How to document.
Create a spreadsheet with a tab for each applicable law
Identify all the applicable laws by industry, regulation, or
Categories
General Laws/Regulations per region
GDPR
Argentina
State/Provincial Laws
CCPA
Health/Privacy Laws
HIPAA
Financial
Online (COPPA) - Children's Online Privacy Protection Act; do not collect personal data from children under 13 online without verifiable parental consent, and do not gather records you do not need
Communication
Information
Education
FERPA - applies to schools that receive federal education funding
US Specific Concerns
Privacy Act of 1974 - records held by federal agencies
GLBA (Gramm-Leach-Bliley Act) - privacy and safeguards rules for financial institutions' customer records (the anti-terrorism and money-laundering provisions are in the USA PATRIOT Act and Bank Secrecy Act, not GLBA)
FERPA - education records of students, including minors
FTC - Federal Trade Commission
CAN-SPAM - commercial e-mail
Fair Credit Reporting Act (FCRA) - consumer credit reports
Video Privacy Protection Act (VPPA) - protects video rental and purchase records
Marketing - new area
Energy - smart grid technology
Self Regulation - Industry standards and codes of conduct
PCI-DSS
Trust seals / trustmarks (e.g. Verisign)
Children's Advertising Review Unit (CARU)
Global Privacy Laws
Europe
GDPR
OECD
Guidelines on the Protection of Privacy and Transborder Flows of Personal Data - basis for many national laws
APEC
APEC Privacy Framework - member economies commit to its principles voluntarily; it is not a binding treaty
Bermuda
Brazil - LGPD
Canada - PIPEDA
Chile
China - Cybersecurity Law of the People's Republic of China
Many more….
GDPR
Overview
Every working professional needs to know this
Article 1 - Subject-matter and objectives
Lays down rules on the protection of natural persons with regard to the processing of their personal data, and rules on the free movement of that data
Protects fundamental rights and freedoms, in particular the right to the protection of personal data
Free movement of personal data within the Union is neither restricted nor prohibited for reasons connected with that protection
Article 2 - Material scope
Applies to processing of personal data wholly or partly by automated means, and to manual processing of data that forms part of a filing system
Article 3 - Territorial scope
Applies to processing in the context of the activities of a controller or processor established in the EU, regardless of where the processing itself takes place
Also applies to controllers or processors outside the EU that process data of data subjects who are in the EU, where the processing relates to offering them goods or services or monitoring their behaviour (it is presence in the EU that matters, not citizenship)
Commonalities in International Privacy Laws
Privacy managers must know the similarities and differences in the different privacy laws.
Audit protocols
Contractual requirements
Expectations
Cross Border data transfers
Example - HR data flowing from Japan to the US is a cross-border transfer
Russia - requires personal data of Russian citizens to be stored and processed in databases located in Russia (data localization); cross-border transfer is permitted only under conditions
How do you decide whether a cross-border transfer is allowed:
Adequacy - the destination must offer a level of protection essentially equivalent to the EU level (adequacy decision)
Appropriate Safeguards
Binding Corporate Rules (BCRs) - intra-group rules for handling personal data, approved by a supervisory authority
Standard Contractual Clauses (SCCs)
Codes of Conduct and certification mechanisms
Terms may change from one region to another
Organizational Balance and Support
Compliance should be the baseline
Compliance allows you to improve the business and other aspects of personal data management.
Data Inventory
Data Access Controls
Understand Penalties for Non-Compliance With Laws and Regulations
HIPAA violation penalties - tiered penalty structure set by the HITECH Act
GDPR
Up to 4% of worldwide annual turnover or EUR 20 million, whichever is higher
Examples
Use high-profile breaches and fines to justify the budget the privacy program needs.
Scope of Oversight Authorities - limits on what Data Protection Authorities can impose
China caps fines and penalties
Some regimes also provide criminal penalties, for example:
Singapore
Hong Kong
Thailand
Indonesia
EU
Canada
Other Privacy Related Matters to Consider
Frameworks provide the high-level detail needed to understand a regulation, but other things must be considered as well.
Monitoring laws and regulations
Monitor laws and regulations regularly to stay current, and use a defined method to track changes.
Consider a third-party consultant who can advise on which changes affect your business.
Third Party External Resources
Use third parties to track and monitor external legislation
Consider the IAPP Daily Dashboard
Summary
Use frameworks, or another structured method, to understand the regulations and their requirements
Build the framework first, then derive the processes and procedures from it.