Understanding New EU Guidance on DPIA/PIA Requirements
November 10, 2016

Privacy Insight Series
- truste.com/insightseries
TRUSTe Inc., 2016


Today's Speakers
Beth Sipula, Senior Privacy Consultant, TRUSTe
Paul Iagnocco, Chief Privacy Officer, Kellogg


The GDPR and When to Use DPIAs/PIAs
Beth Sipula, Senior Privacy Consultant, TRUSTe


PIA definition
A privacy impact assessment (PIA) is a tool or process for identifying and assessing privacy risks throughout the development life cycle of a program or system.
- Information Commissioner's Office


Poll Question #1
Does your organization have a PIA process in place?
1. Yes
2. No


Frameworks and Jurisdictions
- Many countries and regions of the world have been using PIAs dating back to the mid-90s
- Papers published regarding PIAs often started in the private sector
- A handful of countries have the most presence; more countries are emerging in LATAM and APAC
- The GDPR has drawn a spotlight onto DPIAs and adopting a framework as part of compliance
- While there are differences in the methodologies, the goals are the same: to identify risks to privacy and determine ways of overcoming those risks
- DPIAs/PIAs are not one size fits all


Poll Question #2
How many PIAs will your organization complete in 2016?
1. Less than 10
2. 11 - 50
3. 51-100
4. 100+
5. I have no idea


GDPR Triggers for DPIAs/PIAs
DPIAs are required for any processing that may result in high risk, and for:
- Systematic and extensive automated processing, including profiling, if the decisions produce legal effects or significantly affect the individual
  Example: making predictions based on a person's behavior, credit decisions, economic situation, location
- Processing special categories of data (e.g. genetic or biometric data) or criminal records on a large scale
- Systematic monitoring of a publicly accessible area on a large scale
- As otherwise indicated by the DPAs or EUDPB
GDPR requires you to conduct PIAs for high-risk activities and implement operational changes.
Note: The most common high-risk areas tend to center around new products/systems that change the way the business uses, collects or stores personal data.


Triggers for when to use a DPIA/PIA
- Implementing a new system in your organization;
- Launching a new product or service;
- Providing a new third party provider with access to PI;
- Conversion of records from paper-based to electronic form;
- Conversion of information from anonymous to identifiable form;
- System management changes involving significant new uses and/or application of new technologies;
- Significant merging, matching or other manipulation of multiple databases containing personal data;
- Incorporation into existing databases of personal data obtained from commercial or public sources;
- Alteration of a business process resulting in significant new collection, use and/or disclosure of personal data.


Recommendations for Success
- Assign clearly defined roles for all stages
- Having an Executive Champion or Sponsor is critical
- PIAs need to be simple, repeatable and concise, and they need to map to the GDPR requirements
- One size does not fit all; consider the level of risk
  Also consider a bifurcated PIA process, with traditional PIAs for all projects and EU DPIAs for projects that trigger EU DP rules
- Build a robust process with scalability in mind
  Consider the system you are using and what it'll take to make the process more efficient and automated
- Monitor: the Article 29 Working Party will be releasing guidance for controllers and processors on high-risk assessments by the end of 2016


Operationalizing a PIA Solution within the Enterprise
Paul Iagnocco, Chief Privacy Officer, Kellogg


Privacy Overview at Kellogg
Global Privacy Office established in August 2015

4 Strategic Pillars:
- Build a Global Capability
- Ensure Compliance & Education
- Champion Privacy Advocacy
- Unlock Data Use

Types of Data Held:
- Employee (PII, PFI, PHI)
- Consumer (PII)

Reporting Line:
- A function within Global Legal & Compliance
- CPO reports directly to Chief Counsel (access to Global General Counsel & Vice Chair of Company)


Privacy Overview at Kellogg (continued)
Kellogg employs a decentralized business model in addressing data protection and privacy matters.

Global Privacy Office (defines the "what"):
- strategy
- training content
- business compliance
- standards and best practices
- common global tools
- privacy impact assessments (PIAs)
- requests and complaints
- data breach management
- liaison with regulators

Regional/Local Business Functions (determine the "how"):
- execute strategy
- conduct training
- execute compliance
- implement standards and best practices
- address PIA results

Supporting functions shown alongside on the slide: IT Security, Internal Audit.

Collaborative Approach Between Privacy & IT Security

Privacy: Acquisition and Use of Data
Focus is on whether the Company is allowed to possess consumer or employee data and what we are allowed to do with it.
- Notice
- Choice
- Use

IT Security: Safeguards, Secured Storage and Proper Destruction of Data
Focus is on the protection of the data stored, processed, transmitted and destroyed.
- Access
- Confidentiality
- Availability
- Integrity


5 Steps to Operationalizing PIAs
1. Know your key PIA stakeholders
2. Align on the role of a PIA
3. Design the PIA workflow
4. Build and implement the PIA solution
5. Refine and scale the PIA process

Know your key stakeholders
Objective: Implementing anything new within an organization is challenging. People fear the uncertainty of change. You need to identify key stakeholders that see value in a PIA.
Recommendation: Leverage these stakeholders to drive change within their function. These are your early adopters (evangelists).

Key Stakeholders: how would a PIA benefit their function?
- Legal Counsel (Transactions): provides intelligence to incorporate into the MSA or SOW
- Risk Management: provides intelligence that may require a change in risk policy
- Procurement: ensures that data protection and privacy are addressed
- IT Security: ensures that data protection and authorization are addressed
- Human Resources: external data processors are vetted and deliver the expected services for our employees
- Marketing: external data processors are vetted and deliver the expected services for our consumers
- Internal Audit: provides an audit trail
- Outside Consultants: N/A


Align on the role of the PIA
Objective: With your key stakeholders, determine what you want to solve for using a PIA.
Recommendation: Start small and scale. It might be easier to start leveraging PIAs externally since you will likely have less resistance to change.

Common Components of a PIA: what are we assessing?
- Internal Procedures and Policies: overall program accountability
- Data Collection: what data is collected?
- Choice and Consent: how was the data collected?
- Use, Retention and Disposal: what is the intended use, storage and purge of the collected data?
- Disclosures to Third Parties: are we sharing this data?
- Access: does the data subject have access?
- Data Security: how is the data secured?


Design the PIA workflow
Objective: Leveraging the PIA alignment gained in step 2, now design the PIA workflow.
Recommendation: Again, start small and scale. Look at how new data processes and vendor agreements/SOWs commence. Review existing workflows and determine the best means to intersect without being disruptive.

Where should a PIA be considered?
- Review of existing vendor statements of work (SOW)
- New vendor set-up (MSA)
- Changes to internal data processing
- Significant IT infrastructure changes
- Mergers and acquisitions
- New product development (that engages data)
- Annual assessments
- To assess new regulations

New Vendor Set-up Workflow:
1. Process starts in Contract Database
2. Privacy Threshold Questions answered
3. PIA published and vendor responds
4. Responses reviewed by Legal and IT Security
5. Additional follow-ups by other key stakeholders
6. Changes negotiated in MSA
7. MSA approved and filed

Build and Implement the PIA Solution
Objective: Identify what PIA solution needs to be built and eventually implemented.
Recommendation: Review step 2 to ensure you are building a PIA solution that achieves your goal. Also, be mindful of the expected annual volume. Do NOT over-engineer. In addition, be sure to produce communication materials and a simple user guide to facilitate adoption beyond the key stakeholders. You MUST be prepared to Sell, Sell, Sell.

Simple PIA Solution
1. Build out content (questions and benchmarks)
2. Load spreadsheet; use macros to create flags
3. Develop email template with purpose, deadline, etc. to send along with the spreadsheet
4. Publish to XYZ, collect responses
5. Review and analyze
6. Take necessary action
7. File

Complex PIA Solution
1. Conduct privacy threshold assessment
2. Add respondent to TRUSTe Assessment Manager
3. Select or customize PIA
4. Publish to XYZ, collect responses
5. Centrally review and analyze
6. Assign necessary follow-up action
7. Archive and set calendar to automatically re-send in 12 months

Refine and scale the PIA Solution
Objective: Identify what's working and what's not working and refine the solution accordingly. What other areas (identified in Step 3) should we scale this PIA solution to address?
Recommendation: Identify a means to gather ongoing feedback on how to improve the solution. Always look for opportunities to further embed the PIA into normal business operations. As you expand, follow the process: step and repeat.

Potential Refinements
- Customized PIA questions based on a specific target audience (e.g., EU data processors)
- Implement for additional business scenarios (e.g., internal infrastructure or data processing changes)
- New PIA questions to assess internal or external compliance with new regulation (e.g., EU GDPR)
- Provide additional access to responses and analysis
- Add new functions to the overall process
- Expand user guides to reflect changes
- Expand communication plan: Sell, Sell, Sell


Summary
1. Cultivate evangelists for the PIA solution
2. Define the value of the PIA solution
3. Align on initial PIA solution goals
4. Start small, scale later
5. Look for new opportunities
6. Listen to feedback
7. Keep it simple
8. Over-communicate

Be sure to commit and start somewhere.


Questions?


Contacts
Beth Sipula - bsipula@truste.com
Paul Iagnocco - paul.iagnocco@kellogg.com

Thank You!
Register now for the final webinar in our 2016 Summer/Fall Webinar Series on December 8, "Metrics for Success: Quantifying the Value of the Privacy Function".
See http://www.truste.com/insightseries for the 2016 Privacy Insight Series and past webinar recordings.