1.
1
vPrivacy Insight Series - truste.com/insightseries
v
Preparing for the GDPR – the
Compliance Countdown Begins
April 14, 2016

2.
2
vPrivacy Insight Series - truste.com/insightseries
Today’s Speakers
Barbara Mangan Sondag,
Privacy Counsel, North
America, eBay Inc
Paul Lanois
Counsel, Cross-border Legal
Credit Suisse
Ralph T O’Brien,
Principal Consultant EU,
TRUSTe

3.
3
vPrivacy Insight Series - truste.com/insightseries
v
The GDPR – Story so Far
Ralph T O’Brien, Principal Consultant EU, TRUSTe

4.
4
vPrivacy Insight Series - truste.com/insightseries
• GOAL: One single law for the EU
• Previous Directive of 1995 and national laws to be repealed
• Member scope needs enabling legislation (with some ability to vary)
• 50/99 articles have scope for variance.
• Interpreted nationally by “supervisory authorities”
• Consistency brought by a European Data Protection Board (EDPB)
• Organizations have a lead authority…
• …based on the organizations “main establishment” (EU HQ)
Why and what is the GDPR?

5.
5
vPrivacy Insight Series - truste.com/insightseries
• Applicability now extra territorial
• Based on “residency of individuals in EU”
• Offering goods or services
• Monitoring of behavior (such as internet tracking and profiling)
• Where the organization is processing personal data
• Data that relates to an individual who can be identified from it (or other data
you have)
• Regardless of format (digital, paper, audio, video etc)
• Doesn’t have to be names (ID by picture, IP addresses, devices IDs, Cookies
etc)
• Sets up Consistency Mechanisms and EDPB
• Supports Codes of Conduct, Seals and Certifications as evidence of compliance
Applicability

6.
6
vPrivacy Insight Series - truste.com/insightseries
• Political agreement reached between Council and Parliament
December 2015
• Final text 6 April 2016 from Technical drafting committees
• The text of the regulation will be sent to the European Parliament
where it will first be approved by the Civil Liberties, Justice and Home
Affairs (LIBE) committee in an extraordinary session
• It has been adopted in plenary on 14 April 2016 (Today!)
• It will then be published in the Official Journal of the European Union
(OJEU)
• Exactly two years after the date of publication in the OJEU, the
Regulation will enter into force (April/May 2018?)
Timeline

7.
7
vPrivacy Insight Series - truste.com/insightseries
Privacy under the EU Model
Data Protection Authority
(supervising authority, based on main establishment)
Data Controller
(organisations)
Data Subject
(individuals)
Data
Processor
Third
Countries
Third
Parties
Duties
Rights
Disclosure?
Inform?
Security?
Guarantees?
Advisory and
Enforcement
European Data Protection Board
(consistency mechanism) EU Courts National Courts
Complain?

8.
8
vPrivacy Insight Series - truste.com/insightseries
•Access to data
•Remedy from supervisory
body/court
•Compensation for Damage
•Compensation for Distress
•Rectification (NEW)
•Objection
–Absolute for direct marketing
•Erasure (NEW)
•Data Portability (NEW)
•Restrict processing (put on hold)
•Automated decisions and profiling
Increased Individual Rights Increased Obligations
•Consent harder to obtain/prove
•Privacy notices more
detailed/clearer
•Proactively Demonstrate
Compliance
•Breach Notification (72 hours)
-To individual and regulator
•Appointment of Data Protection
Officer (250+, or high risk
processing)
•Privacy by Design
•Privacy Impact Assessments
•More obligations for Processors
(Joint Controllership)
Key Requirements

9.
9
vPrivacy Insight Series - truste.com/insightseries
• Lawful basis
• Fair processing
• Specify Purposes
• (Limitation)
• Adequate, relevant, not excessive
• (Minimization)
• Accuracy
• Retention
• Rights of Individuals
• Appropriate Security
• International Transfer adequacy
Privacy Principles Remain consistent

10.
10
vPrivacy Insight Series - truste.com/insightseries
• National Laws may set up additional penalties (enforced
audit, reprimand, criminal sanctions)
• Fines
• Increased Consumer awareness
• Increased activism
• Courts now finding for individual more often (courts as
activists)
• Greater “visibility” of privacy in the media
• Ethical business practices (“creepiness”)
• Reputational harm
• Decreased Consumer Trust
Key Privacy Risks

11.
11
vPrivacy Insight Series - truste.com/insightseries
Fines
Up to 10m EUR or
2% world annual
turnover of last FY
Up to 20m EUR or
4% world annual
turnover of last FY

12.
12
vPrivacy Insight Series - truste.com/insightseries
•How prepared is your organization with the European Union's
upcoming General Data Protection Regulation (the "GDPR")?
1. Sorry, GDPR? Any connection with the Gross Domestic Product?
2. We are already prepared, ready and waiting. Bring it on!
3. We have already begun work and expect to be in time.
4. We are not sure we will be ready by the deadline.
5. We have not started anything yet.
POLL:

13.
13
vPrivacy Insight Series - truste.com/insightseries
v
Paul Lanois
Legal Counsel, Cross-border Legal, Credit Suisse
GDPR: what you can do now to
prepare yourself
Note: the views expressed are mine alone and do not necessarily reflect the views of my employer.

14.
14
vPrivacy Insight Series - truste.com/insightseries
Scope
The scope of application of the GDPR is broader than the EU current data
protection regime:
• Under the current regime, organizations are in scope if they are located
within the EU or make use of (automated) equipment located within the EU.
• With the GDPR, the legislation extends to all organizations offering goods
or services to EU citizens, irrespective of whether connected to a payment
and organizations that monitor (online) behavior of EU citizens, in so far as
the behavior takes place in the EU.
Even if your organization does not have any branches or processing
equipment in the EU, it could still fall within the scope of the GDPR! Any
entity holding or using European personal data will be impacted.

15.
15
vPrivacy Insight Series - truste.com/insightseries
Start building awareness now
Change is coming… and your staff needs to know about it sooner rather than
later! But an implementation timeframe of 2 years is plenty of time, right?
• French “Digital Republic” bill anticipating the GDPR.
• Some obligations are new and will take time to implement, for example:
o Subject access requests: Processes may need to be created to be
able to respond to requests from individuals without undue delay
and at the latest within one month.
o Data Portability: GDPR gives individuals the right to receive their
personal data in a structured, commonly-used and machine-
readable format. Individuals may also request, where technically
feasible, that the controller send the personal data to another
controller.
o Privacy by Design: embed privacy into the design specifications of
technologies, business practices, and physical infrastructures.

16.
16
vPrivacy Insight Series - truste.com/insightseries
How to raise awareness
o This is a big and serious change from the current regime.
o "Data protection will be the new anti-trust" - Giovanni Butarelli,
European Data Protection Supervisor.
Ensure that decision makers and key people in your organization are
now aware that the law is changing so that they can start identifying
the areas that will have the biggest impact on them.
• Right to compensation: “Any person who has suffered material or non-
material damage as a result of an infringement of the Regulation has the
right to receive compensation for the damage suffered.”
• Sanctions : fines can amount to EUR 20 million or up to 4% of the total
worldwide annual turnover of the preceding financial year, whichever is
higher.

17.
17
vPrivacy Insight Series - truste.com/insightseries
Some less known points to consider
• With the GDPR, additional points must be covered in the privacy notice: for
example, you will need to explain your legal basis for processing the data,
your data retention periods and that individuals have a right to complain if
they think there is a problem with the way you are handling their data.
• Information must be provided “in a concise, transparent, intelligible and
easily accessible form, using clear and plain language.”
• Restrictions surrounding automated data processing and decisions based
upon such processing (i.e. profiling).
• Parental consent will be needed to process personal data of children under
16 (Member States may bring this down to 13).

18.
18
vPrivacy Insight Series - truste.com/insightseries
v
Barbara Mangan Sondag,
Privacy Counsel, North America, eBay
GDPR: Privacy Impact
Assessments
Note: the views expressed are mine alone and do not necessarily reflect the views of my employer.

19.
19
vPrivacy Insight Series - truste.com/insightseries
Privacy Impact Assessments (PIAs) at a glance
Privacy Impact Assessment a.k.a. Data Protection Impact Assessment (DPIA)
• No definition in GDPR text
• Regarded as a systematic assessment of a project that identifies the impact that
the project might have on the privacy of individuals, and sets out
recommendations for managing, minimizing or eliminating that impact.
• Plays an important role in the overall risk management and planning processes
of a company
PIAs can assist businesses with:
• Describing how personal information flows in a project
• Analyzing the possible impacts on individuals’ privacy
• Identifying and recommending options for avoiding, minimizing or mitigating
negative privacy impacts
• Building privacy considerations into the design of a project
• Achieving the project’s goals while minimizing the negative and enhancing the
positive privacy impacts.

20.
20
vPrivacy Insight Series - truste.com/insightseries
Privacy Impact Assessments (PIAs) at a glance
Benefits of PIAs:
• demonstrating that a project is compliant with privacy laws
• reducing future costs in management time, legal expenses and potential
negative publicity by considering privacy issues early in a project
• identifying strategies to achieve the project’s goals without impacting on
privacy
• promoting awareness and understanding of privacy issues inside the
organization or agency
• contributing to broader organizational or agency risk management processes.
Risks of not undertaking a PIA include:
• non-compliance with the letter or the spirit of relevant privacy laws, potentially
leading to a privacy breach and/or negative publicity
• loss of credibility by the entity through lack of transparency in response to
public concern about handling personal information
• damage to an entity’s reputation if the project fails to meet expectations about
how personal information will be protected
• identification of privacy risks at a late stage in the project development or
implementation, resulting in unnecessary costs or inadequate solutions.

21.
21
vPrivacy Insight Series - truste.com/insightseries
GDPR Requirements
Applicable GDPR Text Obligations
Data Protection Impact
Assessments (DPIAs)
(Sect. 3, Art. 35)
The supervisory authority shall
establish and make public a list of
the types of processing
operations that require a DPIA.
They may also establish and
make public a list of the types of
processing operations that do not
require a DPIA.
Lists shall be communicated to
EUDPB.
Penalty, Art. 83: Administrative
fines up to 10,000,000 EUR, or in
case of an undertaking, up to 2%
of the total worldwide annual
turnover of the preceding financial
year, whichever is higher
DPIAs are required for any
processing that may result in
“high risk”, and for:
• Systematic and extensive
automated processing,
including profiling, if the
decisions produce legal
effects or significantly affect
the individual
Example: Making predictions
based on a person’s behavior,
economic situation, health,
location
• Processing special
categories of data (ie. genetic
or biometric data) or criminal
records on a large scale
• Systematic monitoring of a
publicly accessible area on a
large scale
• As indicated by the DPAs or
EUDPB
Each DPIA shall contain at least:
• A systematic description of
the processing operations
and the purposes of the
processing, including where
applicable the legitimate
interest of the controller
• An assessment of the
necessity and
proportionality of the
processing operations in
relation to the purposes;
• An assessment of the risks
to the rights and freedoms of
data subjects, and
• The measures needed
address the risks, including
safeguards, security
measures and mechanisms to
demonstrate compliance

22.
22
vPrivacy Insight Series - truste.com/insightseries
GDPR Requirements
Implementation Considerations
Evaluate existing PIA processes against PIA
requirements, particularly events that may
constitute high risk:
• Conversion of records from paper-based
to electronic form;
• Conversion of information from
anonymous to identifiable form;
• System management changes involving
significant new uses and/or application of
new technologies;
• Significant merging, matching or other
manipulation of multiple databases
containing personal data;
• Incorporation into existing databases of
personal data obtained from commercial or
public sources;
• Alteration of a business process resulting
in significant new collection, use and/or
disclosure of personal data
• Consider risk definitions and evaluation
criteria used within the business
• A single DPIA may address a set of
processing operations that present similar
high risks.
• Where appropriate, seek the views of data
subjects on the intended processing.
• Conduct audits to verify that processing is
performed in compliance with the DPIA, at
least when there is a change of the risk
represented by the processing operations.
• Where a DPIA indicates high risk: If the
controller cannot mitigate by appropriate
measures in terms of available technology
and costs of implementation, a
consultation of the supervisory
authority should take place prior to the
processing.

23.
23
vPrivacy Insight Series - truste.com/insightseries
Practical Points for PIAs
• Build, implement and be able to document a robust PIA process
• Your company’s core business drivers influences the content of a
PIA (for example, eBay’s PIA would likely look very different from
American Express’ PIA because of the products/services they offer).
• A single assessment may involve many people in multiple
geographies. It can cross various business units and be reviewed by
several internal and external stakeholders.
• Systematically evaluate how personally identifiable information is
collected, used, shared and maintained by your organization in the
context of business change
• What areas of your program should you address? At what level?
Privacy Notice? Large-scale strategic projects? Individual use
cases?

24.
24
vPrivacy Insight Series - truste.com/insightseries
Practical Points for PIAs (2)
• Consider a bifurcated PIA process, with traditional PIAs for all
projects and EU DPIAs for projects that trigger these rules
• Documentation requirements may impose a burden on development
teams using agile and similar methods – additional resources may
have to be added to manage recordkeeping
• Consider advantages and risks of maintaining DPIA records with
records of processing activities required by Art. 30.
• Where possible, automate parts of the PIA, standardize reviews, and
obtain metrics on PIAs.
• Your Information Security Team is a great partner!
• PIAs should be an integral part of the project planning process,
not an afterthought.

25.
25
vPrivacy Insight Series - truste.com/insightseries
Case Study: eBay Vendor Assessments
• Global Privacy partnered with Information Security team to build out
a ticketing system for vendor security assessments
• Security + Privacy questions to comprehensively assess risk
• Share body of knowledge in one system; align resources between
teams; quickly prompt the preparation of the right type of Data
Protection Requirements Addendum (DPRA)
• Business notified of if further information required
• Executed DPRA attached to ticket for future reference
• Save time for Business, Legal, Privacy and Information Security
 One time ticket completion, Business can communicate
project details to InfoSec and Privacy simultaneously.
 Everyone wins – save time for future lookup
 The project details and assessment are documented in ticketing
system, not in emails.

26.
26
vPrivacy Insight Series - truste.com/insightseries
Sample

27.
27
vPrivacy Insight Series - truste.com/insightseries
v
Questions?

28.
28
vPrivacy Insight Series - truste.com/insightseries
v
Ralph T O’Brien robrien@truste.com
Barbara Mangan Sondag bmangan@ebay.com
Paul Lanois planois@alumni.law.upenn.edu
Contacts

29.
29
vPrivacy Insight Series - truste.com/insightseries
v
Don’t miss the next webinar in the Series – “Global Privacy Enforcement
Priorities” on May 19 featuring Chris Hoofnagle, Adjunct Full Professor,
University of California, Berkeley
See http://www.truste.com/insightseries for details of our 2016 Privacy
Insight Series and past webinar recordings.
Thank You!