Copyright © 2015 by Nymity Inc. All rights reserved | WWW.NYMITY.COM
Getting to Accountability
Maximizing your Global Privacy Management Program
Privacy & Security Forum, Washington DC - October 22, 2015
Introductions
CONSTANTINE KARBALIOTIS
CIPM, CIPP/C, CIPP/E, CIPP/US, CIPT
Vice President of Privacy Office Solutions – NYMITY
and former CPO
ANTONIS PATRIKIOS
PhD, CIPM, CIPP/E
Partner - Privacy, Security & Information Law, Fieldfisher
Accountability Defined

“an obligation or willingness to accept responsibility or to account for one's actions”
www.merriam-webster.com/dictionary/accountability

“the obligation of an individual or organization to account for its activities, accept responsibility for them, and to disclose the results in a transparent manner”
www.businessdictionary.com/definition/accountability.html
Evolution as a Privacy and Data Protection Principle

[Timeline of accountability milestones, 1980 to 2015 (axis marks: 1980, 2000, 2005, 2010, 2011, 2012, 2013, 2014, 2015):]
• OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)
• PIPEDA, Schedule 1, clause 4.1, Principle 1: Accountability
• APEC Privacy Framework
• Article 29 Data Protection Working Party Opinion 3/2010 on the Principle of Accountability (2010)
• U.S. Federal Trade Commission enforcement actions
• Canada: Getting Accountability Right with a Privacy Management Program
• OECD Revised Guidelines
• Colombia: Guide for the Implementation of Accountability in Organizations
• EU: General Data Protection Regulation
• Hong Kong: Privacy Management Programme Best Practice Guide
• Australia: Privacy Management Framework
New kid on the block: Accountability à la européenne
• Obligations for data “controllers” and data “processors”
• Apply to any company that offers goods or services to, or monitors the
behaviour of, EU residents
• Not enough to be compliant, also be able to evidence compliance
• As a minimum, this requires:
– keeping extensive documentation and records;
– implementing data security requirements;
– performing data protection impact assessments (DPIAs) in
certain cases;
– prior authorisation / consultation with the supervisory
authority in certain cases; and
– compulsory designation of a Data Protection Officer in certain
cases.
FTC – Elements of a Comprehensive Privacy Program
• FTC has stated that the Google Order is intended to “serve as a guide” to industry
 – Facebook Order similar
• Requirement to establish and maintain a comprehensive privacy program:
 – Designate an employee to be responsible for the privacy program
 – Identify reasonably foreseeable, material risks
 – Design and implement reasonable privacy controls and procedures
 – Regularly test or monitor the effectiveness of the safeguards’ key controls and procedures
 – Manage third-party risk through due diligence and contractual obligations
 – Evaluate and adjust the privacy program on an ongoing basis
Compliance – an Outcome of Accountability
“An accountable organization must have in place appropriate policies
and procedures that promote good practices which, taken as a whole,
constitute a privacy management program. The outcome is a
demonstrable capacity to comply, at a minimum, with applicable
privacy laws.”
The Office of the Privacy Commissioner of Canada (OPC), and the
Offices of the Information and Privacy Commissioners (OIPCs) of
Alberta and British Columbia
https://www.priv.gc.ca/information/guide/2012/gl_acc_201204_e.pdf
Accountability and Compliance
The evolving privacy landscape: a shift from Compliance toward Accountability

Compliance (Privacy Program Outcomes):
 – Laws and regulations
 – Enforcement actions
 – Binding Corporate Rules

Accountability (Privacy Program Infrastructure):
 – Responsibility
 – Ownership
 – Evidence

• Moving beyond simple compliance means a capacity to meet regulatory changes
• Accountability means doing things that yield the right results
Compliance on a global scale. Is it possible?
Traditional Compliance Assessment Approach
Assess compliance with each requirement individually: many regulatory requirements mapped to many privacy programs and activities.

Regulatory requirements (each with its own set of rules, Rule 1 to Rule 5):
 – UK Data Protection Act
 – Binding Corporate Rules
 – EU General Data Protection Regulation
 – Hong Kong Ordinance
 – Mexico Data Protection Act

Privacy programs and activities:
 – PHI Policies & Procedures
 – Audit and Monitoring
 – Training and Awareness
 – Company Policies and Procedures
 – Complaints and Investigations
 – Records Management
 – Information Security
 – Vendor Management
 – Human Resources
 – Legal
Fieldfisher’s principles of global privacy regulatory risk
1. The increasing value and production of data will inevitably
lead to more, and stricter, regulation.
2. Technology will always evolve, and sometimes disrupt.
3. Law and regulation will never catch up with technology.
4. Technology is global. Law and regulation are not.
5. So technology will never stay in compliance with law and
regulation.
6. The risk for businesses will increase.
7. Privacy regulators are resource-limited and cannot enforce
all the regulations they create.
8. The perceived impossibility of compliance will give rise to a
degree of tolerated non-compliance.
Fieldfisher’s principles of risk-based approach to compliance
1. Transnational, principle-based, accountable approach
2. Don’t cross the red lines
3. Risk of harm to individuals v benefit for individuals
4. Transparency is key - no surprises
5. Choice (consent when required by law)
6. Proportionality
7. Security
8. Manage the flashpoints: incident response; access requests
and other data subject rights; complaints; dispute resolution
9. Be prepared to justify and evidence your approach
Accountability Based Approach
Leverage evidence of accountability to demonstrate compliance: one accountable privacy program mapped to many regulatory requirements.

1. Evidence of Privacy Management Activities exists throughout the organization (within the Privacy Program as well as Operations).
2. Evidence is collected in a centralized repository, structured in line with the 13 Privacy Management Processes.
3. Evidence of Accountability is mapped to requirements, allowing the organization to demonstrate compliance with laws and regulations on demand, supported by evidence.

Regulatory requirements the evidence is mapped to (each with its own set of rules, Rule 1 to Rule 5):
 – UK Data Protection Act
 – Binding Corporate Rules
 – EU General Data Protection Regulation
 – Hong Kong Ordinance
 – Mexico Data Protection Act
Accountability Goes Above and Beyond Compliance

Accountability (the 13 Privacy Management Processes) set against Compliance (four regimes: BCR, UK, South Korea, Mexico). X = law/regulation contains compliance requirements related to the Privacy Management Process; the right-hand column gives how many of the four regimes are marked for each process.

# | Privacy Management Process | Regimes with related requirements (of BCR, UK, South Korea, Mexico)
1 | Maintain Governance Structure | all four
2 | Maintain Personal Data Inventory | all four
3 | Maintain Data Privacy Policy | all four
4 | Embed Data Privacy into Operations | all four
5 | Maintain Training and Awareness Program | three
6 | Manage Information Security Risk | all four
7 | Manage Third-Party Risk | all four
8 | Maintain Notices | all four
9 | Maintain Procedures for Inquiries and Complaints | all four
10 | Monitor for New Operational Practices | two
11 | Maintain a Data Privacy Breach Management Program | two
12 | Monitor Data Handling Practices | two
13 | Track External Criteria | one
Nymity’s Accountability Approach
https://www.nymity.com/getting-to-accountability.aspx
Nymity Accountability Status Workbook
Nymity Privacy Management Accountability Framework™

8. Maintain Notices: maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance

Privacy Management Activity | Status | Owner(s) | Resources to Implement / Maintain | Business Case | Core? (Y/N) | Evidence
Maintain a data privacy notice that details the organisation’s personal data handling policies | Implemented | Privacy Office | – | Compliance | Y | Privacy Notice
Provide data privacy notice at all points where personal data is collected | Implemented | Business Units | Identify all forms and contracts that collect personal data | Compliance | Y | PIA Guidelines, Templates
Provide notice by means of on-location signage, posters | N/A | | | | |
Provide notice in marketing communications (e.g. emails, flyers, offers) | Implemented | Marketing | – | Compliance | Y | Marketing Guidelines
Provide notice in all forms, contracts and terms | Desired | Business Units | Periodically review; have a process for new forms | Compliance | Y | Sample Language
Maintain scripts for use by employees to provide the data privacy notice | Desired | Privacy Office | Process update from Customer Service / Call Centre Team | Risk Management | N | Scripts; Call Centre Work Flow
Maintain a data privacy notice for employees (processing of employee personal data) | N/A | | | | |
Maintain a privacy Seal or Trustmark to increase customer trust | N/A | | | | |
Provide data privacy education to individuals (e.g. preventing identity theft) | Implemented | Business Units | – | Alignment with Business Objectives | N | Web Application Content
Accountability as a Framework for Privacy & Security
• For security, a basis for ‘talking’ to privacy:
 – activities focused
 – CIA + A: confidentiality, integrity and availability, plus accountability
• Provides a structure for linking security and privacy organizations
• Increasingly important as part of the joint goal of security and privacy: organizational accountability for data protection
Privacy Management Program Strategies
Documentation as Evidence
• The documentation to be used as evidence already exists: documentation is a by-product of implemented privacy management activities.
• You don’t create evidence just for the sake of demonstrating accountability/compliance. You just identify and log the evidence that already exists.

Privacy Management Activity | Evidence / Documentation
Maintain a data privacy policy | Data Privacy Policy
Integrate data privacy into e-mail monitoring practices | E-mail monitoring policy and procedure
Measure comprehension of data privacy concepts using exams | System-generated report of data privacy exam scores
Provide notice in all marketing communications (e.g. emails, flyers, offers) | Examples of e-mail marketing communications
Planning: Selection and Prioritization of Activities which demonstrate Accountability

1. Compliance with Laws and Regulations
 – Understanding expectations from privacy and data protection regulators
 – Understanding the law

2. Privacy Risk Management
 • Risk of harm to the individual data subject
 • Risk of enforcement due to non-compliance or complaints
 • Risk of unauthorized use of personal data
 • Risk of loss to the organization
 • Risk of breach due to stolen data
 • Risk of misuse of personal data
 • Risk of class-action lawsuit
 • And others (see page 48)

3. Select Activities Based on Business Objectives: align privacy management program strategy with organizational objectives such as:
 • Global expansion goals
 • Moving to paperless record keeping
 • Mergers and acquisitions
 • Competitive advantage
 • Product innovation
 • Cloud computing
 • Others?

4. Prioritize Based on Resources
 • Determine your resource profile
 • Leverage existing resources
 • Prioritize what can be supported
 • Prioritize what can be maintained
Use case
• You are the CPO of a US data analytics company with a global
customer base.
• Following the invalidation of the EU-US Safe Harbor by the CJEU, the
business has come under intense pressure from its EU customers and
prospects to provide an alternative solution.
• Negotiations on new deals have frozen and a key client has
said they will not commission new projects unless your
company can keep their data in the EU.
• Your CEO wants to hear the plan of action this evening.
• Use the Nymity workbook to solve the problem.
Application of Accountability Approach: Service Provider

2. Maintain Personal Data Inventory

Privacy Management Activity | Status | Owner(s) | Core? (Y/N) | Resources to Implement | Resources to Maintain | Business Case | Evidence
Maintain an inventory of key personal data holdings (what personal data is held and where) | Desired | Records Management | Y | Internal FTE / external consultant; technology to survey or scan | Internal FTE / external consultant; technology to survey or scan | Risk identification & mitigation; compliance; prerequisite to other activities | Inventory
Classify personal data holdings by type (e.g. sensitive, confidential, public) | Implemented | Risk & Compliance | Y | Internal FTE | Internal FTE | Supports business processes; risk mitigation; contract | Data Classification Policy; sample documents
Obtain approval for data processing (where prior approval is required) | N/A | | | | | |
Register databases with data protection authority (where registration is required) | N/A | | | | | |
Maintain flow charts for key data flows (e.g. between systems, between processes, between countries) | Desired | Information Technology | Y | Internal FTE; technology to survey or scan | Internal FTE; technology to survey or scan | Risk identification & mitigation; prerequisite to other activities | Flow charts
Maintain documentation for all cross-border data flows (e.g. country, mechanism used as a basis for the transfer such as Safe Harbor, model clauses, binding corporate rules, or approvals from data protection authorities) | Desired | Information Technology | Y | Internal FTE; business processes | Internal FTE; business processes | Risk identification & mitigation; prerequisite to other activities | Data Transfer Agreements (model clauses)
Use Binding Corporate Rules as a data transfer mechanism | N/A | | | | | |
Use Standard Contractual Clauses as a data transfer mechanism | Implemented | Legal | Y | Research subscriptions; internal FTE | Research subscriptions; internal FTE | Compliance; contract | Templates; procedural documents; repository of contracts
Use Cross-Border Privacy Rules as a data transfer mechanism | | | | | | |
Application of Accountability Approach: EU based customer

2. Maintain Personal Data Inventory

Privacy Management Activity | Status | Owner(s) | Core? (Y/N) | Resources to Implement | Resources to Maintain | Business Case | Evidence
Maintain an inventory of key personal data holdings (what personal data is held and where) | Desired | Records management / privacy function | Y | Internal FTE; external consultant; technology | Internal FTE; external consultant; technology | Understanding of information assets; risk mitigation; compliance; prerequisite | Inventory
Classify personal data holdings by type (e.g. sensitive, confidential, public) | Implemented | Privacy function; Legal; Risk & Compliance | Y | Internal FTE | Internal FTE | Understanding of information assets; exploitation; risk | Data classification policy
Obtain approval for data processing (where prior approval is required) | N/A | | | | | |
Register databases with data protection authority (where registration is required) | Implemented | Privacy function; Legal | Y | Internal FTE | Internal FTE | Compliance | DPA registration certificate
Maintain flow charts for key data flows (e.g. between systems, between processes, between countries) | Desired | Privacy function; Information Technology | Y | Internal FTE; technology | Internal FTE; technology | Risk identification & mitigation; data security; prerequisite | Flow charts
Maintain documentation for all cross-border data flows (e.g. country, mechanism used as a basis for the transfer such as Safe Harbor, model clauses, binding corporate rules, or approvals from data protection authorities) | Desired | Privacy function; Legal | Y | Internal FTE; external legal | Internal FTE; external legal | Risk identification & mitigation; compliance; prerequisite | PIA Report; Data Processing Agreements (model clauses)
Use Binding Corporate Rules as a data transfer mechanism | Desired | Privacy function; Legal | N | Internal FTE; external legal | Internal FTE; external legal | Data exploitation; compliance | BCR business case; BCR gap analysis; BCR documentation
Use Standard Contractual Clauses as a data transfer mechanism | Desired | Privacy function; Legal | Y | Internal FTE; external legal | Internal FTE; external legal | Data exploitation; compliance | Data Processing Agreements
Use Cross-Border Privacy Rules as a data transfer mechanism | | | | | | |
Conclusions
• Accountability yields a capacity to meet compliance and program
objectives that is inherently more flexible and powerful than ‘mere’
compliance
• Accountability is determined by what the organization prioritizes
and resources – not by an external standard of ‘what ought to be’
• Accountability helps the organization by ‘getting credit’ for
establishing a framework to yield the right results – even where
there are individual failures, it can be demonstrated they are not
systemic
• Accountability provides a common framework, language for
security and privacy professionals to enhance their respective
programs
• Accountability is therefore the main tool for taking a global risk-
based approach to privacy and data protection compliance
Update on enterprise social media risks
 
Data Loss During Downsizing
Data Loss During DownsizingData Loss During Downsizing
Data Loss During Downsizing
 
Data Safety And Security
Data Safety And SecurityData Safety And Security
Data Safety And Security
 

Último

8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptxPamelaAbegailMonsant2
 
一比一原版西澳大学毕业证学位证书
 一比一原版西澳大学毕业证学位证书 一比一原版西澳大学毕业证学位证书
一比一原版西澳大学毕业证学位证书SS A
 
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptxMunicipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptxSHIVAMGUPTA671167
 
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptxKEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptxRRR Chambers
 
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)Delhi Call girls
 
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdfBPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdflaysamaeguardiano
 
Essentials of a Valid Transfer.pptxmmmmmm
Essentials of a Valid Transfer.pptxmmmmmmEssentials of a Valid Transfer.pptxmmmmmm
Essentials of a Valid Transfer.pptxmmmmmm2020000445musaib
 
Transferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptxTransferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptx2020000445musaib
 
Chp 1- Contract and its kinds-business law .ppt
Chp 1- Contract and its kinds-business law .pptChp 1- Contract and its kinds-business law .ppt
Chp 1- Contract and its kinds-business law .pptzainabbkhaleeq123
 
PPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptxPPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptxRRR Chambers
 
一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书E LSS
 
Human Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxHuman Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxfilippoluciani9
 
CAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsCAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsAurora Consulting
 
INVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptxINVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptxnyabatejosphat1
 
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptxIBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptxRRR Chambers
 
一比一原版旧金山州立大学毕业证学位证书
 一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书SS A
 
Appeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdfAppeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdfPoojaGadiya1
 
COPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptxCOPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptxRRR Chambers
 
Shubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubham Wadhonkar
 

Último (20)

Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
Sensual Moments: +91 9999965857 Independent Call Girls Vasundhara Delhi {{ Mo...
 
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
8. SECURITY GUARD CREED, CODE OF CONDUCT, COPE.pptx
 
一比一原版西澳大学毕业证学位证书
 一比一原版西澳大学毕业证学位证书 一比一原版西澳大学毕业证学位证书
一比一原版西澳大学毕业证学位证书
 
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptxMunicipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
Municipal-Council-Ratlam-vs-Vardi-Chand-A-Landmark-Writ-Case.pptx
 
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptxKEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
KEY NOTE- IBC(INSOLVENCY & BANKRUPTCY CODE) DESIGN- PPT.pptx
 
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
WhatsApp 📞 8448380779 ✅Call Girls In Nangli Wazidpur Sector 135 ( Noida)
 
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdfBPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
BPA GROUP 7 - DARIO VS. MISON REPORTING.pdf
 
Essentials of a Valid Transfer.pptxmmmmmm
Essentials of a Valid Transfer.pptxmmmmmmEssentials of a Valid Transfer.pptxmmmmmm
Essentials of a Valid Transfer.pptxmmmmmm
 
Transferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptxTransferable and Non-Transferable Property.pptx
Transferable and Non-Transferable Property.pptx
 
Chp 1- Contract and its kinds-business law .ppt
Chp 1- Contract and its kinds-business law .pptChp 1- Contract and its kinds-business law .ppt
Chp 1- Contract and its kinds-business law .ppt
 
PPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptxPPT- Voluntary Liquidation (Under section 59).pptx
PPT- Voluntary Liquidation (Under section 59).pptx
 
一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书一比一原版牛津布鲁克斯大学毕业证学位证书
一比一原版牛津布鲁克斯大学毕业证学位证书
 
Human Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptxHuman Rights_FilippoLuciani diritti umani.pptx
Human Rights_FilippoLuciani diritti umani.pptx
 
CAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction FailsCAFC Chronicles: Costly Tales of Claim Construction Fails
CAFC Chronicles: Costly Tales of Claim Construction Fails
 
INVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptxINVOLUNTARY TRANSFERS Kenya school of law.pptx
INVOLUNTARY TRANSFERS Kenya school of law.pptx
 
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptxIBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
IBC (Insolvency and Bankruptcy Code 2016)-IOD - PPT.pptx
 
一比一原版旧金山州立大学毕业证学位证书
 一比一原版旧金山州立大学毕业证学位证书 一比一原版旧金山州立大学毕业证学位证书
一比一原版旧金山州立大学毕业证学位证书
 
Appeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdfAppeal and Revision in Income Tax Act.pdf
Appeal and Revision in Income Tax Act.pdf
 
COPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptxCOPYRIGHTS - PPT 01.12.2023 part- 2.pptx
COPYRIGHTS - PPT 01.12.2023 part- 2.pptx
 
Shubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptxShubh_Burden of proof_Indian Evidence Act.pptx
Shubh_Burden of proof_Indian Evidence Act.pptx
 

Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015

  • 1. Copyright © 2015 by Nymity Inc. All rights reserved | WWW.NYMITY.COM
    Getting to Accountability: Maximizing your Global Privacy Management Program
    Privacy & Security Forum, Washington DC - October 22, 2015

  • 2. Introductions
    CONSTANTINE KARBALIOTIS, CIPM, CIPP/C, CIPP/E, CIPP/US, CIPT
    Vice President of Privacy Office Solutions – NYMITY, and former CPO
    ANTONIS PATRIKIOS, PhD, CIPM, CIPP/E
    Partner - Privacy, Security & Information Law, Fieldfisher

  • 3. Accountability Defined
    “an obligation or willingness to accept responsibility or to account for one's actions” (www.merriam-webster.com/dictionary/accountability)
    “the obligation of an individual or organization to account for its activities, accept responsibility for them, and to disclose the results in a transparent manner” (www.businessdictionary.com/definition/accountability.html)

  • 4. Evolution as a Privacy and Data Protection Principle (timeline from 1980 to 2015)
    – Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
    – Article 29 Data Protection Working Party Opinion 3/2010 on the Principle of Accountability
    – PIPEDA Schedule 1, 4.1 Principle 1: Accountability
    – U.S. Federal Trade Commission Enforcement Actions
    – APEC Privacy Framework
    – Canada: Getting Accountability Right With a Privacy Management Program
    – OECD Revised Guidelines
    – Colombia: Guide for the Implementation of Accountability in Organizations
    – EU: General Data Protection Regulation
    – Hong Kong: Privacy Management Programme Best Practice Guide
    – Australia: Privacy Management Framework
    – EU: General Data Protection Regulation (appears a second time on the timeline)
    Timeline axis: 1980, 2000, 2005, 2010, 2011, 2012, 2013, 2014, 2015

  • 5. New kid on the block: Accountability à la européenne
    – Obligations for data “controllers” and data “processors”
    – Apply to any company that offers goods or services to, or monitors the behaviour of, EU residents
    – It is not enough to be compliant; you must also be able to evidence compliance
    – As a minimum, this requires:
      – keeping extensive documentation and records;
      – implementing data security requirements;
      – performing data protection impact assessments (DPIAs) in certain cases;
      – prior authorisation / consultation with the supervisory authority in certain cases; and
      – compulsory designation of a Data Protection Officer in certain cases.

  • 6. FTC – Elements of a Comprehensive Privacy Program
    – The FTC has stated that the Google Order is intended to “serve as a guide” to industry
       Facebook Order similar
    – Requirement to establish and maintain a comprehensive privacy program:
       Designate an employee to be responsible for the privacy program
       Identify reasonably foreseeable, material risks
       Design and implement reasonable privacy controls and procedures
       Regularly test or monitor the effectiveness of the safeguards’ key controls and procedures
       Manage third-party risk through due diligence and contractual obligations
       Evaluate and adjust the privacy program on an ongoing basis

  • 7. Compliance – an Outcome of Accountability
    “An accountable organization must have in place appropriate policies and procedures that promote good practices which, taken as a whole, constitute a privacy management program. The outcome is a demonstrable capacity to comply, at a minimum, with applicable privacy laws.”
    The Office of the Privacy Commissioner of Canada (OPC), and the Offices of the Information and Privacy Commissioners (OIPCs) of Alberta and British Columbia: https://www.priv.gc.ca/information/guide/2012/gl_acc_201204_e.pdf

  • 8. Accountability and Compliance: The evolving privacy landscape
    Shift toward accountability:
    – Compliance (Privacy Program Infrastructure):  Laws and regulations;  Enforcement actions;  Binding Corporate Rules
    – Accountability (Privacy Program Outcomes):  Responsibility;  Ownership;  Evidence
    – Moving beyond simple compliance means a capacity to meet regulatory changes
    – Accountability means doing things that yield the right results

  • 9. Compliance on a global scale. Is it possible?

  • 10. Traditional Compliance Assessment Approach: assess compliance with each requirement individually
    Many Regulatory Requirements, each with its own rules (Rule 1 to Rule 5):
    – UK Data Protection Act
    – Binding Corporate Rules
    – EU General Data Protection Reg.
    – Hong Kong Ordinance
    – Mexico Data Protection Act
    mapped to Many Privacy Programs & Activities:
    – PHI; Policies & Procedures; Audit and Monitoring; Training and Awareness; Company Policies and Procedures; Complaints and Investigations; Records Management; Information Security; Vendor Management; Human Resources; Legal

  • 11. Fieldfisher’s principles of global privacy regulatory risk
    1. The increasing value and production of data will inevitably lead to more, and stricter, regulation.
    2. Technology will always evolve, and sometimes disrupt.
    3. Law and regulation will never catch up with technology.
    4. Technology is global. Law and regulation are not.
    5. So technology will never stay in compliance with law and regulation.
    6. The risk for businesses will increase.
    7. Privacy regulators are resource-limited and cannot enforce all the regulations they create.
    8. The perceived impossibility of compliance will give rise to a degree of tolerated non-compliance.

  • 12. Fieldfisher’s principles of a risk-based approach to compliance
    1. Transnational, principle-based, accountable approach
    2. Don’t cross the red lines
    3. Risk of harm to individuals v benefit for individuals
    4. Transparency is key - no surprises
    5. Choice (consent when required by law)
    6. Proportionality
    7. Security
    8. Manage the flashpoints: incident response; access requests and other data subject rights; complaints; dispute resolution
    9. Be prepared to justify and evidence your approach

  • 13. Accountability Based Approach: leverage evidence of accountability to demonstrate compliance
    – Evidence of Privacy Management Activities exists throughout the organization (within the Privacy Program as well as Operations)
    – Evidence is collected in a centralized repository, structured in line with the 13 Privacy Management Processes
    – Evidence of Accountability is mapped to requirements, allowing the organization to Demonstrate Compliance with laws and regulations on demand, supported by Evidence
    One Accountable Privacy Program mapped to Many Regulatory Requirements (UK Data Protection Act, Binding Corporate Rules, EU General Data Protection Reg., Hong Kong Ordinance, Mexico Data Protection Act, each with Rule 1 to Rule 5)

  • 14. Accountability Goes Above and Beyond Compliance
    Privacy Management Processes, marked X for each law/regulation (BCR, UK, South Korea, Mexico) that contains compliance requirements related to the process; processes with fewer marks are where accountability goes beyond compliance:
    1. Maintain Governance Structure: X X X X
    2. Maintain Personal Data Inventory: X X X X
    3. Maintain Data Privacy Policy: X X X X
    4. Embed Data Privacy into Operations: X X X X
    5. Maintain Training and Awareness Program: X X X
    6. Manage Information Security Risk: X X X X
    7. Manage Third-Party Risk: X X X X
    8. Maintain Notices: X X X X
    9. Maintain Procedures for Inquiries and Complaints: X X X X
    10. Monitor for New Operational Practices: X X
    11. Maintain a Data Privacy Breach Management Program: X X
    12. Monitor Data Handling Practices: X X
    13. Track External Criteria: X

  • 16. Nymity’s Accountability Approach (https://www.nymity.com/getting-to-accountability.aspx)
    Nymity Accountability Status Workbook; Nymity Privacy Management Accountability Framework™
    Workbook columns: Privacy Management Processes and Activities; Status; Owner(s); Resources to Implement; Resources to Maintain; Business Case; Core? (Y/N); Description/Comment; Evidence
    Example, process 8. Maintain Notices: maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance
    – Maintain a data privacy notice that details the organisation’s personal data handling policies: Implemented; Privacy Office; Compliance; Y; Evidence: Privacy Notice
    – Provide data privacy notice at all points where personal data is collected: Implemented; Business Units; Identify all forms and contracts that collect personal data; Compliance; Y; Evidence: PIA Guidelines, Templates
    – Provide notice by means of on-location signage, posters: N/A
    – Provide notice in marketing communications (e.g. emails, flyers, offers): Implemented; Marketing; Compliance; Y; Evidence: Marketing Guidelines
    – Provide notice in all forms, contracts and terms: Desired; Business Units; Periodically review. Have a process for new forms.; Compliance; Y; Evidence: Sample Language
    – Maintain scripts for use by employees to provide the data privacy notice: Desired; Privacy Office; Process update from Customer Service/Call Centre Team; Risk Management; N; Evidence: Scripts, Call Centre Work Flow
    – Maintain a data privacy notice for employees (processing of employee personal data): N/A
    – Maintain a privacy Seal or Trustmark to increase customer trust: N/A
    – Provide data privacy education to individuals (e.g. preventing identity theft): Implemented; Business Units; Alignment with Business Objectives; N; Evidence: Web Application Content

  • 17. Accountability as a Framework for Privacy & Security
    – For security, a basis for ‘talking’ to privacy
      – Activities focused
      – CIA+A – accountability
    – Provides a structure for linking security and privacy organizations
    – Increasingly important as part of the joint goal of security and privacy to get organizational accountability for data protection

  • 18. Privacy Management Program Strategies

  • 19. Documentation as Evidence
    – The documentation to be used as evidence already exists: documentation is a by-product of implemented privacy management activities.
    – You don’t create evidence just for the sake of demonstrating accountability/compliance. You just identify and log the evidence that already exists.
    Privacy Management Activities and their Evidence/Documentation:
    – Maintain a data privacy policy: Data Privacy Policy
    – Integrate data privacy into e-mail monitoring practices: E-mail monitoring policy and procedure
    – Measure comprehension of data privacy concepts using exams: System-generated report of data privacy exam scores
    – Provide notice in all marketing communications (e.g. emails, flyers, offers): Examples of e-mail marketing communications

  • 20. Planning: Selection and Prioritization of Activities which demonstrate Accountability
    – Compliance with Laws and Regulations: Understanding the Law; Understanding Expectations from Privacy and Data Protection Regulators
    – Privacy Risk Management: Risk of harm to the individual data subject; Risk of enforcement due to non-compliance or complaints; Risk of unauthorized use of personal data; Risk of loss to the organization; Risk of breach due to stolen data; Risk of misuse of personal data; Risk of class-action lawsuit; and others (see page 48)
    – Select Activities Based on Business Objectives: align privacy management program strategy with organizational objectives such as global expansion goals; moving to paperless record keeping; mergers and acquisitions; competitive advantage; product innovation; cloud computing; others?
    – Prioritize Based on Resources: determine your resource profile; leverage existing resources; prioritize what can be supported; prioritize what can be maintained

  • 21. Use case
    – You are the CPO of a US data analytics company with a global customer base.
    – Following the invalidation of the EU-US Safe Harbor by the CJEU, the business has come under intense pressure from its EU customers and prospects to provide an alternative solution.
    – Negotiations on new deals have frozen and a key client has said they will not commission new projects unless your company can keep their data in the EU.
    – Your CEO wants to hear the plan of action this evening.
    – Use the Nymity workbook to solve the problem.

  • 22. Application of Accountability Approach: Service Provider
    Process 2. Maintain Personal Data Inventory (columns: Status; Owner(s); Core? (Y/N); Resources to Implement; Resources to Maintain; Business Case; Evidence):
    – Maintain an inventory of key personal data holdings (what personal data is held and where): Desired; Records Management; Y; Internal FTE/External Consultant, technology to survey or scan; Internal FTE/External Consultant, technology to survey or scan; Risk identification & mitigation, compliance, prerequisite to other activities; Evidence: Inventory
    – Classify personal data holdings by type (e.g. sensitive, confidential, public): Implemented; Risk & Compliance; Y; Internal FTE; Internal FTE; Supports business processes, risk mitigation, contract; Evidence: Data Classification Policy, Sample documents
    – Obtain approval for data processing (where prior approval is required): N/A
    – Register databases with data protection authority (where registration is required): N/A
    – Maintain flow charts for key data flows (e.g. between systems, between processes, between countries): Desired; Information Technology; Y; Internal FTE, technology to survey or scan; Internal FTE, technology to survey or scan; Risk identification & mitigation, prerequisite to other activities; Evidence: Flow Charts
    – Maintain documentation for all cross-border data flows (e.g. country, mechanism used as a basis for the transfer such as Safe Harbor, model clauses, binding corporate rules, or approvals from data protection authorities): Desired; Information Technology; Y; Internal FTE, business processes; Internal FTE, business processes; Risk identification & mitigation, prerequisite to other activities; Evidence: Data Transfer Agreements (model clause)
    – Use Binding Corporate Rules as a data transfer mechanism: N/A
    – Use Standard Contractual Clauses as a data transfer mechanism: Implemented; Legal; Y; Research subscriptions, internal FTE; Research subscriptions, internal FTE; Compliance, contract; Evidence: Templates, Procedural documents, Repository of contracts
    – Use Cross-Border Privacy Rules as a data transfer mechanism: (not completed)

  • 23. Application of Accountability Approach: EU based customer
    Process 2. Maintain Personal Data Inventory (columns: Status; Owner(s); Core? (Y/N); Resources to Implement; Resources to Maintain; Business Case; Evidence):
    – Maintain an inventory of key personal data holdings (what personal data is held and where): Desired; Records management / privacy function; Y; Internal FTE, External consultant, Technology; Internal FTE, External consultant, Technology; Understanding of information assets, Risk mitigation, Compliance, Prerequisite; Evidence: Inventory
    – Classify personal data holdings by type (e.g. sensitive, confidential, public): Implemented; Privacy function, Legal, Risk & Compliance; Y; Internal FTE; Internal FTE; Understanding of information assets, Exploitation, Risk; Evidence: Data classification policy
    – Obtain approval for data processing (where prior approval is required): N/A
    – Register databases with data protection authority (where registration is required): Implemented; Privacy function, Legal; Y; Internal FTE; Internal FTE; Compliance; Evidence: DPA registration certificate
    – Maintain flow charts for key data flows (e.g. between systems, between processes, between countries): Desired; Privacy function, Information Technology; Y; Internal FTE, Technology; Internal FTE, Technology; Risk identification & mitigation, data security, Prerequisite; Evidence: Flow charts
    – Maintain documentation for all cross-border data flows (e.g. country, mechanism used as a basis for the transfer such as Safe Harbor, model clauses, binding corporate rules, or approvals from data protection authorities): Desired; Privacy function, Legal; Y; Internal FTE, External Legal; Internal FTE, External Legal; Risk identification & mitigation, Compliance, Prerequisite; Evidence: PIA Report, Data Processing Agreements (Model Clauses)
    – Use Binding Corporate Rules as a data transfer mechanism: Desired; Privacy function, Legal; N; Internal FTE, External Legal; Internal FTE, External Legal; Data exploitation, Compliance; Evidence: BCR business case, BCR Gap Analysis, BCR documentation
    – Use Standard Contractual Clauses as a data transfer mechanism: Desired; Privacy function, Legal; Y; Internal FTE, External Legal; Internal FTE, External Legal; Data exploitation, Compliance; Evidence: Data Processing Agreements
    – Use Cross-Border Privacy Rules as a data transfer mechanism: (not completed)

  • 24. Conclusions
    – Accountability yields a capacity to meet compliance and program objectives that is inherently more flexible and powerful than ‘mere’ compliance
    – Accountability is determined by what the organization prioritizes and resources – not by an external standard of ‘what ought to be’
    – Accountability helps the organization by ‘getting credit’ for establishing a framework to yield the right results – even where there are individual failures, it can be demonstrated that they are not systemic
    – Accountability provides a common framework and language for security and privacy professionals to enhance their respective programs
    – Accountability is therefore the main tool for taking a global risk-based approach to privacy and data protection compliance