🔒 Setting up a Privacy Program in an ever changing global landscape

Hi everyone and welcome to our session on setting up a fibresy programme in an ever -changing global landscape.

First of all, I have the great honour of welcoming Paul Breitbarth to speak to us on this matter.

He's a Director of European Policy and Strategy at TrustArk and also a Senior Visiting Fellow of the European Centre of Privacy and Cybersecurity at Maastricht University.

Welcome, Paul, and thank you for joining.

Good afternoon. Thank you for having me. No problem. I know we've got a lot to talk about in our 30 minutes session that we're going through at the moment.

But first of all, I was just wondering if you'd be so kind to kind of walk us through what are the essential aspects of a privacy programme, and what you think is key for your customers and clients to think about when starting off on this journey of setting up a privacy programme.

Of course. Well, first of all, it's good to realise that there are currently well over a thousand privacy laws that apply around the world.

And some of those are the very large ones that we know about, like the General Data Protection Regulation here in the European Union or the California Consumer Privacy Act or the LGPD in Brazil.

But there is also a lot of sectoral legislation at state level in the United States or at provincial level in Canada.

So there are many laws around the world. So the first thing I would do if I would start developing a privacy programme right now is to gain understanding of which are the laws that I would be subject to.

Where does my organisation operate?

In which countries do I have offices? Where do I have staff?

Where do I have customers? And also in which sectors would that apply so that you can actually take a look at all of those laws?

That would, for me, be step one.

Step two is to understand what it is that you are actually doing with personal data across the globe.

What kind of personal data are you processing? Is it just names and addresses, maybe some basic contact details or is it more sensitive information?

Are you, for example, processing health data or religious data or things about people's sex life or union membership or political convictions?

Those are typically protected at a much higher level.

Financial data in many countries as well.

And where is that data stored? Is it all within the same country? Is it flowing around the world?

Who has access to it within your organisation or outside? Is any data shared with other parties?

So you will need to develop an overview of all your data flows within the organisation and outside.

And that is what we call a processing activities register.

It is mandatory in many jurisdictions now. For example, in Europe, under the GDPR, Article 30 requires you to maintain such a register.

Brazil has a similar requirement for a register. Turkey, I believe, as well.

And there are other laws coming that also require you to do that or that imply that you need such a register.

For example, in California, I mentioned the Consumer Privacy Act already.

And you see that if you look at that legislation, you have a lot of transparency requirements.

You need to be able to explain to individuals what you are doing with that personal data.

But to be able to explain that, you need to understand first what it is that you are doing with the data yourself.

So how are you processing it? And also from that angle, the processing activities register is invaluable.

So those are the two starting points. And from there, you need to develop all your policies and procedures.

So you need to have a policy for how you collect personal information because you need a legal basis to do so.

What data are you collecting? Is all of that necessary? And can you demonstrate that?

You need to provide notice. You need to be transparent about what it is that you are doing with data.

And inform people about the fact that you are processing that data before you get hold of the data.

And that also means that that notice needs to be detailed enough, but also understandable.

Needs to be written in clear and plain language so that everybody can understand and not just the lawyers.

And it can certainly not be written as just a liability waiver where you have a lot of legal text and that nobody understands and just has to click yes at the end.

That is not what the privacy notice is for. And so you go through all the obligations of those laws that you are dealing with to find out what other policies and procedures you might need.

You may need some to deal with individual rights like access or correction or deletion.

You may need some to deal with possible data breaches and security and so on and so on.

And what sort of key tips would you give the privacy professionals out there listening that are kind of going through this process regarding internal engagements within their organizations?

And how to obtain and get the buy-in from the senior leadership team, but also from colleagues in other core functions that they need to work closely with?

And the messaging around that? Well, I would say that the buy-in from your top management, your senior leadership is vital.

Because if the right examples are given at the top of the organization, then you will also be pretty sure that it will be able to trickle down to the workflow.

Whereas if the management gives the impression that they don't really care about privacy, why would your colleagues care about privacy either?

So that is the most important. Make sure that you have buy-in at management level.

And one of the ways to do that is show the increased risk of noncompliance.

There are hefty fines nowadays for privacy contraventions.

It is also a very sensitive issue in the public eye. So if you want to ensure that you retain the consumer's trust, you also need to be careful about how you process their personal data.

And if you don't, then consumers are gone very quickly, which is, of course, as a business, something that you would want to avoid.

So it is the risk. It is best practices. A lot of companies nowadays also try to use privacy as a unique selling point to show, well, we know what to do with your data and we care about your data.

So trust us. Of course, if you want to make that claim, you need to be sure that you can actually make through on those words.

But that, I believe, is the starting point. Make sure that you have that senior level buy-in.

And from there, explain what you're doing, train your colleagues, make them aware of what they can do themselves by very basic trainings and by also giving them responsibilities.

The register that I referred to before is not something that the privacy team can develop alone.

You need the assistance of the whole organization to get that done.

Perfect. And just going along the theme of the global changing privacy landscape, we both know there's been a wave of new privacy legislation coming in globally and around the world.

And sort of from your experience and also from what you're seeing with clients, what are your key tips for incorporating and also how to prioritize and actually align a lot of these privacy laws that are coming in and make sure that your privacy program is where it needs to be when these laws come into force?

Well, first of all, let me say that I hope that a lot of the people watching have already started developing their privacy program because it is very likely that they will be subject to multiple privacy laws already.

But if they haven't, then now is indeed a very good time to start because the world is changing very rapidly.

GDPR was probably the trigger for a whole new wave of privacy legislation around the world because it sets new standards.

GDPR entered into application on the 25th of May 2018, so just over two and a half years ago.

And since we've seen a lot of countries update their privacy laws to a new higher standard, not all similar to GDPR, but they have been set to think about their own privacy laws as well.

And you can see cultural differences around the world when it comes to privacy and data protection.

Here in Europe, privacy and data protection are considered as fundamental rights.

They are part of our fundamental rights agreement of our constitutions, both at national and at European level.

But that is not the same all around the world. Sometimes it's more of a cultural right, sometimes it's more of an economic right.

But privacy and data protection does exist almost in every single country around the world.

And in the coming years, we'll see some major developments again, because both India and China are on the verge of developing omnibus privacy legislation.

In India, Parliament is already discussing a draft privacy bill.

And the hope is that that can be adopted in the course of 2021.

In China, it may take a little bit more time. But a law that has a lot of similarities with the GDPR was presented to the People's Congress a few months ago and is currently in a consultation phase.

It will mainly apply to the private sector, not to the public sector, not to the government.

But still, it is an important step forward.

So for organizations that want to comply with all of those laws, my best recommendation would be not to start looking and inventorying every single requirement in all those laws that you are subject to, and instead to start using a framework.

There are many privacy frameworks around the world.

At TrustArc, we have developed our own privacy and data governance accountability framework, which gives an overview of all the steps that you can take to build, implement, and maintain a privacy program.

But you can also use ISO standards, you can use a NIST framework, or you can use the Fair Information Protection Principles that are to be found in the OECD privacy guidelines.

Basically, every privacy law around the world has similar principles included.

So if you use a framework approach, you can then develop your privacy program based on those common standards that you find in privacy legislation, build your policies and procedures around those, and from there, make the link to the legislation and see what the outliers are.

It could be that maybe just the timeframes are different.

For example, when you are dealing with fundamental rights under the GDPR, you have a month to deal with the initial request without undue delay, the legislation says, but that is specified as no later than one month from the moment you get the request.

Whereas in California, you have 45 days, and in some other jurisdictions, you just have two weeks.

So those timeframes are different, but the way you would deal with the request would be the same wherever you are located, what kind of information to provide and how to involve your colleagues, for example.

Perfect. And I think it's important as well to kind of also, like you said, and mentioned in the first part of our session is, it's really, really key to make sure to know and have your data flows mapped and know exactly where your organization is processing data and the according flows there.

So thank you for that. And of course, I want to bring it a bit closer to home as well in terms of what's going on in Europe.

I'm in London, I know that you're in the Netherlands, and of course, the topic of Brexit is coming up a lot, if not daily, if not with new updates almost on the hour, every hour, especially with sort of the transition period coming to an end at the end of the month.

So I'd just like to sort of ask you what you see the biggest challenges, but also areas that privacy professionals need to look at with Brexit on the horizon.

And again, what changes organizations should make to their programs in light of Brexit?

Well, from a privacy and data protection perspective, Brexit is very concerning.

Because as long as the UK was part of the European Union, GDPR applied in full, without any challenges.

And that meant that there was a free flow of personal data between the continent and the British Islands.

And after January 1, the way things stand now, data will continue to flow freely to Ireland, but not to the United Kingdom anymore.

And there will be a digital border between the two as well.

We had hoped that there would be a trade agreement in place by the end of the month.

I understand the deadline has now been pushed to Sunday, midnight Brussels time.

So who knows, maybe a trade deal is still possible with some arrangement for what we call under the GDPR, an adequacy decision.

And that would be the European Union, the European Commission, saying that UK has a level of data protection that is essentially equivalent to that in the European Union.

And that would be obvious for many people, it would be obvious to say, well, what the UK is doing, they have the GDPR, they have implemented the GDPR as is, they have even created a UK GDPR, which is a literal version of the GDPR, only with the word Europe replaced by the United Kingdom.

So that would be considered as essentially equivalent.

The problem is with the UK no longer be part of the European Union, that requires a formal legal decision.

It requires legal certainty that the British government would need to provide to their European counterparts.

But it also requires an assessment of all the other laws in the United Kingdom that could have an impact on privacy and data protection.

And then you also come into the realm of national security legislation and the so -called Trump's two decision that we saw on the 16th of July of this year.

And I'm sure you were hinting a little about that as well.

In that decision, the Court of Justice of the European Union determined with regard to the United States that their surveillance laws, so the government surveillance, government interference with personal data, interception maybe, that those laws go beyond what can be regarded as necessary and proportionate in a democratic society.

Because the laws were insufficiently clear, they were too broad, they were collecting too much information that was insufficient to address possible for Europeans.

And that assessment also needs to be undertaken for the United Kingdom.

And we all know that your security services have a lot of possibilities to intercept personal information, that in the past they have also targeted some of the EU member states in their activities.

And that is a concern for the EU27. So that will need to be assessed thoroughly, not only by the European Commission, but also by the other member states and by the European Data Protection Authorities.

And the time is running out to be able to do that, given that the European Commission and the UK government have not reached agreement yet.

There is no draft agreement published so far.

And it usually takes six to 12 months to assess a third country for its legislation, including on surveillance.

And with maybe three weeks to go until the end of the transition period, time really is running out.

Earlier this morning, the Commission has published some contingency measures in case there is a no-deal Brexit.

But there is no contingency for data as far as I could see. Thank you for that.

And then you did touch upon the Schrems judgment that came out earlier in the year.

And also, I was wondering if you'd be able to elaborate for our audience the impact of the Schrems 2 judgment and also the relevance of the EDPB guidance, which has recently been issued, and how that kind of needs to be digested.

And also sort of aligned as well with individuals or companies' privacy programs and key sort of takeaways and steps to prepare for.

Absolutely. So the Schrems 2 decision, as the name implies, follows the Schrems 1 decision from 2015, so from five and a half years ago.

And both cases evolve around the same legal matter.

Can Facebook transfer personal data from their subsidiary in Ireland to their headquarters in the United States?

And if so, under what legal instruments? The European legislation, both the previous one and the current one, has three possibilities.

Basically, that is an adequacy decision that we just discussed also for the UK.

That is by means of appropriate safeguards, which basically means that you can put contracts in place that should offer sufficient protection to keep the data that is collected in Europe safe, like a bubble traveling with the data around the world.

And then as a third option, there are some derogations, but they can only be used in incidental cases, so in one-offs and not for continuous or large-scale data transfers.

And five years ago, the question was if the so-called safe harbor arrangement would stand the test of the court.

It did not. Again, because of all the U.S.

surveillance laws, the court concluded that the interference with the fundamental rights to privacy and data protection of Europeans would be too big if the data were going to the United States under that arrangement.

So additional protections should be put in place before data could travel.

And basically, in the Schrems 2 decision, the court had made the same conclusion.

There were new protections in place, and the court has once again said, no, those protections are insufficient.

That was for the so-called privacy shield. At the same time, in the same decision, the court has also looked at what we call standard contractual clauses.

And those are model contracts that can be used to transfer personal data from any country in the EU to any country outside of the European Union.

And that would also be a possible solution to continue transferring personal data to the UK post-Brexit.

The court has said the instrument, the standard contractual clauses, that is a valid instrument, can remain in force.

But also when using those standard contractual clauses, the data exporters, so the company based in the European Union, should make sure that an essentially equivalent level of data protection can be offered in the country of destination.

And that means that you would need to add a lot of additional safeguards in your contract to ensure personal data can continue to flow around the world.

And to some extent, you can question whether it would be possible at all to implement so -called supplemental safeguards.

For example, if you are dealing with government surveillance, is there any contractual safeguard that you can put in place?

Some people claim that encryption can do a lot and that data localization might be able to be part of the solution.

That you can have contractual commitments to fight any government request to hand over personal data in the highest courts to find out whether it is indeed necessary and proportionate to hand over those data.

But it is not a given that those suggestions would be enough.

And the European Data Protection Board, which unites all the data protection authorities from around the European Union, has also said that for those kind of data transfers, for example, to store data in the cloud where it would be accessible around the world or to allow your employees in countries all around the world to access data that is stored here in Europe, that for those two scenarios, basically there is no proper safeguard to be implemented.

And that basically that should no longer be allowed.

That is, of course, pretty inconvenient to say very kindly in a globalized digital economy that we know today.

So the practical implications of that guidance and also of that court decision is that if that guidance is upheld, the international data traffic will grind to a halt because there is no way you can do this legally anymore or it will continue.

But then all the companies doing so, more than 70 percent of which are small and medium sized companies, would suddenly be under immense pressure and immense risk of fines and compliance orders from the data protection authorities.

And the data protection authorities who are already overflowing with work would even have more work on their plate.

So that is another problem that needs to be taken into consideration. So at the moment, there is a consultation period ongoing for that ADPB guidance.

And hopefully come January, we'll see that there is a bit of change to those guidelines that facilitates that would allow a bit more data flows.

But it is very clear that here in Europe, the courts and the data protection authorities take the fundamental rights approach very seriously.

And that also new international arrangements are needed to determine what is and isn't allowed from a government surveillance perspective.

And how do we share information? How do we allow access to information, especially between democratic countries?

Perfect. And you mentioned as well, there's a new set of standard contractual clauses which are currently out for consultation.

And I was wondering if you'd be able just to provide sort of the audience an overview of the changes and the new standard contractual clauses compared to kind of the older version.

And also sort of where we're looking for those standard contractual clauses to be to be put in place.

Yes, absolutely.

So the standard contractual clauses, the new version is basically an update of that model contract under the GDPR.

Before, actually until today, the old version of the SEC, the standard contractual clauses apply, but those have been developed under the old legislation.

So it was about time that they would be updated to the GDPR.

That has now been done in the proposal put on the table by the European Commission.

So that is the first major change. The text of the contracts has been modernized and aligned with the GDPR and all the requirements that the regulation provides.

Then there are more scenarios. The old model contracts only saw two scenarios from controller to controller.

So company A sending data to company B where each would process their personal information for their own purpose or from a controller to a processor, so to a service provider, for example, your cloud storage provider.

But there was never a scenario where your cloud service provider would also have their own processors, their own service providers that might also be involved in the data transfer.

And that has now been added.

So you now also have processor to processor standard contractual clauses. And there was also a scenario for non-EU companies using a service provider in the European Union where that data needs to flow back to the third country.

So instead of two scenarios, we now have four.

And also the European Commission makes very clear that you will need to do that third country assessment for surveillance legislation and that it could very well be that you need to put in place those supplemental safeguards that I referred to earlier.

And on top of the contractual clauses.

So where in the past, you could just take the model contract, fill it out and sign it.

Now you first have to do a full assessment of the legislation of the third country, which means an increased administrative burden, especially for SMEs that may not be able to afford any legal counsel.

So that is another big change. And also the scope of application is a change because the Commission seems to imply that it is no longer necessary to sign standard contractual clauses if the company with whom you are sharing personal data or to whom you are sending personal data are themselves also subject to the GDPR.

That is a very legal technical discussion and the Commission has been asked to confirm that that is actually the case, that this is the intention.

But if that is confirmed, it will make life a little bit more easy again, because then the administrative burden would be reduced because then in not all of the situations, those contracts would be required.

Perfect.

Well, thank you so much for running us through basics. I know it's a lot to cover in 30 minutes, but I think you've done a fantastic job of giving us an overview of exactly what's needed to set up a privacy program and also to keep an eye on the ever changing landscape.

But I think just to wrap up, if you could give the audience sort of your top three tips to start with and also just keep abreast of regarding their privacy programs.

Absolutely. And first of all, it's my pleasure to be here today.

The three tips, indeed, make sure that you implement that processing activities register and that you keep it up to date.

Make sure you develop policies and procedures for at least all the main points that you need to do under a privacy law from individual rights to data breaches to providing proper notice.

Make sure you keep up to date also with enforcement by the regulators, interpretation by the regulators, because that can also be very valuable for you for your own privacy program.

At TrustTalk, we try to share all that information with our subscribers, also a lot of information on our blogs, through our webinars and podcasts.

So try to stay abreast of what is happening within the privacy community.

Perfect. So thank you very much again. And we look forward to keeping this conversation going, especially as new jurisdictions come out with new pieces of legislation.

And as both of us know, the privacy world is definitely keeping us busy.

So thank you very much for joining us. My pleasure. Thank you.

Thank you.