Page 1
The Evergreen Privacy Program: How to Move Beyond the CCPA and GDPR Compliance Dates and Structure More Everlasting Programs
Page 2
Speakers
• Teresa Troester-Falk, Chief Global Privacy Strategist, Facilitator & Speaker, Nymity
• Rachel Glasser, Chief Privacy Officer, Wunderman
• Brittanie Hall, Senior Associate, Hogan Lovells, Privacy and Cybersecurity
Page 3
Takeaways
• Identify the privacy initiatives that will lay the groundwork for ongoing compliance
• Leverage existing privacy law initiatives and project workstreams into sustainable business processes by finding a home for those workstreams in a privacy management accountability framework
• Learn how to effectively report on key compliance requirements so that you can communicate with key stakeholders and are “regulator-ready”
Page 4
Agenda
• The state of the States
• What is an “evergreen” privacy program
• Panel Discussion
• Case Study – turning a privacy compliance initiative into a sustainable business process
• Questions
Page 5
CCPA OVERVIEW
Page 6
CALIFORNIA CONSUMER PRIVACY ACT (CCPA)
• Applies in the State of California and to organizations doing business there
• Legislation focuses on data subject rights
• Rights only extended to California residents
• Will apply as of 1 January 2020
Main Individual Rights
1. RIGHT TO KNOW
2. RIGHT OF DELETION
3. RIGHT TO OPT-OUT FROM SALE
4. RIGHT TO NO DISCRIMINATION
5. PRIVATE RIGHT OF ACTION (breaches)
Rights mainly apply to data collected in the 12 months preceding the request and can be exercised free of charge.
Page 7
Thinking Ahead – California is Not the Only Law
Page 8
The US Consumer Privacy Laws and Bills: Parallels
“DO NOT SELL” PERSONAL INFORMATION
• Individual can request information about data sales
• Individual has the right to opt out of data sales
• Organization has the obligation to display an opt-out link or button
GDPR AND CCPA-LIKE RIGHTS & OBLIGATIONS
• Individual has the right of access to his/her data
• Individual can request correction or deletion of data
STRONG ENFORCEMENT
• Attorneys General in charge of enforcement
• Possibility to impose penalties or hold organizations liable
EQUAL TREATMENT
• Prohibition to discriminate against consumers exercising their rights
Page 9
ACCOUNTABILITY VS. COMPLIANCE
Page 10
Development of Accountability as a Privacy and Data Protection Principle
• 1980: Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
• 2000: PIPEDA Schedule 1, 4.1 Principle 1: Accountability
• 2005: APEC Privacy Framework
• 2009: The Madrid Resolution – International Standards on the Protection of Personal Data and Privacy
• 2010: Article 29 Data Protection Working Party Opinion 3/2010 on the Principle of Accountability
• 2011: U.S. Federal Trade Commission Enforcement Actions
• 2012: Canada: Getting Accountability Right With a Privacy Management Program
• 2013: OECD Revised Guidelines
• 2014: Hong Kong: Privacy Management Program Best Practice Guide
• 2015: Colombia: Guide for the Implementation of Accountability in Organizations; Australia: Privacy Management Framework
• 2018: EU: General Data Protection Regulation; Philippines: Privacy Accountability and Compliance Framework; Singapore PDPC
Page 11
Operationalizing Accountability
A proven method for putting in place appropriate technical and organisational measures and demonstrating compliance.
Accountability is embedding ongoing technical and organisational measures throughout the organisation, resulting in the ability to demonstrate accountability and compliance with evidence.
RESPONSIBILITY: Appropriate technical and organisational measures have been identified and are implemented and maintained on an ongoing basis.
OWNERSHIP: An individual (or function or business unit) is answerable for the management and monitoring of technical and organisational measures.
EVIDENCE: Documentation is produced as a result of implementing technical or organisational measures and can be used as evidence of accountability and compliance (board reporting, regulators).
Page 12
Traditional Compliance Assessment Approach
Many Regulatory Requirements → Many Privacy Programs & Activities
• EU GDPR: ✓ Rule 1 ✓ Rule 2 ✓ Rule 3 ✓ Rule 4 ✓ Rule 5
• Brazil LGPD: ✓ Rule 1 ✓ Rule 2 ✓ Rule 3 ✓ Rule 4 ✓ Rule 5
• California CCPA: ✓ Rule 1 ✓ Rule 2 ✓ Rule 3 ✓ Rule 4 ✓ Rule 5
• Hong Kong Ordinance: ✓ Rule 1 ✓ Rule 2 ✓ Rule 3 ✓ Rule 4 ✓ Rule 5
• Mexico Data Protection Act: ✓ Rule 1 ✓ Rule 2 ✓ Rule 3 ✓ Rule 4 ✓ Rule 5
Privacy programs and activities each law is assessed against: PHI Policies & Procedures; Audit and Monitoring; Training and Awareness; Company Policies and Procedures; Complaints and Investigations; Records Management; Information Security; Vendor Management; Human Resources; Legal
Page 13
Traditional Compliance Assessment Approach (continued)
Many Regulatory Requirements → Many Privacy Programs & Activities
• Brazil LGPD, GDPR, Mexico Privacy Law, HK PDPO, California CCPA: each with its own ✓ Rule 1, ✓ Rule 2, ...
• Rationalized Rule Set: ✓ Rule A ✓ Rule B ✓ Rule C ✓ Rule D ✓ Rule E
Per-law assessment, as on the previous slide:
• EU GDPR: ✓ Rule 1 ✓ Rule 2 ✓ Rule 3 ✓ Rule 4 ✓ Rule 5
• Brazil LGPD: ✓ Rule 1 ✓ Rule 2 ✓ Rule 3 ✓ Rule 4 ✓ Rule 5
• California CCPA: ✓ Rule 1 ✓ Rule 2 ✓ Rule 3 ✓ Rule 4 ✓ Rule 5
• Hong Kong Ordinance: ✓ Rule 1 ✓ Rule 2 ✓ Rule 3 ✓ Rule 4 ✓ Rule 5
• Mexico Data Protection Act: ✓ Rule 1 ✓ Rule 2 ✓ Rule 3 ✓ Rule 4 ✓ Rule 5
Page 14
Accountability Based Approach
Leverage existing activities to comply with many laws, and evidence of accountability to demonstrate compliance.
MANY REGULATORY REQUIREMENTS → ONE ACCOUNTABLE PRIVACY PROGRAM
Responsibility · Ownership · Evidence
Evidence of accountability is mapped to requirements, allowing the organization to demonstrate compliance with laws and regulations on demand, supported by evidence.
Page 15
Responsible Measures (policies, procedures, processes)                                    GDPR  CCPA  Nevada
Maintain procedures to respond to requests for access to personal data                      ✓     ✓
Maintain procedures to respond to requests to opt out of, restrict or object to processing  ✓     ✓     ✓
Maintain procedures to respond to requests for data portability                             ✓     ✓
Maintain procedures to respond to requests to be forgotten or for erasure of data           ✓     ✓
Provide data privacy notice at all points where personal data is collected                  ✓     ✓     ✓
Maintain technical security measures                                                        ✓
Maintain a data privacy incident/response plan                                              ✓
Page 16
Privacy Frameworks
• NIST Privacy Framework
• Nymity Privacy Management Accountability Framework
• ISO/IEC 27701:2019, extension to ISO/IEC 27001 for privacy information management
Page 17
PANEL DISCUSSION
Page 18
THE EVERGREEN PRIVACY PROGRAM
Page 19
Page 20
The evergreen privacy program
START WITH BEST PRACTICES
• Transparency
• Data quality
• Collection limitation
• Use limitation
• Accountability
• Individual participation
Page 21
The evergreen privacy program
BUILD INTO EVERYDAY PROCESSES
• Know what data you have
• Know where that data is
• What tools/platforms do you use?
• Who do you share data with, what do you share and why?
Page 22
The Evergreen Privacy Program
Page 23
CASE STUDY – FROM PROJECT TO PROGRAM
Page 24
How will we demonstrate compliance?
Fields recorded for every request:
• Request No.
• Date of Request
• How the Request was Made
• Identity of applicant verified
• Status
• Employee Assigned
• Nature of the Request
• Search for Records (where, when and by whom)
• Request was granted (how, date)
• Request was denied (reasons, legal provision, date)
• Data Subject Communication Sent
• Statement outlining disagreement or complaint
• Final Outcome
Electronic file for every request with the evidence. Upon request, write a formal report.
Demonstrating Compliance – Regulator and Audit Ready
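An added illustration of the evidence record above, not from the deck or any speaker's materials: a small Python log that keeps the listed fields for every request, refuses to grant a request whose applicant has not been identity-verified, checks the 12-month lookback from the CCPA overview, and produces the on-demand report. The class and field names, the workflow rules and the 365-day window are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
# Rights reach back 12 months before the request (CCPA overview slide); assumed here as 365 days.
LOOKBACK = timedelta(days=365)

@dataclass
class DSARRecord:  # one evidence record per request, holding the fields the slide lists (assumed names)
    request_no: str
    date_of_request: str           # ISO date, e.g. "2020-03-01"
    how_made: str                  # web form, e-mail, toll-free number ...
    nature: str                    # know / delete / opt-out
    employee_assigned: str
    identity_verified: bool = False
    status: str = "open"           # open -> granted | denied
    searches: list = field(default_factory=list)        # (where, when, by whom)
    granted: Optional[str] = None                       # how and date
    denied: Optional[str] = None                        # reasons, legal provision, date
    communications: list = field(default_factory=list)  # data subject communications sent
    complaint: Optional[str] = None                     # statement of disagreement
    final_outcome: Optional[str] = None

class DSARLog:
    def __init__(self) -> None:
        self.records: dict[str, DSARRecord] = {}
    def open_request(self, rec: DSARRecord) -> None:
        if rec.request_no in self.records:
            raise ValueError(f"duplicate request number {rec.request_no}")
        self.records[rec.request_no] = rec
    def in_scope(self, request_no: str, collected_on: str) -> bool:
        """True if data collected on this ISO date falls in the request's 12-month window."""
        req = date.fromisoformat(self.records[request_no].date_of_request)
        return req - LOOKBACK <= date.fromisoformat(collected_on) <= req
    def grant(self, request_no: str, how: str, on: str) -> None:
        rec = self.records[request_no]
        if not rec.identity_verified:  # never act on a request until the applicant is verified
            raise PermissionError("identity not verified")
        rec.granted, rec.status, rec.final_outcome = f"{how} on {on}", "granted", "granted"
    def deny(self, request_no: str, reason: str, provision: str, on: str) -> None:
        rec = self.records[request_no]
        rec.denied, rec.status, rec.final_outcome = f"{reason} ({provision}) on {on}", "denied", "denied"
    def report(self) -> dict:
        """Regulator-ready summary: counts by status, plus closed requests with no communication on file."""
        by_status = dict(Counter(r.status for r in self.records.values()))
        missing = sorted(n for n, r in self.records.items() if r.status != "open" and not r.communications)
        return {"total": len(self.records), "by_status": by_status, "closed_without_communication": missing}
```

The report's last field flags requests closed without a recorded data subject communication, which is the kind of evidence gap an auditor would ask about.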
Page 25
Questions and Contact
• Teresa Troester-Falk, Chief Global Privacy Strategist, Facilitator & Speaker, Nymity
• Rachel Glasser, Chief Privacy Officer, Wunderman
• Brittanie Hall, Senior Associate, Hogan Lovells, Privacy and Cybersecurity