© 2020 TrustArc Inc. Proprietary and Confidential Information.
Building Consumer Trust through Individual Rights / DSAR Management
October 14, 2020
Speakers
K Royal
FIP, CIPP/US / E, CIPM, CDPSE
Associate General Counsel,
Privacy Intelligence
TrustArc
Maggie Gloeckle
FIP CIPP/US/E, CIPM, CIPT, CDPSE, PMP
VP, Privacy and Compliance Counsel
A&E Networks
Agenda
● Data subject rights under GDPR, CCPA, & LGPD
● Recommended practices and tips to comply
● Practical steps for implementing a Data Subject Rights Management program
Quick Review
GDPR: European Union’s General Data Protection Regulation, passed in 2016, effective 2018.
CCPA: California Consumer Privacy Act; the process started in 2017, passed 2018, amended 2019, regulations 2020, plus new proposed modifications and the looming California Privacy Rights Act (CPRA).
LGPD: Brazil’s Lei Geral de Proteção de Dados, passed in 2018 to be effective in 2020; this year it was not delayed, but enforcement was pushed out to 2021.
Poll 1
What are you most interested in learning about today?
1. Specifics on laws and individual rights
2. Case studies / practical examples
3. How to operationalize managing individual rights
4. All of the above
Individual Rights under GDPR, CCPA, and LGPD
What are Individual Rights?
Individual Rights Mapped to Other Regulations
Regulation columns: GDPR | CCPA | LGPD | NZ Privacy Act 2020 | Japan LPPI* | China Civil Code | Dubai DPL 2020 | Egypt LPPD | Privacy Shield
Access: X X X X X X X X X
Correction: X Z* X X X X X X X
Erasure: X X X X X X X
Object, Opt-Out: X X X X X X X
Portability: X X** X X
GDPR Individual Rights
Article | Right of the Data Subject
15 Right of access
16 Right to rectification
17 Right to erasure (‘right to be forgotten’)
18 Right to restriction of processing
19 Notification obligation regarding rectification or erasure of personal data or restriction of processing
20 Right to data portability
21 Right to object
22 Automated individual decision-making, including profiling
Individual Rights, Articles 15 - 22
Credit to the brilliance of Ashley Slavik, Chief Privacy Officer, Lead Data Counsel, Veeva Systems
CCPA Individual Rights
CCPA Section | Right of the Consumer
§ 1798.100 Right to access, notice, and data portability
§ 1798.105 Right to deletion
§ 1798.110 Right to disclosures of personal information
§ 1798.115 Right to disclosures of personal information sold
§ 1798.120 Right to opt-out of sales
§ 1798.125 Right to nondiscrimination
CCPA Individual Rights: Third set of proposed modifications - Oct. 12
Collection of personal data (999.306)
● Interacting with consumers offline: must provide an offline method that the consumer is aware of so they can exercise their right to opt out
● Over the phone: may provide the notice orally during the call where the information is collected
Opting out (999.315)
● Must be easy for the consumer and require a minimal number of steps. Examples: don’t ask for unnecessary information to process the request, and making the consumer scroll through a page is bad
Authorized Agent (999.326)
● Clarifies the proof that a business may require an authorized agent to provide, as well as
● What the business may require a consumer to do to verify their request
LGPD Individual Rights
Art. 18 | Right of the Consumer
I Confirmation of the existence of the processing
II Access to the data
III Correction of incomplete, inaccurate or out-of-date data
IV Anonymization, blocking or deletion of unnecessary/excessive data or data processed in noncompliance with the law
V Portability to another provider, by express request, subject to commercial and industrial secrecy
VI Deletion of personal data processed with consent of the data subject
VII Information on public/private entities where controller shared data
VIII Information about denying consent and the consequences
IX Revocation of consent as provided in §5 of Art. 8
Poll Question
Where would you categorize your individual rights management program?
1. Initial / ad hoc - respond as arises
2. Repeatable - some processes
3. Defined - policies in place
4. Managed
5. Optimized
Compliance Requirements
Method of request
  GDPR: Not addressed
  CCPA: Two or more methods, including a toll-free phone and online
  LGPD: Not addressed
Delivery of request
  GDPR: Must be concise, transparent, intelligible, easily accessible, using clear and plain language, especially to a child; in writing, electronically, or orally if identity verified. Electronic requests = electronic delivery
  CCPA: Through consumer account if one exists, or by mail or electronically at consumer’s option (not allowed to require an account to be created for this purpose)
  LGPD: Printed or electronic, per data subject, in safe and suitable means
Number of requests permitted
  GDPR: Not addressed (if excessive because of repetitive nature, may charge or refuse to act)
  CCPA: May limit to 2 in a 12-month period
  LGPD: Not addressed
Limitation time frame
  GDPR: Not addressed
  CCPA: Applies to information collected in the preceding 12 months
  LGPD: Not addressed
Compliance Requirements (continued)
Identity verification
  GDPR: May refuse to act if not able to identify; may verify identity if reasonable doubt exists
  CCPA: Verifiable request required, but time to verify identity does not extend time to respond
  LGPD: Not addressed, but does have “express consent”
Timeframe to respond
  GDPR: Without undue delay and in any event within one month
  CCPA: 45 days
  LGPD: Confirmation & access: 15 days if not simple, all other immediately
Extension of response time
  GDPR: Two-month extension where necessary for complexity and number of requests; inform within first month with reason for delay
  CCPA: 45-day extension if consumer is informed during first 45 days
  LGPD: Not addressed
Charge
  GDPR: Free unless manifestly unfounded or excessive, then a reasonable fee
  CCPA: Free except for multiple copies, then administrative costs
  LGPD: Free
Training for processing requests
  GDPR: DPO advises on obligations and monitors compliance, including awareness-raising and training
  CCPA: All individuals responsible for handling inquiries must be trained
  LGPD: DPO orients employees and contractors regarding practices to be taken in relation to personal data protection
Recommended Practices
Poll Question
How many individual rights requests do you receive in total (that require some level of management)?
1. less than 10 a month
2. between 11 - 100 a month
3. between 101 - 500 a month
4. between 501 - 999 a month
5. more than 1,000 a month
Key Individual Right: The Right to Access
GDPR Article 15: Allows various methods, includes confirmation that data is processed
● Exception: Aside from the uniform exception for manifestly unfounded or excessive requests, the right to access should only be limited to the extent it adversely affects the rights and freedoms of others.
CCPA Section 1798.100: Right to know
● Exception: The CCPA regulations make an exception for disclosure where there is a conflict with state or federal law, and prohibit businesses from disclosing certain data elements like government-issued identification numbers, financial account numbers, account passwords, security questions and answers, health insurance or medical ID numbers, and unique biometric information.
LGPD Article 18, II: Right to Access
● Exception: the LGPD does not provide a list of exceptions to the right to access, but does state that access should be provided taking into consideration trade and commercial secrecy. The LGPD also does not apply to data processed exclusively for purposes of: a) public safety; b) national defense; c) state security; or d) activities of investigation and prosecution of criminal offenses.
Practical Example: The Right to Access
● Request for video inside a store (or from an employer) to identify who may have stolen something or performed a particular action. What about video from a parking lot? A crime seems a logical reason, but what about someone leaving a note?
GDPR: Key Individual Right: The Right to Erasure (‘Right to be Forgotten’)
Eligible only if:
● personal data are no longer necessary for the purposes for which they were collected or otherwise processed;
● DS withdraws consent and there is no other legal ground for the processing;
● DS objects to processing (marketing, public interest) and no overriding legitimate grounds exist;
● the personal data have been unlawfully processed;
● the personal data have to be erased for compliance with a legal obligation; or
● the personal data have been collected in relation to the offer of information society services.
Exceptions:
● exercising the right of freedom of expression and information;
● compliance with a legal obligation by law, public interest or official authority task;
● public interest in the area of public health;
● archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
● establishment, exercise or defence of legal claims.
CCPA: Key Individual Right: The Right to Erasure
Exception: Businesses may decline to delete a customer’s personal information when a business requires the personal information at issue in order to:
■ Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer.
■ Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity.
■ Debug to identify and repair errors that impair existing intended functionality.
■ Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law.
■ Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code.
■ Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the business’s deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
LGPD: Key Individual Right: The Right to Erasure
Article 8 VI: deletion of personal data processed with the consent of the data subject, except in the situations provided in Article 16 (Termination of Data Processing) or for unnecessary or excessive data.
Exceptions:
Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, unless retention is authorized for the following purposes:
● compliance with a legal or regulatory obligation by the controller;
● study by a research entity, ensuring, whenever possible, the anonymization of the personal data;
● transfer to third parties provided that the requirements for data processing as provided in this Law are obeyed; or
● exclusive use of the controller, with prohibited access by third parties and provided the data has been anonymized.
And keep in mind, LGPD does not apply to data processed exclusively for purposes of: a) public safety; b) national defense; c) state security; or d) activities of investigation and prosecution of criminal offenses (Article 4).
Practical Example: The Right to Erasure (‘Right to be Forgotten’)
Common examples we have seen:
● Drug screens
● Prior applications for jobs
● Annual reviews
● Social media posts
● Internet search history
● Movie rental history
● Hotel stays
● Visits to restaurants
● Church records
● Grades / school records
Key Individual Right: The Right to Restriction of Processing
GDPR Article 18: Individuals may, in certain circumstances, have their personal data excluded from processing. This right prevents the personal data from being used for most processing purposes, other than simply storing the data (with exceptions). Once the processing has ceased, the controller must notify an individual before processing resumes. Data subjects may request and obtain cessation of processing (Article 18(1)).
● Exception: If processing has been restricted, it may only be processed with “the data subject’s consent, or for the establishment, exercise, or defense of legal claims or for the protection of the rights of another person”.
CCPA Section: The CCPA does not have an analogous right.
LGPD Article 18 IV and IX: Blocking, and also revocation of consent as provided in §5 of Article 8 of this Law. §2: The data subject may oppose the processing carried out based on one of the situations of waiver of consent, if there is noncompliance with the provisions of this Law.
Practical Example: The Right to Restriction of Processing (and Blocking)
● Request for deletion denied; the individual requests restriction of processing while awaiting resolution
Key Individual Right: The Right to Data Portability
GDPR Article 20: The right to data portability is provided under the GDPR. This right supports the free flow of information, provides user control and empowerment, and fosters competition and development of new services.
● Exception: This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right is also limited if it adversely affects the rights and freedoms of others.
CCPA: this right is included in the right to access in section 1798.100(d) and simply requires that if the data is "provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance".
LGPD: Article 18, V, provides portability of the data to another service or product provider, by means of an express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling agency. In addition, Article 11 prohibits sharing sensitive data between controllers to obtain an economic advantage, except for portability consented to by the data subject. Also, anonymized data is exempted.
Practical Examples: The Right to Data Portability
● Porting contracts from one contract manager solution to another
● Books from reading services or movies from providers?
● Medical records
Notes:
GDPR Recital 68: “The data subject's right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible.”
LGPD: commercial secrecy
Steps to Comply
● Ensure understanding of what data you collect, the collection process, and where it resides.
● Establish a process to intake individual rights requests that is easy for the individual, and ensure this process is well-communicated throughout the organization. A request may come in from many routes, and the person receiving that request needs to understand that a request is being made. Individuals typically won’t understand or use the exact verbiage in the law.
● Validate the individual's identity.
● Once the request is validated, have a process to review it, evaluate the data referenced and the reasons for processing the data, and evaluate any exceptions.
● Have a response process.
● Put in place an appeals process for denied requests. Retain documentation throughout the process.
Best Practice Tips
● Incorporate these rights into your privacy program and ensure there is an established process from beginning to end.
● Take your data inventory and data processing records a step further to envision requests made for that data.
● Work with your vendors to ensure that these rights can be honored on their side, and get documentation to validate that ability.
● Be helpful. This is not an adversarial process. These are rights provided to individuals to protect their freedoms and right to privacy.
Simple Flow Chart
Case Study
Ann worked at a large grocery store chain (Food-n-More, HQ in California) and was also both a customer and a rewards member. She was honored to be profiled in their public blog as the employee of the month. Food-n-More provided great benefits, including tuition reimbursement. After she resigned to attend college full-time in Arizona, she worked for them during seasonal busy times, such as Christmas.
Ann used Food-n-More’s online individual rights form to request access to her information. She received a response back that they determined the only information they have on her is her email subscription.
Ann contacted the email address this response came from, stating that she was a past employee and in fact still worked for them seasonally. No response.
Ann looked up the contact information online and called the number listed. It went to the general answering service. She explained the purpose of her call and was routed to the HR hotline. She left a message, but also called a number listed for customer service. She explained what she wanted and the person asked her to hold. After coming back on, the person routed her to a voicemail that instructed her to leave details for her inquiry.
After multiple back-and-forth communications with both HR and the privacy department over about 4 months, Ann finally received information on her employment dates, role, pay rate, and that she could request benefit information for her FT employment.
*This fictitious case study was written to highlight the best practice tips.
Case Study Continued
What went wrong here? The company did not:
● Provide an inclusive response
● Have a process to clarify responses
● Train all people who manage responses
● Have a process to receive or evaluate requests within the required timeframes
● Have a plan for communication or response in a timely fashion
What went right? The company did:
● Have an individual rights form
● Have someone in privacy
● Provide information….
If the company had an Individual Rights program in place, the process could have been smoother.
Efficiently managing numerous requests per month can be further enhanced through a technology
solution designed to automate and streamline requests processing.
Automate the data subject request lifecycle
TrustArc Individual Rights Manager enables organizations to efficiently and securely respond to data subject requests at scale. With the ability to configure and automate workflows, combined with our unique privacy intelligence solution, organizations can meet global regulatory requirements, reduce cost, and build customer trust.
Confidently Maintain Global Compliance: Receive contextualized up-to-date regulatory guidance to ensure workflows are always aligned with the latest privacy regulations.
Tailor Workflows to Meet Every Need: Address business requirements by customizing automated workflows to streamline end-to-end request fulfillment.
Streamline Verification Process: Configure identity verification workflows based on regulatory requirements by leveraging our suite of validation approaches and integrated partner solutions.
Deliver a Branded Experience: Create an on-brand privacy experience through customizable intake forms, landing pages, and email templates.
Questions?
Upcoming Webinars
● Schrems II: Practical Considerations from a Legal Process and Technology Perspective, October 27, 2020 @ 9:00 PST
● How to Manage Vendors and Third Parties to Minimize Privacy Risk, October 28, 2020 @ 9:00 PST
● Post 'Schrems II': Examining Your Options and How to Action the Ruling, October 29, 2020 @ 9:00 PST
Thank You!
See http://www.trustarc.com/insightseries for the 2020 Privacy Insight Series and past webinar recordings.
If you would like to learn more about how TrustArc can support you with compliance,
please reach out to sales@trustarc.com for a free demo.

More Related Content

Building Consumer Trust through Individual Rights / DSAR Management

  • 1. © 2020 TrustArc Inc. Proprietary and Confidential Information. Building Consumer Trust through Individual Rights / DSAR Management October 14, 2020
  • 2. Speakers 2 K Royal FIP, CIPP/US / E, CIPM, CDPSE Associate General Counsel, Privacy Intelligence TrustArc Maggie Gloeckle FIP CIPP/US/E, CIPM, CIPT, CDPSE, PMP VP, Privacy and Compliance Counsel A&E Networks
  • 3. Agenda 3 ● Data subject rights under GDPR, CCPA, & LGPD ● Recommended practices and tips to comply ● Practical steps for implementing a Data Subject Rights Management program
  • 4. Quick Review 4 GDPR European Union’s General Data Protection Regulation, passed in 2016, effective 2018 CCPA California Consumer Privacy Act, process started in 2017, passed 2018, amended 2019, regulations 2020, plus new proposed modifications and looming California Privacy Rights Act (CPRA) LGPD Brazil’s Lei Geral de Proteção de Dados, passed in 2018 to be effective in 2020, and then this year - not delayed, pushing enforcement out to 2021
  • 5. Poll 1 5 What are you most interested in learning about today? 1. Specifics on laws and individual rights 2. Case studies / practical examples 3. How to operationalize managing individual rights 4. All of the above
  • 6. © 2019 TrustArc Inc Proprietary and Confidential Information Individual Rights under GDPR, CCPA, and LGPD
  • 7. 7 What are Individual Rights? https://app.sli.do/event/d7d2fkix/embed/polls/fdf9f038-95ab-4660-96cc-0f5857f69223
  • 8. Individual Rights Mapped to Other Regulations 8 GDPR CCPA LGPD NZ Privacy Act 2020 Japan LPPI* China Civil Code Dubai DPL 2020 Egypt LPPD Privacy Shield Access X X X X X X X X X Correction X Z* X X X X X X X Erasure X X X X X X X Object, Opt-Out X X X X X X X Portability X X** X X
  • 9. GDPR Individual Rights 9 Article Right of the Data Subject 15 Right of access 16 Right to rectification 17 Right to erasure (‘right to be forgotten’) 18 Right to restriction of processing 19 Notification obligation regarding rectification or erasure of personal data or restriction of processing 20 Right to data portability 21 Right to object 22 Automated individual decision-making, including profiling
  • 10. Individual Rights Articles 15 - 22 10 Credit to the brilliance of Ashley Slavik Chief Privacy Office, Lead Data Counsel Veeva Systems
  • 11. CCPA Individual Rights 11 CCPA Section Right of the Consumer § 1798.100 Right to access, notice, and data portability § 1798.105 Right to deletion § 1798.110 Right to disclosures of personal information § 1798.115 Right to disclosures of personal information sold § 1798.120 Right to opt-out of sales § 1798.125 Right to nondiscrimination
  • 12. CCPA Individual Rights: Third set of proposed modifications - Oct. 12 12 Collection of personal data (999.306) ● Interacting with consumers offline Must provide an offline method that the consumer is aware of so they can exercise their right to opt out ● Over the phone May provide the notice orally during the call where the information is collected Opting out (999.315) ● Must be easy for the consumer and require minimal amount of steps to do so Examples: Don’t ask for unnecessary information for process request AND scrolling through a page = bad Authorized Agent (999.326) ● Clarifies the proof that a business may require an authorized agent to provide, as well as ● What the business may require a consumer to do to verify their request
  • 13. LGPD Individual Rights 13 Art. 18 Right of the Consumer I Confirmation of the existence of the processing II Access to the data III Correction of incomplete, inaccurate or out-of-date data IV Anonymization, blocking or deletion of unnecessary/excessive data or data processed in noncompliance with the law V Portability to another provider, by express request, subject to commercial and industrial secrecy VI Deletion of personal data processed with consent of the data subject VII Information on public/private entities where controller shared data VIII Information about denying consent and the consequences IX Revocation of consent as provided in §5 of Art. 8
  • 14. Poll Question 14 Where would you categorize your individual rights management program? 1. Initial / ad hoc - respond as arises 2. Repeatable - some processes 3. Defined - policies in place 4. Managed 5. Optimized
  • 15. Compliance Requirements 15 Element GDPR CCPA LGPD Method of request Not addressed Two or more methods, including a toll-free phone and online Not addressed Delivery of request Must be concise, transparent, intelligible, easily accessible, using clear and plain language, especially to a child. in writing, electronically, or orally if identity verified. Electronic requests = electronic delivery Through consumer account if one exists or by mail or electronically at consumer’s option (not allowed to require an account to be created for this purpose) Printed or electronic, per data subject, in safe and suitable means Number of requests permitted Not addressed (if excessive, because repetitive nature, may charge or refuse to act) May limit to 2 in a 12-month period Not addressed Limitation time frame Not addressed Applies to information collected in the preceding 12 months Not addressed
  • 16. Compliance Requirements 16 Element GDPR CCPA LGPD Identity verification May refuse to act if not able to identify; May verify identity if reasonable doubt exists Verifiable request required, but time to verify identity does not extend time to respond Not addressed, but does have “express consent” Timeframe to respond Without undue delay and in any event within one month 45 days Confirmation & access 15 days if not simple, all other immediately Extension of response time Two-month extension where necessary for complexity and # of requests; inform within first month with reason for delay 45 days extension if inform consumer during first 45 days Not addressed Charge Free unless manifestly unfounded or excessive - then reasonable fee Free except for multiple copies - then administrative costs. Free Training for processing requests DPO advises on obligations and monitors compliance, including awareness- raising and training All individuals responsible for handling inquiries must be trained. DPO orients employees and contractors regarding practices to be taken in relation to personal data protection
  • 17. © 2019 TrustArc Inc Proprietary and Confidential Information Recommended Practices
  • 18. Poll Question 18 How many individual rights requests do you receive in total (that require some level of management)? 1. less than 10 a month 2. between 11 - 100 a month 3. between 101 - 500 a month 4. between 501 - 999 a month 5. more than 1,000 a month
  • 19. Key Individual Right: The Right to Access 19 GDPR Article 15: Allows various methods, includes confirmation data is processed ● Exception: Aside from the uniform exception for manifestly unfounded or excessive requests, the right to access should only be limited to the extent it adversely affects the rights and freedoms of others. CCPA Section 1798.100: Right to know ● Exception: The CCPA regulations make an exception for disclosure where there is a conflict with state or federal law, and prohibits businesses from disclosing certain data elements like government-issued identification numbers, financial account numbers, account passwords, security questions and answers, health insurance or medical ID numbers, and unique biometric information. LGPD Article 18, II: Right to Access ● Exception: the LGPD does not provide a list of exceptions to the right to access, but does state that access should be provided taking into consideration trade and commercial secrecy and LGPD does not apply to data processed exclusively for purposes of: a) public safety; b) national defense; c) state security; or d) activities of investigation and prosecution of criminal offenses
  • 20. Practical Example: The Right to Access 20 ● Request for video inside a store (or employer) to identify who may have stolen something or did a particular action or what about in a parking lot, (a crime seems logical, but what about leaving a note?)
  • 21. GDPR: Key Individual Right: The Right to Erasure (‘Right to be Forgotten’) 21 Eligible only if: ● personal data are no longer necessary for purposes they were collected or otherwise processed; ● DS withdraws consent and where there is no other legal ground for the processing; ● DS objects to processing (marketing, public interest) and no overriding legitimate grounds exist ● the personal data have been unlawfully processed; ● the personal data have to be erased for compliance with a legal obligation; or ● the personal data have been collected in relation to the offer of information society services Exceptions: ● exercising the right of freedom of expression and information; ● compliance with a legal obligation by law, public interest or official authority task; ● public interest in the area of public health; ● archiving purposes in the public interest, scientific or historical research purposes or statistical purposes; or ● establishment, exercise or defence of legal claims
  • 22. CCPA: Key Individual Right: The Right to Erasure 22 Exception: Businesses may decline to delete a customer’s personal information when a business requires the personal information at issue in order to: ■ Complete the transaction for which the personal information was collected, provide a good or service requested by the consumer, or reasonably anticipated within the context of a business’s ongoing business relationship with the consumer, or otherwise perform a contract between the business and the consumer. ■ Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity; or prosecute those responsible for that activity. ■ Debug to identify and repair errors that impair existing intended functionality. ■ Exercise free speech, ensure the right of another consumer to exercise his or her right of free speech, or exercise another right provided for by law. ■ Comply with the California Electronic Communications Privacy Act pursuant to Chapter 3.6 (commencing with Section 1546) of Title 12 of Part 2 of the Penal Code. ■ Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the businesses’ deletion of the information is likely to render impossible or seriously impair the achievement of such research, if the consumer has provided informed consent.
  • 23. LGPD: Key Individual Right: The Right to Erasure 23 Article 8 VI deletion of personal data processed with the consent of the data subject, except in the situations provided in Article 16 (Termination of Data Processing ) or unnecessary or excessive data Exceptions: Personal data shall be deleted following the termination of their processing, within the scope and technical limits of the activities, unless retention is authorized for the following purposes: ● compliance with a legal or regulatory obligation by the controller; ● study by a research entity, ensuring, whenever possible, the anonymization of the personal data; ● transfer to third parties provided that the requirements for data processing as provided in this Law are obeyed; or ● exclusive use of the controller, with prohibited access by third parties and provided the data has been anonymized. And keep in mind, LGPD does not apply to data processed exclusively for purposes of: a) public safety; b) national defense; c) state security; or d) activities of investigation and prosecution of criminal offenses (Article 4)
  • 24. Practical Example: The Right to Erasure (‘Right to be Forgotten’) 24 Common examples we seen: ● Drug screens ● Prior applications for jobs ● Annual reviews ● Social media posts ● Internet search history ● Movie rental history ● Hotel stays ● Visits to restaurants ● Church records ● Grades / school records
• 25. Key Individual Right: The Right to Restriction of Processing
GDPR Article 18: Individuals may, in certain circumstances, have their personal data excluded from processing. This right prevents the personal data from being used for most processing purposes other than simply storing it (with exceptions). Data subjects may request and obtain restriction of processing (Article 18(1)). Before a restriction is lifted, the controller must inform the data subject (Article 18(3)).
● Exception: Once processing has been restricted, the data may, storage aside, only be processed with “the data subject’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State” (Article 18(2)).
CCPA: The CCPA does not have an analogous right.
LGPD Article 18, IV and IX: blocking of unnecessary or excessive data, and revocation of consent as provided in Article 8, §5. Article 18, §2: the data subject may oppose processing carried out based on one of the situations of waiver of consent, if there is noncompliance with the provisions of this Law.
• 26. Practical Example: The Right to Restriction of Processing (and Blocking)
● A request for deletion is denied; the individual requests restriction of processing while awaiting resolution.
• 27. Key Individual Right: The Right to Data Portability
GDPR Article 20: The right to data portability supports the free flow of information, gives users control and empowerment, and fosters competition and the development of new services. It applies where the processing is based on consent or on a contract and is carried out by automated means.
● Exception: This right does not apply to processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The right is also limited where it would adversely affect the rights and freedoms of others.
CCPA: This right is included in the right to access, section 1798.100(d), which simply requires that if the data is “provided electronically, the information shall be in a portable and, to the extent technically feasible, in a readily useable format that allows the consumer to transmit this information to another entity without hindrance”.
LGPD: Article 18, V provides for portability of the data to another service or product provider, by means of an express request and subject to commercial and industrial secrecy, pursuant to the regulation of the controlling agency. In addition, Article 11 prohibits sharing sensitive data between controllers to obtain an economic advantage, except portability consented to by the data subject. Anonymized data is also exempted.
• 28. Practical Examples: The Right to Data Portability
● Porting contracts from one contract manager solution to another
● Books from reading services or movies from providers?
● Medical records
Notes: GDPR Recital 68: “The data subject’s right to transmit or receive personal data concerning him or her should not create an obligation for the controllers to adopt or maintain processing systems which are technically compatible.” LGPD: commercial secrecy.
• 29. Steps to Comply
1. Ensure you understand what data you collect, how it is collected, and where it resides.
2. Establish a process to intake individual rights requests that is easy for the individual, and ensure this process is well communicated throughout the organization. A request may come in through many routes, and the person receiving it needs to recognize that a request is being made; individuals typically won’t understand or use the exact verbiage in the law.
3. Validate the individual’s identity.
4. Once the request is validated, have a process to review it: evaluate the data referenced, the reasons for processing the data, and any applicable exceptions.
5. Have a response process.
6. Put in place an appeals process for denied requests.
7. Retain documentation throughout the process.
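The steps above, as an added example that is not part of the deck and not TrustArc code: a small Python model of one request record that enforces the order of the steps (no review before identity is verified, no denial without a cited exception, appeal reachable only from a denial), computes the statutory response deadline (GDPR Article 12(3): one month, extendable by two further months; CCPA section 1798.130(a)(2): 45 days, extendable once by a further 45; LGPD Article 19, II: 15 days, with no extension in the statute), and keeps an append-only audit trail. The one-time-code identity check is an assumed mechanism, the request, codes and actor names are constructed, and the class, state and field names are mine.

```python
import calendar
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Regime(Enum):
    GDPR = "gdpr"
    CCPA = "ccpa"
    LGPD = "lgpd"


class State(Enum):
    RECEIVED = "received"
    VERIFIED = "identity_verified"
    IN_REVIEW = "in_review"
    FULFILLED = "fulfilled"
    DENIED = "denied"
    APPEALED = "appealed"
    CLOSED = "closed"


# Permitted transitions: no review before identity is verified; appeal only from a denial.
ALLOWED = {
    State.RECEIVED: {State.VERIFIED, State.CLOSED},
    State.VERIFIED: {State.IN_REVIEW},
    State.IN_REVIEW: {State.FULFILLED, State.DENIED},
    State.DENIED: {State.APPEALED, State.CLOSED},
    State.APPEALED: {State.IN_REVIEW, State.CLOSED},
    State.FULFILLED: {State.CLOSED},
    State.CLOSED: set(),
}


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic (GDPR counts in months), clamped to month end."""
    years, month0 = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


@dataclass
class DSAR:
    request_id: str
    regime: Regime
    right: str  # "access", "erasure", "restriction", "portability", ...
    received: date
    state: State = State.RECEIVED
    extended: bool = False
    audit: list = field(default_factory=list)

    def _log(self, actor: str, action: str, note: str = "") -> None:
        # Append-only trail of who did what, the resulting state, and why; entries are never removed.
        self.audit.append({"actor": actor, "action": action, "state": self.state.value, "note": note})

    def transition(self, to: State, actor: str, note: str = "") -> None:
        if to not in ALLOWED[self.state]:
            raise ValueError(f"{self.state.value} -> {to.value} is not permitted")
        if to is State.DENIED and not note:
            raise ValueError("a denial must cite the exception relied on")
        self.state = to
        self._log(actor, f"transition:{to.value}", note)

    def verify_identity(self, expected_code: str, presented_code: str, actor: str) -> bool:
        # Assumed mechanism: a one-time code sent to the contact details on file.
        # Constant-time compare; the code itself is never written to the audit trail.
        ok = hmac.compare_digest(expected_code.encode(), presented_code.encode())
        self._log(actor, "identity_check", "match" if ok else "mismatch")
        if ok:
            self.transition(State.VERIFIED, actor)
        return ok

    def due(self) -> date:
        if self.regime is Regime.GDPR:  # Art. 12(3): one month, extendable by two further months
            return add_months(self.received, 3 if self.extended else 1)
        if self.regime is Regime.CCPA:  # Cal. Civ. Code 1798.130(a)(2): 45 days, once by a further 45
            return self.received + timedelta(days=90 if self.extended else 45)
        return self.received + timedelta(days=15)  # LGPD Art. 19, II: 15 days; no extension in the statute

    def extend(self, actor: str, reason: str) -> None:
        if self.regime is Regime.LGPD or self.extended:
            raise ValueError("no (further) extension available under this regime")
        self.extended = True
        self._log(actor, "extended", reason)

    def is_overdue(self, today: date) -> bool:
        return self.state not in (State.FULFILLED, State.DENIED, State.CLOSED) and today > self.due()


def run_example() -> DSAR:
    """One CCPA erasure request: failed then successful verification, partial denial, appeal, fulfilment."""
    req = DSAR("req-0001", Regime.CCPA, "erasure", date(2020, 10, 14))  # constructed request
    req.verify_identity("483920", "000000", "intake")  # constructed codes; a mismatch leaves state RECEIVED
    req.verify_identity("483920", "483920", "intake")
    req.transition(State.IN_REVIEW, "privacy-office")
    req.transition(State.DENIED, "privacy-office", "1798.105(d)(2): fraud-investigation records retained")
    req.transition(State.APPEALED, "requester", "disputes retention of loyalty-account data")
    req.transition(State.IN_REVIEW, "privacy-office")
    req.transition(State.FULFILLED, "privacy-office", "loyalty data deleted; investigation records retained")
    return req
```

Calling `run_example()` and reading `.audit` shows the trail a regulator or an appeal reviewer would ask for: both identity attempts, the denial with its cited exception, and the re-review after appeal. The deadline helper is the part most often got wrong in home-grown trackers: GDPR counts calendar months (a request received on 31 January is due on 28 February, not 2 March), and only CCPA and GDPR have an extension mechanism.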
• 30. Best Practice Tips
● Incorporate these rights into your privacy program and ensure there is an established process from beginning to end.
● Take your data inventory and data processing records a step further to envision requests made for that data.
● Work with your vendors to ensure that these rights can be honored on their side, and get documentation to validate that ability.
● Be helpful. This is not an adversarial process. These are rights provided to individuals to protect their freedoms and right to privacy.
• 32. Case Study
Ann worked at a large grocery store chain (Food-n-More, HQ in California) and was also both a customer and a rewards member. She was honored to be profiled in their public blog as the employee of the month. Food-n-More provided great benefits, including tuition reimbursement. After she resigned to attend college full-time in Arizona, she worked for them during seasonal busy times, such as Christmas.
Ann used Food-n-More’s online individual rights form to request access to her information. She received a response stating that they had determined the only information they held on her was her email subscription. Ann replied to the address the response came from, stating that she was a past employee and in fact still worked for them seasonally. No response.
Ann looked up the contact information online and called the number listed. It went to the general answering service. She explained the purpose of her call and was routed to the HR hotline. She left a message, but also called a number listed for customer service. She explained what she wanted and the person asked her to hold. After coming back on, the person routed her to a voicemail that instructed her to leave details for her inquiry.
After multiple back-and-forth communications with both HR and the privacy department over about 4 months, Ann finally received information on her employment dates, role, and pay rate, and was told that she could request benefit information for her full-time employment.
*This fictitious case study was written to highlight the best practice tips.
• 33. Case Study Continued
What went wrong here? The company did not:
● Provide an inclusive response
● Have a process to clarify responses
● Train all people who manage responses
● Have a process to receive or evaluate requests within the required timeframes
● Have a plan for communication or response in a timely fashion
What went right? The company did:
● Have an individual rights form
● Have someone in privacy
● Provide information…
If the company had had an Individual Rights program in place, the process could have been smoother. Efficiently managing numerous requests per month can be further enhanced through a technology solution designed to automate and streamline request processing.
• 34. Automate the data subject request lifecycle
TrustArc Individual Rights Manager enables organizations to efficiently and securely respond to data subject requests at scale. With the ability to configure and automate workflows, combined with our unique privacy intelligence solution, organizations can meet global regulatory requirements, reduce cost, and build customer trust.
● Confidently Maintain Global Compliance: Receive contextualized, up-to-date regulatory guidance to ensure workflows are always aligned with the latest privacy regulations
● Tailor Workflows to Meet Every Need: Address business requirements by customizing automated workflows to streamline end-to-end request fulfillment
● Streamline Verification Process: Configure identity verification workflows based on regulatory requirements by leveraging our suite of validation approaches and integrated partner solutions
● Deliver a Branded Experience: Create an on-brand privacy experience through customizable intake forms, landing pages, and email templates
• 35. Questions?
• 36. Upcoming Webinars
● Schrems II: Practical Considerations from a Legal Process and Technology Perspective, October 27, 2020 @ 9:00 PST
● How to Manage Vendors and Third Parties to Minimize Privacy Risk, October 28, 2020 @ 9:00 PST
● Post ‘Schrems II’: Examining Your Options and How to Action the Ruling, October 29, 2020 @ 9:00 PST
• 37. Thank You! See http://www.trustarc.com/insightseries for the 2020 Privacy Insight Series and past webinar recordings. If you would like to learn more about how TrustArc can support you with compliance, please reach out to sales@trustarc.com for a free demo.