Munich, May 2019
The Ripple
Effect of
GDPR in
North America:
What’s Ahead
of us with
CxPA?
To keep in touch:
https://twitter.com/IdentityMonk
https://ca.linkedin.com/in/jflombardo
Or as a member of:
14 years of expertise in Data Protection
40+ projects establishing trusted ecosystems:
▪ Strong Authentication,
▪ Identity Management,
▪ Access Governance,
▪ Information Protection.
Security specialist @ EXFO, R&D
Welcome
I consent
First you need some information about my presentation:
This presentation is brought to you by me.
It does not represent the views of my past/present employers.
It does not represent the views of past/present associations I am or was a part of.
Any legislative citation comes from the public repository of the legal frameworks.
Anything else is cited if not from me.
• CaCPA: https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
• CDPA: https://www.wyden.senate.gov/imo/media/doc/Wyden Privacy Bill Discussion Draft Nov 1.pdf
• Vermont's Act 171: https://ago.vermont.gov/wp-content/uploads/2018/12/2018-12-11-VT-Data-Broker-Regulation-Guidance.pdf
• GDPR: https://gdpr.eu/tag/gdpr/
2017 was: Be ready for ripples
GDPR is just a first step…
▪ Russia Data Privacy Laws are operational
▪ Australia Data Privacy Laws are operational
▪ <Insert your country> Data Laws are coming
▪ China Data Privacy Laws are drafted
(*) If you want to build a ship, don’t
drum up the men to gather wood,
divide the work and give orders.
Instead, teach them to yearn for the vast
and endless sea.
—Antoine de Saint-Exupéry
If you want to build Digital Economy,
don't drum up the men to write code,
do it Agile and SCRUM. Instead, teach
them to yearn for the secure by design
and privacy by default benefits.
—Some inspired* Privacy Practitioner
With a regulation dating back to 2010, enforcement started with a first phase covering banks in 2019; telcos will be next.
Rapidly growing its cybersecurity law framework, it has officially covered e-commerce since January 1st 2019.
Building on its 2014 rules, the Russian Federation answered GDPR's enactment with more stringent controls.
Growing on top of GDPR, the EU is looking at guidelines on GDPR's territorial scope, guidance on certifications and cross-border transfers, and regulations on non-personal data.
In the meantime,
in the US…
things were more
complicated
▪ Senator Ron Wyden (Oregon) and his bill for the "Consumer Data Protection Act" (CDPA)
▪ 2018's "California Consumer Privacy Act" (CaCPA), enforceable on January 1st 2020
▪ Vermont's Act 171 of 2018 on Data Broker Regulation
What defines personal data? (CDPA / CaCPA / GDPR)
▪ Household data
▪ Names
▪ Race
▪ Color
▪ National origin
▪ Religion
▪ Trade union membership
▪ Genetic data
▪ Biometric data
▪ Health
▪ Gender
▪ Gender history
▪ Sexuality
▪ Criminal convictions
▪ Arrests
▪ Identification number (permanent or transient)
▪ Location data (physical but also transient, like GPS)
▪ Online activity (IP address, cookie, etc.)
▪ Inferred information that can reasonably identify
▪ History of purchased goods or services
▪ Employment data
▪ Audio, electronic, visual, thermal, olfactory information
▪ Children
▪ Legal persons
▪ Deceased persons
▪ Education data
▪ Publicly available information
▪ Reidentifiable data
Which data subject is concerned? (CDPA / CaCPA / GDPR)
▪ GDPR: European resident
▪ CDPA: any individual consumer or device
▪ CaCPA: people and households resident of the state of California
Which org must comply? (CDPA / CaCPA / GDPR)
▪ GDPR: any organization that controls and/or processes personal data of protected subjects
▪ CDPA: a person, partnership or corporation under the jurisdiction of the Federal Trade Commission, with a 3-year gross revenue of at least 50 000 000$ and personal information concerning 1 000 000+ data subjects
▪ CaCPA: a for-profit entity meeting at least one of the following thresholds: an annual gross revenue of 25 000 000$ or more; 50% or more of its revenue derived from selling personal information; personal information concerning 50 000+ data subjects (consumers, households or devices)
Which operations are controlled? (CDPA / CaCPA / GDPR)
▪ Data selling
▪ Data processing
▪ Explicit data processing
▪ Non-automated processing
▪ Sharing with a 3rd party
▪ Inferred data processing
▪ High-risk automated decision systems
▪ Lease / rental
CaCPA does not regulate data sharing that follows an opt-out, or that is a natural requirement for the product/service to be delivered.
GDPR and CDPA recognize exceptions for some organizations: those with no profit-oriented business that are neither data brokers nor commercial entities, and historical or statistical oriented entities.
Who are the concerned actors? (CDPA / CaCPA / GDPR)
▪ Data Controller / For-profit business
▪ Data Processor / Service Provider
▪ State Privacy Agency / California Attorney General
▪ DPO
▪ Consumer Privacy Fund
▪ Federal Trade Commission
▪ Executive capacity
▪ Third party
▪ Covered entity
How to manage consent? (CDPA / CaCPA / GDPR)
▪ GDPR: opt-out by default (no processing on the basis of consent until it is given), and must propose a simple, understandable, enlightened consent collection [renewed every 6 months]
▪ CDPA: opt-out by default, and must propose a simple, understandable, enlightened consent collection [renewed every 2 years]
▪ CaCPA: opt-in by default, and must propose an opt-out [but only for the selling of data]
Is documentation mandatory? (CDPA / CaCPA / GDPR)
▪ GDPR: data processing must be described and assessed in terms of risks and impacts, and must be explained to the data subject
▪ CDPA: data processing must be described and assessed in terms of risks and impacts
▪ CaCPA: no data processing documentation is explicitly required, but data processing events must be logged
Is there a right to data export? (CDPA / CaCPA / GDPR)
Data can be exported upon a subject request; data should be humanly readable and portable.
Export shall be done within:
▪ CaCPA: 45-90 days
▪ GDPR: 30-90 days
▪ CDPA: 30 days
Export is:
▪ CaCPA: free, max twice a year, 365 days of history, limited to the Controller
▪ GDPR: potentially free, unlimited
▪ CDPA: free, unlimited
What about the right to be forgotten? (CDPA / CaCPA / GDPR)
Data must be erased upon request of the data subject; the Controller must govern the global erasure process.
Controller must comply within:
▪ CaCPA: 45-90 days
▪ GDPR: 30-90 days
▪ CDPA: 0 (new) - 30 (existing) days
Erasure shall be free of charge.
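The export and erasure rights on the two slides above are what a controller's request-handling code actually has to implement. What follows is an added example, not code from the presentation: a Python sketch in which the controller exports a subject's holdings as one portable, human-readable JSON document, then orchestrates erasure across its own store and every processor copy, re-verifies rather than trusting each processor's reply, and issues a receipt against the outer response window taken from the slides. The store names, record layouts, subject id and the billing processor under legal hold are all constructed for the example; the response windows are assumptions (upper bounds per regime, ignoring extensions and exact triggers).

```python
"""Data subject request handling: export as portable JSON, then erasure
orchestrated by the controller across every store holding the subject's
data, with a verification pass and a receipt.

Added example, not from the presentation. Stores, records and the legal-hold
processor are constructed; response windows are assumed upper bounds.
"""
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import date, timedelta

# Outer response windows in days as summarised on the slides (assumption:
# we track the upper bound; extensions and exact triggers vary per regime).
RESPONSE_WINDOW_DAYS = {"GDPR": 90, "CaCPA": 90, "CDPA": 30}


@dataclass
class Store:
    """A hypothetical data holding: the controller's own DB or a processor copy."""
    name: str
    records: dict[str, dict] = field(default_factory=dict)  # subject_id -> data
    legal_hold: bool = False  # a processor that may not erase (retention duty)

    def holds(self, subject_id: str) -> bool:
        return subject_id in self.records

    def export(self, subject_id: str) -> dict | None:
        return self.records.get(subject_id)

    def erase(self, subject_id: str) -> bool:
        """Return True only when the data is actually gone from this store."""
        if self.legal_hold:
            return False
        self.records.pop(subject_id, None)
        return True


class Controller:
    """The controller governs the whole process: it fans out to processors,
    verifies the outcome itself and issues a receipt, instead of trusting
    each processor's 'done' reply."""

    def __init__(self, primary: Store, processors: list[Store]):
        self.stores = [primary, *processors]

    def deadline(self, regime: str, received: date) -> date:
        return received + timedelta(days=RESPONSE_WINDOW_DAYS[regime])

    def holdings(self, subject_id: str) -> dict:
        """Everything held on the subject, keyed by the store that holds it."""
        return {s.name: s.export(subject_id) for s in self.stores if s.holds(subject_id)}

    def handle_export(self, subject_id: str) -> str:
        # Portable and human-readable: one JSON document, stable key order.
        return json.dumps(self.holdings(subject_id), indent=2, sort_keys=True)

    def handle_erasure(self, subject_id: str, regime: str, received: date, today: date) -> dict:
        attempted = {s.name: s.erase(subject_id) for s in self.stores}
        # Verification pass: re-check every store rather than trusting erase().
        residual = [s.name for s in self.stores if s.holds(subject_id)]
        due = self.deadline(regime, received)
        return {
            "subject_id": subject_id,
            "regime": regime,
            "erased_from": sorted(n for n, ok in attempted.items() if ok),
            "residual": residual,          # where the process is stuck
            "complete": not residual,
            "deadline": due.isoformat(),
            "on_time": today <= due,
        }


def build_demo() -> Controller:
    """Constructed sample holdings for one subject (not real records)."""
    crm = Store("crm", {"u-42": {"name": "A. Subject", "email": "a@example.invalid"}})
    analytics = Store("analytics", {"u-42": {"ip": "203.0.113.7", "cookie": "c0ffee"}})
    billing = Store("billing", {"u-42": {"invoices": 3}}, legal_hold=True)
    return Controller(crm, [analytics, billing])


def run_demo() -> tuple[dict, dict]:
    """Walk-through on the constructed data: export first, then erase."""
    controller = build_demo()
    holdings = controller.holdings("u-42")
    receipt = controller.handle_erasure(
        "u-42", "GDPR", received=date(2019, 5, 1), today=date(2019, 5, 20)
    )
    return holdings, receipt


if __name__ == "__main__":
    demo = build_demo()
    print(demo.handle_export("u-42"))
    print(json.dumps(run_demo()[1], indent=2))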
Is breach notification mandatory? (CDPA / CaCPA / GDPR)
▪ GDPR: within 72 hours after detection
▪ CDPA: through the annual reporting to the FTC
▪ CaCPA: such requirements are not covered by CaCPA but by the California Civil Code
How much for a penalty? (CDPA / CaCPA / GDPR)
▪ GDPR: depending on the violation, up to 2% of global annual turnover or 10M€, or up to 4% of global annual turnover or 20M€ (whichever is higher in each tier)
▪ CDPA: 50 000$ for each violation, as a sum, or 4% of the annual gross revenue
▪ CaCPA: 2 500$ for each violation, 7 500$ for each intentional violation
Some specificities of CaCPA
▪ The subject has a right to equal service and price even when opting out
▪ Anonymization / deidentification of the data is not mandatory if reidentification mechanisms are in place
▪ Child data processed by a Controller without its knowledge (that the subject is a child) is covered by an exception
▪ Processors must notify the data subject if they sell their data
Some specificities of CDPA
▪ Explicitly targets machine learning / artificial intelligence processing
▪ Looks ahead by identifying covered assets as soon as they represent a high risk for the privacy or security of PII
▪ Enforces the publication of an annual report to the FTC for all covered entities
▪ Enforces criminal penalties for the signatory of the report (CIO, CISO, CTO and/or CFO): up to 5 000 000$ or 25% of the salary over the last 3 years
Even if there will be specificities to deal with, this will also ease the complexity of the US market until a Federal law emerges.
1. DPO is a great role that should be a part of every organization, under GDPR scope or not.
2. Being compliant with GDPR always helps with new privacy regulations: assume the most stringent requirements to ease your global compliance.
3. CIO, CISO, CTO and CFO won't be able to exonerate themselves from the compliance process.
CDPA is still a draft that has a long way to go to reach the federal scope it aims for.
CaCPA is challenged by the GAFA, ingesting amendments that undermine its initial purpose.