applicable privacy Laws and Regulations

How to document.
1. Create a spreadsheet with a tab for each applicable law
2. Identify all the applicable laws by industry, regulation, or
3. Categories
  1. General Laws/Regulations per region
    1. GDPR
    2. Argentina
  2. State/Provincial Laws
    1. CCPA
  3. Health/Privacy Laws
    1. HIPAA
  4. Financial
  5. Online (COPPA) - don’t scrape unnecessary records of people online
  6. Communication
  7. Information
  8. Education
    1. FERPA - Schools that receive federal funds for students
4. US Specific Concerns
  1. Federal Privacy Act
  2. GLB - Financial records and anti terrorism
  3. FERPA Educadtion records abot minors
  4. FTC - Federal Trade Commission
  5. CAN-SPAM
  6. Fair Credit Reporting Act
  7. Video - protect movie rental purchasing records
  8. Marketing - new area
  9. Energy - smart grid technology
5. Self Regulation - Industry standards and codes of conduct
  1. PCI-DSS
  2. Trust (Verisign, Trustmark)
  3. Children’s Advertising Revenue Unit
Global Privacy Laws
1. Europe
  1. GDPR
2. OECD
  1. Transborder privacy and the protection of personal data flows - transborder
3. APEC
  1. Member economies undertake commitments on a regular basis
4. Bermuda
5. Brazil - LGPD
6. Canada PIPEDA
7. Chile
8. China - Cybersecurity law of the people of China
9. Many more….
GDPR
1. Overview
  1. Every working professional needs to know this
2. Article 1 Subject - Matter objectives
  1. Subject’s personal data and data flows is under control
  2. Every Day your data is under control
  3. Free movement not restricted nor prohibited
3. Article 2 Scope
  1. Applies to all personal data processed under automated means
4. Article 3 Territorizl Scope
  1. All data with controller or processor in EU
  2. All data subjects that are a member of the EU

Commonalities in International Privacy Laws
1. Privacy managers must know the similarities and differences in the different privacy laws.
  1. Audit protocols
  2. Contractual requirements
  3. Expectations
Cross Border data transfers
1. When - HR Data may flow cross the borders from Japan to US which is a cross border data
2. Russia - Doesn’t allow cross border transfer of data
3. How do you decide whether Cross Border Transfer is allowed:
  1. Adequacy - Must have level of protection equivalent to EU Level
  2. Appropriate Safequards
    1. Binding Corporate Rules - create rules for handing personal data
    2. Standard Clauses
    3. Codes of Conduct
    4. Terms may change from one region to another
Organizational Balance and Support
1. Compliance should be the baseline
2. Compliance allows you to improve the business and other aspects of personal data management.
  1. Data Inventory
  2. Data Access Controls
Understand Penalties for Non Compliance With Laws and Regulations
1. HIPAA Violation Penalties based on HITECH penalties

1. GDPR
  1. 4% of annual revenue or 20M whichever is greater
2. Examples
  1. Use high profile breaches to support the budget you need to support it.
Scope Oversight Authorities - Limit on Data Protection Authorities
1. China has limit on fines and penalties
2. Refer on criminal penalties
3. Singapore
4. Hong Kong
5. Thailand Indonesia
6. EU
7. Canada
Other Privacy Related Matters to Consider
1. Frameworks provide the high level detail of necessary to understand the regulation but other things need to be considered.
Monitoring laws and regulations
1. Regular monitor the laws and regulations to stay engaged on what is going on.
2. Use methods to track changes and understand what is going on.
3. Consider a Third Party consultant that can advise what changes are affecting your business.
Third Party External Resources
1. Use this Third party to track and monitor external legislation
2. Consider Daily Dashboard from IAPP
Summary
1. Frameworks or a method to understand the regulations and requirements
2. Build the frameworks and then let the processes, procedures, follow.

Page updated

Report abuse