TRANSCRIPT

Page 1

Global Data Privacy Law and Practice - Looking Around the Corners

Bojana Bellamy, President, Centre for Information Policy Leadership
NIST, December 2014

Page 2

www.informationpolicycentre.com

Data Privacy - a rising legal and business challenge for organisations

Rising and conflicting regulation
Data location and regulated transfers - require strategic thinking and tactical support
Inherent security risks in data and technology
Privacy v. security tension
Digital business and datafication challenging compliance
Rising global enforcement
Delivering Privacy by Design internally and in ecosystem
Expectation of effective and evidenced corporate compliance

Page 3

Proposed EU DP Regulation – rethinking global privacy strategy and compliance

Harmonised rules
• Higher level of data protection
• Single law (not for employee data processing)
• One Stop Shop with Lead DPA, for business, but with local DPA redress for individuals

Wider scope
• Controller and processor
• Extraterritorial application to foreign controller
• Wider definition of personal data and sensitive data

Increased obligations
• DP Principles tightened
• Privacy Impact Assessment
• Privacy by Design
• Notify breaches to regulators and individuals
• More obligations on processor
• Accountability
• Mandatory DP Officer

Strengthened rights of individuals
• Right to be forgotten
• Data portability
• Object to profiling

Increased enforcement, fines, liability
• Regulatory fines up to 2% or 5%
• Individual action
• Class action
• Criminal sanctions

Page 4

Looking beyond the law and risk

Operational efficiencies
Business generator and enabler
Trust and brand enhancer
Competitive differentiator

Data privacy is more than just legal compliance; it is a business opportunity and business imperative

Page 5

Finding the balance

Data is toxic - it carries risks, compliance costs and burdens

Data is the 21st century oil - fuelling growth and innovation and a major company asset

Requires senior leadership visibility, strategic approach and vision

Page 6

Proactive data privacy management that embeds privacy into corporate DNA

Legal compliance and effective protection
Risk mitigation
Business and growth enabler

Organisations seeking enlightened self-interest

Page 7

Global Data Privacy - Convergence or Divergence?

Nature of privacy protection and regulation
• horizontal v. sectoral
• harm based v. fundamental right

Growing commonalities in DP principles, yet the devil is in the detail

Rising political stakes complicate existing legal complexity

Globalisation and technology will require harmonised approaches - Big Data, Internet of Things

Page 8

Creating bridges - converging trends in global privacy law, policy and practice

Accountability – Corporate Privacy Programs
Privacy Risk Management
Privacy by Design
Evolving interpretation of DP principles

Page 9

The global rise of accountability

Thought leadership
Rise of accountability models in corporate practices
Regulators' requirements post enforcement
New laws incorporating accountability obligation and regulators issuing guidance
Expectation of comprehensive, effective and evidenced privacy compliance programs with C-suite oversight and corporate DP Officers

Requires continuous and serious commitment and resources

Page 10

Many faces of Accountability

Substantive rules, Implementation infrastructure, Verification, Demonstration

Corporate Privacy Programs
Binding Corporate Rules (BCR)
APEC Cross Border Privacy Rules (CBPR)
Safe Harbour
Codes of Conduct
Certifications & Seals
ISO Standards

Page 11

Organisational Accountability and Privacy Management Program

Accountability and Effective Compliance

Leadership & Oversight
Risk Assessment
Policies & Procedures
Privacy by Design
Training & Communication
Verification and Audits
Response and Enforcement

Page 12

Why is privacy risk management "in"?

It has always been "in", but with a different focus – risk to organisations v. risk to individuals (tangible and non-tangible harms / negative impact from data processing)

The modern information age requires an evolved interpretation and implementation of privacy principles and innovative models of co-regulation and compliance

The need to translate abstract goals of privacy and fundamental right into more understandable, concrete and implementable steps for non-experts

A risk-based approach does not replace existing law, privacy principles, accountability and regulatory supervision, but calibrates compliance – based on context, severity, likelihood

Risk assessment is an increasing legal requirement and an element of organisational accountability

The need to prioritize and ensure effectiveness

Page 13

Benefits of a risk-based approach to privacy

Effectiveness

Organisations:           Prioritisation; predictability; ROI in compliance; protection of reputation and shareholder value
DP regulators:           Prioritisation in oversight, enforcement, sanction
Law and policy makers:   Smart regulation = calibrated and context driven; outcome based; technology neutral
Individuals:             Real protection
Society:                 Enables economic growth, societal benefits and protection of fundamental right

Prospects to improve global interoperability by creating common expectations, common best practices and common outcomes

Page 14

Risk assessment calibrates privacy program and compliance

Risk Assessment

At privacy program level
• Determines the program and its elements
• Periodic program assessment v. internal and external risks
• Adjusting elements of the program

At privacy program element and requirement level
• PIA and PbD for new product, service, technology
• Legitimate Interest Processing
• Security
• Data Breach

Page 15

Risk management is linked to Privacy by Design

Privacy Impact Assessment: Identify and address risks to individuals
Privacy by Design: Implement privacy & security requirements in development and design to mitigate risks

Requires organisations to:
• Embed early, expert and multifunctional review in project lifecycle
• Think about risk in a novel way

Page 16

A possible risk matrix?

DRAFT - Risk Matrix, Version 1.0, 06/2014

Scenario columns: Unjustifiable Collection | Inappropriate Use/Sharing | Security Breach | Aggregate
Scenario descriptors shown on the slide: Inaccuracies; Not Expected by individual; Viewed as Unreasonable; Viewed as Unjustified; Lost Data; Stolen Data; Access Violation

Each scenario column carries three cells per risk (Likely, Serious, Score); the Aggregate column carries the Risk Rank. The slide shows the blank template, so every cell is 0.

Risks                        | Unjustifiable Collection | Inappropriate Use/Sharing | Security Breach      | Aggregate
                             | Likely Serious Score     | Likely Serious Score      | Likely Serious Score | Risk Rank
Tangible Harm                |                          |                           |                      |
  Bodily Harm                | 0 0 0                    | 0 0 0                     | 0 0 0                | 0
  Loss of liberty or freedom | 0 0 0                    | 0 0 0                     | 0 0 0                | 0
  Financial loss             | 0 0 0                    | 0 0 0                     | 0 0 0                | 0
  Other tangible loss        | 0 0 0                    | 0 0 0                     | 0 0 0                | 0
Intangible Distress          |                          |                           |                      |
  Excessive surveillance     | 0 0 0                    | 0 0 0                     | 0 0 0                | 0
  Suppress free speech       | 0 0 0                    | 0 0 0                     | 0 0 0                | 0
  Suppress associations      | 0 0 0                    | 0 0 0                     | 0 0 0                | 0
  Embarrassment/anxiety      | 0 0 0                    | 0 0 0                     | 0 0 0                | 0
  Discrimination             | 0 0 0                    | 0 0 0                     | 0 0 0                | 0
  Excessive state power      | 0 0 0                    | 0 0 0                     | 0 0 0                | 0
  Loss of social trust       | 0 0 0                    | 0 0 0                     | 0 0 0                | 0

Legend:
Rank 'Likely' from 10 (high) to 1 (low) based on the highest score for any component
Rank 'Serious' from 10 (high) to 1 (low) based on the highest score for any component

Aggregate Risk Rank: highest score is 300, lowest score is 0
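As an added worked example (not part of the presentation), the draft matrix above can be scored in code so that a privacy team gets a ranked priority list out of it. The slide does not state how Score or the Aggregate are computed; the example assumes Score = Likely x Serious per scenario column and Aggregate = sum of the three column scores, which is consistent with the legend's ceiling of 300 (3 x 10 x 10) but is an assumption, and the sample assessment values are constructed.

```python
# Scenario columns exactly as named on the draft matrix
SCENARIOS = ("Unjustifiable Collection", "Inappropriate Use/Sharing", "Security Breach")

# Harm rows exactly as named on the draft matrix, grouped as on the slide
HARMS = {
    "Tangible Harm": ("Bodily Harm", "Loss of liberty or freedom",
                      "Financial loss", "Other tangible loss"),
    "Intangible Distress": ("Excessive surveillance", "Suppress free speech",
                            "Suppress associations", "Embarrassment/anxiety",
                            "Discrimination", "Excessive state power", "Loss of social trust"),
}

def _check_rank(value, name):
    # Legend: Likely and Serious are ranked 10 (high) to 1 (low); 0 = not assessed, as in the blank template
    if not isinstance(value, int) or not 0 <= value <= 10:
        raise ValueError(f"{name} must be an integer in 0..10, got {value!r}")
    return value

def cell_score(likely, serious):
    # Assumption (not stated on the slide): Score = Likely x Serious, so one column maxes out at 100
    return _check_rank(likely, "Likely") * _check_rank(serious, "Serious")

def aggregate_rank(cells):
    """cells maps scenario -> (likely, serious); returns the Aggregate Risk Rank, 0..300.
    Assumption: aggregate = sum of the three column scores, matching the legend's 300 ceiling."""
    total = 0
    for scenario in SCENARIOS:
        likely, serious = cells.get(scenario, (0, 0))  # unassessed scenario stays 0 like the template
        total += cell_score(likely, serious)
    return total

def score_matrix(assessment):
    """assessment maps harm -> {scenario: (likely, serious)}; harms not listed stay 0.
    Returns (harm, aggregate) pairs, highest risk first, so the matrix doubles as a priority list."""
    rows = []
    for harms in HARMS.values():
        for harm in harms:
            rows.append((harm, aggregate_rank(assessment.get(harm, {}))))
    return sorted(rows, key=lambda row: row[1], reverse=True)

# Constructed sample for a hypothetical analytics project; these are not values from the slide
SAMPLE = {
    "Financial loss": {"Security Breach": (4, 8)},
    "Discrimination": {"Inappropriate Use/Sharing": (6, 7), "Unjustifiable Collection": (3, 5)},
    "Excessive surveillance": {"Unjustifiable Collection": (7, 6)},
}

if __name__ == "__main__":
    for harm, aggregate in score_matrix(SAMPLE):
        print(f"{harm:28s} {aggregate:3d}")
```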

Page 17

Evolving DP principles in the world of Big Data and Internet of Things

Scope of regulated personal data
Consent and legitimate interest for processing
Notice
Fair processing
Purpose specification and compatibility
Data minimisation and deletion
Data quality
Profiling and automated decision taking
Data security
Rights of Individuals

Page 18

Preserving qualified anonymisation
• Robust de-identification technology
• Intent, commitment and internal measures not to re-identify data
• Contractual obligations with third parties not to re-identify

Move from consent to legitimate interests, subject to safeguards
• More use of legitimate interests, balanced with interests of individuals, coupled with ability to demonstrate and defend

Move from legalistic notices to new transparency - dashboards, icons, layered notices
• Managing individuals' expectations and concerns, with focus on unexpected uses of data

Stretching purpose limitation
• New purposes must not be "incompatible"; incorporates risk consideration and reasonable expectations of individuals

Keeping focus on individuals, with organisational accountability and responsibility