
PRIVACY INSIGHT SERIES

Winter / Spring 2018 Webinar Program

One Week to Go: Are you Ready for May 25th?

May 16, 2018

© 2018 TrustArc Inc Proprietary and Confidential Information


Today’s Speaker

Paul Iagnocco
Mid-West Consulting Director &
Senior Privacy Consultant
TrustArc

2 Privacy Insight Series - trustarc.com/insightseries #trustarcGDPRevents © 2018 TrustArc Inc


Today’s Agenda

• Welcome & Introduction
• Status of GDPR Compliance
• GDPR Enforcement
• GDPR Ongoing Risk Management
• Demonstrating Compliance
• Questions?






Status of GDPR Compliance



Poll #1



November 2017 Research
IAPP & TrustArc: How Far Towards GDPR Compliance

Average self-reported progress: 48.62% on a scale from 0 (haven’t started) to 100 (fully compliant)

Expect To Be GDPR Compliant By…

                         Overall   U.S.   EU
By end of 2017              7%      7%    7%
By end of March 2018       29%     36%   24%
By May 25, 2018            41%     41%   41%
After May 25, 2018         17%      9%   24%
Not sure                    6%      7%    4%



April 2018 Research
How Far Towards GDPR Compliance

• Only 7% compliant in April
• 33% expect to be compliant by May 25th
• 60% not ready for GDPR

• Only 13% compliant in April
• 23% somewhat compliant by May 25th
• 52% not ready for GDPR



For most of us …



Getting to GDPR Compliance

What solutions did companies invest in to address the GDPR?

TrustArc & IAPP Research – Nov 2017



What We are Seeing:
Actual Compliance Status of Businesses
• Most organizations have now:
– Identified Subject Matter Experts and/or DPO or lead
– Developed a plan of action
– Updated outward facing privacy notices
– Understood their data flows and created a data inventory
– Prioritized high risk data
– Established legal basis for processing, revised consent
mechanisms where necessary
– Identified means to address individual rights requests
• But there is still a long way to go…
– Pushing the plans out to the business
– Updating technology and culture takes time
What Now?

• Privacy doesn’t go away!
• May 25th is NOT about checking a box
  – not a “yes/no” answer, but a risk management approach
• The laws will change (ePrivacy Regulation will replace ePrivacy Directive)
• Case law will evolve
• Technology will continue to disrupt
• Business will find new ways to harness the power of data
• Accountability processes are ongoing, and need maintenance
• Privacy compliance of the company and partners will need monitoring and measuring
• Documents and records of evidence will need updates



Article 25 – Transforms How We Go Forward




GDPR Enforcement



What Are the “Enforcers” Saying?

“there will be fines, and they will be significant….”

“…make sure that this question of compliance is not focused on the legal departments, but throughout company.”



What Are the “Enforcers” Saying?

“Voluntary compliance is still the preferred route, but we will back up with tough action where it’s necessary.”

“It’s NOT our first task to fine, it’s our first task to see if you’re compliant, and if you’re not compliant it will be a problem.”



But are They Ready to Enforce?
Reuters surveyed all EU regulators on May 8th and 24 disclosed the following:

• 21% fully enforcement ready to act
• 71% lack funding and local legislation
• 46% expect to have both funding and local legislation to act in near future
GDPR Enforcement Actions
When will the regulators show up?

1. Data Subject (complaints)
2. Data Breach (notifications)
3. Media Report (publicity)
4. Invitation (audit)

• Potential GDPR enforcement actions and penalties
• Data Subject individual right for compensation
• Industry predictions as to GDPR enforcement actions



Goodbye WP29, Hello EDPB

• As of May 25th, the European Data Protection Board is established, replacing Working Party 29.
• GDPR Article 68: establishes the EDPB, contains general rules regarding composition and function.
• GDPR Article 69: emphasizes the independence of the EDPB; in the exercise of its powers it neither seeks nor takes instructions from anyone.
• GDPR Article 70: describes the many tasks of the EDPB.
• EDPB Website forthcoming as well.



Poll #2




GDPR Ongoing Risk Management



What is the Ongoing Risk Management Role?
[Slide diagram: a continuous risk management cycle. Stages shown on the diagram:]
• Build Program (annotated: “most organizations are here”)
• Deliver Controls
• Assess, Test compliance framework
• Monitor, Measure Compliance
• Ensure compliance records are maintained
• Demonstrate compliance
• Review and adapt controls as needed
• Improve Actions
• Be Vigilant

[Callout:] Ensure timely reporting of data breaches and response to data subject requests, etc.



Ongoing GDPR Accountability Areas

• Privacy by Design and Default
• Privacy Impact Assessments
• Information Lifecycle/Records Management
• Monitoring Compliance and Assurance Processes Updates
• Information Security
• Data Breach Notification
• Individual Rights Responses
• Data Processor/Vendor Audits
• Ensuring Processes and Tech Complies
• Updating Data Inventories
• New Regulator Registrations/Notifications
• Employee Training and Certifications



Liaison with Board Audit Committees
& Support of Data Protection Officers (DPOs)
• Partner with audit teams to ensure ongoing compliance (e.g., data subject consents, processing accountabilities)
• Build GDPR Portals
• Policies and Procedures
• Employee Training
• Summary Due Diligence Records
• Internal Presentations
• Impact on Financials
• Find Evangelists

Consultants and projects may get you “there”, but the challenge is to keep it “there”!




Demonstrating Compliance



Poll #3



Importance of Demonstrating Compliance

• Come May 25th: Readiness will no longer be enough.
• Huge Fines: Regulators will be able to fine companies up to 4% of their annual revenue for non-compliance.
• Lost Customers: Companies may lose existing customers for failure to show they can comply with GDPR.
• Lost Deals: Companies may lose new deals if they cannot show they are compliant with GDPR.
• Lawsuits: Companies may have legal actions brought directly against them under GDPR.

Demonstrating GDPR compliance at any time will be critical to managing these risks in a GDPR world.



Sorry No Such Thing as “GDPR Certified”

• Articles 40 (codes of conduct), 41 (monitoring of approved codes of conduct), 42 (certification) and 43 (certification bodies) have not been established quite yet – NO GDPR CERTIFICATION AVAILABLE TODAY
• Companies can ready themselves for this future certification by independently validating their GDPR efforts and status, which can then be shared with both internal and external stakeholders.



In the absence of an official GDPR certification, what does it mean
for a company to say that it is GDPR-compliant?

[Slide diagram] Audiences: Regulators, Customers, Prospects, Individuals

Requirement levels: Company-Wide Requirements; Process/Product Specific Requirements



TrustArc GDPR Validation

Visit: https://www.trustarc.com/products/gdpr-validation/






Questions?




Contact
Paul Iagnocco email: piagnocco@trustarc.com




Thank You!
Details of our Summer/Fall Privacy Insight Series will be announced shortly. Look out for details on email.

See http://www.trustarc.com/insightseries for the 2018 Privacy Insight Series and past webinar recordings.

