Global Data Privacy Law and Practice - Looking Around the Corners
Bojana Bellamy, President, Centre for Information Policy Leadership NIST, December 2014
2www.informationpolicycentre.com
Data Privacy - a rising legal and business challenge for organisations
Rising and conflicting regulation
Data location and regulated transfers - require strategic thinking and tactical support
Inherent security risks in data and technology
Privacy v. security tension
Digital business and datafication challenging compliance
Rising global enforcement
Delivering Privacy by Design internally and in ecosystem
Expectation of effective and evidenced corporate compliance
Harmonised rules
• Higher level of data protection
• Single law (not for employee data processing)
• One Stop Shop with Lead DPA, for business, but with local DPA redress for individuals
Wider scope
• Controller and processor
• Extraterritorial application to foreign controller
• Wider definition of personal data and sensitive data
Increased obligations
• DP Principles tightened
• Privacy Impact Assessment
• Privacy by Design
• Notify breaches to regulators and individuals
• More obligations on processor
• Accountability
• Mandatory DP Officer
Strengthened rights of individuals
• Right to be forgotten
• Data portability
• Object to profiling
Increased enforcement, fines, liability
• Regulatory fines up to 2% or 5%
• Individual action
• Class action
• Criminal sanctions
Proposed EU DP Regulation – rethinking global privacy strategy and compliance
Looking beyond the law and risk
Operational efficiencies
Business generator and enabler
Trust and brand enhancer
Competitive differentiator
Data privacy is more than just legal compliance; it is a business opportunity and business imperative
Finding the balance
Data is toxic - it carries risks, compliance costs and burdens
Data is the 21st century oil - fuelling growth and innovation and a major company asset
Requires senior leadership visibility, strategic approach and vision
Proactive data privacy management that embeds privacy into corporate DNA
Legal compliance and effective protection
Risk mitigation
Business and growth enabler
Organisations seeking enlightened self-interest
Global Data Privacy - Convergence or Divergence?
Nature of privacy protection and regulation
• horizontal v. sectoral
• harm based v. fundamental right
Growing commonalities in DP principles, yet the devil in the detail
Rising political stakes complicate existing legal complexity
Globalisation and technology will require harmonised approaches - Big Data, Internet of Things
Creating bridges - converging trends in global privacy law, policy and practice
Accountability – Corporate Privacy Programs
Privacy Risk Management
Privacy by Design
Evolving interpretation of DP principles
The global rise of accountability
Thought leadership
Rise of accountability models in corporate practices
Regulators’ requirements post enforcement
New laws incorporating accountability obligation and regulators issuing guidance
Expectation of comprehensive, effective and evidenced privacy compliance programs with C-suite oversight and corporate DP Officers
Requires continuous and serious commitment and resources
Substantive rules, Implementation infrastructure, Verification, Demonstration
Many faces of Accountability
Corporate Privacy Programs
Binding Corporate Rules (BCR)
APEC Cross Border Privacy Rules (CBPR)
Safe Harbour
Codes of Conduct
Certifications & Seals
ISO Standards
Organisational Accountability and Privacy Management Program
Accountability and Effective Compliance
Leadership & Oversight
Risk Assessment
Policies & Procedures
Privacy by Design
Training & Communication
Verification and Audits
Response and Enforcement
Why is privacy risk management “In”?
It has always been “in”, but with a different focus – Risk to organisations v. Risk to individuals (tangible and non-tangible harms / negative impact from data processing)
Modern information age requires an evolved interpretation and implementation of privacy principles and innovative models of co-regulation and compliance
The need to translate abstract goals of privacy and fundamental right into more understandable, concrete and implementable steps for non-experts
Risk-based approach does not replace existing law, privacy principles, accountability and regulatory supervision, but calibrates compliance – based on context, severity, likelihood
Risk assessment is an increasing legal requirement and an element of organisational accountability
The need to prioritize and ensure effectiveness
Benefits of a risk-based approach to privacy
Effectiveness
Organisations: Prioritisation; predictability; ROI in compliance; protection of reputation and shareholder value
DP regulators: Prioritisation in oversight, enforcement, sanction
Law and policy makers: Smart regulation = calibrated and context driven; outcome based; technology neutral
Individuals: Real protection
Society: Enables economic growth, societal benefits and protection of fundamental right
Prospects to improve global interoperability by creating common expectations, common best practices and common outcomes
Risk assessment calibrates privacy program and compliance
Risk Assessment
At privacy program level
Determines the program and its elements
Periodic program assessment v. internal and external risks
Adjusting elements of the program
At privacy program element and requirement level
PIA and PbD for new product, service, technology
Legitimate Interest Processing
Security
Data Breach
Privacy Impact Assessment
Privacy by Design
Identify and address risks to individuals
Implement privacy & security requirements in development and design to mitigate risks
Requires organisations to: Embed early, expert and multifunctional review in project lifecycle.
Think about risk in a novel way
Risk management is linked to Privacy by Design
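Version 1.0 DRAFT - Risk Matrix, 06/2014
Threat headings: Unjustifiable Collection; Inappropriate Use/Sharing; Security Breach; Aggregate
Components listed under the threat headings: Inaccuracies; Lost Data; Not Expected by individual; Stolen Data; Viewed as Unreasonable; Access Violation; Viewed as Unjustified

| Category | Risks | Unjustifiable Collection: Likely | Unjustifiable Collection: Serious | Unjustifiable Collection: Score | Inappropriate Use/Sharing: Likely | Inappropriate Use/Sharing: Serious | Inappropriate Use/Sharing: Score | Security Breach: Likely | Security Breach: Serious | Security Breach: Score | Aggregate Risk Rank |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Tangible Harm | Bodily Harm | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Tangible Harm | Loss of liberty or freedom | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Tangible Harm | Financial loss | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Tangible Harm | Other tangible loss | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Intangible Distress | Excessive surveillance | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Intangible Distress | Suppress free speech | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Intangible Distress | Suppress associations | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Intangible Distress | Embarrassment/anxiety | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Intangible Distress | Discrimination | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Intangible Distress | Excessive state power | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |
| Intangible Distress | Loss of social trust | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 | 0 |

Legend:
Rank 'Likely' from 10 (high) to 1 (low) based on the highest score for any component
Rank 'Serious' from 10 (high) to 1 (low) based on the highest score for any component
Aggregate Risk Rank: Highest score is 300; Lowest score is 0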
A possible risk matrix?
Scope of regulated personal data
Consent and legitimate interest for processing
Notice
Fair processing
Purpose specification and compatibility
Data minimisation and deletion
Data quality
Profiling and automated decision taking
Data security
Rights of Individuals
Evolving DP principles in the world of Big Data and Internet of Things
Preserving qualified anonymisation
• Robust de-identification technology
• Intent, commitment and internal measures not to re-identify data
• Contractual obligations with third parties not to re-identify
Move from consent to legitimate interests, subject to safeguards
• More use of legitimate interests, balanced with interests of individuals, coupled with ability to demonstrate and defend
Move from legalistic notices to new transparency - dashboards, icons, layered notices
• Managing individuals’ expectations and concerns, with focus on unexpected uses of data
Stretching purpose limitation
• New purposes must not be “incompatible”, incorporates risk consideration and reasonable expectations of individuals
Keeping focus on individuals, with organisational accountability and responsibility