[GDPR Webinar Slides] Path to GDPR Compliance

1. 1 vPrivacy Insight Series - truste.com/insightseries v Path to GDPR Compliance June 29, 2016

2. 2 vPrivacy Insight Series - truste.com/insightseries v • We will be starting a couple minutes after the hour • This webinar will be recorded and the recording and slides sent out later today • Please use the GotoWebinar control panel on the right hand side to submit any questions for the speakers Thank you for joining the webinar

3. 3 vPrivacy Insight Series - truste.com/insightseries Today’s Speakers Eleanor Treharne-Jones, CIPP/E VP Consulting TRUSTe (moderator) Beth Sipula Senior Privacy Consultant TRUSTe Bojana Bellamy, CIPP/E President Hunton & Williams Centre for Information Policy Leadership (CIPL)

4. 4 vPrivacy Insight Series - truste.com/insightseries v The New EU Data Protection Regulation: A Catalyst for Sea Change for All? Bojana Bellamy, CIPP/E President, Hunton & Williams Centre for information Policy Leadership (CIPL)

5. 5 vPrivacy Insight Series - truste.com/insightseries Harmonisation and some progress •Harmonised rules, but not fully (e.g. employee data, children data) •One Stop Shop: Lead DPA for pan- European matters, in cooperation with other DPAs; Local DPA for local matters and redress for individuals •Risk-based approach •Some reduction of administrative burden (no national registration of processing. or prior authorisation) •BCR, seals and certifications •Greater cooperation and consistency by DP regulators Broader scope •Obligations on both controller and processor •Extraterritorial application to foreign controller and processor •Wider definition of personal data and sensitive data; anonymous data and pseudonymisation •Processing data of children under 16 requires parental consent Increased obligations •DP principles tightened (consent, transparency/notices) • Profiling rules •Privacy Impact Assessment •Privacy by Design •Breach notification - to DPAs and individuals •Direct obligations and liability for processor •Accountability - privacy program •Internal record of processing •DP Officer Strengthened rights of individuals •Right to erasure •Data portability •Right not to be subject to automated profiling / right to object Increased enforcement, fines, liability •Regulatory fines up to 4% of annual worldwide turnover •Individual action •Class action •Criminal sanctions (in national laws) •Larger role for European Data Protection Board (EDPB) EU Data Protection Regulation at a Glance

6. 6 vPrivacy Insight Series - truste.com/insightseries Accountability in GDPR – Privacy Programme Controllers must: •Be responsible for compliance with GDPR •Implement appropriate and effective technical and organisational measures to comply with the GDPR •Demonstrate compliance & effectiveness of the measures Taking into account: •The nature, scope, context, and purposes of the data processing •The risk for individuals - physical, moral, material damages

7. 7 vPrivacy Insight Series - truste.com/insightseries Accountability, Effective Compliance and Protection for Individuals Leadership and oversight Risk assessment Policies and Procedures Privacy by Design Transparency Training and awareness Monitoring and verification Response and enforcement Privacy Management Programme – Universal Elements

8. 8 vPrivacy Insight Series - truste.com/insightseries Internal privacy policies and procedures - compliance rules for DP principles and individual rights Security policies External transparency measures Measures to implement Privacy by Design/Default Maintaining internal records of processing Keeping documentation and evidence - consent, legitimate interest, notices, PIA, processing agreements, breach response Conducting Privacy Impact Assessments - for high risk processing Processor choice and management Documenting and notifying personal data breaches - to the DPA and individuals Maintaining transfer mechanisms for global data transfers Appointing a DP Officer, with independent status, protected employment and statutory responsibilities Co-operating with DPAs, on request 8 Accountability Measures Under GDPR

9. 9 vPrivacy Insight Series - truste.com/insightseries Accountability can be demonstrated via: •BCR •Approved Codes of Conduct •Approved certifications •Seals? •Other accountability frameworks – e.g. ISO Cloud Privacy and Security Standard? CBPR? Demonstrating Accountability under GDPR

10. 10 vPrivacy Insight Series - truste.com/insightseries Game Changer or Business as Usual? DP Program – Corporate Digital Responsibility DPO led, documented, risk-based, verified, demonstrated Data transfers strategy Big Data enablement DPIA Process Privacy Engineers Vendor management Breach management Relationship with DPAs Legal uncertainty and disputes management

11. 11 vPrivacy Insight Series - truste.com/insightseries Systematic Changes Ahead for Organisations Greater need for managing external engagement and relationships (DPAs, EDPB, individuals, media, privacy advocates) DP Officer (DPO) becomes a more strategic, senior and multi-skilled role Holistic and joined-up approach between CIO, CISO, CDO, CMO, CPO, Legal and communications / media relations DP becomes high-profile and board-level issue – higher enterprise risk; larger business, legal and compliance impact; security breach notification and management DP becomes a business issue - wide impact on company’s globalisation, digital transformation and data strategy GDPR Implementation - company-wide change management program required

12. 12 vPrivacy Insight Series - truste.com/insightseries WP29 Project Work Plan 2016 WP 29 Guidance Risk DPO Data Portability Certifications Main Establishment, Consistency Procedure, Governance and working of EDPB

13. 13 vPrivacy Insight Series - truste.com/insightseries Some examples of further rules and implementation Member States • Age of children (13- 16) • Rules for health, genetic, criminal convictions • Rules to authorise profiling / automated decision taking • Restrictions to rights / breach notifications • Responsibility of joint controllers • DPO appointment • Employee data • Statistical, scientific, historical purposes • National ID numbers Commission • Icons and standardised privacy policies • Technical standards for certifications / seals EDPB /DPAs • Standard processing contracts • List of high risk processing • Conditions for profiling • High risk re data breaches

14. 14 vPrivacy Insight Series - truste.com/insightseries Key Themes and Takeaways from CIPL GDPR Project Workshop I Report (1) Open engagement between industry, regulators, Member States and the Commission is essential for consistent implementation and interpretation of the GDPR. The successful GDPR implementation will require (1) taking into account the aims of the European Digital Single Market, (2) “future-proof” and technologically neutral interpretation and implementation guidance, (3) EU-wide harmonisation, and (4) consideration of other overlapping EU laws. “Accountability” is central to the GDPR (for both controllers and processors) and must be coherently understood and actively incentivised by the regulators. “Smart regulation” may enable European DPAs to discharge their GDPR roles more effectively and tackle the significant changes in their role, powers and national and pan-European operations. DPO is a cornerstone of organisational accountability and it is essential to clarify the functional and organisational aspects of the role of the DPO, to ensure effectiveness of the role.

15. 15 vPrivacy Insight Series - truste.com/insightseries Key Themes and Takeaways from CIPL GDPR Project Workshop I Report (2) The understanding of “risk” and “high risk” must be harmonized, and effective risk assessment methodologies that consider both the risks and the benefits of processing must be developed and agreed, without determining the definitive list of high risk processing. Codes of conduct, certifications, seals and BCR can be effective compliance and accountability tools; they must work at the “programmatic” level rather than at the product-level only and be incentivised by the relevant authorities. Implementing the right to data portability raises various problems, such as the interactions between data portability and other legal areas. Transparency to individuals is the other side to organisational accountability – the implementation of transparency requirements should minimise any tension between effective transparency and detailed legal notice requirements; industry queried whether icons are suitable and should be imposed top-down by the Commission The GDPR will raise specific challenges for start-ups and SMEs that need to be addressed, for example, by involving these organisations in the stakeholder engagement process and leveraging tool and processes of larger organisations.

16. 16 vPrivacy Insight Series - truste.com/insightseries v Beth Sipula Senior Privacy Consultant, TRUSTe GDPR: Your Path to Compliance

17. 17 vPrivacy Insight Series - truste.com/insightseries Your Path to GDPR Compliance TRUSTe has developed a four-step process designed to provide you with a path to achieving GDPR compliance. This multi-step program provides both guidance on what to do, along with options for how TRUSTe can help. Are you impacted? Where do you stand? What do I need to do to secure stakeholder commitment and resources for execution? How do I build a plan that’s prioritized based on risks? How do I efficiently implement all of the modules required in the GDPR program?

18. 18 vPrivacy Insight Series - truste.com/insightseries Step 1: Assess Readiness Are you impacted? • Do you “offer goods or services to EU residents”? • Do you “monitor the behavior of EU residents”? • Are you a “Data Processor” of EU resident personal data” (any information relating to an identified or identifiable natural person)? Where do you stand? • Use a controls checklist, build one yourself, or leverage the TRUSTe GDPR Readiness Assessment that guides you through core GDPR requirements: ✓ Transparency (i.e., Privacy Policy) ✓ Collection & Purpose Limitation ✓ Consent ✓ Data Quality ✓ Privacy Program Management ✓ Security in the Context of Privacy ✓ Data Breach Readiness & Response ✓ Individual Rights & Remedies

19. 19 vPrivacy Insight Series - truste.com/insightseries Step 2: Build Consensus What do I need to do to secure stakeholder commitment and resources for execution? Gather relevant info to present to others • Overview of the GDPR and its impact • Best practice frameworks / industry benchmarks • Scoreboard of where the company currently stands • Review of the company’s current gaps and risks • Summary of what it would take to close the gaps • Rough time and cost analysis of the work required Facilitate internal kickoff and on-going planning sessions with relevant stakeholders across the organization. Goals: • Formalize GDPR response team structure / roles / responsibilities • Agree on short, medium and long-term goals • Set measurable objectives with success criteria, key milestones • Secure commitment to, and budget for, the GDPR program

20. 20 vPrivacy Insight Series - truste.com/insightseries Step 3: Develop Plan How do I build a plan that’s prioritized based on risks? Data Collection Storage Processing Resources Involved Retention / Deletion • Map personal data flows across the business at each stage • Take into account broader definition of “personal data” (“any information concerning an identified or identifiable natural person”, e.g., geo, IP addresses) • Resources include all internal systems, 3rd party service providers, and cloud providers • For new products – review requirements, database schemas, third party integration agreements • For M&A situations - include data flow analysis for all new entities Conduct a data flow analysis to add to the initial gap analysis

21. 21 vPrivacy Insight Series - truste.com/insightseries Step 3: Develop Plan Build project timeline with commitment dates based on: • Privacy team’s goals – short, mid, long-term • Key milestones, e.g., 2018 GDPR enforcement start • Budget and people resources available • Remediation activities required from gap analysis • Prioritized areas for “high risk” and longer implementation times • Consider using the Privacy Shield to cover a large percentage quickly

22. 22 vPrivacy Insight Series - truste.com/insightseries Step 4: Implement Programs… Triage … conduct PIAs & remediate “high risk” areas • GDPR requires you to conduct PIAs for “high risk” activities and implement operational changes • Most common “high risk” areas tend to center around new products that change the way the business uses / collects / stores personal data • Put processes in place to conduct ongoing PIAs – templates, technology, training • Maintain record to demonstrate compliance Prioritize … implement components with “long timelines” • Search for qualified DPOs • New processes and tech capabilities to manage obligations around “Right to be Forgotten” and “Data Portability Rights” • Security – revise information security policies & deploy training • Data breach response plans – new 72 hour notification, “without undue delay” for breaches with potential for serious harm

23. 23 vPrivacy Insight Series - truste.com/insightseries • Conduct Final GDPR Assessment to ensure all gaps are closed • Leverage an assessment repository to house all past, present and future PIAs • Keep detailed records of any processing performed on personal data • Leverage template library for ongoing PIAs against the GDPR requirements along with any local or evolving requirements • Have a Findings Report ready that shows that all GDPR requirements have been met Step 4: Implement Programs continued … Demonstrate … build compliance audit trail and on-going PIA process

24. 24 vPrivacy Insight Series - truste.com/insightseries v How TRUSTe Can Help

25. 25 vPrivacy Insight Series - truste.com/insightseries GDPR Readiness Assessment • A comprehensive online tool to help assess readiness to meet GDPR requirements • Control questions mapped to GDPR requirements • Real-time gap analysis and recommendations • Remediation management • Centralized, on-demand reporting • Easy implementation (no software to install) Get visibility on where you stand with the IAPP GDPR Assessment Powered by TRUSTe

26. 26 vPrivacy Insight Series - truste.com/insightseries GDPR Priorities Assessment Gap Assessment and Findings Report provides a “heat map” and prioritized GDPR remediation plan followed by an onsite review with Key Stakeholders to build consensus • Summary of company’s current posture assessed against the GDPR and the desired position • “Heat map” identifying areas of high, mid, low risk • Level of effort assessment for all operational changes • Plan organized in immediate, mid-term and long-term priorities to get GDPR program completed • Onsite Review with Key Stakeholders to help build awareness, secure buy-in, and agreement on an initial program • The half day on-site interactive sessions led by a TRUSTe Privacy Consultant and custom- tailored to your organization

27. 27 vPrivacy Insight Series - truste.com/insightseries Implementation Programs Privacy Shield Assessment / Certification against Privacy Shield requirements Data Discovery & Classification Building data flow visualizations to understand associated privacy risks PIAs / Privacy Risk Assessments + PIA Program Development Assess specifically identified “high risk” activities against the GDPR requirements, remediate and develop a sustainable PIA program going forward. Consent Manager Technology implementation on your digital properties to meet explicit and implied consent requirements, whether in the context of Cookie Consent or Data Processing Ads Compliance Manager Technology implementation on your digital properties to meet consent and choice requirements for Interest Based Advertising (IBA) and Profiling TRUSTe has a suite of services that can help with all GDPR program implementation steps

28. 28 vPrivacy Insight Series - truste.com/insightseries Implementation Programs Assessment Manager & AM Managed Service TRUSTe has a suite of services that can help with all GDPR program implementation steps For companies that have robust in-house privacy assessment operations and want to further optimize, implement our SaaS-based Assessment Manager platform • Quickly streamline your privacy assessment process • Get a dashboard view of progress at the tactical level • Get an enterprise view of risk and mitigation at the Board-level

29. 29 vPrivacy Insight Series - truste.com/insightseries v Questions?

30. 30 vPrivacy Insight Series - truste.com/insightseries v Bojana Bellamy bbellamy@hunton.com Beth Sipula bsipula@truste.com Eleanor Treharne-Jones eleanor@truste.com Contacts

31. 31 vPrivacy Insight Series - truste.com/insightseries v Our 2016 Summer/Fall Webinar Series will be launched today. Look out for details and register for our next webinar on July 21 “Validating Vendor Assessments – Preparing for Privacy Shield” See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings. Thank You!

[GDPR Webinar Slides] Path to GDPR Compliance

TrustArc

[GDPR Webinar Slides] Path to GDPR Compliance