In this session you'll learn multiple data regulations and multiple differences, eight fair information practices and principles, additional data protection principles, as well as interesting and fun GDPR points.

1. Killing Multiple Privacy Birds with
One Stone
Greg Reid
AIIM Board of Directors

2. Agenda
• Multiple Data Protection Regulations and Multiple
Differences
• Eight Fair Information Practices and Principles
• Additional Data Protection Principles
• And there really isn’t anything new…
• Interesting and FUN GDPR Points

3. The greatest challenge in Privacy and establishing a environment to legally
support it is the greatly divergent laws, regulations, and expectations:
• Industries / Federal: e.g. HIPAA / HITECH (Healthcare), Gramm-Leach-Bliley Act (Financial),
FERPA (Education)
• Other / Federal: e.g. CAN-SPAM, COPPA
• US States: e.g. Massachusetts (201 CMR 17.00), California (numerous…)
• US Regulatory Bodies: e.g. Federal Trade Commission, Federal Communications Commission
• Other Countries and Regions: e.g. EU Directive and GDPR, Canadian PIPEDA, China’s CPL

4. So Many, Many Differences Across Regulations
• The definition of ‘Personal’ data
• The definition of ‘Sensitive Personal’ data
• The definition of ‘Anonymized’ data (v. Pseudonymized)
• The definition of data ‘processing’ versus simply storing / managing personal data
• Pre-emption Focus (i.e. Who wins: State or Federal law?)
• The definition of a ‘Breach’ and what constitutes Breach Notification and Timing (and what
has to be included (or not) included in Breach notifications)
• The definition of ‘Secure’ and ‘Security’
• GDPR-specific requirements: Right to Erasure, Right to Halt Processing, Right to Transfer
between Data Controllers, etc.
• And so on…and on.

5. Eight Fair Information Practices and Principles
OECD (Organisation for Economic Co-Operation): Guidelines on the Protection of Privacy and Trans-border Flows
of Personal Data
- Annex to the Recommendation of the Council of 23rd September 1980
1. Collection Limitation Principle
There should be limits to the collection of personal data and any such data should be obtained by lawful (legitimate means) and fair
means and, where appropriate, with the knowledge or consent of the data subject.
2. Data Quality Principle
Personal data should be relevant to the purposes for which they are to be used, and, to the extent necessary for those purposes,
should be accurate, complete and kept up-to-date.
3. Purpose Specification Principle
The purposes for which personal data are collected (e.g. ‘processed’) … and the subsequent use(s) (are) limited to the fulfilment of
those purposes … and as are specified on each occasion of change of purpose.
4. Use Limitation Principle
Personal data should not be disclosed, made available or otherwise used (and processed) for purposes except:
• with the consent of the data subject; or
• by the authority of law.

6. Eight Fair Information Practices and Principles, cont.
5. Security Safeguards Principle
Personal data should be protected by reasonable security safeguards against such risks as loss or unauthorised access, destruction, use,
modification or disclosure of data.
6. Openness Principle
There should be a general policy of openness about developments, practices and policies with respect to personal data. Means should be
readily available of establishing the existence and nature of personal data, and the main purposes of their use, as well as the identity and
usual residence of the data controller.
7. Individual Participation Principle: An individual should have the right to:
• Obtain from a data controller, or otherwise, confirmation of whether or not the data controller has data relating to him;
• Have communicated to him, data relating to him within a reasonable time … in a reasonable manner; and in a form that is readily
intelligible to him;
• Be given reasons if a request is denied, and to be able to challenge such denial; and
• To challenge data relating to him and, if the challenge is successful to have the data erased, rectified, completed or amended.
8. Accountability Principle
A data <owner> should be accountable for complying with measures which give effect to the principles stated above.
• That is, have an effective data protection / privacy compliance program.

7. Some Other Common Privacy Regulatory Threads
1. Breach Handling
• Encryption (in transit/at rest): Your Get Out of Jail Free breach card!
2. Obligations of 3rd Party Processors
3. Enforcement and Penalties

8. Data Protection and Privacy. Nada New!
Data protection and privacy are the operationalization of:
• Information management
• Information governance
• Records Management
• Information Security
• (Very) standard compliance approaches
• Some IT functionality
• Good stewardship and Open Communications
• Which are all nothing new to anyone in this room
And if you need budget for data/content inventories, records management, security and
controls, etc.
Privacy is a great place to look for it.

9. Some Interesting GDPR Facts
1. A simple business email address or business phone number of an individual is considered personal information
under the GDPR. The US (federal or state-based laws) has no such rigorous standards.
2. The GDPR is different from most US privacy regulations in that it constrains how companies ‘process’ data on
the data subject, not just the data maintained/stored reagarding that data subject.
3. ‘Blinded data’ (defined as ‘Pseudonymized’ data in the GDPR) still falls under GDPR obligations. Anonymized data
does not.
4. There are numerous similarities between HIPAA and GDPR privacy obligations; if a HIPAA compliance program
exists, then a GDPR effort could leverage those efforts and resources.
5. A data breach notification timeframe under the GDPR, especially of sensitive data, provides for only 72 hours.
6. The GDPR has enormous impacts on IT systems’ functionalities. However, those impacts may be mitigated
through business processes based on risk tolerance and incident volumes.
7. Many of the channels of information transfer to the US (e.g. SCCs) will most likely be challenged in the CJEU in the
future.

10. Some Interesting GDPR Facts, cont.
8. Simply viewing EU resident personal data from the US (e.g. via a web browser) invokes the GDPR if that data is
stored in the EU.
9. Like many US regulations (e.g. HIPAA, again), the GDPR is the ‘ground floor’ of data protection regulations.
Individual member states will add their own data protection obligations, as well.
10. Information processing is not grandfathered. Data processing acceptable today may not be after May 25th 2018.
11. With all of this said, there are many derogations and exceptions to the GDPR requirements and obligations.
12. When an American travels to the EU after May 25th, they are covered by the GDPR!