IMPACT OF INTERNATIONAL PRIVACY REGULATIONS
Michelle Caswell, Coalfire
Julia Jacobson, K&L Gates
Introduction to International Privacy Law: General Data Protection Regulation
2018 HITRUST Alliance
What is General Data Protection Regulation (GDPR)?
- Intended to harmonize data protection laws among EU Member States, BUT EU Member States still can implement their own laws on certain data protection matters
- Requires a culture of compliance
- Adopted on 27 April 2016; in force as of 25 May 2018
What is General Data Protection Regulation (GDPR)?
- Applies to any organization that:
  o has employees in the EU
  o offers goods or services to EU residents (even if no payment is required)
  o monitors behavior of an EU resident
- Applies to personal data of EU residents
What is General Data Protection Regulation (GDPR)?
- Fines for non-compliance are hefty:
  o up to the greater of 2% of annual global revenue or €10m, or
  o up to the greater of 4% of annual global revenue or €20m
- Can EU regulators reach a US-based company with no operations in the EU?
GDPR Lingo
- "Processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- "Controller" means the person or entity that determines the purposes and means of the processing of personal data.
- "Processor" means a person or entity that processes personal data on behalf of a controller.
- "Personal Data": see next slide
What are GDPR's Key Differences for US Companies?
Definitions of personal data:
- US FTC: "not yet linked to a particular consumer, computer, or device but that may reasonably become so"
- CaCPA: "identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household."
- State Data Breach Law: first name or first initial with last name PLUS SSN, D.L./gov't ID card, bank account/credit/debit card, or health insurance information. Some states: biometric data, health data.
- GDPR: "Personal data" is data relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
What are GDPR's Key Differences for US Companies?
- Requires a lawful basis for processing personal data
- Requires a Data Protection Impact Assessment (DPIA) when processing is high risk, e.g., when data is processed by new technology
- Requires a Lead Supervisory Authority or Representative
- May require a Data Protection Officer (who has expert knowledge, reports directly to the highest management level and has no conflict of interest) and/or a Record of Processing
What are GDPR's Key Differences for US Companies?
New and Enhanced Rights of Data Subjects
- Right to Erasure (a.k.a. Right to be Forgotten): right to request erasure of personal data without undue delay if the data is no longer needed, the data subject objects to the processing, or the processing was unlawful.
- Data Portability: right to receive personal data processed through automated means in a commonly used and machine-readable format
- Right of Access: right to know what personal data is processed and why
- Right of Rectification
- Right to Restrict Processing
- Right to Object to Processing
What are GDPR's Key Differences for US Companies?
Personal Data Breach
- Involve the legal team early to help determine whether an incident is a personal data breach; if yes, then immediately assess whether the incident requires notification to the supervisory authority ("risk") and to individuals ("high risk").
- If a processor, understand and operationalize contractual notification obligations for response "without undue delay".
- Be prepared for accountability: keep records of all personal data breaches and be ready to justify the incident response plan to supervisory authorities.
Other EU Laws
- ePrivacy Directive (revisions in process for 2019)
- Cookie Directive: obtain consent to place and access data (like cookies) on a computer or other internet-connected device
- UK Data Protection Act 2018: after BREXIT in April 2019
- Germany's GDPR-implementing Law
Introduction to International Privacy Law: Other International Privacy Laws
Countries with Laws like GDPR
- Countries with adequacy determinations (EU designation):
  o Andorra, Argentina, Canada (commercial organisations only), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay and U.S. (limited to the Privacy Shield framework)
  o Japan: just announced
- Brazil (NEW): applies to the personal data of Brazilians regardless of the location of the entity collecting the data
- India (PROPOSED)
AsiaPac Countries with Data Protection Laws
Introduction to International Privacy Law: Security & International Privacy Laws
GDPR's Security Requirements
"Appropriate technical and organisational measures to ensure a level of security appropriate to the risk" include:
  o Encryption
  o Pseudonymization
  o Business Continuity/Disaster Recovery
  o Regularly testing, assessing and evaluating the effectiveness of technical and organisational measures
  o Evaluating processors
Security Requirements in Other Countries
- Canada: PIPEDA Principle 4.7 requires that personal information be protected by safeguards appropriate to the sensitivity of the information; PIPEDA Principle 4.7.1 requires security safeguards to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use or modification. New data breach notification law effective November 1, 2018.
- China: Personal Information Security Specification: "a data controller must implement adequate technical and organizational measures to ensure data security." (Section 4)
- Singapore: "An organisation shall protect personal data in its possession or under its control by making reasonable security arrangements to prevent unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks." (PDPA Section 24)
What are Reasonable Security Requirements?
"Flexibility of approach:
(1) Covered entities and business associates may use any security measures that allow the covered entity or business associate to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity or business associate must take into account the following factors:
  (i) The size, complexity, and capabilities of the covered entity or business associate.
  (ii) The covered entity's or the business associate's technical infrastructure, hardware, and software security capabilities.
  (iii) The costs of security measures.
  (iv) The probability and criticality of potential risks to electronic protected health information."
45 C.F.R. § 164.306(b)(1)-(2)
Cybersecurity Frameworks
- HITRUST
- NIST
- ISO 27001/27002
- COBIT
- CIS Critical Security Controls
NIST Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
1. Prepare, Categorize (overview provided on next slides)
2. Select (overview provided on next slides)
3. Implement
4. Assess
5. Authorize
6. Monitor (overview provided on next slides)
https://csrc.nist.gov/csrc/media/publications/sp/800-37/rev-2/draft/documents/sp800-37r2-draft-ipd.pdf
Overview - Step 1 - Risk Management (Organizational)
- Risk Management Roles
- Risk Management Strategy
- Risk Assessment (Organization-Wide)
- Tailored Control Baselines and Profiles
- Common Control Identification
Overview - Step 2 - Risk Management (System Level)
- Mission or Business Focus
- Organizational Stakeholders
- Asset Identification
- Authorization Boundary
- Information Types
- Information Life Cycle
- Risk Assessment (System)
- Enterprise Architecture
- System Registry
Overview - Step 6 - Monitor
- System and Environment Changes
- Ongoing Assessments
- Ongoing Risk Response
- Authorization Updates
- Security and Privacy Reporting
- Ongoing Authorization
- System Disposal
Security Simplified
- Involve the right team members
- Know what data is flowing in and out of your organization
- Maintain an inventory of your assets
- Develop your organization's risk appetite
- Understand your legal obligations
- Perform non-technical and technical evaluations
- Stay up-to-date on the latest technologies
- Get involved in information security and privacy groups
Visit www.hitrustalliance.net for more information
To view our latest documents, visit the Content Spotlight