IMPACT OF INTERNATIONAL PRIVACY REGULATIONS. Michelle Caswell, Coalfire Julia Jacobson, K&L Gates

Transcription

1 IMPACT OF INTERNATIONAL PRIVACY REGULATIONS Michelle Caswell, Coalfire Julia Jacobson, K&L Gates

2 Introduction to International Privacy Law General Data Protection Regulation HITRUST Alliance

3 What is General Data Protection Regulation (GDPR)? Intended to harmonize data protection laws among EU Member States BUT, EU Member States still can implement laws on certain data protection matters Requires a culture of compliance Adopted on 27 April 2016; In force as of 25 May HITRUST Alliance

4 What is General Data Protection Regulation (GDPR)? Applies to any organization that: o o o has employees in the EU offers goods or services to EU residents (even if no payment is required) monitors behavior of an EU resident Applies to personal data of EU resident HITRUST Alliance

5 What is General Data Protection Regulation (GDPR)? Fines for non-compliance are hefty: up to greater of 2% of annual global revenue or 10m. or up to greater of 4% of annual global revenue or 20m. Can EU regulators reach a US-based company with no operations in EU? HITRUST Alliance

6 GDPR Lingo Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Controller means the person or entity that determines the purposes and means of the processing of personal data. Processor means a person or entity that processes personal data on behalf of a controller. Personal Data next slide HITRUST Alliance

7 What are GDPR s Key Differences for US Companies? US FTC: not yet linked to a particular consumer, computer, or device but that may reasonably become so CaCPA: identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. State Data Breach Law: first name or first initial with last name PLUS SSN, D.L./gov t ID card, bank account/ credit/debit card, or health insurance information. Some states: biometric data, health data. GDPR Personal data is data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person HITRUST Alliance

8 What are GDPR s Key Differences for US Companies? Requires lawful basis for processing personal data Requires Data Protection Impact Assessment (DPIA) when high risk processing, e.g., when data is processed by new technology Requires Lead Supervisory Authority or Representative May require a Data Protection Officer (who has expert knowledge, directly reports to highest management level and no conflict of interest) and/or Record of Processing HITRUST Alliance

9 What are GDPR s Key Differences for US Companies? New and Enhanced Rights of Data Subjects Right to Erasure (a.k.a. Right to be Forgotten) - Right to request erasure of personal data without undue delay if the data is no longer needed, the data subject objects to the processing or the processing was unlawful. Data Portability - Right to receive personal data processed through automated means in a commonly used and machine-readable format Right of Access - Right to know what personal data is processed and why Right of Rectification Right to Restrict Processing Right to Object to Processing HITRUST Alliance

10 What are GDPR s Key Differences for US Companies? Personal Data Breach HITRUST Alliance

11 What are GDPR s Key Differences for US Companies? Personal Data Breach Involve legal team early to help determine whether an incident is a personal data breach; if yes, then must immediately assess whether an incident requires notification to supervisory authority ( risk ) and individuals ( high risk ). If a processor, understand and operationalize contractual notification obligations for response without undue delay. Be prepared for accountability - keep records of all personal data breaches and be ready to justify incident response plan to supervisory authorities HITRUST Alliance

12 Other EU Laws eprivacy Directive (revisions in process for 2019) Cookie Directive - obtain consent to place and access data (like cookies) on a computer or other internet-connected device UK Data Protection Act after BREXIT in April 2019 Germany s GDPR-implementing Law HITRUST Alliance

13 Introduction to International Privacy Law Other International Privacy Laws HITRUST Alliance

14 Countries with Laws like GDPR Countries with adequacy determinations (EU designation) o Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and U.S. (limited to the Privacy Shield framework) o Japan just announced Brazil NEW - applies to the personal data of Brazilians regardless of the location of the entity collecting the data India PROPOSED HITRUST Alliance

15 AsiaPac Countries with Data Protection Laws HITRUST Alliance

16 Introduction to International Privacy Law Security & International Privacy Laws HITRUST Alliance

17 GDPR s Security Requirements appropriate technical and organisational measures to ensure a level of security appropriate to the risk include: o o o o o Encryption Pseudonymization Business Continuity/Disaster Recovery Regularly testing, assessing and evaluating the effectiveness of technical and organisational measures Evaluating processors HITRUST Alliance

18 Security Requirements in Other Countries Canada PIPEDA Principle 4.7 requires that personal information be protected by safeguards appropriate to the sensitivity of the information; PIPEDA Principle requires security safeguards to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. New data breach notification law effective November 1, China s Personal Information Security Specification a data controller must implement adequate technical and organizational measures to ensure data security. (Section 4) Singapore An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks. (PDPA Section 24) HITRUST Alliance

19 What are Reasonable Security Requirements? Flexibility of approach: (1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart. (2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors: (i) The size, complexity, and capabilities of the covered entity or business associate. (ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities. (iii) The costs of security measures. (iv) The probability and criticality of potential risks to electronic protected health information. 45 C.F.R (b)(1)(2) HITRUST Alliance

20 Cybersecurity Frameworks HITRUST NIST ISO 27001/27002 COBIT CIS Critical Security Controls HITRUST Alliance

21 NIST Risk Management Framework for Information Systems and Organizations A System Life Cycle Approach for Security and Privacy 1. Prepare Categorize (Overview provided next slides) 2. Select - (Overview provided next slides) 3. Implement 4. Assess 5. Authorize 6. Monitor - (Overview provided next slides) HITRUST Alliance

22 Overview - Step 1 - Risk Management Organizational Risk Management Roles Risk Management Strategy Risk Assessment Organization-Wide Tailored Control Baselines and Profiles Common Control Identification HITRUST Alliance

23 Overview - Step 2 - Risk Management System Level Mission or Business Focus Organizational Stakeholders Asset Identification Authorization Boundary Information Types Information Life Cycle Risk Assessment (System) Enterprise Architecture System Registry HITRUST Alliance

24 Overview Step 6 - Monitor System and Environment Changes Ongoing Assessments Ongoing Risk Response Authorization Updates Security and Privacy Reporting Ongoing Authorization System Disposal HITRUST Alliance

25 Security Simplified Involve the right team members Know what data is flowing in and out of your organization Maintain inventory of your assets Develop your organization s risk appetite Understand your legal obligations Perform non-technical and technical evaluations Stay up-to-date on the latest technologies Get involved in information security and privacy groups HITRUST Alliance

26 Visit for more information To view our latest documents, visit the Content Spotlight HITRUST Alliance