
Data Privacy Trends in 2021: Compliance with New Regulations


The pandemic has changed the way the world works, shops, and interacts; the consequences have included an increased reliance on technology for all of these activities and a corresponding increase in the sharing of personal information through technological mediums. Even before the pandemic, a global push was on to strengthen the protection of personal and health information, and the result of these various influences has been an enhancement of privacy legislation globally. Compliance with global security laws is now also a larger concern for organizations everywhere.

The webinar will cover:

Global trends in privacy legislation
Some commonalities between privacy laws
Compliance requirements which can affect your organization

Recorded webinar > https://www.youtube.com/watch?v=BKWf6GTlgAM&feature=youtu.be
-------------------------------------------------------------------------------

Find out more about ISO training and certification services

Training: https://pecb.com/whitepaper/iso-27001...​
https://pecb.com/en/education-and-cer...​

Webinars: https://pecb.com/webinars​

Article: https://pecb.com/article​

Whitepaper: https://pecb.com/whitepaper​

-------------------------------------------------------------------------------

For more information about PECB:
Website: https://pecb.com/​
LinkedIn: https://www.linkedin.com/company/pecb/​
Facebook: https://www.facebook.com/PECBInternat...​
Slideshare: http://www.slideshare.net/PECBCERTIFI...

Data Privacy Trends in 2021: Compliance with New Regulations

  1. Agenda
     • Overview Of Privacy & Data Protection (P&DP)
     • Current Status on P&DP
     • New and updated Privacy Legislations
     • Commonalities between legislations
     • What is the impact?
     • Global P&DP trends
     • Q & A
  2. Introduction
  3. Before we start…
  4. Previous sessions
     Check the past webinars on the PECB website at
     • https://pecb.com/past-webinars
     Find all sessions with Q&A + collaterals (decks, recording) at:
     http://ffwd2.me/PECB_ISO27001_webinars (shortcut to LinkedIn page)
  5. This session's collaterals
     After the session, you can find the presentation and recording at
     • https://pecb.com/past-webinars
     Reference information + Q&A of this session:
     https://www.linkedin.com/pulse/pecb-webinar-data-privacy-trends-2021-compliance-new-peter-geelen-/
  6. Overview Of Privacy & Data Protection (P&DP): What's in a word…
  7. Data Privacy Definition
     Information privacy is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, and the legal and political issues surrounding them.*
     * https://en.wikipedia.org/wiki/Information_privacy
  8. Data Protection
     GDPR Art. 1.1: "protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data"*
     * https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32016R0679
  9. GDPR and privacy
     GDPR itself does not mention privacy… except in a footnote on Directive 2002/58/EC, the eCommunications directive.
     In GDPR, it's about data protection, which means protecting your data.
     Privacy = "The right to be left alone"
  10. Some Stats – UN Conference on Trade & Development
  11. Privacy, data protection vs. cybersecurity
     There is no privacy and data protection without cybersecurity.
     But you can have cybersecurity without the need for privacy or data protection.
  12. Privacy & Data Protection vs Enterprise security
     In many cases:
     • Privacy & data protection is targeted to people, persons and their data
     • Privacy & data protection is (mostly) not about company or enterprise data (finance, operations, products, services…)
     BUT data breaches of company data do have the same impact (so treat and protect them equally).
  13. Current Status on P&DP: The battle for your personal data and privacy
  14. North America - Canada
     PIPEDA - Personal Information Protection and Electronic Documents Act
     • Federal legislation managed by the Office of the Privacy Commissioner of Canada
     • An individual's consent must be obtained for the collection, use or disclosure of their personal information; individuals have the right to access their personal information and to challenge any inaccuracies in it.
     • Personal information can only be used for the purposes for which it was collected; otherwise consent must be obtained again.
     • Personal information must be appropriately protected.
     • Applies to private sector organizations in Canada.
     • Is supplemented by privacy laws at the Provincial level in Canada (e.g., laws in Ontario versus Quebec, etc.).
     • Data that crosses borders, whether within Canada or internationally, is a concern.
     • Fines: up to $100,000 CAD
  15. North America - Canada
     Other laws:
     • CASL – Canada Anti Spam Legislation
       • Federal law
       • Requires the individual's expressed or implied consent, depending upon the situation
       • Requires an unsubscribe mechanism
       • Up to $1 million CAD fine per violation and up to $10 million CAD fine for corporations
     Each Province/Territory in Canada has its own privacy and health data protection laws, but each aligns with PIPEDA and then augments PIPEDA with regional guidance.
  16. North America - Canada
     Multiple laws and legislations across Canada at the Provincial level.
  17. North America - Canada
     Advice:
     • Become familiar with both the Federal and Provincial laws and legislations before you assume that you are managing personal data correctly.
     Important: better to apply this to any privacy & data protection implementation, not only to the USA/CA region.
  18. North America - USA
     E-Sign – Electronic Signatures in Global and National Commerce Act
     • Describes and validates electronic forms of data including e-signatures
     HIPAA – Health Insurance Portability and Accountability Act of 1996
     • Protects privacy of personal health information
     • Carries penalties from $100 USD to $50,000 USD per record violation
  19. North America - USA
     California Consumer Privacy Act
     • Applies to any organization that does business in California and which has gross revenues in excess of $25 million USD, or that has 50,000 or more personal records, or that earns ½+ of its revenue from selling personal information
     • Penalties from $2,500 to $7,500 USD per violation
     NY Shield Act
     • If you hold any personal or private data of any New York resident, this applies to you
     • Penalties of $5,000 USD or $20 USD per violation, up to $250,000 USD maximum
  20. Central and South America
     Mexico - Federal Law on Personal Data Held by Private Parties (FLPPDPP)
     • Applies to the private sector
     • Oddly, no need to inform any government body should a breach occur
     Chile - Law No. 19.628 on the Protection of Private Life 1999
     • Under development but will align with international privacy laws and standards
     Brazil – Law No. 13.709 – General Personal Data Protection Law
     • Into effect in September 2020 but will be enforced beginning August 2021
     • Similar to GDPR with DPOs required, data breach and transfer requirements, and privacy impact assessments
     • Established history of enforcement WRT privacy
     Other countries in Central and South America have currently implemented, draft or in-progress privacy laws, with only a few countries/locations in Central & South America and the Caribbean with no privacy laws (oddly, Puerto Rico has none).
  21. Europe
     Type of law (Source: EC)
     • Regulation
       • Regulations are legal acts that apply automatically and uniformly to all EU countries as soon as they enter into force, without needing to be transposed into national law.
       • They are binding in their entirety on all EU countries.
     • Directive
       • Directives require EU countries to achieve a certain result, but leave them free to choose how to do so. EU countries must adopt measures to incorporate them into national law (transpose) in order to achieve the objectives set by the directive.
  22. Europe
     GDPR
     • Data protection (not privacy)
     • Regulation
     • Tuned with national legislation
  23. Europe
     Other legislation that impacts privacy & data protection
     • eCommunications & eCommerce
     • ePrivacy directive (in review/update)
     But also
     • NIS (cybersecurity for public & critical infrastructure)
     • NIS v2 coming up
     • CyberAct
  24. New and updated Privacy Legislations: Keep an eye on…
  25. North America - Canada
     CCPA – Consumer Privacy Protection Act
     • Enhancement to PIPEDA
     • Privacy and Data Protection Tribunal is established.
     • Same acronym as the California Consumer Protection Act (also, CCPA) but aims to be even stronger.
     • Organizations must maintain a privacy management program; meaningful consent must be obtained; deidentified data is covered; right to erasure; enhanced enforcement.
     • Private lawsuits for violations are permitted.
     • Third-party service providers are in scope.
     • Penalties for non-compliance: up to 3% of global revenue or $10 million CAD, OR up to 5% of global revenue or $25 million CAD for serious breaches.
  26. Europe
     GDPR Processing principles
     • eCommunications & eCommerce
       • High impact on direct marketing
     • ePrivacy directive (in review/update)
       • Aligned with GDPR
       • High impact on direct marketing
     • NIS (cybersecurity for public & critical infrastructure)
     • NIS v2 coming up
     • CyberAct (Cyber certification, PPT, …)
  27. Commonalities between legislations: Comparing and understanding the context of the legislations
  28. Some Common Features
     • Privacy officer: Like the GDPR requirement, many privacy laws across the world are looking to have a person appointed in your organization who is accountable for privacy.
     • Penalties: As we have seen with GDPR and with HIPAA in the USA, financial penalties for violations of privacy legislation, or even for improper breach handling, can be costly both in terms of monetary cost and reputational impact.
     • Privacy Program: Privacy legislation is increasingly looking for organizations to have a privacy program in place (e.g., privacy policy(ies), breach management plan, privacy awareness training for staff, etc.).
     • Breach Management and Notification: It is critical to have a documented data breach management plan that also includes a breach notification process.
     • Consent: Consent for the collection of personal data that includes a precise description of the planned use for the data is critical.
     • Note that many privacy or data protection laws include the publishing of data breaches or infractions of the privacy legislation ("Name and Shame").
  29. North America - Canada
     CCPA – Consumer Privacy Protection Act
     • Enhancement to PIPEDA
     • Privacy and Data Protection Tribunal is established.
     • Same acronym as the California Consumer Protection Act (also, CCPA) but aims to be even stronger.
     • Organizations must maintain a privacy management program; meaningful consent must be obtained; deidentified data is covered; right to erasure; enhanced enforcement.
     • Private lawsuits for violations are permitted.
     • Third-party service providers are in scope.
     • Penalties for non-compliance: up to 3% of global revenue or $10 million CAD, OR up to 5% of global revenue or $25 million CAD for serious breaches.
  30. Europe
     GDPR Processing principles
     • Principles (Art. 5) (lawful, fairly, transparent, …)
     • Lawfulness of processing (Art. 6): consent, contract, legal obligation, vital interest, public interest, legitimate interest
  31. Europe
     GDPR Subject Rights
     • Conditions for consent (incl. minors/children)
     • Special categories of data
     • Rights
       • Right of access
       • Right to rectification
       • Right to be forgotten
       • Right to restrict processing
       • Right to notification
       • Right to data portability
       • Right to object
  32. Europe
     GDPR Obligations - Data controllers & data processors
     • Data protection by default
     • Data protection by design
     • Joint controllers
     • Record of processing (processing register)
     • Data breach management (incl. notifications)
     • Security of processing
     • DPIA
  33. Europe
     GDPR Obligations - Data controllers & data processors
     • DPO (data protection officer)
       • Designation (public authority, large scale, sensitive data)
       • Position (independent, advisory, …)
       • Tasks: inform & advise, monitor compliance, cooperate with DPA
       • SoD: NOT responsible/accountable for DC/DP tasks
  34. Europe
     GDPR Fines
     • Purpose: in each individual case, to be effective, proportionate and dissuasive
     • Depending on the nature, gravity and duration of the infringement: 2% or €10M; 4% or €20M
  35. What is the impact?
  36. Europe
     Data protection authorities in action… a trend.
     There are various sites that follow up on the GDPR fines. For example:
     • https://www.enforcementtracker.com/
     • https://www.coreview.com/blog/alpin-gdpr-fines-list/
     • https://www.privacyaffairs.com/gdpr-fines/
     • …
  37. In general
     • Powerful subject
     • Data controllers balancing between
       • Subject rights
       • Government
       • Commercial interest
     • Cross border impact of legislation: GDPR is not only for EU companies or EU citizens
  38. P&DP new trends
  39. Privacy & Data protection is HOT
     • Driver: Cybercrime/breach impact grows
     • Commercial impact vs subjects
     • Existing social media platforms have difficulty finding the new way of working aligned with regulations
     • New platforms don't always get it right
     • Take back privacy
       • Very low level of protection of internet data
       • Free flow of data, now an issue…
  40. Privacy & Data protection is HOT
     • Cookie management
       • Dark patterns ("Accept All", before you find the "configure" button)
       • Cookie psychology
     • Direct marketing
       • Data brokers' position
       • Collection of data vs obligations of transparency
       • Public data vs purpose definitions
     • Cross border, international impact
       • Data brokers out of reach
  41. Privacy & Data protection is HOT
     And also…
     • IoT security impact on P&DP
       • Cameras
       • Cars
       • Toys
       • …
  42. References: Interesting information sources
  43. Reference material
     Collateral references and additional info posted on
     • https://www.linkedin.com/pulse/pecb-webinar-data-privacy-trends-2021-compliance-new-peter-geelen-/
  44. ISO/IEC 27701 Training Courses
     • ISO/IEC 27701 Foundation 2-Day Course
     • ISO/IEC 27701 Lead Implementer 5-Day Course
     Exam and certification fees are included in the training price.
     https://pecb.com/en/education-and-certification-for-individuals/iso-27701
     www.pecb.com/events
  45. Appendix
  46. Ramping up… Relevant PECB Training courses
  47. Relevant Training
     PIMS
     • PECB ISO 27701 Foundation
     • PECB ISO 27701 LI
     • PECB ISO 27701 LA
     Information Security
     • PECB ISO 27001 LI
     • PECB ISO 27001 LA
     • PECB ISO 27002 LM
  48. Relevant Training
     Data protection
     • PECB Certified Data Protection Officer (GDPR)
     Privacy
     • PECB ISO 29100 LI
  49. Other Relevant Training
     Incident Management
     • PECB ISO 27035 LI
     Risk Management
     • PECB ISO 27005 LI
  50. Training Agenda
     Check the PECB agenda, select the ISO/IEC 27701 Lead Implementer
     https://pecb.com/en/partnerEvent/event_schedule_list
     Training Events: for full detailed information about an event, click on the 'View' button on the right hand side under 'View full details'.
     Note: Before applying for any training courses listed below, please make sure you are registered to PECB.
  51. THANK YOU
     ?
     info@cyberminute.com – CyberMinute
     asenglish@hotmail.com – BOT Security Solutions

Editor's notes

  • Peter
  • Peter

  • Check the past webinars on the PECB website at
    https://pecb.com/past-webinars

    Find all sessions with Q&A + collaterals (decks, recording) at:
    http://ffwd2.me/PECB_ISO27001_webinars (shortcut to LinkedIn page)


  • After the session, you can find the presentation and recording at
    https://pecb.com/past-webinars

    Reference information + Q&A of this session:
    https://www.linkedin.com/pulse/pecb-webinar-data-privacy-trends-2021-compliance-new-peter-geelen-/

  • Tony
  • Tony
  • Peter
  • Peter
  • Tony

    https://unctad.org/page/data-protection-and-privacy-legislation-worldwide
  • Pete
  • Peter
  • https://ec.europa.eu/info/law/law-making-process/types-eu-law_en
  • https://ec.europa.eu/commission/presscorner/detail/en/QANDA_19_3369

    Cyberact:
    https://ec.europa.eu/digital-single-market/en/news/eu-cybersecurity-act-glance
    bit.ly/EUCyberAct
  • Peter
  • https://ec.europa.eu/info/law/law-making-process/types-eu-law_en
  • Peter
  • Peter
