires the organizations to balance their interests with those of the data subjects.
To help organizations deal with the new concept of benefits being balanced against risk, TrustArc is working with the IAF to develop a DPIA construct. It will help organizations understand the benefits that come with the processing. The DPIA process will be powered by the TrustArc Platform, providing a systematic, scalable approach and workflow for completing DPIAs and creating the documentation required to track issues, mitigate risk, and demonstrate what protections are in place to protect the rights of individuals in the event the organization must consult with an EU DPA.
Finally, the webinar wrapped up by showing how the DPIA process can fit into a larger enterprise risk management program by using the real life example of employee monitoring.
If you were unable to attend the webinar, you can still watch it on demand. To learn more about TrustArc's DPIA solution or GDPR solutions, contact us.
EU General Data Protection Regulation (GDPR)
The EU GDPR is a law designed to enhance data protection for EU residents and provide a consolidated framework to guide business usage of personal data across the EU, replacing the patchwork of existing regulations and frameworks. The 200-plus page GDPR replaces the 20-year-old Directive (95/46/EC). This new law has received a lot of attention due to its complexity and the associated penalties for noncompliance. Fines can be up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding year (whichever is higher).
As a result, many organizations are making significant changes to their privacy programs. To help with these changes, the Article 29 Working Party (WP29) has provided guidance on several of the requirements, summarized below.
1) Right to Data Portability
Article 20 provides data subjects with the right to data portability. The WP29 opinion on this Article helps data controllers understand what their obligations are and provides best practices and tools to help meet compliance obligations for this requirement.
2) Identifying Lead Supervisory Authority
If your organization conducts cross-border data processing, or is unsure whether it does, this guidance provides examples, key concepts for identifying the lead supervisory authority, and even questions to guide that identification.
3) Data Protection Officer
WP29 helped clarify some terms used in Article 37(1), which lists the situations where a DPO would be required:
a) where the processing is carried out by a public authority or body
WP29 guides that “such a notion is to be determined under national law.”
b) where the core activities of the controller or the processor consist of processing operations, which require regular and systematic monitoring of data subjects on a large scale
WP29 clarified that “core activities” means “key operations necessary to achieve the controller’s or processor’s goals” or in other words “an inextricable part of the controller’s or processor’s activity.”
c) where the core activities of the controller or the processor consist of processing on a large scale of special categories of data or personal data relating to criminal convictions and offenses
While clarification on what "large scale" means is summarized below, WP29 also gave guidance on the meaning of "regular and systematic monitoring" as well as the expertise and skills that a DPO should possess.
These factors should be considered when determining whether the "large scale" threshold is met:
- The number of data subjects concerned, either as a specific number or as a proportion of the relevant population
- The volume of data and/or the range of different data items being processed
- The duration, or permanence, of the data processing activity
- The geographical extent of the processing activity
4) Data Protection Impact Assessment
This guidance goes through when DPIAs should be conducted, expanding on the official text, which requires a DPIA for processing "likely to result in a high risk to the rights and freedoms of natural persons" (Article 35(1), illustrated by Article 35(3) and complemented by Article 35(4)). WP29 provides these example categories:
- Evaluation or scoring
- Automated decision-making with legal or similar significant effect
- Systematic monitoring
- Sensitive data
- Data processed on a large scale
- Data sets that have been matched or combined
- Data concerning vulnerable data subjects
- Innovative use or application of technological or organisational solutions
- Data transfer across borders outside the European Union
- When the processing in itself “prevents data subjects from exercising a right or using a service or a contract” (Article 22 and recital 91)
WP29 suggests that a processing operation meeting fewer than two of these criteria may not require a DPIA due to the lower level of risk, while an operation meeting at least two of them will require one. Organizations must still use their own judgement, however, because "two" is only a suggested rule of thumb.
The guidance also goes through what should be included in a DPIA, and when an organization should consult a supervisory authority.
To help organizations deal with the new concept introduced by DPIAs, namely benefits being balanced against risk, TRUSTe is working with the Information Accountability Foundation (IAF) to develop a DPIA construct. It will help organizations understand the benefits that come with the processing. It will also be automated so that organizations can scale their DPIA process, and create the documentation needed for support in case the organization must go to a regulator.
TRUSTe has developed comprehensive solutions to help organizations comply with the GDPR. All solutions are backed by our technology platform so that implementations to comply with the GDPR will be sustainable and scalable. To learn more about TRUSTe EU GDPR solutions, or to speak with a consultant, contact us.
While some organizations have written about the impending GDPR deadline and potential fines, or re-printed an exact copy of the text itself, TRUSTe has taken the 200+ pages of the GDPR and translated it into practical implementation steps for an organization of any size or maturity.
The implementation steps are grouped into five actionable phases:
- Building a Program and Team
- Assessing Risks and Creating Awareness
- Designing and Implementing Operational Controls
- Managing and Enhancing Controls
- Demonstrating Ongoing Compliance
A sample implementation step is developing a DPIA program, which includes creating templates, conducting DPIAs, managing remediation, and providing compliance reports.
The guide also includes references to specific articles, best practices tips, and which stakeholders in your organization should be involved with each implementation step. Because involving stakeholders outside of the privacy office can sometimes require speaking the language of the department you are trying to engage, the guide also includes examples of how compliance can benefit various departments:
- Information Technology: identifying storage redundancies can reduce IT complexity and save IT dollars.
- Information Security: understanding what data reside in which systems can help Security prioritize their protection efforts and establish appropriate access controls.
- Operations: visualizing flows and uses of data throughout the company can help Operations identify redundancies and improve efficiencies.
- Procurement: identifying points at which the company shares information with third party vendors and understanding the sensitivity of the data being shared can help procurement approach third party management and contracts in a risk-based, efficient approach.
Tips like these will enable your organization to begin implementation items today. Everything you put in place ahead of the deadline will enhance your overall privacy program and further your efforts to minimize risk, ensure compliance, build trust, and protect your brand.
Get this GDPR Essential Guide to help you on your path to GDPR compliance.
If you need technology solutions backed by expert privacy consultants that can help your organization with its GDPR needs, contact us today to learn more.