
What does the Proposed EU General Data Protection Regulation (GDPR) mean for Business – TRUSTe

We outline the proposed changes in the EU General Data Protection Regulation (GDPR) and their effect on the privacy of US-EU data transfers.
Access the complete webinar on how the EU GDPR will affect your business https://info.truste.com/lp/truste/On-Demand-Webinar-Reg-Page.html?asset=J68IQUDK-565

Published in: Business

  1. Privacy Insight Series: What Does the Proposed EU Regulation Mean for Business. September 16, 2015
  2. Today's Speakers
     • Dennis Dayman, Chief Privacy and Security Officer, Return Path Inc.
     • Dr Kai Westerwelle, Partner, Taylor Wessing
     • Mr Andrea Glorioso, Counselor, Digital Economy / Cyber, Delegation of the European Union to the USA
     • Eleanor Treharne-Jones, Director, EMEA & Global Communications, TRUSTe
  3. Today's Agenda
     • Welcome & Introductions (Eleanor Treharne-Jones)
     • Overview of the Main Changes in the General Data Protection Regulation (Mr Andrea Glorioso)
     • Key Areas in the Regulation: Legal Perspective and Impact on Business (Dr Kai Westerwelle)
     • Actions to Prepare for the GDPR (Dennis Dayman)
     • Q&A (All)
  4. The General Data Protection Regulation (GDPR): Overview of the main changes. Mr Andrea Glorioso, Counselor, Digital Economy / Cyber, Delegation of the European Union to the USA
  5. The GDPR: timeline
     • January 2012: proposal of the European Commission (draft Regulation + draft Directive on the exchange of personal data for police and judicial cooperation)
     • March 2014: the European Parliament adopts its "first reading" position
     • June 2015: the Council of the European Union adopts its "general approach"
     • July 2015 / ongoing: "trialogues" among the European Commission, the European Parliament and the Council of the European Union
     • Expected adoption: end of 2015 / beginning of 2016?
  6. The GDPR: what doesn't change
     • The core legal concepts (e.g. definition of "personal data", "data subject", "data controller", "data processor") do not change massively compared to the main existing EU legislation (the 1995 Directive)
     • You still need a "legitimate basis" to process personal data
     • The objective remains the same: minimize differences of legal treatment among EU Member States in order to safeguard the internal / common market and ensure a coherent (and high) level of protection of privacy and personal data across the European Union
     • Extra-EU data transfers still need a legal basis to take place
  7. The GDPR: main changes
     • It's a Regulation, not a Directive: no need for Member States to "transpose" it into their national legal systems
     • "One-stop shop" system: organizations operating in multiple Member States are supposed to interact only with the Data Protection Authority in their "main place of establishment"
     • "Consistency mechanism": the "main" Data Protection Authority is responsible for interacting with other Member States' DPAs to ensure coherency and avoid multiple, contradicting decisions
  8. The GDPR: main changes
     • "Information notices" will become much more detailed and will have to be in an "intelligible form, using clear and plain language, and adapted to the data subject"
     • "Data processors" (e.g. sub-contractors to the data controllers) are now subject to much stricter controls, responsibilities and potential penalties
     • Principle of "accountability": data controllers / processors must demonstrate the existence of appropriate internal and external processes, control systems, auditing checks, impact assessment procedures and (in some cases) appoint a Data Protection Officer
     • "Privacy by design" and "privacy by default"
  9. The GDPR: main changes
     • Certain "data processing" operations are now more strictly regulated, e.g. "profiling", which requires explicit consent when performed on "sensitive data"
     • Obligation to notify breaches that lead to the loss or unauthorized dissemination of personal data
     • The jurisdictional scope of the GDPR is now broader: the new rules also apply to organizations based outside the EU that offer goods and services to EU residents or "monitor the behavior" of EU residents
     • Penalties will in general be stiffer: a maximum of 2 to 5% of a company's global turnover, or EUR 1 million, whichever is higher
  10. The GDPR: the end of the Internet?
     • The GDPR raises the bar for privacy / personal data protection
     • The rules are non-discriminatory: non-EU companies are not penalized compared to EU companies
     • Is this the much-needed incentive for "data hygiene" within data-intensive companies (nowadays, all companies)?
  11. EU-US data transfers
     • Umbrella agreement (exchange of data for law enforcement purposes): agreement reached on September 8, waiting for the "Judicial Redress Act" to be adopted in the U.S.
     • Safe Harbor discussions: final details on the "national security exemption" and "onward transfers" outstanding, but overall agreement on the 13 Recommendations of the European Commission
     • Extra-EU transfers of non-personal data were and remain permitted in principle
     • Safe Harbor is not the only mechanism: there is a list of "legitimate bases" for transfers (e.g. consent, performance of a contract), Binding Corporate Rules, standard contractual clauses
  12. More information
     • General information: http://ec.europa.eu/justice/data-protection/
     • Supporting documents (fact sheets, background studies, surveys): http://ec.europa.eu/justice/data-protection/document/index_en.htm
     • Extra-EU data transfers: http://ec.europa.eu/justice/data-protection/international-transfers/index_en.htm
     • Step-by-step timeline: http://eur-lex.europa.eu/procedure/EN/201286
  13. Key Areas in the Regulation: Legal perspective and impact on business. Dr Kai Westerwelle, Partner, Taylor Wessing (US) Inc.
  14. Harmonization
     • Current situation
       - European privacy laws are based on the EU DP Directive (transposed into local law)
       - Result: different privacy laws in all European states (even within the states)
       - Result: different levels of data protection (UK vs. France vs. Germany)
       - Result: different regulatory requirements (e.g. applications / registrations)
       - Result: data protection officers only in some Member States
     • Business impact
       - European roll-out is difficult, time-consuming and cost-intensive
       - Idea: comply with the strictest regime and roll out to "lower levels" (pyramid)
       - The highest level might not be required and is costly
       - Remaining uncertainties
  15. Harmonization
     • Future
       - The Regulation should create more harmonization (no transposition into local law)
       - Result: the same law in all European states
       - Result: the same regulatory requirements (e.g. applications / registrations)
       - But: room for interpretation by local authorities?
     • Business impact
       - European roll-out easy, as one size fits all
       - One-stop shopping possible
       - Compliance with European law much less costly
       - Substantial business advantage (for EU and non-EU entities)
  16. Harmonization
     • Level of data protection
       - The Regulation creates the same level of data protection in all Member States
       - For most European countries: stricter data protection rules
       - For some European countries (e.g. Germany): a lower standard
       - Again: room for interpretation by local authorities?
     • Business impact
       - Changes required if currently compliant with a lower level ("upgrade" DP level)
       - Review and amend data protection policies
       - Review and amend data processing agreements
       - Install required positions (data protection officer?)
       - Establish required data protection measures (e.g. TOMs / certificates)
  17. Applicability
     • To non-EU companies
       - Non-EU company offering goods or services to an EU data subject
       - Non-EU company monitoring EU data subjects
       - Unclear: applicable only to data controllers or also to data processors?
     • Direct relation
       - Companies having their seat outside the EU must name a contact person within the EU
       - Direct claims by EU data subjects in the US (umbrella agreement and US transfer)
  18. No Changes
     • Prohibition with exemption
       - Collection and processing of personal data is forbidden unless permitted
       - A legitimate basis for processing is required (statutory exemptions or consent)
     • Group privilege
       - One of the most important issues in privacy
       - No exemption for a data transfer to group companies (HR, group services)
       - Every data transfer within the group is a transfer to a third party
       - Consequence: HR centralization, group services, etc. are an issue
       - An exemption has been highly discussed, but seems not to be in the current draft
       - Business impact: no facilitation; the difficult status remains
  19. Minor Changes
     • Commissioned data processing (processing on behalf of a controller)
       - Most important for any sort of outsourcing, cloud computing, services
       - The legal concept (a transfer to a processor is not a transfer to a third party and is generally permitted) will not change
       - The definitions of "controller" and "processor" remain about the same
       - Obligations for "data processors" will be stricter (control and penalties, liability)
       - For Germany a substantial change: the limitation to the EU / EEA would be erased
     • Business impact
       - Amendment of the current processes
       - For Germany: major facilitation of all outsourcing processes!
  20. Major Changes
     • Right to erasure of personal data / "Right to be Forgotten"
       - Data subjects have far-reaching rights to erasure of their data
       - "Right to be Forgotten": already somehow in place (Google Spain)
       - Possibly an additional obligation on the first publisher to trace and clean up copies
       - Business impact: technical requirements to safeguard the process (technically difficult)
     • Right to data transfer
       - Data subjects have a right to request the transfer of their data to another service provider
       - Practical impact: impact on business set-up and terms
       - Business impact: data might become less valuable
  21. Major Changes
     • Data Protection Authorities
       - One-stop shopping: interaction between the authorities in the Member States
       - The main data protection authority clarifies and aligns decisions
       - Lead authority in case of establishments in different states (main establishment)
       - "Work behind the scenes"
     • Business impact
       - Enormous business impact
       - Facilitation of processes (multi-jurisdictional projects)
       - Hopefully: speed-up of international processes
       - May lead to substantial savings for companies dealing with international projects
  22. Major Changes
     • Data Protection Officer
       - A new concept to many Member States
       - Influenced by the strict German data protection law, but with a higher threshold (50)
       - Might also have labor law implications
       - Needs awareness and implementation in the company structure
     • Certificates (on Technical and Organizational Measures)
       - Data protection certificates, seals and marks (unclear relation to ASA or ISO)
       - The "one-stop approach" applies
       - Supports outsourcing processes (audit requirements)
       - Particularly supportive of data transfers to non-EU/EEA countries and cloud services
       - High business impact: enabling / savings / selling advantage / customer requirements
  23. Data Transfer to non-EU Countries
     • No change
       - Remains generally forbidden
       - Unless there is an "adequate level of data protection"
     • Exceptions
       - Consent of the data subject
       - Binding Corporate Rules
       - EU Model Clauses (any changes?)
       - USA: Safe Harbor (important for US companies: new umbrella agreement)
       - New: Data Protection Certificates
  24. Actions to Prepare for the GDPR: Key Take-Aways. Dennis Dayman, Chief Privacy and Security Officer, Return Path Inc.
  25. Actions to prepare for the GDPR
     • Privacy Policies
       - Multiple policies for different product lines: https://returnpath.com/privacy-policy/
       - Required language for partners or 3rd-party developers
       - TRUSTe as auditor and mediator
       - Easy to read, smaller sections, hyper-transparent
       - Express opt-in model
  26. Actions to prepare for the GDPR
     • Privacy by Design
       - Taken steps to make sure that our systems and processes, particularly new ones, deliver data protection compliance as a matter of course
       - Involved development and program staff
       - Reviewing and classifying the personal data we hold and why we hold it, to ensure that we can meet the requirement for "data minimization"
     • Privacy impact assessments
       - Performing them on new and old products
  27. Actions to prepare for the GDPR
     • Consent, control and insight
       - Give visitors and customers 100% control over their data / accountability
     • Security
       - SSAE 16 and ISO 27001 audit(s)
       - Access limitations / role-based accounts / 2FA / Okta
     • Breach management
       - Response plan(s)
     • Staff
       - Education / certification
     • Localization
       - Considering EU data centres
       - Admin staff in local countries
     • Corporate data handling directives
       - Data treasure maps
       - A centralized record of authority that allows us to programmatically manage and perform compliance on how data is used in the organization
  28. Questions?
  29. Contacts
     • Andrea Glorioso: andrea.glorioso@eeas.europa.eu
     • Kai Westerwelle: k.westerwelle@taylorwessing.com
     • Dennis Dayman: @ddayman
     • Eleanor Treharne-Jones: eleanor@truste.com
  30. Don't miss the next webinar in the Series, "Building an Effective Privacy Program – Six Practical Steps", on September 24th. See http://www.truste.com/insightseries for details of future webinars and recordings. Thank You!
