
GDPR: DPIAs & Risk

May 23, 2017

© TRUSTe Inc., 2017


Privacy Insight Series - truste.com/insightseries
Thank you for joining the webinar
GDPR: DPIAs & Risk

We will be starting a couple of minutes after the hour

This webinar will be recorded and the recording and slides sent out later today

Please use the GotoWebinar control panel on the right hand side to submit any questions for the speakers

Today's Speakers

Marty Abrams
Executive Director & Chief Strategist
Information Accountability Foundation (IAF)

Hilary Wandall (Moderator)
General Counsel & Chief Data Governance Officer
TRUSTe

Today's Agenda

Welcome & Introductions
The role of DPIAs
Development of privacy assessment methodology
GDPR and DPIAs
Risky processing under GDPR
IAF-TRUSTe DPIA approach
Privacy risk and enterprise risk management
Q&A

Webinar Poll

Do you have an internal PIA or DPIA process?
yes
no

The Role of DPIAs

Build Your Program: 6 Essential Elements

Build: Establish, maintain and evolve an integrated privacy and data governance program aligned with other data management and information risk functions such as security, IP, trade secret protection and e-discovery. Learn and evolve over time.

Integrated Governance: Identify stakeholders. Establish program leadership and governance. Define program mission, vision and goals.
Risk Assessment: Identify, assess and classify data-related strategic, operational, legal, compliance and financial risks.
Resource Allocation: Establish budgets. Define roles and responsibilities. Assign competent personnel.
Policies & Standards: Develop policies, procedures and guidelines to define and deploy effective and sustainable governance and controls for managing data-related risks.
Processes: Establish, manage, measure and continually improve processes for PIAs, vendor assessments, incident management and breach notification, complaint handling and individual rights management.
Awareness & Training: Communicate expectations. Provide general & contextual training.
Development of Privacy Assessment Methodology

How has assessment methodology developed in the privacy field?

How did comprehensive data impact assessments originate?

Genesis of Ethical Assessments

2013: Challenge by HP, Merck, Intuit and Acxiom to develop a means to make big data processing defendable
2014: Unified ethical frame developed and presented at the International Conference of Data Protection and Privacy Commissioners
  Ethical assessments the key
  Embraced by numerous regulators
  The golden rule became the proxy for ethics
2015: Oversight and framework for assessment
  Multi-stakeholder oversight
  Link to legitimate interests established
  Digital marketing assessment framework developed
2016: Canadian project


Canadian Project

Canadian law, in most cases, requires consent
This raised the question of how big data might be done in Canada as a link to accountability
IAF received a grant from the Office of the Privacy Commissioner to explore the concept of ethical assessments
Recruited 20 Canadian companies and a lead Canadian lawyer/expert to work with us
Took the Canadian framework to a multi-stakeholder group that included regulators
End products: a framework that includes the legal and ethical discussion, and an assessment framework
Participants pleased with the outcome
OPC pleased with the work product

Key Findings

A customized linkage to local law and culture is necessary
The assessment framework can be used globally
Assessing stakeholder benefits and risks was a breakthrough for companies
This methodology is useful everywhere
Legal, fair and just (which puts people first) is a great proxy for ethics
Automating the process would lead to scalability

How does the ethical assessment methodology align with the GDPR expectations for DPIAs?

IAF-TRUSTe DPIA Strategy

GDPR Requirements for DPIAs (Articles 35 and 36)

Is the processing likely to result in high risk?
  No: No DPIA required.
  Yes: DPIA required (Article 35(1)). The DPIA covers:
    Systematic description of the processing
    Assessment of necessity and proportionality
    Assessment of the risks to the rights and freedoms of data subjects
    Measures to address the risks

Is the residual risk high?
  No: No DPA consultation required.
  Yes: DPA consultation required.
Processing Likely to Result in High Risk: Key Criteria

Based on Article 29 Working Party Guidelines WP 248 (4 Apr 2017)

Evaluation or scoring
Automated decision-making with legal or similarly significant effect
Systematic monitoring
Sensitive data
Data processed on a large scale
Datasets that have been matched or combined
Data concerning vulnerable subjects
Innovative use or applying technological or organizational solutions
Data transfer across borders outside of the EU
Where the processing itself prevents individuals from exercising a right or using a service or a contract

IAF-TRUSTe DPIA Construct

Part A: Governance and Accountability
1. Organizational Accountability
2. Purpose
3. Data
4. Data Sources, Origins and Characteristics
5. Legal Basis of Processing

Part B: Risk, Impacts and Benefits
6. High Risk Processing
7. Value and Benefits of the Processing
8. Inherent Risk Assessment
9. Weighted Inherent Risk-Benefits

Part C: Mitigations and Safeguards
10. Data Necessity (DPbDesign/Default, Data Minimization)
11. Use, Retention and Disposal
12. Disclosure to Third Parties and Onward Transfer
13. Choice and Consent
14. Access and Individual Rights
15. Data Integrity and Quality
16. Security
17. Transparency

Part D: Risk Outcomes (Report)
18. Mitigations and Safeguard Effectiveness Evaluation (Scale)
19. Calculation of Residual Risk Severity and Likelihood
20. Legitimate Interests Balancing Test Outcomes
21. Where residual risks are high, consultation of DPA and data subjects
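As an added illustration (not the IAF-TRUSTe tool or any code from this deck) of how the Article 35/36 decision flow, the WP 248 screening criteria and the residual risk calculation in Part D item 19 could be encoded for an automated triage, the Python below walks an assessment through both decision points. The two-criteria screening threshold, the 1-3 severity/likelihood scale and the "high" residual cut-off are assumptions chosen for this example, not values stated in the slides.

```python
from dataclasses import dataclass

# Screening criteria from WP 248 (4 Apr 2017), as listed on the
# "Processing Likely to Result in High Risk" slide.
HIGH_RISK_CRITERIA = frozenset({
    "evaluation_or_scoring", "automated_decision_legal_effect",
    "systematic_monitoring", "sensitive_data", "large_scale",
    "matched_or_combined_datasets", "vulnerable_subjects",
    "innovative_use", "transfer_outside_eu",
    "prevents_exercising_right_or_service",
})
# Assumption: meeting two or more criteria is treated as "likely high risk".
CRITERIA_THRESHOLD = 2
# Assumption: severity and likelihood scored 1-3 after mitigations (Part C);
# a residual score of 6 or more counts as "high" (Part D item 19).
HIGH_RESIDUAL_SCORE = 6


@dataclass
class Assessment:
    criteria_met: set       # subset of HIGH_RISK_CRITERIA (constructed input)
    severity: int = 1       # 1 = low impact on data subjects, 3 = severe
    likelihood: int = 1     # 1 = remote, 3 = likely


def likely_high_risk(a: Assessment) -> bool:
    """Article 35(1) gate: does the processing screen as likely high risk?"""
    unknown = set(a.criteria_met) - HIGH_RISK_CRITERIA
    if unknown:
        raise ValueError(f"unknown criteria: {sorted(unknown)}")
    return len(a.criteria_met) >= CRITERIA_THRESHOLD


def residual_risk_score(a: Assessment) -> int:
    """Part D item 19: residual risk as severity x likelihood after mitigations."""
    if a.severity not in (1, 2, 3) or a.likelihood not in (1, 2, 3):
        raise ValueError("severity and likelihood must be scored 1..3")
    return a.severity * a.likelihood


def triage(a: Assessment) -> dict:
    """Walk the flow: DPIA required? If so, is DPA consultation (Art. 36) required?"""
    if not likely_high_risk(a):
        return {"dpia_required": False, "dpa_consult_required": False}
    score = residual_risk_score(a)
    return {"dpia_required": True, "residual_score": score,
            "dpa_consult_required": score >= HIGH_RESIDUAL_SCORE}


if __name__ == "__main__":
    # Constructed example: large-scale monitoring of sensitive data, mitigations
    # still leave severity 3 and likelihood 2, so DPA consultation is triggered.
    print(triage(Assessment({"sensitive_data", "large_scale",
                             "systematic_monitoring"}, severity=3, likelihood=2)))
```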

Webinar Poll

Do you have an automated PIA or DPIA process?
yes
no

Automating the IAF-TRUSTe DPIA

Webinar Poll

Do you have an enterprise risk management (ERM) process?
yes
no

Integrating Privacy into Enterprise Risk Management

Questions?

Contacts
Marty Abrams mabrams@informationaccountability.org
Hilary Wandall hilary@truste.com

Thank You!

Details and registration for our 2017 Summer/Fall Webinar Series will be published shortly.

Register for our next live event, the Privacy Risk Summit on June 6th 2017, at https://www.truste.com/events/privacy-risk/

See http://www.truste.com/insightseries for the 2017 Privacy Insight Series and past webinar recordings.