Kickstarting Your GDPR Readiness: Part 1

Upload: janrain

Post on 12-Apr-2017

Category: Law

Page 1: Kickstart Your GDPR Readiness, February 28, 2017

Page 2: Speakers

Eleanor Treharne-Jones, VP Consulting, TRUSTe

Lewis Barr, General Counsel and VP Privacy, Janrain

Page 3: Getting to know the GDPR

“It is what you read when you don’t have to that determines what you will be when you can’t help it.” — Oscar Wilde

Page 4: GDPR: A Sea Change in Personal Data Protection

• Uniform law to replace EU Directive (94/46/EC) on May 25, 2018.
• Significantly expands:
  • Reach of EU privacy law,
  • Data subject rights,
  • Data controller and processor obligations, and
  • Liability exposure for data processor as well as controller.
• Data controllers and processors must be able to demonstrate compliance.
• Establishes best practices globally.

Page 5: Territorial Scope: EU Law with Global Reach

• Applies to each company controlling or processing personal data of EU residents, no matter where the company is located.
• Scope includes:
  • Companies processing personal data when offering EU residents goods or services.
  • Companies monitoring the behaviour of EU residents on websites hosted in EU.

Page 6: Subject Matter (SM) Scope: Personal Data

“‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person.” Art. 4(1).

Page 7: SM Scope: Pseudonymous in and Anonymous out

Pseudonymous Data
• Personal data from which individuals cannot be identified without a separate secure key that permits re-identification.
• Pseudonymization is a recommended safeguard. (See Article 4(5) for “pseudonymization” definition.)

Anonymous Data
• “personal data rendered anonymous in such a fashion that the data subject is not or no longer identifiable.” Recital 26.
• GDPR does not apply to anonymous data!
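Slide 7 distinguishes pseudonymous data (re-identifiable only with a separate secure key) from anonymous data. As an added example, not part of the deck or of TRUSTe’s or Janrain’s materials, the following Python script pseudonymizes a few constructed customer records with a keyed hash (HMAC-SHA256), keeps the re-identification table apart from the analytics rows, and shows why an unkeyed hash of an e-mail address is not an equivalent safeguard. The record fields, the key handling and the function names are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; not taken from the slide deck.
RECORDS = [
    {"email": "alice@example.com", "country": "DE", "purchase_eur": 120},
    {"email": "bob@example.com", "country": "FR", "purchase_eur": 45},
    {"email": "alice@example.com", "country": "DE", "purchase_eur": 30},
]

# Fields that directly identify a person and must not reach the analytics set.
DIRECT_IDENTIFIERS = {"email"}

# The "separate secure key" of Article 4(5). In practice it lives in a KMS or
# HSM and is held by a team that never sees the analytics output; here it is
# generated in-process purely so the example runs stand-alone.
DEMO_KEY = secrets.token_bytes(32)


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed, deterministic token: the same person always maps to the same
    token, but only a holder of the key can recompute it from the identifier."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def unkeyed_hash(identifier: str) -> str:
    """Plain SHA-256 of the identifier, shown only to contrast with HMAC."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymize_records(records, key):
    """Split each record into an analytics row (token plus non-identifying
    fields) and an entry in a re-identification table (token -> identifier)
    that is stored and access-controlled separately from the analytics rows.
    Deterministic tokens keep one person's records linkable for analysis."""
    analytics = []
    reid_table = {}
    for rec in records:
        token = pseudonym(rec["email"], key)
        reid_table[token] = rec["email"]
        row = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        row["subject_token"] = token
        analytics.append(row)
    return analytics, reid_table


def reidentify(token, reid_table):
    """Re-identification is possible only with the separately held table
    (or the key). Unknown tokens yield None."""
    return reid_table.get(token)


def linkable_without_key(token: str, guessed_identifier: str) -> bool:
    """Check whether a token can be tied to a guessed identifier with no
    secret at all. True means the token was made with an unkeyed hash, so
    anyone holding the analytics rows could confirm a guess: that is not the
    'separate secure key' model the slide describes."""
    return unkeyed_hash(guessed_identifier) == token


def demo():
    """Run the full flow on the constructed records and return the pieces
    a reviewer would want to inspect."""
    analytics, reid_table = pseudonymize_records(RECORDS, DEMO_KEY)
    return analytics, reid_table


if __name__ == "__main__":
    rows, table = demo()
    for row in rows:
        print(row)
    print("re-identified:", reidentify(rows[1]["subject_token"], table))
```

The analytics rows still count as personal data under the GDPR because the controller can re-identify them with the key and table; that is exactly the slide’s “pseudonymous in” point, and the value of the split is that a breach of the analytics store alone does not expose identities. Only data from which no party can re-identify the subject would fall under Recital 26’s “anonymous out”.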

Page 8: Key Definitions: Controller, Processor, and Processing

Controller means the party that determines the purpose (the why) and the means by which (the how) personal data are processed, and the Processor acts on the Controller’s behalf.

Processing means any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.

Page 9: Enhanced Data Subject Rights: 1

• Right of Access
  • Right to confirmation from controller whether data subject’s personal data is being processed.
  • Right to copy of the personal data being processed in commonly used electronic form.
  • Right to detailed information regarding the processing, including safeguards involved in any transfer to a country outside the EU.
• Data Portability
  • Right to obtain personal data in industry portable format for personal use or to transfer to new service provider.

Page 10: Enhanced Data Subject Rights: 2

• Right to withdraw consent
  • Must be as easy to withdraw consent as to give it. (Right to use same mechanism by which consent was given.)
  • Prohibits further processing after withdrawal.
• Right to rectification
  • Right to correction and to stop processing until correction.
• Right of erasure
  • Right to personal data deletion when controller no longer has a reason to process data.
• Right to be forgotten
  • Right to have links to certain public data removed and controller’s obligations to inform others.
• Right to object to certain automated decision making

Page 11: Key Principles and Controller Obligations: 1

• Lawful grounds for Processing
  • Need “freely given, specific, informed and unambiguous” consent to purpose (can be gained with informed checking of box or click), and
  • Legitimate interests - set out in privacy statement/notice:
    • Processing for direct marketing or to prevent fraud.
    • Processing to ensure network security.
• “Appropriate technical and organizational measures”:
  • “to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects,” Art. 21(1), and
  • “for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.” Art. 21(2).

Page 12: Key Principles and Controller Obligations: 2

• Consent and purpose limitation
  • Separate consent required for different processing purpose.
  • Further processing permitted as compatible with original purpose under certain circumstances/protections, e.g., anonymization of data to compile segments for client use.
• Transparency
  • Clear, concise, and timely notice, including retention periods.
  • Ability to answer what, where and why questions.
• Data minimization, accuracy, and storage limitation
  • Take only data needed for time needed to meet permitted purpose.
• Data protection by design and default
  • At both the product formation and implementation stages.

Page 13: Key Principles and Controller Obligations: 3

• Personal Data Breach Notification
  • Required for “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
  • Processor must notify Controller.
  • Controller to notify supervisory authority generally within 72 hours after having become aware of it, if there is risk to data subjects.
  • Notice not required if “the personal data breach is unlikely to result in a risk to affected data subjects” (such as if data is encrypted). Article 33(1).
  • Controller to notify affected data subjects “without undue delay” if controller determines the breach “is likely to result in a high risk to the rights and freedoms of individuals.” Article 34.

Page 14: Significant Processor Obligations

• Assist the controller in meeting its obligations to honor data subject rights.
• “Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk…” Art. 28, 32.
• Processor must make available “to the controller all information necessary to demonstrate compliance with the obligations laid down in [Art. 28] and allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller.” Art. 28.
• Impose same data protection obligations (of processor to controller) on any subcontractor used to process data.

Page 15: Preparing for the GDPR

Page 16: Your Path to GDPR Compliance

TRUSTe has an established four-step process designed to provide you with a path to achieving GDPR compliance.

• Are you impacted? Where do you stand?
• What do I need to do to secure stakeholder commitment and resources for execution?
• How do I build a plan that’s prioritized based on risks?
• How do I efficiently implement all of the modules required in the GDPR program?

Page 17: Step 1: Assess Readiness

Are you impacted?
• Do you “offer goods or services to EU residents”?
• Do you “monitor the behavior of EU residents”?
• Are you a “Data Processor” of EU resident personal data (any information relating to an identified or identifiable natural person)?

Where do you stand?
• Use a controls checklist, build one yourself, or leverage the TRUSTe GDPR Readiness Assessment that guides you through core GDPR requirements:
  ✓ Transparency (i.e., Privacy Policy)
  ✓ Collection & Purpose Limitation
  ✓ Consent
  ✓ Data Quality
  ✓ Privacy Program Management
  ✓ Security in the Context of Privacy
  ✓ Data Breach Readiness & Response
  ✓ Individual Rights & Remedies

Learn More: Blog Post 1

Page 18: Step 2: Build Consensus

What’s needed to secure stakeholder commitment & resources for execution?

Gather relevant info to present to others:
• Overview of the GDPR and its impact
• Best practice frameworks / industry benchmarks
• Scoreboard of where the company currently stands
• Review of the company’s current gaps and risks
• Summary of what it would take to close the gaps
• Rough time and cost analysis of the work required

Facilitate internal kickoff and on-going planning sessions with relevant stakeholders across the organization. Goals:
• Formalize GDPR response team structure / roles / responsibilities
• Agree on short, medium and long-term goals
• Set measurable objectives with success criteria, key milestones
• Secure commitment to, and budget for, the GDPR program

Page 19: Step 3: Develop Plan

Build project timeline with commitment dates based on:
• Privacy team’s goals – short, mid, long-term
• Key milestones, e.g., 2018 GDPR enforcement start
• Budget and people resources available
• Remediation activities required from gap analysis
• Prioritized areas for “high risk” and longer implementation times
• Consider using the Privacy Shield to cover a large percentage quickly

Page 20: Step 4: Implement Programs

Triage … conduct PIAs & remediate “high risk” areas
• GDPR requires you to conduct PIAs for “high risk” activities and implement operational changes
• Most common “high risk” areas tend to center around new products that change the way the business uses / collects / stores personal data
• Put processes in place to conduct ongoing PIAs – templates, technology, training

Prioritize … implement components with “long timelines”
• Search for qualified DPOs
• Develop comprehensive data inventory and mapping to comply with Article 30
• Data breach response plans – new 72 hour notification, “without undue delay” for breaches with potential for serious harm
• Identify way to keep a record and demonstrate compliance moving forward


Page 23: Thank you!

Lewis Barr, General Counsel and VP Privacy, [email protected]

Eleanor Treharne-Jones, VP Consulting, [email protected]