3: Privacy Prog Framework: Applicable Privacy Laws and Regs Flashcards
What is a major driver for compliance?
data protection laws and regulations. The laws and regs often overlap, so consult legal to make sure all the relevant areas are covered
Global Privacy Laws
enforcing how PI is collected and how data subjects are informed and have a right to decide how their PI is used.
New areas of data protection? (4)
AI
ML
Data security measures and controls on new tech, like quantum computing
handling data during pandemics
Omnibus laws (wrt other countries)
you have to abide by the laws of the country you are trying to do business in (not the country you are based in).
2 important privacy frameworks that many countries have based their data protection laws on?
- Organisation for Economic Co-operation and Development (OECD) guidelines on the protection of privacy and transborder flows of personal data & Asia-Pacific Economic Cooperation (APEC) privacy framework.
What concepts do the OECD and APEC cover?
- collection limitation
data quality
purpose specification
use limitation
security safeguards
openness
individual participation
accountability
Commonalities btwn global privacy & data protection laws, regulations and standards
requirements for ensuring individual rights (access, correction and deletion) and obligations (safeguarding data).
also, contractual requirements, audit protocol, self-regulatory regimes, and marketplace expectation
EU General Data Protection Regulation
GDPR - framework for data protection with increased accountability for organizations.
Has become the global standard for data protection
General Provisions of the GDPR (3)
Subject-matter and Objectives
- protection of people wrt processing, protection and movement of personal data
Material scope
- processing of personal data
Territorial Scope
- processor or controller in the Union, whether the processing takes place in the Union or not
CCPA
California Consumer Privacy Act
- privacy rights for Californians and significant new data protection obligations for businesses
Other PI and Data Protection law examples (2)
Brazil LGPD
China PIPL Personal Information Protection Law
for businesses it resembles the GDPR, but does not prevent the PRC (People's Republic of China) from accessing data
Sectoral Privacy Laws
Privacy and data protection addressed through laws that apply to market sectors and industries, like:
Health care (Protected Health Information in the US, special categories of data in the EU)
Financial
Telecom - includes communication, metadata and location information
Online
Government
Education
Video - including online streaming
Marketing
Energy
HR/Employment
Self-Regulation
Industry standards and codes of conduct
Voluntary and contractual initiatives
e.g. PCI DSS, Verisign, CARU (Children's Advertising Review Unit)
Cross-Border Data Transfers
Protective measures required when data is crossing borders
EU has the strictest requirements; transfers outside the EEA (European Economic Area) are permitted if the destination countries are deemed to have adequate levels of data protection
Cross-Border Data Transfers with countries not deemed to have adequate data protection…
SCC - Standard contractual clauses - valid method of data transfer
- assess on a case by case basis using a DTIA or TIA (Data transfer impact assessment or transfer impact assessment)
Steps for a DTIA or TIA
- Map where the data is and where it is transferred to
- identify the mechanisms used for the transfer
- assess effectiveness of transfer mech
- adopt additional safeguards as needed
- ensure additional measures align with business requirements
- monitor for ongoing compliance
Question for a DTIA or TIA
- Likelihood of government accessing data
- is the data within scope of intelligence and law enforcement activities?
- are proper protective measures in place?
- what are the applicable privacy and security standards of the receiving country?
- what are the general human rights ratings of the receiving country?
“Surprise Minimization”
Is the country to which you’re transferring personal data likely equivalent in terms of privacy protections?
Would a person who has entrusted you with personal data be likely to object to their data traveling to that country?
Ensure the Privacy Program aligns with the Business Initiatives
- compliance should be the baseline
- PbD will further organizational goals and help strike a balance
- compliance creates an opportunity to reevaluate and improve data management practices (like data inventory and data access controls)
- compliance should be achieved with the least amount of business disruption
Penalties for Noncompliance
Legal and regulatory penalties are typically imposed by an industry to enforce behaviour modification after previous neglect or improper protection of data
HIPAA Violation Penalties
4 tiers
$100 up to $1.5 million/year
GDPR Violation Penalties
two tiers of maximum fines; the fine level depends on:
Nature, gravity, and duration of infringement,
Nature, scope and purpose of processing
Number of data subjects concerned
Level of damage and damage mitigation
Intent or negligence
Degree of responsibility
Previous infringements
Degree of cooperation with a supervisory authority
Categories of personal data
Manner of notification
Compliance with measures ordered by supervisory authorities
Adherence to approved codes of conduct/certification mechanisms
Scope and Authority of Oversight Agencies
“watchful care, management, or supervision”
oversight agencies can fine or impose penalties, civil and criminal, based on laws and regulations
DPA - data protection agencies
Monitoring Laws and Regulations
Keep up to date on changes, new laws, changing regulations
Consider using a 3rd Party external privacy resource