3: Privacy Program Framework: Applicable Privacy Laws and Regulations Flashcards

1
Q

What is a major driver for compliance?

A

Data protection laws and regulations. These laws and regulations often overlap, so consult legal counsel to make sure every relevant area is covered.

2
Q

Global Privacy Laws

A

Laws that govern how personal information (PI) is collected, how data subjects are informed, and the data subjects' right to decide how their PI is used.

3
Q

New areas of data protection? (4)

A

AI
ML
Data security measures and controls for new technology, such as quantum computing
Handling data during pandemics

4
Q

Omnibus laws (wrt other countries)

A

Omnibus laws apply across all sectors of an economy. You have to abide by the laws of the country you are doing business in (not only those of the country you are based in).

5
Q

2 important privacy frameworks that many countries have based their data protection laws on?

A
  • Organisation for Economic Co-operation and Development (OECD) Guidelines on the Protection of Privacy and Transborder Flows of Personal Data, and the Asia-Pacific Economic Cooperation (APEC) Privacy Framework.
6
Q

What concepts do the OECD and APEC cover?

A
  The eight OECD principles (the APEC principles track them closely):
  • Collection limitation
  • Data quality
  • Purpose specification
  • Use limitation
  • Security safeguards
  • Openness
  • Individual participation
  • Accountability
7
Q

Commonalities between global privacy and data protection laws, regulations and standards

A

Requirements for ensuring individual rights (access, correction and deletion) and organizational obligations (safeguarding data).
Also contractual requirements, audit protocols, self-regulatory regimes, and marketplace expectations.

8
Q

EU General Data Protection Regulation

A

GDPR: a framework for data protection with increased accountability for organizations.
It has become the de facto global standard for data protection.

9
Q

General Provisions of the GDPR (3)

A

Subject-matter and objectives
- protection of natural persons with regard to the processing of personal data, and the free movement of personal data
Material scope
- processing of personal data (wholly or partly automated, or forming part of a filing system)
Territorial scope
- controllers or processors established in the Union, whether or not the processing takes place in the Union; also controllers or processors outside the Union that offer goods or services to, or monitor the behaviour of, data subjects in the Union

10
Q

CCPA

A

California Consumer Privacy Act
- privacy rights for California residents and significant new data protection obligations for businesses

11
Q

Other PI and Data Protection law examples (2)

A

Brazil: LGPD (Lei Geral de Proteção de Dados)
China: PIPL (Personal Information Protection Law)
- for businesses the PIPL resembles the GDPR, but it does not prevent the PRC (People's Republic of China) government from accessing data

12
Q

Sectoral Privacy Laws

A

Privacy and data protection addressed through laws that apply to specific market sectors and industries, for example:
Health care (Protected Health Information in the US; special categories of data in the EU)
Financial
Telecom - includes communications content, metadata and location information
Online
Government
Education
Video - including online streaming
Marketing
Energy
HR/Employment

13
Q

Self-Regulation

A

Industry standards and codes of conduct
Voluntary and contractual initiatives
e.g. PCI DSS, VeriSign (trust seals), CARU (Children's Advertising Review Unit)

14
Q

Cross-Border Data Transfers

A

Protective measures are required when personal data crosses borders.
The EU has the strictest requirements: transfers outside the EEA (European Economic Area) are permitted when the destination country has been deemed to provide an adequate level of data protection (an adequacy decision).

15
Q

Cross-Border Data Transfers to countries not deemed to have adequate data protection…

A

SCCs (Standard Contractual Clauses) are a valid transfer mechanism
- each transfer must still be assessed case by case using a DTIA or TIA (Data Transfer Impact Assessment / Transfer Impact Assessment)

16
Q

Steps for a DTIA or TIA

A
  • Map where the data is and where it is transferred to
  • Identify the mechanisms used for the transfer
  • Assess the effectiveness of the transfer mechanism
  • Adopt additional safeguards as needed
  • Ensure the additional measures align with business requirements
  • Monitor for ongoing compliance
17
Q

Questions for a DTIA or TIA

A
  • What is the likelihood of the government accessing the data?
  • Is the data within scope of intelligence and law enforcement activities?
  • Are proper protective measures in place?
  • What are the applicable privacy and security standards of the receiving country?
  • What are the general human rights ratings of the receiving country?
18
Q

“Surprise Minimization”

A

Is the country to which you're transferring personal data likely to provide equivalent privacy protections?
Would a person who has entrusted you with personal data be likely to object to their data traveling to that country?

19
Q

Ensure the Privacy Program aligns with the Business Initiatives

A
  • Compliance should be the baseline
  • Privacy by Design (PbD) will further organizational goals and help strike a balance
  • Compliance creates an opportunity to re-evaluate and improve data management practices (such as data inventory and data access controls)
  • Compliance should be achieved with the least amount of business disruption
20
Q

Penalties for Noncompliance

A

Legal and regulatory penalties are typically imposed by a regulator or industry body to enforce behaviour change after previous neglect or improper protection of data.

21
Q

HIPAA Violation Penalties

A

Four tiers, based on the level of culpability
From $100 per violation up to an annual cap of $1.5 million per violated provision

22
Q

GDPR Violation Penalties

A

Two tiers of maximum fines (up to €10 million or 2% of worldwide annual turnover, and up to €20 million or 4%, whichever is higher). The amount imposed depends on:
Nature, gravity, and duration of infringement,
Nature, scope and purpose of processing
Number of data subjects concerned
Level of damage and damage mitigation
Intent or negligence
Degree of responsibility
Previous infringements
Degree of cooperation with a supervisory authority
Categories of personal data
Manner of notification
Compliance with measures ordered by supervisory authorities
Adherence to approved codes of conduct/certification mechanisms

23
Q

Scope and Authority of Oversight Agencies

A

Oversight: “watchful care, management, or supervision”
Oversight agencies can fine or impose penalties, civil and criminal, based on laws and regulations
DPA - Data Protection Authority (called a supervisory authority under the GDPR)

24
Q

Monitoring Laws and Regulations

A

Keep up to date with changes: new laws and changing regulations
Consider using a third-party external privacy resource