
PRIVACY INSIGHT SERIES

Summer / Fall 2017 Webinar Program

Building Your DPIA/PIA Program:


Tips & Case Studies

September 12, 2017

2017 TrustArc Inc Proprietary and Confidential Information


Today's Speakers

Alexia Maas
SVP - General Counsel, Volvo Financial Services

Beth Sipula
Sr. Privacy Consultant, TrustArc

Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


Today's Agenda

Welcome & Introductions
GDPR compliance requirements
Essential elements for building your program
Recommendations for success
Q&A


Poll Question
Do you have an internal PIA or DPIA process in place?

A. Yes
B. No

TrustArc / Dimensional Research 2017



GDPR Requirements for DPIAs


The EU GDPR May 25, 2018 Deadline
Significant Compliance Requirements



GDPR Requirements for DPIAs (Articles 35 and 36)

Step 1: Is the processing likely to result in high risk?
No: No DPIA required.
Yes: DPIA required (Article 35(1)). The DPIA must contain:
- A systematic description of the processing
- An assessment of necessity and proportionality
- An assessment of the risks to the rights and freedoms of data subjects
- Measures to address the risks

Step 2: Is the residual risk high?
No: No DPA consultation required.
Yes: DPA consultation required.
PIAs and DPIAs: Similarities and Differences

The terms PIA and DPIA are used interchangeably by many organizations. An organization may use a DPIA, even if a DPIA is not required, to conduct an assessment to ensure the required data protection controls are in place and to demonstrate compliance with GDPR requirements.

DPIAs are required of organizations acting as Data Controllers.

Data Processors may also use DPIAs to assess whether they are processing data in a manner that supports the Controller in meeting its compliance obligations under the GDPR.

Both PIAs and DPIAs enable organizations to identify the controls needed to address and reduce risk, be it a risk to the rights of individuals, a compliance risk of the organization, or both.


Processing Likely to Result in High Risk: Key Criteria
Based on Article 29 Working Party Guidelines WP 248 (4 Apr 2017)

Automated decision-making with legal or similar significant effect
Evaluation or scoring
Systematic monitoring
Sensitive data
Data processed on a large scale
Datasets that have been matched or combined
Data concerning vulnerable subjects
Data transfer across borders outside of the EU
Innovative use or applying technological or organizational solutions
Where the processing itself prevents individuals from exercising a right or using a service or a contract


Poll Question #2
How many PIAs will your organization complete in 2017?

A. Less than 10
B. 11-50
C. 51-100
D. 100+
E. I have no idea


Essential Elements for Building Your Program


Build Your Program: 6 Essential Elements

Build: Establish, maintain and evolve an integrated privacy and data governance program aligned with other data management and information risk functions such as security, IP, trade secret protection and e-discovery. Learn and evolve over time.

1. Integrated Governance: Identify stakeholders. Establish program leadership and governance. Define program mission, vision and goals.
2. Risk Assessment: Identify, assess and classify data-related strategic, operational, legal compliance and financial risks.
3. Resource Allocation: Establish budgets. Define roles and responsibilities. Assign competent personnel.
4. Policies & Standards: Develop policies, procedures and guidelines to define and deploy effective and sustainable governance and controls for managing data-related risks.
5. Processes: Establish, manage, measure and continually improve processes for PIAs, vendor assessments, incident management and breach notification, complaint handling and individual rights management.
6. Awareness & Training: Communicate expectations. Provide general & contextual training.


1. Integrated Governance
Identify your key stakeholders: Establish program leadership and governance. Define program mission, vision and goals.
Leverage relationships with key internal stakeholders (and build new ones) to drive change and adoption.

Key Stakeholders and Key Areas (examples)

IT/Security: Responsible for data protection and securing internal systems
Human Resources: Responsible for HR data and systems
Marketing: Responsible for services to customers (both internal and external)
Legal: Responsible for ensuring legal requirements are met
Internal Audit: Responsible for managing an audit trail
Procurement: Responsible for vetting and contracting with vendors and third parties


2. Risk Assessment
Identify and assess risk: Classify data-related strategic, operational, legal compliance and financial risks.

Key Risks (examples)

Significant infrastructure or systems changes
New product development where data is collected; changes to existing products; new uses for data collected
New regulations and compliance requirements (GDPR)
Mergers and acquisitions
New vendors and third-party business partners
Ongoing HR-related data requirements (example: employee monitoring)


3. Resource Allocation
Identify resource needs: Establish budgets. Define roles and responsibilities. Assign knowledgeable and trained personnel.

Resource Needs to Consider

Executive champion; top-down support is essential to success
Training and knowledgeable personnel needed to manage the PIA/DPIA process; define roles and responsibilities
Systems needed to support the program; automation
New regulations and compliance requirements (monitoring)
Outside consulting and legal resources


4. Policies and Standards
Develop policies and standards: Procedures and guidelines to define and deploy effective and sustainable governance and controls for managing data-related risks.

IT Security, Data Security and Acceptable Use
Privacy Notices and Policies
Data Use, Retention and Disposal
Data Classification
Marketing Operations
Product Development


5. Processes
Establish, manage, measure and continually improve processes: Ensure a unified approach to PIAs/DPIAs, vendor assessments, incident management and breach notification, complaint handling and individual rights management.

Build -> Assess -> Implement -> Manage -> Demonstrate

One size does not fit all. Organizations should develop and follow a process that makes sense for their size, type of processing, and resources.
PIAs/DPIAs need to be conducted according to a documented process to ensure consistency.
Documentation to demonstrate accountability (on demand) is also critical.


6. Awareness & Training

Communicate expectations
Embed in established training cycles
Provide general & contextual training


Recommendations


Recommendations for Success
Assign clearly defined roles for all stages
Have an Executive Champion or Sponsor
PIA/DPIA processes need to be simple, repeatable and concise, and they need to map to the GDPR requirements
One size does not fit all: consider the level of risk
Also consider a process with traditional PIAs for all projects and EU DPIAs for projects that trigger EU DP rules
Build a robust process with scalability in mind
Consider the system you are using and what it'll take to make the process more efficient and automated
Over-communicate and reinforce training at every opportunity


Additional Resources

www.trustarc.com/resources


Contacts

Alexia Maas: alexia.maas@vfsco.com
Beth Sipula: bsipula@trustarc.com


Privacy Insight Series 2017 Calendar

www.trustarc.com/insightseries


Thank You!
Register for the next webinar in our Series, October 11th:

Profiling, Big Data & Consent Under the GDPR

For the full Summer/Fall schedule and past webinar recordings visit: http://www.trustarc.com/insightseries