Privacy Shield Self-Certification – What's Next? [Webinar Slides]

Transcript of Privacy Shield Self-Certification – What's Next? [Webinar Slides]

1 v Privacy Insight Series - truste.com/insightseries © TRUSTe Inc., 2017

v © TRUSTe Inc., 2017

Privacy Shield Self-Certification – What's Next?

February 23, 2017

Today’s Speakers

K Royal, JD, CIPP/E/US – Senior Privacy Consultant, TRUSTe

Amanda Gratchner – Global Privacy Counsel, NAVEX Global

David Fowler – Chief Privacy & Digital Compliance Officer, Act-On Software

Today’s Agenda

• Welcome & Introductions

• Privacy Shield

– Self-certification

– Updates

• Relationships

– Various frameworks

• Leveraging Privacy Shield

• Q&A

Webinar Poll

Have you self-certified for Privacy Shield?

• Yes

• No

• In Progress

Privacy Shield – One Year On

Understanding the Privacy Shield Framework

What’s different compared to Safe Harbor?

• New Privacy Protections

– Notice requirements, accountability for onward transfer, purpose limitation and data retention

• Enhanced Complaint Resolution

– Response time to EU individuals, free dispute resolution, binding arbitration as last-resort option

• Improved Cooperation and Transparency

– Monitoring and dispute resolution require cooperation with the International Trade Administration (ITA) Privacy Shield Team; ongoing requirements (if you withdraw but retain the data); publication of FTC compliance reports (if subject to an enforcement action)

Joining the Privacy Shield Program

1. Confirm Your Organization’s Eligibility to Participate

2. Develop a Compliant Privacy Policy

3. Establish an Independent Recourse Mechanism (IRM)

4. Ensure a Verification Mechanism is in place

5. Identify your Privacy Shield Point of Contact

6. Self-certify Using the Privacy Shield Website

7. Reaffirm Self-certification Annually

8. Reply to Inquiries from EU citizens, IRM, Commerce, and/or DPAs as Required

Practical Considerations and Challenges

• Understanding the Privacy Shield Framework

• Understanding your business operations

• Developing compliant privacy statements and notices

• Developing privacy program governance, policies, and procedures

• Verification of privacy practices and monitoring of compliance

• Keeping records of Privacy Shield Principles implementation

• Employee training and awareness

• Dealing with onward transfer issues

• Dealing with data subject access requests and privacy complaints

Privacy Shield Self-Certification

Companies that had EU/US Safe Harbor

• Filed by September 30, 2016

• 9 months to come into compliance

- June 30, 2017

• Posted: 1705

What about those that did not certify?

What about those who were not in Safe Harbor?

Privacy Shield Updates

What’s the future for Privacy Shield?

• Brexit

• Irish lawsuit

• French lawsuits

• Executive orders

What about other Data Transfer Compliance Mechanisms?

Frameworks

Privacy Shield vs. the GDPR

General Data Protection Regulation

European law

• From Directive 95 to GDPR

• Address societal and technological changes

May 25, 2018

Stats

• Companies impacted

• Privacy jobs

Cross Border Data Transfers

Adequacy

• Privacy Shield

Binding Corporate Rules

• Controllers and Processors

Standard Contractual Clauses

Under GDPR – codes of conduct

Binding Corporate Rules

Intergroup agreement

• Group – defined

Transfer mechanism

• Specifically mentioned in GDPR

Considered “gold standard”

Companies:

Binding Safe Processing Rules

• BCRs for Controllers and Processors

Cross Border Privacy Rules

• Asia-Pacific Economic Cooperation

• Voluntary program

• 2011

• Independent accountability agent required

• 4 economies so far

- USA, Mexico, Japan and Canada

• Crosswalk published BCRs/CBPRs

- Merck

Leveraging Privacy Shield

What should a company do?

• Data

• Policies

• Practices

• Legal/Compliance Specific

• Consider certification programs

Data To-Dos

Data

• inventory

• classification

• minimization

• record retention

• destruction

Policy To-Dos

Information security policies

• training

• monitor compliance

Privacy policies

• easily accessible

• clear and plain language

• full disclosure of data collection and processing

Practices To-Dos

PIAs

Complaint process (must be easy)

Review and revise methods of obtaining consent

Data portability and erasure processes

Update incident response plans

• notice to supervisory agencies within 72 hours

Legal-Specific To-Dos

• DPO (Data Protection Officer): authority and independence, monitor compliance, perform training, and conduct internal audits

• Accountability: detailed records of the processing performed on personal data

• Review BCRs (or SCCs) for compliance with GDPR

• Addendums for onward transfer requirements

• Vendor oversight and accountability

• Insurance policies: global or enterprise coverage, types of data issues, and increased costs and liabilities

Questions?

Contacts

K Royal [email protected]

Amanda Gratchner [email protected]

David Fowler [email protected]

Register now for the next webinar in our 2017 Winter/Spring Webinar Series on March 23: “Privacy Program Management: A Framework for Success”.

See http://www.truste.com/insightseries for the 2017 Privacy Insight Series and past webinar recordings.

Thank You!