Getting to Accountability Karbaliotis and Patrikios-Oct 22 2015
Constantine Karbaliotis
Presented at the Security and Privacy Academy 2015
1.
Copyright © 2015 by Nymity Inc. All rights reserved | WWW.NYMITY.COM
Getting to Accountability: Maximizing your Global Privacy Management Program
Privacy & Security Forum, Washington DC - October 22, 2015
2.
Introductions
CONSTANTINE KARBALIOTIS, CIPM, CIPP/C, CIPP/E, CIPP/US, CIPT
Vice President of Privacy Office Solutions – NYMITY and former CPO
ANTONIS PATRIKIOS, PhD, CIPM, CIPP/E
Partner - Privacy, Security & Information Law, Fieldfisher
3.
Accountability Defined
“an obligation or willingness to accept responsibility or to account for one's actions” (www.merriam-webster.com/dictionary/accountability)
“the obligation of an individual or organization to account for its activities, accept responsibility for them, and to disclose the results in a transparent manner” (www.businessdictionary.com/definition/accountability.html)
4.
Evolution as a Privacy and Data Protection Principle (timeline from 1980 to 2015)
Guidelines on the Protection of Privacy and Transborder Flows of Personal Data
Article 29 Data Protection Working Party Opinion 3/2010 on the Principle of Accountability
PIPEDA Schedule 1, 4.1 Principle 1: Accountability
U.S. Federal Trade Commission Enforcement Actions
APEC Privacy Framework
Canada: Getting Accountability Right With a Privacy Management Program
OECD Revised Guidelines
Colombia: Guide for the Implementation of Accountability in Organizations
EU: General Data Protection Regulation
Hong Kong: Privacy Management Programme Best Practice Guide
Australia: Privacy Management Framework
EU: General Data Protection Regulation
Timeline axis: 1980, 2000, 2005, 2010, 2011, 2012, 2013, 2014, 2015
5.
New kid on the block: Accountability à la européenne
• Obligations for data “controllers” and data “processors”
• Apply to any company that offers goods or services to, or monitors the behavior of, EU residents
• Not enough to be compliant; the organization must also be able to evidence compliance
• As a minimum, this requires:
– keeping extensive documentation and records;
– implementing data security requirements;
– performing data protection impact assessments (DPIAs) in certain cases;
– prior authorisation / consultation with the supervisory authority in certain cases; and
– compulsory designation of a Data Protection Officer in certain cases.
6.
FTC – Elements of a Comprehensive Privacy Program
• FTC has stated that the Google Order is intended to “serve as a guide” to industry; the Facebook Order is similar
• Requirement to establish and maintain a comprehensive privacy program:
– Designate an employee to be responsible for the privacy program
– Identify reasonably-foreseeable, material risks
– Design and implement reasonable privacy controls and procedures
– Regularly test or monitor the effectiveness of the safeguards’ key controls and procedures
– Manage third-party risk through due diligence and contractual obligations
– Evaluate and adjust the privacy program on an ongoing basis
7.
Compliance – an Outcome of Accountability
“An accountable organization must have in place appropriate policies and procedures that promote good practices which, taken as a whole, constitute a privacy management program. The outcome is a demonstrable capacity to comply, at a minimum, with applicable privacy laws.”
The Office of the Privacy Commissioner of Canada (OPC), and the Offices of the Information and Privacy Commissioners (OIPCs) of Alberta and British Columbia
https://www.priv.gc.ca/information/guide/2012/gl_acc_201204_e.pdf
8.
Accountability and Compliance
Figure: the evolving privacy landscape, a shift from COMPLIANCE toward ACCOUNTABILITY. Labels on the figure: Privacy Program Infrastructure, Laws and regulations, Enforcement actions, Binding Corporate Rules, Responsibility, Ownership, Evidence, Privacy Program Outcomes.
• Moving beyond simple compliance means a capacity to meet regulatory changes
• Accountability means doing things that yield the right results
9.
Compliance on a global scale. Is it possible?
10.
Traditional Compliance Assessment Approach: assess compliance with each requirement individually
Figure: many regulatory requirements (UK Data Protection Act, Binding Corporate Rules, EU General Data Protection Reg., Hong Kong Ordinance, Mexico Data Protection Act, each shown as Rule 1 to Rule 5) mapped one by one to many privacy programs and activities (PHI Policies & Procedures, Audit and Monitoring, Training and Awareness, Company Policies and Procedures, Complaints and Investigations, Records Management, Information Security, Vendor Management, Human Resources, Legal).
11.
Fieldfisher’s principles of global privacy regulatory risk
1. The increasing value and production of data will inevitably lead to more, and stricter, regulation.
2. Technology will always evolve, and sometimes disrupt.
3. Law and regulation will never catch up with technology.
4. Technology is global. Law and regulation are not.
5. So technology will never stay in compliance with law and regulation.
6. The risk for businesses will increase.
7. Privacy regulators are resource-limited and cannot enforce all the regulations they create.
8. The perceived impossibility of compliance will give rise to a degree of tolerated non-compliance.
12.
Fieldfisher’s principles of risk-based approach to compliance
1. Transnational, principle-based, accountable approach
2. Don’t cross the red lines
3. Risk of harm to individuals v benefit for individuals
4. Transparency is key - no surprises
5. Choice (consent when required by law)
6. Proportionality
7. Security
8. Manage the flashpoints: incident response; access requests and other data subject rights; complaints; dispute resolution
9. Be prepared to justify and evidence your approach
13.
Accountability Based Approach
Leverage evidence of accountability to demonstrate compliance:
• Evidence of Privacy Management Activities exists throughout the organization (within the Privacy Program as well as Operations).
• Evidence is collected in a centralized repository, structured in line with the 13 Privacy Management Processes.
• Evidence of Accountability is mapped to requirements, allowing the organization to Demonstrate Compliance with laws and regulations on-demand, supported by Evidence.
Figure: One Accountable Privacy Program mapped to Many Regulatory Requirements (UK Data Protection Act, Binding Corporate Rules, EU General Data Protection Reg., Hong Kong Ordinance, Mexico Data Protection Act, each shown as Rule 1 to Rule 5).
14.
Accountability Goes Above and Beyond Compliance
Legend: X = law/regulation contains compliance requirements related to the Privacy Management Process. Columns: BCR | UK | South Korea | Mexico.
Privacy Management Processes:
1 Maintain Governance Structure: X X X X
2 Maintain Personal Data Inventory: X X X X
3 Maintain Data Privacy Policy: X X X X
4 Embed Data Privacy into Operations: X X X X
5 Maintain Training and Awareness Program: X X X
6 Manage Information Security Risk: X X X X
7 Manage Third-Party Risk: X X X X
8 Maintain Notices: X X X X
9 Maintain Procedures for Inquiries and Complaints: X X X X
10 Monitor for New Operational Practices: X X
11 Maintain a Data Privacy Breach Management Program: X X
12 Monitor Data Handling Practices: X X
13 Track External Criteria: X
Processes marked in fewer than four columns are required by only some of these regimes; the full set of 13 processes (Accountability) extends beyond what any single regime requires (Compliance).
15.
(image slide; no text)
16.
Nymity’s Accountability Approach
https://www.nymity.com/getting-to-accountability.aspx
Nymity Accountability Status Workbook, based on the Nymity Privacy Management Accountability Framework™
Columns: Privacy Management Processes and Activities | Status | Owner(s) | Resources to Implement | Resources to Maintain | Business Case | Core? (Y/N) | Description/Comment | Evidence
8. Maintain Notices: Maintain notices to individuals consistent with the data privacy policy, legal requirements, and operational risk tolerance
• Maintain a data privacy notice that details the organisation’s personal data handling policies: Implemented | Privacy Office | Business Case: Compliance | Core: Y
• Provide data privacy notice at all points where personal data is collected: Implemented | Business Units | Comment: Identify all forms and contracts that collect personal data | Business Case: Compliance | Core: Y
• Provide notice by means of on-location signage, posters: N/A
• Provide notice in marketing communications (e.g. emails, flyers, offers): Implemented | Marketing | Business Case: Compliance | Core: Y
• Provide notice in all forms, contracts and terms: Desired | Business Units | Comment: Periodically review. Have a process for new forms. | Business Case: Compliance | Core: Y
• Maintain scripts for use by employees to provide the data privacy notice: Desired | Privacy Office | Comment: Process update from Customer Service/Call Centre Team | Business Case: Risk Management | Core: N
• Maintain a data privacy notice for employees (processing of employee personal data): N/A
• Maintain a privacy Seal or Trustmark to increase customer trust: N/A
• Provide data privacy education to individuals (e.g. preventing identity theft): Implemented | Business Units | Business Case: Alignment with Business Objectives | Core: N
Evidence column entries, in slide order: Privacy Notice; PIA Guidelines, Templates; Marketing Guidelines; Sample Language; Scripts; Call Centre Work Flow; Web Application Content
17.
Accountability as a Framework for Privacy & Security
• For security, a basis for ‘talking’ to privacy
– Activities focused
– CIA+A – accountability
• Provides a structure for linking security and privacy organizations
• Increasingly important as part of the joint goal of security and privacy: obtaining organizational accountability for data protection
18.
Privacy Management Program Strategies
19.
Documentation as Evidence
• The documentation to be used as evidence already exists: documentation is a by-product of implemented privacy management activities.
• You don’t create evidence just for the sake of demonstrating accountability/compliance. You just identify and log the evidence that already exists.
Privacy Management Activities and their Evidence/Documentation:
• Maintain a data privacy policy: Data Privacy Policy
• Integrate data privacy into e-mail monitoring practices: E-mail monitoring policy and procedure
• Measure comprehension of data privacy concepts using exams: System-generated report of data privacy exam scores
• Provide notice in all marketing communications (e.g. emails, flyers, offers): Examples of e-mail marketing communications
20.
Planning: Selection and Prioritization of Activities which demonstrate Accountability
Compliance with Laws and Regulations; Privacy Risk Management (Understanding the Law; Understanding Expectations from Privacy and Data Protection Regulators). Risks considered:
• Risk of harm to the individual data subject
• Risk of enforcement due to non-compliance or complaints
• Risk of unauthorized use of personal data
• Risk of loss to the organization
• Risk of breach due to stolen data
• Risk of misuse of personal data
• Risk of class-action lawsuit
• And others (see page 48)
Select Activities Based on Business Objectives: align privacy management program strategy with organizational objectives such as:
• Global expansion goals
• Moving to paperless record keeping
• Mergers and acquisitions
• Competitive advantage
• Product innovation
• Cloud computing
• Others?
Prioritize Based on Resources:
• Determine your resource profile
• Leverage existing resources
• Prioritize what can be supported
• Prioritize what can be maintained
21.
Use case
• You are the CPO of a US data analytics company with a global customer base.
• Following the invalidation of the EU-US Safe Harbor by the CJEU, the business has come under intense pressure from its EU customers and prospects to provide an alternative solution.
• Negotiations on new deals have frozen and a key client has said they will not commission new projects unless your company can keep their data in the EU.
• Your CEO wants to hear the plan of action this evening.
• Use the Nymity workbook to solve the problem.
22.
Application of Accountability Approach: Service Provider
2. Maintain Personal Data Inventory
Columns: Status | Owner(s) | Core? (Y/N) | Resources to Implement | Resources to Maintain | Business Case | Evidence
• Maintain an inventory of key personal data holdings (what personal data is held and where): Desired | Records Management | Y | Internal FTE/External Consultant, technology to survey or scan | Internal FTE/External Consultant, technology to survey or scan | Risk identification & mitigation; compliance; prerequisite to other activities | Inventory
• Classify personal data holdings by type (e.g. sensitive, confidential, public): Implemented | Risk & Compliance | Y | Internal FTE | Internal FTE | Supports business processes; risk mitigation; contract | Data Classification Policy; Sample documents
• Obtain approval for data processing (where prior approval is required): N/A
• Register databases with data protection authority (where registration is required): N/A
• Maintain flow charts for key data flows (e.g. between systems, between processes, between countries): Desired | Information Technology | Y | Internal FTE, technology to survey or scan | Internal FTE, technology to survey or scan | Risk identification & mitigation; prerequisite to other activities | Flow Charts
• Maintain documentation for all cross-border data flows (e.g. country, mechanism used as a basis for the transfer such as Safe Harbor, model clauses, binding corporate rules, or approvals from data protection authorities): Desired | Information Technology | Y | Internal FTE, business processes | Internal FTE, business processes | Risk identification & mitigation; prerequisite to other activities | Data Transfer Agreements (model clause)
• Use Binding Corporate Rules as a data transfer mechanism: N/A
• Use Standard Contractual Clauses as a data transfer mechanism: Implemented | Legal | Y | Research subscriptions, internal FTE | Research subscriptions, internal FTE | Compliance; contract | Templates; Procedural documents; Repository of contracts
• Use Cross-Border Privacy Rules as a data transfer mechanism
23.
Application of Accountability Approach: EU-based Customer

2. Maintain Personal Data Inventory

| Activity | Status | Owner(s) | Core? (Y/N) | Resources to Implement | Resources to Maintain | Business Case | Evidence |
|---|---|---|---|---|---|---|---|
| Maintain an inventory of key personal data holdings (what personal data is held and where) | Desired | Records management / privacy function | Y | Internal FTE; external consultant; technology | Internal FTE; external consultant; technology | Understanding of information assets; risk mitigation; compliance; prerequisite | Inventory |
| Classify personal data holdings by type (e.g. sensitive, confidential, public) | Implemented | Privacy function; Legal; Risk & Compliance | Y | Internal FTE | Internal FTE | Understanding of information assets; exploitation; risk | Data classification policy |
| Obtain approval for data processing (where prior approval is required) | N/A | | | | | | |
| Register databases with data protection authority (where registration is required) | Implemented | Privacy function; Legal | Y | Internal FTE | Internal FTE | Compliance | DPA registration certificate |
| Maintain flow charts for key data flows (e.g. between systems, between processes, between countries) | Desired | Privacy function; Information Technology | Y | Internal FTE; technology | Internal FTE; technology | Risk identification & mitigation; data security; prerequisite | Flow charts |
| Maintain documentation for all cross-border data flows (e.g. country, mechanism used as a basis for the transfer such as Safe Harbor, model clauses, binding corporate rules, or approvals from data protection authorities) | Desired | Privacy function; Legal | Y | Internal FTE; external legal | Internal FTE; external legal | Risk identification & mitigation; compliance; prerequisite | PIA report; Data Processing Agreements (model clauses) |
| Use Binding Corporate Rules as a data transfer mechanism | Desired | Privacy function; Legal | N | Internal FTE; external legal | Internal FTE; external legal | Data exploitation; compliance | BCR business case; BCR gap analysis; BCR documentation |
| Use Standard Contractual Clauses as a data transfer mechanism | Desired | Privacy function; Legal | Y | Internal FTE; external legal | Internal FTE; external legal | Data exploitation; compliance | Data Processing Agreements |
| Use Cross-Border Privacy Rules as a data transfer mechanism | | | | | | | |
24.
Conclusions
• Accountability yields a capacity to meet compliance and program objectives that is inherently more flexible and powerful than ‘mere’ compliance.
• Accountability is determined by what the organization prioritizes and resources, not by an external standard of ‘what ought to be’.
• Accountability helps the organization by ‘getting credit’ for establishing a framework that yields the right results: even where there are individual failures, it can be demonstrated that they are not systemic.
• Accountability provides a common framework and language for security and privacy professionals to enhance their respective programs.
• Accountability is therefore the main tool for taking a global, risk-based approach to privacy and data protection compliance.