Scribd Logo
Upload

Welcome to Scribd!

  • Building Your DPIA/PIA Program: Tips & Case Studies - TrustArc Webinar

    Uploaded by

    TrustArc
    166 views24 pages
    Watch the webinar on-demand: https://info.trustarc.com/building-pia-dpia-program-webinar.html DPIA/PIA guidance, tips for success and case studies from the field. The GDPR mandates Privacy by Design and requires documented Data Protection Impact Assessments (DPIAs) for high-risk processing. How can you build this into a sustainable program across your business? Having a good understanding of what DPIA/PIAs are and how to implement them can be the key to embedding privacy in the heart of your organization as well as achieving GDPR compliance. Watch this webinar on-demand to: - Hear PIA best practices - Review GDPR compliance requirements - Receive a range of tips and tools to help streamline and embed the process - Hear how Volvo Financial Services has approached assessments across their organization To register for upcoming/on-demand webinars visit: https://www.trustarc.com/events/webinar-schedule/

    Original Title

    Building Your DPIA/PIA Program: Tips & Case Studies | TrustArc Webinar

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Watch the webinar on-demand: https://info.trustarc.com/building-pia-dpia-program-webinar.html DPIA/PIA guidance, tips for success and case studies from the field. The GDPR mandates Privacy by Design and requires documented Data Protection Impact Assessments (DPIAs) for high-risk processing. How can you build this into a sustainable program across your business? Having a good understanding of what DPIA/PIAs are and how to implement them can be the key to embedding privacy in the heart of your organization as well as achieving GDPR compliance. Watch this webinar on-demand to: - Hear PIA best practices - Review GDPR compliance requirements - Receive a range of tips and tools to help streamline and embed the process - Hear how Volvo Financial Services has approached assessments across their organization To register for upcoming/on-demand webinars visit: https://www.trustarc.com/events/webinar-schedule/

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    166 views24 pages

    Building Your DPIA/PIA Program: Tips & Case Studies - TrustArc Webinar

    Uploaded by

    TrustArc
    Watch the webinar on-demand: https://info.trustarc.com/building-pia-dpia-program-webinar.html DPIA/PIA guidance, tips for success and case studies from the field. The GDPR mandates Privacy by Design and requires documented Data Protection Impact Assessments (DPIAs) for high-risk processing. How can you build this into a sustainable program across your business? Having a good understanding of what DPIA/PIAs are and how to implement them can be the key to embedding privacy in the heart of your organization as well as achieving GDPR compliance. Watch this webinar on-demand to: - Hear PIA best practices - Review GDPR compliance requirements - Receive a range of tips and tools to help streamline and embed the process - Hear how Volvo Financial Services has approached assessments across their organization To register for upcoming/on-demand webinars visit: https://www.trustarc.com/events/webinar-schedule/

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 24

    PRIVACY INSIGHT SERIES

    Summer / Fall 2017 Webinar Program

    Building Your DPIA/PIA Program:


    Tips & Case Studies

    September 12, 2017

    2017 TrustArc Inc Proprietary and Confidential Information


    Todays Speakers

    Alexia Maas
    SVP - General Counsel, Volvo Financial Services

    Beth Sipula
    Sr. Privacy Consultant, TrustArc

    Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    Todays Agenda

    Welcome & Introductions


    GDPR compliance requirements
    Essential elements for building your program
    Recommendations for success
    Q&A

    Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    Poll Question
    Do you have an internal PIA or DPIA process in place?

    A. Yes
    B. No
    4%

    TrustArc / Dimensional Research 2017

    4 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    PRIVACY INSIGHT SERIES
    Summer / Fall 2017 Webinar Program

    GDPR Requirements for DPIAs

    2017 TrustArc Inc Proprietary and Confidential Information


    The EU GDPR May 25, 2018 Deadline
    Significant Compliance Requirements

    6 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    GDPR Requirements for DPIAs (Articles 35 and 36)

    Processing likely to
    result in high risk
    DPIA Required
    Article 35(1)
    Systematic description of the processing
    Assessment of necessity and
    proportionality
    Assessment of the risks to the rights and
    No freedoms of data subjects
    Measures to address the risks

    Is residual risk high?


    No DPIA Required

    No

    No DPA Consult DPA Consult Required


    Required
    Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc
    PIAs and DPIAs: Similarities and Differences
    The terms PIA and DPIA are used interchangeably by many
    organizations. An organization may use a DPIA, even if a DPIA is
    not required, to conduct an assessment to ensure the required data
    protection controls are in place and to demonstrate compliance with
    GDPR requirements.

    DPIAs are required of organizations acting as Data Controllers.


    Data Processors may also use DPIAs to assess whether they are
    processing data in a manner that supports the Controller in meeting
    its compliance obligations under the GDPR.

    Both PIAs and DPIAs enable organizations to identify the controls


    needed to address and reduce riskbe it a risk to the rights of
    individuals, a compliance risk of the organization, or both.

    Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    Processing Likely to Result in High Risk Key Criteria
    Based on Article 29 Working Party Guidelines WP 248 (4 Apr 2017)

    Automated-decision making with legal or similar significant effect


    Evaluation or scoring
    Systematic monitoring
    Sensitive data
    Data processed on a large scale
    Datasets that have been matched or combined
    Data concerning vulnerable subjects
    Data transfer across borders outside of the EU
    Innovative use or applying technological or organizational
    solutions
    Where the processing itself prevents individuals from exercising a
    right or using a service or a contract

    Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    Poll Question #2
    How many PIAs will your organization complete in
    2017?

    A. Less than 10
    B. 11 - 50
    C. 51-100
    D. 100+
    E. I have no idea

    Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    PRIVACY INSIGHT SERIES
    Summer / Fall 2017 Webinar Program

    Essential Elements for Building Your


    Program

    2017 TrustArc Inc Proprietary and Confidential Information


    Build Your Program 6 Essential Elements
    Integrated Identify stakeholders. Establish
    Governance program leadership and governance.
    Define program mission, vision and
    Build goals.
    Establish, maintain Risk Identify, assess and classify data-
    and evolve an Assessment related strategic, operational, legal
    integrated privacy compliance and financial risks.
    and data governance
    Resource Establish budgets. Define roles and
    program aligned with
    Allocation responsibilities. Assign competent
    other data
    personnel.
    management and
    information risk Policies & Develop policies, procedures and
    functions such as Standards guidelines to define and deploy
    security, IP, trade effective and sustainable governance
    secret protection and and controls for managing data-
    e-discovery related risks.
    Processes Establish, manage, measure and
    continually improve processes for
    PIAs, vendor assessments, incident
    Learn and Evolve Over Time management and breach notification,
    complaint handling and individual
    rights management.
    Awareness & Communicate expectations. Provide
    Training general & contextual training.

    Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    1. Integrated Governance
    Identify your key stakeholders: Establish program leadership and
    governance. Define program mission, vision and goals.
    Leverage relationships with key internal stakeholders (and build new ones) to
    drive change and adoption

    Key Stakeholders Key Area (examples)

    IT/Security Responsible for data protection and securing


    internal systems
    Human Resources Responsible for HR data and systems

    Marketing Responsible for services to customers (both


    internal and external)
    Legal Responsible for ensuring legal requirements are
    met
    Internal Audit Responsible for managing an audit trail

    Procurement Responsible for vetting and contracting with


    vendors and third parties

    Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    2. Risk Assessment
    Identify and assess risk: Classify data-related strategic, operational,
    legal compliance and financial risks.

    Key Risks (examples)

    Significant infrastructure or systems changes

    New Product development where data is collected; changes to existing


    products new uses for data collected
    New regulations and compliance requirements (GDPR)

    Mergers and acquisitions

    New vendors and third party business partners

    Ongoing HR related data requirements (example: employee monitoring)

    Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    3. Resource Allocation
    Identify resource needs: Establish budgets. Define roles and
    responsibilities. Assign knowledgeable and trained personnel.

    Resource Needs to Consider

    Executive Champion; top down support essential to success

    Training and knowledgeable personnel needed to manage PIA/DPIA


    process; Define roles and responsibilities
    Systems needed to support the program; automation

    New regulations and compliance requirements (monitoring)

    Outside consulting and legal resources

    Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    4. Policies and Standards
    Develop policies and standards: Procedures and guidelines
    to define and deploy effective and sustainable governance and
    controls for managing data-related risks.

    IT Security, Data Security


    and Acceptable Use
    Privacy Notices and Policies
    Data Use, Retention and
    Disposal
    Data Classification
    Marketing Operations
    Product Development

    Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    5. Processes
    Establish, manage, measure and continually improve processes:
    Ensure a unified approach to PIAs/DPIAs, vendor assessments,
    incident management and breach notification, complaint handling and
    individual rights management.

    Build Assess Implement Manage Demonstrate

    One size does not fit all. Organizations should develop and follow a
    process that makes sense for their size, type of processing, and
    resources
    PIAs/DPIAs need to be conducted according to a documented process
    to ensure consistency
    Documentation to demonstrate accountability is also critical (on
    demand)

    Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    6. Awareness & Training

    Communicate
    expectations

    Embed in Provide
    established general &
    training contextual
    cycles training

    Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    PRIVACY INSIGHT SERIES
    Summer / Fall 2017 Webinar Program

    Recommendations

    2017 TrustArc Inc Proprietary and Confidential Information


    Recommendations for Success
    Assign clearly defined roles for all stages
    Having an Executive Champion or Sponsor
    PIA/DPIA processes need to be simple, repeatable, concise, and they
    need to map to the GDPR requirements
    One size does not fit all consider the level of risk
    Also consider a process with traditional PIAs for all projects and EU
    DPIAs for projects that trigger EU DP rules
    Build a robust process with scalability in mind
    Consider the system you are using, what itll take to make the
    process more efficient and automate
    Over communicate and reinforce training at every opportunity

    Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    Additional Resources

    www.trustarc.com/resources

    21 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    PRIVACY INSIGHT SERIES
    Summer / Fall 2017 Webinar Program

    Contacts

    Alexia Maas alexia.maas@vfsco.com


    Beth Sipula bsipula@trustarc.com

    2017 TrustArc Inc Proprietary and Confidential Information


    Privacy Insight Series 2017 Calendar

    www.trustarc.com/insightseries

    23 Privacy Insight Series - trustarc.com/insightseries 2017 TrustArc Inc


    PRIVACY INSIGHT SERIES
    Summer / Fall 2017 Webinar Program

    Thank You!
    Register for the next webinar in our Series October 11th

    Profiling, Big Data & Consent Under the GDPR


    For full Summer/Fall schedule and past webinar recordings
    visit: http://www.trustarc.com/insightseries

    2017 TrustArc Inc Proprietary and Confidential Information

    You might also like