
PRIVACY INSIGHT SERIES

Summer / Fall 2018 Webinar Program

Managing Multiple Compliance Priorities - GDPR, HIPAA, APEC, ISO 27001, etc.
August 22, 2018

© 2018 TrustArc Inc Proprietary and Confidential Information


Today’s Speakers

K Royal, CIPP/US, CIPP/E, CIPM, FIP
Privacy Consulting Director, US West, TrustArc

Hilary Wandall, CIPP/US, CIPP/E, CIPM, FIP
Chief Data Governance Officer, General Counsel & Corporate Secretary, TrustArc

Privacy Insight Series - trustarc.com/insightseries © 2018 TrustArc Inc


Today’s Agenda

• Welcome & Introductions
• The Primary Driver
• Aligning for Simplification
• Establishing your Baseline
• Putting it into Practice
• Questions?




The Primary Driver


Poll 1
What was the primary regulatory driver for your company to start a privacy program?

• EU Data Protection Directive 95/46/EC
• GDPR
• HIPAA
• U.S. State Breach Notification laws
• EU-U.S. Privacy Shield


Starting with your primary driver
• One customer expects you to self-certify to the Privacy Shield Frameworks
• A business partner views you as a HIPAA business associate
• Another customer expects you to sign a GDPR DPA and Standard Contractual Clauses
• Still another customer wants you to support its efforts in Asia and would like you to seek APEC Privacy Rules for Processors (PRP) certification
• Your board is worried about public trust and confidence

Where do you start?


Aligning for Simplification


Poll 2
Does your company have any of the following programs in place?

• Corporate Compliance Program
• Information Risk Management Program
• Data Governance Program
• Trade Secret Protection Program
• No


Our model for aligning regulatory requirements
Integrating Privacy and Data Governance
We Start with 3 Pillars

• Build: Program Strategy, Governance, Processes and Policies, Data Inventory
• Implement: PIAs, DPIAs, Consent, Individual Rights, Data Transfer Management
• Demonstrate: Compliance Reports, Certification, Verification, Ongoing

TrustArc Privacy & Data Governance Framework


The 3 Pillars are Supported by 16 Standards

Build Your Program
• Establish and maintain an integrated data governance program aligned with other information risk management functions such as security, IP and trade secret protection and e-discovery

Integrated Governance: Identify stakeholders. Establish program leadership and governance. Define program mission, vision and goals.
Risk Assessment: Identify, assess and classify data-related strategic, operational, legal compliance and financial risks.
Resource Allocation: Establish budgets. Define roles and responsibilities. Assign personnel.
Policies & Standards: Develop policies, procedures and guidelines to define and deploy effective and sustainable governance and controls for managing data-related risks.
Processes: Establish, manage, measure and continually improve processes for PIAs, vendor assessments, incident management and breach notification, complaint handling and individual rights management.
Awareness & Training: Communicate expectations. Provide general & contextual training.

Implement Your Program Across Products, Processes and Technologies
• Design and/or engineer effective privacy and data governance controls into organizational processes, products and technologies and maintain and enhance those controls throughout the lifecycle for the product, process or technology

Data Necessity: Optimize data value by collecting and retaining only the data necessary for strategic goals. Leverage anonymization, de-identification, pseudonymization and coding to mitigate data storage-related risks.
Use, Retention & Disposal: Ensure data are used solely for purposes that are relevant to and compatible with the purposes for which it was collected.
Disclosure to 3rd Parties & Onward Transfer: Preserve the standards and protections for data when it is transferred to third party organizations and/or across country borders.
Choice & Consent: Enable individuals to choose whether personal data about them is processed. Obtain and document prior permission where necessary and appropriate, and enable individuals to opt out of ongoing processing.
Access & Individual Rights: Enable individuals to access information about themselves, to amend, correct, and as appropriate, delete information that is inaccurate, incomplete or outdated.
Data Integrity & Quality: Assure that data are kept sufficiently accurate, complete, relevant and current consistent with its intended use.
Security: Protect data from loss, misuse and unauthorized access, disclosure, alteration or destruction.
Transparency: Inform individuals about the ways in which data about them are processed and how to exercise their data-related rights.

Demonstrate Your Program

Monitoring & Assurance: Evaluate and audit effectiveness of controls and risk mitigation initiatives.
Reporting & Certification: Demonstrate the effectiveness of your program and controls to management, the board of directors, employees, customers, regulators and the public.
Interoperability in Practice
3 Pillars and 16 Standards are Operationalized with 55 Core Controls
Mapping alignment across regulatory controls

[Mapping grid: Program Element against TrustArc Framework, Privacy Shield, APEC CBPRs, GDPR, ISO 27001, HIPAA]

Program Elements
• Build: Integrated Governance; Risk Assessment; Resource Allocation; Policies and Standards; Processes; Awareness and Training
• Implement: Data Necessity; Use, Retention, Disposal; Third Parties and Onward Transfer; Choice and Consent; Individual Rights; Data Quality and Integrity; Security; Transparency
• Demonstrate: Monitoring and Assurance; Reporting & Certification


Establishing Your Baseline


Poll 3
What kind of “internal” privacy policy does your company have?

• We have a global privacy policy for our entire company
• We have different policies for each functional area of our company
• We have different policies for each region of our company
• We have a policy only for parts of our company in scope of GDPR
• We don’t have an internal policy


Developing the Policy
Pillar: Build

1. Start with your company’s goals for data – how does data drive your business
2. Select the core privacy and data protection principles that will serve as your baseline (e.g., OECD, APEC, HIPAA, GDPR, Privacy Shield)
3. Add considerations for special cases or more stringent laws
4. Develop the core standards that will operationalize your principles
5. Build in exceptions or an exceptions process
6. Validate your principles and standards against the laws and regulations that apply to your business


Putting it into Practice


Poll 4
Which requirements do you find most difficult to harmonize?

• Contracts (DPAs, BAAs, SCCs, Onward Transfer Agreements)
• Privacy Notices and/or Consent
• Data Inventory / Records of Processing Management
• Individual Rights Requests
• Vendor Assessments


Spotlight on Implementation
Managing Individual Rights
Pillar: Implement

1. Request received
2. Validate the request
3. Determine which requirements apply
   (a) Law or regulation
   (b) Legal basis of processing
4. Retrieve the data
5. Validate the data against your records of processing, retention schedules, and your privacy notice disclosures
6. Respond to the request in a timely manner
7. Update records as applicable
Interoperability in Practice
Mapping alignment across frameworks for certification and validation


Spotlight on Demonstration
Certification and Validation
Pillar: Demonstrate

1. Identify your certification or validation goals
   – Public trust
   – Customer trust
   – Business partner trust
   – Simplified cross-border transfers
2. Select your certification or validation standard
3. Submit your application to your certifying authority (external reviewer)
4. Demonstrate your controls
5. Complete remediation, if needed
6. Obtain, publicize and maintain certification
7. Respond to disputes, upon request


Questions?


Contacts
K Royal kroyal@trustarc.com
Hilary Wandall hilary@trustarc.com


Thank You!
Our Next Webinar will be on September 19, 2018:
Data Breach Management Requirements and Best Practices

See http://www.trustarc.com/insightseries to register and to access past Privacy Insight Series webinar recordings.
