Scribd Logo
Upload

Welcome to Scribd!

  • GDPR: DPIAs & Risk - TRUSTe Privacy Insight Series Webinar

    Uploaded by

    TrustArc
    195 views28 pages
    Watch the webinar on-demand: https://info.truste.com/gdpr-dpia-data-breach-requirements-webinar.html In this Privacy Insight Series webinar, our speakers discussed GDPR (General Data Protection Regulation) and DPIAs (Data Protection Impact Assessment) covering the following: - How to determine when a DPIA is required under GDPR - Risk assessment - evaluating likelihood and severity - Evaluating safeguards and other measures to mitigate the risks - Related risk assessment considerations under GDPR, such as legitimate interests and breach notifications To register for upcoming/on-demand webinars visit: https://www.truste.com/events/privacy-insight-webinar-schedule/

    Original Title

    GDPR: DPIAs & Risk | TRUSTe Privacy Insight Series Webinar

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Watch the webinar on-demand: https://info.truste.com/gdpr-dpia-data-breach-requirements-webinar.html In this Privacy Insight Series webinar, our speakers discussed GDPR (General Data Protection Regulation) and DPIAs (Data Protection Impact Assessment) covering the following: - How to determine when a DPIA is required under GDPR - Risk assessment - evaluating likelihood and severity - Evaluating safeguards and other measures to mitigate the risks - Related risk assessment considerations under GDPR, such as legitimate interests and breach notifications To register for upcoming/on-demand webinars visit: https://www.truste.com/events/privacy-insight-webinar-schedule/

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    195 views28 pages

    GDPR: DPIAs & Risk - TRUSTe Privacy Insight Series Webinar

    Uploaded by

    TrustArc
    Watch the webinar on-demand: https://info.truste.com/gdpr-dpia-data-breach-requirements-webinar.html In this Privacy Insight Series webinar, our speakers discussed GDPR (General Data Protection Regulation) and DPIAs (Data Protection Impact Assessment) covering the following: - How to determine when a DPIA is required under GDPR - Risk assessment - evaluating likelihood and severity - Evaluating safeguards and other measures to mitigate the risks - Related risk assessment considerations under GDPR, such as legitimate interests and breach notifications To register for upcoming/on-demand webinars visit: https://www.truste.com/events/privacy-insight-webinar-schedule/

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 28

    GDPR: DPIAs & Risk

    May 23, 2017

    v TRUSTe Inc., 2017


    Privacy Insight Series
    v - truste.com/insightseries 1
    TRUSTe Inc., 2017
    Thank you for joining the webinar
    GDPR: DPIAs & Risk

    We will be starting a couple minutes after the hour

    This webinar will be recorded and the recording and slides sent out
    later today

    Please use the GotoWebinar control panel on the right hand side to
    submit any questions for the speakers

    v TRUSTe Inc., 2017


    Privacy Insight Series
    v - truste.com/insightseries 2
    TRUSTe Inc., 2017
    Todays Speakers

    Marty Abrams
    Executive Director & Chief Strategist
    Information Accountability Foundation (IAF)

    Hilary Wandall (Moderator)


    General Counsel & Chief Data Governance Officer
    TRUSTe

    Privacy Insight Series


    v - truste.com/insightseries 3
    TRUSTe Inc., 2017
    Todays Agenda

    Welcome & Introductions


    The role of DPIAs
    Development of privacy assessment methodology
    GDPR and DPIAs
    Risky processing under GDPR
    IAF-TRUSTe DPIA approach
    Privacy risk and enterprise risk management
    Q&A

    Privacy Insight Series


    v - truste.com/insightseries 4
    TRUSTe Inc., 2017
    Webinar Poll

    Do you have an internal PIA or DPIA process?


    yes
    no

    Privacy Insight Series


    v - truste.com/insightseries 5
    TRUSTe Inc., 2017
    The Role of DPIAs

    v TRUSTe Inc., 2017


    Privacy Insight Series
    v - truste.com/insightseries 6
    TRUSTe Inc., 2017
    Build Your Program 6 Essential Elements
    Integrated Identify stakeholders. Establish
    Governance program leadership and governance.
    Define program mission, vision and
    goals.
    Risk Identify, assess and classify data-
    Build Assessment related strategic, operational, legal
    Establish, maintain compliance and financial risks.
    and evolve an Resource Establish budgets. Define roles and
    integrated privacy Allocation responsibilities. Assign competent
    and data governance personnel.
    program aligned with
    Policies & Develop policies, procedures and
    other data
    Standards guidelines to define and deploy
    management and effective and sustainable governance
    information risk and controls for managing data-
    functions such as related risks.
    security, IP, trade
    secret protection and Processes Establish, manage, measure and
    e-discovery continually improve processes for
    PIAs, vendor assessments, incident
    management and breach notification,
    Learn and Evolve Over Time complaint handling and individual
    rights management.
    Awareness & Communicate expectations. Provide
    Training general & contextual training.
    Privacy Insight Series
    v - truste.com/insightseries 7
    TRUSTe Inc., 2017
    Development of Privacy Assessment
    Methodology

    v TRUSTe Inc., 2017


    Privacy Insight Series
    v - truste.com/insightseries 8
    TRUSTe Inc., 2017
    How has assessment methodology developed in
    the privacy field?

    Privacy Insight Series


    v - truste.com/insightseries 9
    TRUSTe Inc., 2017
    How did comprehensive data impact assessments
    originate?

    Privacy Insight Series


    v - truste.com/insightseries 10
    TRUSTe Inc., 2017
    Genesis of Ethical Assessments

    2013 - Challenge by HP, Merck, Intuit and Acxiom to


    develop a means to make big data processing defendable
    2014 - Unified Ethical frame developed and presented at
    the International Conference of Data Protection and Privacy
    Commissioners
    Ethical assessments the key
    Embraced by numerous regulators
    The golden rule became the proxy for ethics

    2015 Oversight and framework for assessment


    Multi-stakeholder oversight
    Link to legitimate interests established
    Digital marketing assessment framework developed

    2016 Canadian project


    Privacy Insight Series
    v - truste.com/insightseries 11
    TRUSTe Inc., 2017
    Canadian Project
    Canadian law, in most cases requires consent
    Raised the question of how big data might be done in Canada as a
    link to accountability
    IAF received a grant from Office of the Privacy
    Commissioner to explore the concept of ethical
    assessments
    Recruited 20 Canadian companies and a lead Canadian
    lawyer/expert to work with us
    Took the Canadian framework to a multi-stakeholder group
    that included regulators
    End products a framework that includes the legal and
    ethical discussion and an assessment framework
    Participants pleased with the outcome
    OPC pleased with the work product

    Privacy Insight Series


    v - truste.com/insightseries 12
    TRUSTe Inc., 2017
    Key Findings

    A customized linkage to local law and culture is


    necessary
    The assessment framework can be used globally
    Assessing stakeholder benefits and risks was break
    through for companies
    This methodology is useful everywhere
    Legal, fair and just - which puts people first - is a great
    proxy for ethics
    Automating the process would lead to scalability

    Privacy Insight Series


    v - truste.com/insightseries 13
    TRUSTe Inc., 2017
    How does the ethical assessment methodology
    align with the GDPR expectations for DPIAs?

    Privacy Insight Series


    v - truste.com/insightseries 14
    TRUSTe Inc., 2017
    IAF-TRUSTe DPIA Strategy

    v TRUSTe Inc., 2017


    Privacy Insight Series
    v - truste.com/insightseries 15
    TRUSTe Inc., 2017
    GDPR Requirements for DPIAs (Articles 35 and 36)

    Processing likely to
    result in high risk
    DPIA Required
    Article 35(1)
    Systematic description of the processing
    Assessment of necessity and
    proportionality
    Assessment of the risks to the rights and
    No
    freedoms of data subjects
    Measures to address the risks

    Is residual risk high?


    No DPIA Required

    No

    No DPA Consult
    DPA Consult Required
    Required
    Privacy Insight Series
    v - truste.com/insightseries 16
    TRUSTe Inc., 2017
    Processing Likely to Result in High Risk Key Criteria

    Based on Article 29 Working Party Guidelines WP 248 (4 Apr 2017)


    Evaluation or scoring
    Automated-decision making with legal or similar significant effect
    Systematic monitoring
    Sensitive data
    Data processed on a large scale
    Datasets that have been matched or combined
    Data concerning vulnerable subjects
    Innovative use or applying technological or organizational solutions
    Data transfer across borders outside of the EU
    Where the processing itself prevents individuals from exercising a right
    or using a service or a contract

    Privacy Insight Series


    v - truste.com/insightseries 17
    TRUSTe Inc., 2017
    IAF-TRUSTe DPIA Construct

    Part A Governance Part C Mitigations Part D Risk Outcomes


    and Accountability and Safeguards (Report)
    1. Organizational
    Accountability 10. Data Necessity 18. Mitigations and
    2. Purpose (DPbDesign/Default, Safeguard
    3. Data Data Minimization) Effectiveness
    4. Data Sources, Origins 11. Use, Retention and Evaluation (Scale)
    and Characteristics Disposal 19. Calculation of
    5. Legal Basis of 12. Disclosure to Third Residual Risk
    Processing Parties and Onward Severity and
    Transfer Likelihood
    13. Choice and Consent 20. Legitimate Interests
    Part B Risk, Impacts
    14. Access and Individual Balancing Test
    and Benefits
    Rights Outcomes
    6. High Risk Processing
    15. Data Integrity and 21. Where residual risks
    7. Value and Benefits of
    Quality are high, consultation
    the Processing
    16. Security of DPA and data
    8. Inherent Risk
    17. Transparency subjects
    Assessment
    9. Weighted Inherent
    Risk-Benefits

    Privacy Insight Series


    v - truste.com/insightseries 18
    TRUSTe Inc., 2017
    Webinar Poll

    Do you have an automated PIA or DPIA process?


    yes
    no

    Privacy Insight Series


    v - truste.com/insightseries 19
    TRUSTe Inc., 2017
    Automating the IAF-TRUSTe DPIA

    Privacy Insight Series


    v - truste.com/insightseries 20
    TRUSTe Inc., 2017
    Automating the IAF-TRUSTe DPIA

    Privacy Insight Series


    v - truste.com/insightseries 21
    TRUSTe Inc., 2017
    Automating the IAF-TRUSTe DPIA

    Privacy Insight Series


    v - truste.com/insightseries 22
    TRUSTe Inc., 2017
    Automating the IAF-TRUSTe DPIA

    Privacy Insight Series


    v - truste.com/insightseries 23
    TRUSTe Inc., 2017
    Webinar Poll

    Do you have an enterprise risk management (ERM)


    process?
    yes
    no

    Privacy Insight Series


    v - truste.com/insightseries 24
    TRUSTe Inc., 2017
    Integrating Privacy into Enterprise Risk Management

    Privacy Insight Series


    v - truste.com/insightseries 25
    TRUSTe Inc., 2017
    Questions?

    v TRUSTe Inc., 2017


    Privacy Insight Series
    v - truste.com/insightseries 26
    TRUSTe Inc., 2017
    Contacts
    Marty Abrams mabrams@informationaccountability.org
    Hilary Wandall hilary@truste.com

    v TRUSTe Inc., 2017


    Privacy Insight Series
    v - truste.com/insightseries 27
    TRUSTe Inc., 2017
    Thank You!
    Details and registration for our 2017 Summer/Fall Webinar Series will be
    published shortly.
    Register for our next live event the Privacy Risk Summit on June 6th 2017
    at https://www.truste.com/events/privacy-risk/

    See http://www.truste.com/insightseries for the 2017 Privacy Insight Series


    and past webinar recordings.
    v TRUSTe Inc., 2017
    Privacy Insight Series
    v - truste.com/insightseries 28
    TRUSTe Inc., 2017

    You might also like