
Preparing for the GDPR: the Compliance Countdown Begins


April 14, 2016

Privacy Insight Series - truste.com/insightseries

Today's Speakers
- Ralph T O'Brien, Principal Consultant EU, TRUSTe
- Paul Lanois, Counsel, Cross-border Legal, Credit Suisse
- Barbara Mangan Sondag, Privacy Counsel, North America, eBay Inc


The GDPR Story so Far


Ralph T O'Brien, Principal Consultant EU, TRUSTe


Why and what is the GDPR?

GOAL: One single law for the EU
- The previous Directive of 1995 and national laws are to be repealed
- Member states need enabling legislation (with some ability to vary): 50/99 articles have scope for variance.
- Interpreted nationally by supervisory authorities
- Consistency brought by a European Data Protection Board (EDPB)
- Organizations have a lead authority, based on the organization's main establishment (EU HQ)


Applicability
- Applicability is now extra-territorial, based on residency of individuals in the EU:
  o Offering goods or services
  o Monitoring of behavior (such as internet tracking and profiling)
- Applies where the organization is processing personal data:
  o Data that relates to an individual who can be identified from it (or from other data you have)
  o Regardless of format (digital, paper, audio, video etc.)
  o Doesn't have to be names (ID by picture, IP addresses, device IDs, cookies etc.)
- Sets up Consistency Mechanisms and the EDPB
- Supports Codes of Conduct, Seals and Certifications as evidence of compliance


Timeline
- Political agreement reached between Council and Parliament in December 2015
- Final text on 6 April 2016 from the technical drafting committees
- The text of the regulation will be sent to the European Parliament, where it will first be approved by the Civil Liberties, Justice and Home Affairs (LIBE) committee in an extraordinary session
- It was adopted in plenary on 14 April 2016 (today!)
- It will then be published in the Official Journal of the European Union (OJEU)
- Exactly two years after the date of publication in the OJEU, the Regulation will enter into force (April/May 2018?)


Privacy under the EU Model

[Diagram: the actors in the EU data protection model and the questions that connect them]
- European Data Protection Board (consistency mechanism)
- EU Courts and National Courts
- Data Protection Authority (supervising authority, based on main establishment): advisory and enforcement
- Data Controller (organisations): duties
- Data Processor: security?
- Data Subject (individuals): rights; inform? complain?
- Third Countries: guarantees?
- Third Parties: disclosure?

Key Requirements

Increased Individual Rights
- Access to data
- Remedy from supervisory body/court
- Compensation for Damage
- Compensation for Distress
- Rectification (NEW)
- Objection
  o Absolute for direct marketing
- Erasure (NEW)
- Data Portability (NEW)
- Restrict processing (put on hold)
- Automated decisions and profiling

Increased Obligations
- Consent harder to obtain/prove
- Privacy notices more detailed/clearer
- Proactively demonstrate compliance
- Breach Notification (72 hours) - to individual and regulator
- Appointment of Data Protection Officer (250+, or high risk processing)
- Privacy by Design
- Privacy Impact Assessments
- More obligations for Processors (Joint Controllership)


Privacy Principles Remain Consistent
- Lawful basis
- Fair processing
- Specified purposes (limitation)
- Adequate, relevant, not excessive (minimization)
- Accuracy
- Retention
- Rights of individuals
- Appropriate security
- International transfer adequacy


Key Privacy Risks
- National laws may set up additional penalties (enforced audit, reprimand, criminal sanctions)
- Fines
- Increased consumer awareness
- Increased activism
- Courts now finding for the individual more often (courts as activists)
- Greater visibility of privacy in the media
- Ethical business practices (creepiness)
- Reputational harm
- Decreased consumer trust


Fines
- Up to 10m EUR or 2% of worldwide annual turnover of the last FY
- Up to 20m EUR or 4% of worldwide annual turnover of the last FY


POLL:
How prepared is your organization with the European Union's
upcoming General Data Protection Regulation (the "GDPR")?
1. Sorry, GDPR? Any connection with the Gross Domestic Product?
2. We are already prepared, ready and waiting. Bring it on!
3. We have already begun work and expect to be in time.
4. We are not sure we will be ready by the deadline.
5. We have not started anything yet.


GDPR: what you can do now to prepare yourself
Paul Lanois, Legal Counsel, Cross-border Legal, Credit Suisse

Note: the views expressed are mine alone and do not necessarily reflect the views of my employer.


Scope
The scope of application of the GDPR is broader than the EU's current data protection regime:
- Under the current regime, organizations are in scope if they are located within the EU or make use of (automated) equipment located within the EU.
- With the GDPR, the legislation extends to all organizations offering goods or services to EU citizens, irrespective of whether a payment is required, and to organizations that monitor the (online) behavior of EU citizens, in so far as the behavior takes place in the EU.

Even if your organization does not have any branches or processing equipment in the EU, it could still fall within the scope of the GDPR! Any entity holding or using European personal data will be impacted.


Start building awareness now

Change is coming and your staff needs to know about it sooner rather than later! But an implementation timeframe of 2 years is plenty of time, right?
- The French Digital Republic bill already anticipates the GDPR.
- Some obligations are new and will take time to implement, for example:
  o Subject access requests: processes may need to be created to be able to respond to requests from individuals without undue delay and at the latest within one month.
  o Data Portability: the GDPR gives individuals the right to receive their personal data in a structured, commonly-used and machine-readable format. Individuals may also request, where technically feasible, that the controller send the personal data to another controller.
  o Privacy by Design: embed privacy into the design specifications of technologies, business practices, and physical infrastructures.

How to raise awareness
- Right to compensation: any person who has suffered material or non-material damage as a result of an infringement of the Regulation has the right to receive compensation for the damage suffered.
- Sanctions: fines can amount to EUR 20 million or up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
  o This is a big and serious change from the current regime.
  o "Data protection will be the new anti-trust" - Giovanni Buttarelli, European Data Protection Supervisor.
- Ensure that decision makers and key people in your organization are now aware that the law is changing so that they can start identifying the areas that will have the biggest impact on them.

Some less known points to consider
- With the GDPR, additional points must be covered in the privacy notice: for example, you will need to explain your legal basis for processing the data, your data retention periods and that individuals have a right to complain if they think there is a problem with the way you are handling their data.
- Information must be provided in a concise, transparent, intelligible and easily accessible form, using clear and plain language.
- Restrictions surround automated data processing and decisions based upon such processing (i.e. profiling).
- Parental consent will be needed to process personal data of children under 16 (Member States may bring this down to 13).


GDPR: Privacy Impact Assessments
Barbara Mangan Sondag, Privacy Counsel, North America, eBay

Note: the views expressed are mine alone and do not necessarily reflect the views of my employer.


Privacy Impact Assessments (PIAs) at a glance
- Privacy Impact Assessment, a.k.a. Data Protection Impact Assessment (DPIA)
- No definition in the GDPR text
- Regarded as a systematic assessment of a project that identifies the impact that the project might have on the privacy of individuals, and sets out recommendations for managing, minimizing or eliminating that impact.
- Plays an important role in the overall risk management and planning processes of a company
- PIAs can assist businesses with:
  o Describing how personal information flows in a project
  o Analyzing the possible impacts on individuals' privacy
  o Identifying and recommending options for avoiding, minimizing or mitigating negative privacy impacts
  o Building privacy considerations into the design of a project
  o Achieving the project's goals while minimizing the negative and enhancing the positive privacy impacts.


Privacy Impact Assessments (PIAs) at a glance

Benefits of PIAs:
- demonstrating that a project is compliant with privacy laws
- reducing future costs in management time, legal expenses and potential negative publicity by considering privacy issues early in a project
- identifying strategies to achieve the project's goals without impacting on privacy
- promoting awareness and understanding of privacy issues inside the organization or agency
- contributing to broader organizational or agency risk management processes.

Risks of not undertaking a PIA include:
- non-compliance with the letter or the spirit of relevant privacy laws, potentially leading to a privacy breach and/or negative publicity
- loss of credibility by the entity through lack of transparency in response to public concern about handling personal information
- damage to an entity's reputation if the project fails to meet expectations about how personal information will be protected
- identification of privacy risks at a late stage in the project development or implementation, resulting in unnecessary costs or inadequate solutions.

GDPR Requirements

Applicable GDPR Text
- Data Protection Impact Assessments (DPIAs) (Sect. 3, Art. 35)
- The supervisory authority shall establish and make public a list of the types of processing operations that require a DPIA. They may also establish and make public a list of the types of processing operations that do not require a DPIA. Lists shall be communicated to the EUDPB.
- Penalty, Art. 83: administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher

Obligations
- DPIAs are required for any processing that may result in high risk, and for:
  o Systematic and extensive automated processing, including profiling, if the decisions produce legal effects or significantly affect the individual (example: making predictions based on a person's behavior, economic situation, health, location)
  o Processing special categories of data (i.e. genetic or biometric data) or criminal records on a large scale
  o Systematic monitoring of a publicly accessible area on a large scale
  o As indicated by the DPAs or EUDPB
- Each DPIA shall contain at least:
  o A systematic description of the processing operations and the purposes of the processing, including where applicable the legitimate interest of the controller;
  o An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
  o An assessment of the risks to the rights and freedoms of data subjects; and
  o The measures needed to address the risks, including safeguards, security measures and mechanisms to demonstrate compliance.


GDPR Requirements
Implementation Considerations
- Evaluate existing PIA processes against PIA requirements, particularly events that may constitute high risk:
  o Conversion of records from paper-based to electronic form;
  o Conversion of information from anonymous to identifiable form;
  o System management changes involving significant new uses and/or application of new technologies;
  o Significant merging, matching or other manipulation of multiple databases containing personal data;
  o Incorporation into existing databases of personal data obtained from commercial or public sources;
  o Alteration of a business process resulting in significant new collection, use and/or disclosure of personal data
- Consider risk definitions and evaluation criteria used within the business
- A single DPIA may address a set of processing operations that present similar high risks.
- Where appropriate, seek the views of data subjects on the intended processing.
- Conduct audits to verify that processing is performed in compliance with the DPIA, at least when there is a change of the risk represented by the processing operations.
- Where a DPIA indicates high risk: if the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.

Practical Points for PIAs
- Build, implement and be able to document a robust PIA process
- Your company's core business drivers influence the content of a PIA (for example, eBay's PIA would likely look very different from American Express's PIA because of the products/services they offer).
- A single assessment may involve many people in multiple geographies. It can cross various business units and be reviewed by several internal and external stakeholders.
- Systematically evaluate how personally identifiable information is collected, used, shared and maintained by your organization in the context of business change
- What areas of your program should you address? At what level? Privacy Notice? Large-scale strategic projects? Individual use cases?

Practical Points for PIAs (2)
- Consider a bifurcated PIA process, with traditional PIAs for all projects and EU DPIAs for projects that trigger these rules
- Documentation requirements may impose a burden on development teams using agile and similar methods; additional resources may have to be added to manage recordkeeping
- Consider the advantages and risks of maintaining DPIA records with the records of processing activities required by Art. 30.
- Where possible, automate parts of the PIA, standardize reviews, and obtain metrics on PIAs.
- Your Information Security Team is a great partner!
- PIAs should be an integral part of the project planning process, not an afterthought.

Case Study: eBay Vendor Assessments
- Global Privacy partnered with the Information Security team to build out a ticketing system for vendor security assessments
  o Security + Privacy questions to comprehensively assess risk
  o Share a body of knowledge in one system; align resources between teams; quickly prompt the preparation of the right type of Data Protection Requirements Addendum (DPRA)
  o Business notified if further information is required
  o Executed DPRA attached to the ticket for future reference
- Saves time for Business, Legal, Privacy and Information Security
  o One-time ticket completion: Business can communicate project details to InfoSec and Privacy simultaneously.
- Everyone wins: saves time for future lookup
  o The project details and assessment are documented in the ticketing system, not in emails.


Sample


Questions?


Contacts
- Ralph T O'Brien: robrien@truste.com
- Barbara Mangan Sondag: bmangan@ebay.com
- Paul Lanois: planois@alumni.law.upenn.edu

Thank You!
Don't miss the next webinar in the Series, Global Privacy Enforcement Priorities, on May 19, featuring Chris Hoofnagle, Adjunct Full Professor, University of California, Berkeley.
See http://www.truste.com/insightseries for details of our 2016 Privacy Insight Series and past webinar recordings.