24 - Domain 01 Lecture Notes BW

Uploaded by shamim.waheed

Introductory Concepts

Part 1
Program management and frameworks
In this lecture:
• Program management
• Program management examples
• Project examples
• Organized how?
• Framework
What is program management?
• Oversee, manage multiple projects (that make up a program)
• Provides holistic view of a discrete program within an organization
• Meet organization's strategic, business goals
• Manage change
• Measure performance (via metrics)
• Improve organization's performance
Program Management Examples
• Digital transformation (e.g., modernize IT infrastructure)
• Employee development (e.g., sponsor MBA)
• Health and wellness (e.g., company gym, meals)
• Sustainability (e.g., reduce environmental impact)
• Innovation and R&D
• Customer experience (e.g., enhance service delivery, customer
satisfaction)
Project Examples
• Digital transformation
• Cloud migration
• Data analytics and business intelligence
• Customer Relationship Management (CRM) systems
• Internet of Things (IoT)
• AI and ML
• Cybersecurity enhancements
Organized How?
• Adopt and implement applicable (risk management) framework(s)
What is a framework?
• Guidance and processes for managing a group of related projects
• Help to achieve strategic objectives
• Ensuring projects align, contribute to business goals
• Can include processes, tools, and best practices to facilitate effective
management
Review (1):

Program management
• Oversee, manage multiple projects (that make up a program)
• Provides holistic view of a discrete program within an organization

Program management examples
• Digital transformation
• Employee development
• Health and wellness
• Sustainability
• Innovation and R&D
• Customer experience
Review (2):

Project examples
• Cloud migration
• Data analytics and business intelligence
• Customer Relationship Management (CRM) systems
• Internet of Things (IoT)
• AI and ML
• Cybersecurity enhancements

Organized how?
• By adopting and implementing applicable risk management framework(s)
Review (3):

What is a framework?
• Guidance and processes for managing a group of related projects
Introductory Concepts
Part 2
Privacy program management and governance
In this lecture:
• Privacy program management
• Privacy program’s goals
• How to create a privacy program framework
• What is governance?
• What is a privacy professional?
Privacy Program Management
• Organized approach to protecting PII and the rights of individuals
Privacy Program’s Goals
• Provide an auditable framework
• Comply with legal, regulatory requirements
• Meet client, customer expectations (e.g., promote trust, confidence)
• Prevent and mitigate risk
How to Create a Privacy Framework
• Models exist
• Tailor to organization existing models and applicable laws,
regulations, best practices
• Incorporate
• Program management principles
• Privacy by Design (PbD)
• Privacy by Default
• Privacy program framework: what you learn throughout this course
What is governance?
• System of rules, practices, processes
• How program is directed
• Mechanisms through which objectives achieved, risks managed,
performance optimized
• Balance interests of various stakeholders (e.g., management,
customers, other programs)
What is a privacy professional?
• Any member of a privacy team
• Responsible for implementing privacy program framework
Review (1):

Privacy program management
• Organized approach to protecting PII and the rights of individuals

Privacy program’s goals
• Provide an auditable framework
• Comply with legal, regulatory requirements
Review (2):

How to create a privacy program framework
• Models exist
• Tailor to organization existing models and applicable laws, regulations, best practices

What is governance?
• System of rules, practices, processes
• How program is directed
• Mechanisms through which objectives achieved, risks managed, performance optimized
• Balance interests of various stakeholders (e.g., management, customers, other programs)
Review (3):

What is a privacy professional?
• Any member of a privacy team
• Responsible for implementing privacy program framework
Privacy by Design &
Privacy by Default
Two foundational concepts in privacy and data protection
In this lecture:
• What is Privacy by Design?
• Mnemonic device
• Seven PbD principles
• What is Privacy by Default?
What is Privacy by Design?
• AKA “data protection by design”
• Developed by Ann Cavoukian
• Proactive approach to embedding privacy and data protection into
design and operation of IT systems
• Throughout software development life cycle (SDLC)
• Foundational principle of modern data protection regulations (e.g.,
GDPR)
Seven PbD Principles
• Respect for users
• Proactive, preventative, not reactive, remedial
• Default setting
• Embedded into design
• Positive sum, not zero-sum
• End-to-end security
• Transparent
Mnemonic Device
Robot
Pigs
Devour
Enormous
Purple
Eggplant
Tacos
What is Privacy by Default?
• Complements PbD
• Ensures highest level of protection is applied automatically
• Personal data processed with strictest privacy settings by default
Review (1):

What is PbD?
• Proactive approach to embedding privacy and data protection into design and operation of IT systems

Mnemonic device
• Robot
• Pigs
• Devour
• Enormous
• Purple
• Eggplant
• Tacos
Review (2):

Seven PbD principles
• Respect for users
• Proactive, preventative, not reactive, remedial
• Default setting
• Embedded into design
• Positive sum, not zero-sum
• End-to-end security
• Transparent

What is privacy by default?
• Personal data processed with strictest privacy settings by default
Overview of the Privacy
Governance Life Cycle
Assess, protect, sustain, respond
In this lecture:
• What is the privacy governance life cycle?
• Four stages:
• Assess
• Protect
• Sustain
• Respond
What is the life cycle?
• Provides reusable processes to handle PII throughout data life cycle
• Four stages
• Assess
• Protect
• Sustain
• Respond
Assess (1)
• Goal: determine program gaps (e.g., best practices, policies,
legal/regulatory requirements)
• Models/frameworks against which to assess your program:
• AICPA/CICA Maturity Model
• Generally Accepted Privacy Principles (GAPP)
• Privacy by Design (PbD)
Assess (2)
• Activity: information gathering
• Questions:
• How does the current program compare to existing standards, guidelines?
• Which policies or processes are being implemented? Not being
implemented?
• Do all team members understand how to handle PII in accordance with
applicable policies, procedures, legal, regulatory requirements?
• Are applicable privacy controls implemented and operational?
Protect
• Goal: safeguard personal data
• Activities:
• Implement data life cycle, information security, PbD principles and practices
• Address, define, establish privacy practices
• Embed systems, practices with technical protections (e.g., access control,
encryption, data loss prevention)
Sustain
• Goal: maintain, improve program performance
• Monitor, audit, communicate privacy management
• Activities:
• Continuous monitoring
• Collaborate cross-functionally (e.g., HR, legal, IT, cybersecurity)
• Identify gaps
• Ensure risk identified, mitigated, reported
• System evaluation
• Meet legal, regulatory, business requirements
Respond
• Goal: reduce risk, increase compliance
• Activities:
• Information requests (e.g., data subject access requests)
• Legal compliance (e.g., audit)
• Incident response planning, handling
• Who to respond to?
• Customers, employees, contractors, regulators
Review:

Governance life cycle
• Provides reusable processes to handle PII throughout data life cycle

Four stages
• Assess
• Protect
• Sustain
• Respond
Why do you need a privacy
program?
Accountability and business motivators
In this lecture:
• Accountability
• Business motivators
• Other reasons
Accountability
• Implement correct policies and procedures to protect PII and the
rights of individuals
• Comply with laws, regulations
• Respect for individuals
• Promote trust and transparency
• Capacity to demonstrate compliance (with evidence)
• Take ownership of actions
• Good custodians of personal data
Business Motivators
• Not just laws, regulations
• Consumer trust
• Reputation
Other Reasons
• Promote ethical data-processing throughout organization
• Facilitate global operations (e.g., mergers, acquisitions)
• Identify, mitigate risk (e.g., data breach, lawsuits)
• Competitive differentiator
• Increase data quality, value
Review (1):

Accountability
• Implement correct policies and procedures to protect PII and the rights of individuals
• Comply with laws, regulations
• Respect for individuals

Business motivators
• Consumer trust
• Reputation
Review (2):

Other reasons
• Promote ethical data-processing throughout organization
• Facilitate global operations
• Identify, mitigate risk
• Competitive differentiator
• Increase data quality, value
Privacy as a Competitive
Differentiator
How does a robust privacy program improve your organization’s brand?
In this lecture:
• Increased trust and loyalty
• Enhanced brand reputation
• Compliance and risk mitigation
Increased Trust and Loyalty
• Cisco 2020 report, “From Privacy to Profit: Achieving Positive Returns
on Privacy Investments”
• For every USD $1 spent, $2.70 returned
Enhanced Brand Reputation
• Apple’s App Tracking Transparency (ATT)
• Within weeks of 2021 feature release, 96% of users had opted out
• Recent surveys:
• 26% consumers had left a brand over data-handling concerns (Marketing
Charts, 2021)
• 73% attracted to brands with greater sense of safety and security (Edelman
Trust Barometer, 2023)
• 88% will buy from trusted brand more often (Marketing Charts, 2024)
Compliance & Risk Mitigation
• Compliance with laws, regulations
• Minimize fines, sanctions, legal actions
• Proactivity protects company, reassures consumers
Examples
• Safegrog’s 2022 B2B Trusted Brands Report
• Good
• Apple
• Adobe
• Under Armour
• Bad
• Meta (e.g., Facebook, Instagram)
• TikTok (e.g., children’s privacy)
Review:

Trust and loyalty
• Cisco 2020 report, “From Privacy to Profit: Achieving Positive Returns on Privacy Investments”
• For every USD $1 spent, $2.70 returned

Enhanced brand reputation
• 26% consumers had left a brand over data-handling concerns (Marketing Charts, 2021)
• 73% attracted to brands with greater sense of safety and security (Edelman Trust Barometer, 2023)
• 88% will buy from trusted brand more often (Marketing Charts, 2024)
Policy vs. Process vs.
Procedure
How do these terms differ?
In this lecture:
• Policy
• Process
• Procedure
• Example: data breach
What is a policy?
• High-level, overarching guideline/requirement
• Outlines organization’s principles, values, rules
• Framework for decision-making
• “Why” behind decisions and actions
What is a process?
• Series of interrelated tasks that produce a specific outcome
• “What” needs to be done
What is a procedure?
• Detailed, step-by-step instructions
• “How” to perform certain task, process
Data Breach: Policy
• High-level data breach principles
• Immediate reporting of suspected breaches
• Formation of a response team
• Assessment of the breach’s scope and impact
• Notification of affected parties and relevant authorities
• Implementation of corrective measures
• Documentation and review of the incident
Data Breach: Process
• Sequence of actions
• Detection and reporting of the breach
• Initial assessment and containment
• Activation of the response team
• In-depth investigation
• Risk assessment and impact analysis
• Notification and communication
• Remediation and recovery
• Post-incident review and improvement
Data Breach: Procedure
• How to report
• Immediately notify security via dedicated hotline
• Provide a detailed description of the suspected breach, including:
• Date and time of discovery
• Nature of the data potentially compromised
• Systems or applications involved
• Any observed suspicious activities
• Preserve all evidence related to the suspected breach
• Await further instructions from security
• Maintain confidentiality about the incident
Review (1):

Policy
• High-level, overarching guideline/requirement
• Outlines organization’s principles, values, rules
• Framework for decision-making
• “Why” behind decisions and actions

Process
• Series of interrelated tasks that produce a specific outcome
• “What” needs to be done
Review (2):

Procedure
• Detailed, step-by-step instructions
• “How” to perform certain task, process
Privacy Governance
Roadmap
The different stages of developing a privacy governance framework
In this lecture:
• What is governance? (review)
• What is privacy governance?
• Privacy governance roadmap
What is governance? (review)
• System of rules, practices, processes
• How program is directed
• Mechanisms through which objectives achieved, risks managed,
performance optimized
• Balance interests of various stakeholders (e.g., management,
customers, other programs)
What is privacy governance?
• System of rules, practices, processes for managing a privacy program
• Elements:
• Draft, publish vision and mission statements
• Define program scope
• Create a strategy
• Develop a framework
• Structure team
Privacy governance roadmap (five steps):
• Step 1: Vision and Mission Statements
• Step 2: Define Program Scope
• Step 3: Create Strategy
• Step 4: Develop Framework
• Step 5: Structure Team
Review (1):

What is governance?
• System of rules, practices, processes
• How program is directed

What is privacy governance?
• System of rules, practices, processes for managing a privacy program
Review (2):

Roadmap
• Draft, publish vision and mission statements
• Define program scope
• Create a strategy
• Develop a framework
• Structure team
US Privacy Laws 101
The United States’ sectoral approach to privacy
In this lecture:
• Sectoral approach
• Finance and banking
• Healthcare
• Children's privacy
• Payment card processing
• Data breach notification laws
Sectoral Approach
• What does “sectoral” mean?
• Laws apply to specific sectors
• E.g., healthcare, finance, education, telemarketing
• Each sector has different regulators
• Department of Education
• Department of Health and Human Services (HHS)
• Federal Trade Commission (FTC)
• Federal Communications Commission (FCC)
Finance and Banking
• Gramm-Leach-Bliley Act (GLBA)
Healthcare
• Health Insurance Portability and Accountability Act (HIPAA)
• Applies to “covered entities”
• Healthcare providers, insurance plans, clearing houses
Children’s Privacy
• Children’s Online Privacy Protection Act (COPPA)
• Regulates collection of data for children under 13
• Regulated by FTC
Payment Card Processing
• Payment Card Industry Data Security Standards (PCI-DSS)
• Governs debit, credit, e-wallet, point of sale (POS)
• Industry standard, not law
• Adopted as part of legal requirements
Data Breach Notification Laws
• No U.S. Federal Government law
• All 50 states have own data breach notification law
• Compromised, unencrypted PII subject to these laws
• Notification required to residents, government bodies, attorneys
general
• Notification thresholds vary
Review (1):

Sectoral approach
• Laws apply to specific sectors
• E.g., healthcare, finance, education, telemarketing

Finance and banking
• Gramm-Leach-Bliley Act (GLBA)
Review (2):

Healthcare
• Health Insurance Portability and Accountability Act (HIPAA)
• Applies to “covered entities”

Children’s privacy
• Children’s Online Privacy Protection Act (COPPA)
• Regulates collection of data for children under 13
• Regulated by FTC
Review (3):

Payment card processing
• Payment Card Industry Data Security Standards (PCI-DSS)
• Governs debit, credit, e-wallet, point of sale (POS)

Data breach notification laws
• No U.S. Federal Government law
• All 50 states have own data breach notification law
Sectoral Privacy Laws
Ten different sectors to remember
In this lecture:
• Healthcare
• Financial
• Telecommunications
• Online
• Government
• Education
• Video
• Marketing
• Energy
• Human resources / employment
Healthcare
• Healthcare: protected health information (PHI) (US), special
categories of data (EU)
• May cover: healthcare providers, insurance, clearinghouses, researchers
Financial
• Data confidentiality, terrorism laws (e.g., anti-money laundering)
Telecommunications
• Metadata, geolocation, cooperation with law enforcement
Online
• Publicly available information, web scraping
Government
• Public records, court documents, requesting documentation,
communications
Education
• Public, private schools, universities, clinics that serve students vs.
non-students
Video
• Rental records, streaming services
Marketing
• Online advertising
Energy
• Smart grid, smart home technology
Human Resources
• Employment life cycle (e.g., recruiting, hiring, onboarding),
remote/work-from-home
Review:
• Healthcare
• Financial
• Telecommunications
• Online
• Government
• Education
• Video
• Marketing
• Energy
• Human resources / employment
U.S. Federal Laws to Know
Part 1
Healthcare and finance
In this lecture:
• Healthcare
• HIPAA
• HITECH
• Finance
• FCRA
• FACTA
• GLBA
Healthcare
• Health Insurance Portability and Accountability Act (HIPAA)
• Regulators: HHS, Office of Civil Rights (OCR)
• Covers: health insurance, medical records, PHI, medical research
• Health Information Technology for Economic and Clinical Health
(HITECH) Act
• Regulators: HHS, OCR
• Covers: electronic health records (EHR), secure IT
Finance (1)
• Fair Credit Reporting Act (FCRA)
• Regulators: FTC, Consumer Financial Protection Bureau (CFPB)
• Covers: consumer reporting agencies (CRAs), credit/consumer reports
• Fair and Accurate Credit Transactions Act (FACTA)
• Regulators: FTC, Federal Reserve, Federal Deposit Insurance Corporation
(FDIC), Office of the Comptroller of the Currency, National Credit Union
Administration
• Covers: consumer protections, identity theft
Finance (2)
• Gramm-Leach-Bliley Act (GLBA)
• Regulators: FTC, banking agencies
• Covers: nonpublic personal information, limits sharing
Review:

Healthcare
• HIPAA
• HITECH

Finance
• FCRA
• FACTA
• GLBA
U.S. Federal Laws to Know
Part 2
Telecommunications, government, and education
In this lecture:
• Telecommunications
• TCPA
• DNC registry
• Government
• The Privacy Act of 1974
• ECPA
• Education
• FERPA
Telecommunications
• Telephone Consumer Protection Act (TCPA)
• Regulator: FTC, FCC, state AGs
• Covers: limits automatic dialing, pre-recorded messages, texts, faxes
• Do Not Call (DNC) Registry
• Regulator: FTC
• Covers: telemarketing opt-out
Government
• The Privacy Act of 1974
• Regulator: Department of Justice (DOJ)
• Covers: PII held by federal agencies in systems of records; FIPPs
• Electronic Communications Protection Act (ECPA)
• Regulator: states, law enforcement
• Covers: wiretapping, eavesdropping, unauthorized access to electronic
communications
Education
• Family Educational Rights and Privacy Act (FERPA)
• Regulator: Department of Education
• Covers: PII in education records, directory information
Review (1):

Telecommunications
• TCPA
• DNC registry

Government
• The Privacy Act of 1974
• ECPA
Review (2):

Education
• FERPA
U.S. Federal Laws to Know
Part 3
Marketing, video, and “other”
In this lecture:
• Marketing
• CAN-SPAM
• Video
• VPPA
• “Other”
• FTC Act
• DPPA
• COPPA
Marketing
• Controlling the Assault of Non-Solicited Pornography and Marketing
(CAN-SPAM)
• Regulator: FTC
• Covers: unsolicited commercial email
Video
• Video Privacy Protection Act (VPPA)
• Regulator: private right of action
• Covers: PII in video rental records
“Other”
• Federal Trade Commission (FTC) Act
• Establishes FTC’s rights to investigate and enforce against “unfair or deceptive
acts or practices”
• Driver’s Privacy Protection Act (DPPA)
• Regulator: state AGs
• Covers: PII held by Departments of Motor Vehicles (DMVs)
• Children’s Online Privacy Protection Act (COPPA)
• Regulator: FTC
• Covers: children’s PII
Review (1):

Marketing
• CAN-SPAM

Video
• VPPA
Review (2):

“Other”
• FTC Act
• DPPA
• COPPA
California Consumer Privacy
Act (CCPA)
Basic rights, requirements, and regulator actions
In this lecture:
• Timeline
• Consumer rights
• Organization requirements
• Regulator actions
Timeline
• 2018: CCPA signed into law
• 2020: CCPA takes effect
• 2020: CCPA enforceable
• 2021: CPRA enacted
• 2023: CPRA takes effect
• 2024: CPRA enforceable
Consumer Rights
• Request records/data, processing activities of business and third-
parties
• Request erasure, opt-out of sale
• Exceptions: transaction completion, research, free speech, internal analytics
Organization Requirements (1)
• Concerning data subject requests
• Receive requests
• Verify ID
• Respond within 45 days
• Account for disclosures
• Allow opt-out via “Do Not Sell My Personal Information” link
Organization Requirements (2)
• Privacy notice (e.g., what is collected, purposes, etc.)
• Cannot discriminate against consumers that opt out
• Sale of children’s data requires express consent
• By children 16 and over
• By parent for children aged 13-16
• Training and awareness
Regulator Actions
• State AG + California Privacy Protection Agency (CPPA) enforce
• Alleged violation unaddressed within 30 days: USD $7,500
fine/violation
• Unintentional violations: USD $2,500
Review (1):

Consumer rights
• Request records/data, processing activities of business and third-parties
• Request erasure, opt-out of sale

Organization requirements
• Processing of data subject requests
• Account for disclosures
• Allow opt-out via “Do Not Sell My Personal Information” link
• Privacy notice
• Cannot discriminate against consumers that opt out
• Sale of children’s data requires express consent
• Training and awareness
Review (2):

Regulator actions
• State AG + California Privacy Protection Agency (CPPA) enforce
• Alleged violation unaddressed within 30 days: USD $7,500 fine/violation
• Unintentional violations: USD $2,500
California Privacy Rights Act
(CPRA)
Amendments to the CCPA via the CPRA
In this lecture:
• Expanded consumer rights
• New definitions, scope
• New regulatory body
• Additional business obligations
• Compliance and enforcement
Expanded Consumer Rights
• Correct data
• Limit use of sensitive personal information
• Opt-out of sharing
New Definitions, Scope
• Sensitive personal information
• Expanded “business” criteria
• Buy, sell, share PII of 100,000 or more consumers, households, devices
• Increase from 50,000
New Regulatory Body
• California Privacy Protection Agency
Additional Business Obligations
• Contractual requirements (with third parties)
• Privacy by design
Compliance and Enforcement
• Increased penalties: higher penalties for violations involving minors
• Data retention policies: businesses must disclose periods, retain only
as long as needed
Review (1):

Expanded consumer rights
• Correct data
• Limit use of sensitive personal information
• Opt-out of sharing

New definitions, scope
• Sensitive personal information
• Expanded “business” criteria
Review (2):

New regulatory body
• California Privacy Protection Agency

Additional business obligations
• Contractual requirements (with third parties)
• Privacy by design
Review (3):

Compliance and enforcement
• Increased penalties: higher penalties for violations involving minors
• Data retention policies: businesses must disclose periods, retain only as long as needed
Global Privacy Laws and
Standards
Common principles and standards
In this lecture:
• Global law frameworks
• OECD, APEC common principles
• Mnemonic device
• What is a standard?
• Privacy standards
Global Law Frameworks
• Organisation for Economic Co-operation and Development (OECD)
• OECD Guidelines for the Protection of Privacy and Transborder Flows of
Personal Data
• Asia-Pacific Economic Cooperation (APEC)
• APEC Privacy Framework
• Constitute basis for many legal, regulatory, standards requirements
OECD, APEC Common Principles
• Accountability
• Collection limitation
• Data quality
• Individual participation
• Purpose specification
• Use limitation
• Safeguards
• Openness/transparency
Mnemonic Device
Angry
Cats
Destroy
Innocent
Pillows
Upsetting
Standing
Owners
What is a standard?
• A set of established guidelines or specifications designed to ensure
quality, safety, interoperability
• Standard development bodies:
• International Organization for Standardization (ISO)
• International Electrotechnical Commission (IEC)
• Institute of Electrical and Electronics Engineers (IEEE)
Privacy Standards
• ISO/IEC 27701: Security techniques for privacy information
management
• ISO/IEC 29134: Guidelines for privacy impact assessment
Review (1):

Global law frameworks
• OECD Guidelines for the Protection of Privacy and Transborder Flows of Personal Data
• APEC Privacy Framework

OECD, APEC common principles
• Accountability
• Collection limitation
• Data quality
• Individual participation
• Purpose specification
• Use limitation
• Safeguards
• Openness/transparency
Review (2):

Mnemonic device
• Angry
• Cats
• Destroy
• Innocent
• Pillows
• Upsetting
• Standing
• Owners

What is a standard?
• A set of established guidelines or specifications designed to ensure quality, safety, interoperability
Review (3):

Privacy standards
• ISO/IEC 27701: Security techniques for privacy information management
• ISO/IEC 29134: Guidelines for privacy impact assessment
General Data Protection
Regulation (GDPR)
A short introduction to the GDPR
In this lecture:
• What is the GDPR?
• GDPR timeline
• Article 1, Subject-Matter and Objectives
• Article 2, Material Scope
• Article 3, Territorial Scope
What is the GDPR?
• EU/EEA’s comprehensive data protection law
• Global standard
• Provides individuals with greater control over how their personal data
is collected, processed, maintained
• Extraterritorial
GDPR Timeline
• 2012: proposed
• December 2016: EU Parliament, Council agree
• May 2018: enforceable
Article 1
• “Subject-Matter and Objectives”
• Outlines main goals
• Set rules for processing of personal data
• Protect individuals' rights and freedoms regarding personal data
• Ensure free movement of personal data within EU
Article 2
• “Material Scope”
• Defines types of data processing activities covered by the GDPR
• Applies to personal data that is
• Automated
• Part of a filing system
• Does not apply to
• Purely personal or domestic activities
• Certain law enforcement activities
Article 3
• “Territorial Scope”
• Data controller: determines the purpose and means of processing
personal data
• Data processor: processes data on behalf of the data controller
• Applies to
• Any data processing activities conducted within EU, regardless of where data
processor is located
• Organizations outside the EU that offer goods or services to, or monitor
behavior of, individuals within EU
Review (1):

What is the GDPR?
• EU/EEA’s comprehensive data protection law
• Global standard
• Provides individuals with greater control over how their personal data is collected, processed, maintained
• Extraterritorial

GDPR timeline
• 2012: proposed
• December 2016: EU Parliament, Council agree
• May 2018: enforceable
Review (2):

Article 1
• “Subject-Matter and Objectives”
• Outlines main goals:
• Protect individuals’ rights and freedoms regarding personal data
• Ensure free movement of personal data within EU

Article 2
• “Material Scope”
• Defines types of data processing activities covered by the GDPR
Review (3):

Article 3
• “Territorial Scope”
• Data controller: determines the purpose and means of processing personal data
• Data processor: processes data on behalf of the data controller
Rights, Requirements, and
Regulators
A brief overview of GDPR rights, requirements, and regulator actions
In this lecture:
• Consumer rights
• Organization requirements
• Regulator actions
Consumer Rights
• Withdraw consent
• Request data
• Request deletion
• Data portability
• Object to automated decision-making (ADM)
Organization Requirements (1)
• Implement PbD, safeguards, including cross-border transfers
• Notify DPAs, consumers of data breach within 72 hours
• DPA: Data Protection Authority
• Obtain consent, parental consent for children under 16
• Record of Processing Activities (RoPA)
• Appoint Data Protection Officer (DPO)
Organization Requirements (2)
• Responsible for third-parties
• DPIAs (new or high-risk processing)
• DPIA: Data Protection Impact Assessment
• Consult with regulators before carrying out some activities
• Demonstrate compliance
• Training and awareness
Regulator Actions
• Ask for RoPA, evidence of compliance
• Impose data-processing bans
• Require breach notification, data deletion
• Suspend cross-border transfers
• Enforce penalties up to 20 million Euros, or 4% annual revenue
Review (1):

Consumer rights
• Withdraw consent
• Request data
• Request deletion
• Data portability
• Object to automated decision-making (ADM)

Organization requirements
• PbD, RoPA, DPO, DPIAs
• Notify DPAs, consumers of data breach within 72 hours
• Obtain consent, parental consent for children under 16
• Responsible for third-parties
• Demonstrate compliance
• Training and awareness
Review (2):

Regulator actions
• Ask for RoPA, evidence of compliance
• Impose data-processing bans
• Require breach notification, data deletion
• Suspend cross-border transfers
• Enforce penalties
GDPR & Cross-Border Data
Transfers
Regulations on transferring personal data across borders to “third countries”
In this lecture:
• Cross-border data transfers
• GDPR Article 45
• Inadequate countries
• Data Transfer Impact Assessment (D/TIA)
• DPA TIA considerations
Cross-Border Data Transfer
• Definition: transmission of personal data to an outside recipient
country or territory
• Many laws require protective assurance measures
• GDPR’s regulations strictest worldwide
• Data may be transferred provided adequate protections in place
Article 45
• “Transfers on the basis of an adequacy decision”
• Data may be transferred based on an “adequacy decision”
• Adequacy decision
• EU determination that third country, territory, international organization,
ensures adequate data protection
• Adequacy = “essential equivalence” (i.e., essentially equivalent to EU
protections)
Inadequate Countries
• Standard Contractual Clauses (SCCs):
• Pre-approved contractual terms between data exporters and importers
• Binding Corporate Rules (BCRs):
• Policies for multinational corporations
• Appropriate safeguards assessed on case-by-case basis
• Code of conduct and certification mechanism
• Derogation (i.e., exemption)
Data Transfer Impact Assessment
• D/TIA
• Evaluates risks associated with transferring data between third
countries
• Includes:
• Map transfer
• Identify, assess methods of transfer
• Implement, monitor safeguards
• Ensure process aligns with business requirements
DPA D/TIA Considerations
• Government access to data
• Intelligence and law enforcement activities
• Safeguards
• Receiving country’s applicable privacy, security, human rights
standards
Review (1):

Cross-border data transfer
• Transmission of personal data to an outside recipient country or territory

Article 45
• Adequacy decision: EU determination that third country, territory, international organization, ensures adequate data protection
• Adequacy = “essential equivalence” (i.e., essentially equivalent to EU protections)
Review (2):

Inadequate countries
• Standard Contractual Clauses (SCCs)
• Binding Corporate Rules (BCRs)
• Appropriate safeguards
• Code of conduct and certification mechanism
• Derogation

D/TIA
• Evaluates risks associated with transferring data between third countries
Review (3):
DPA D/TIA considerations
• Government access to data
• Intelligence and law enforcement activities
• Safeguards
• Receiving country’s applicable privacy, security, human rights standards
Brazil’s LGPD
Lei Geral de Proteção de Dados
In this lecture:
• Brazil’s General Data Protection Law
• Consumer rights
• Organization requirements
• Regulator actions
Brazil's General Data Protection Law
• Passed August 2018
• In effect September 2020
• Sanctions not issued until August 2021
Consumer Rights
• Confirm processing
• Access, amend, delete data
• Anonymize, block, delete unnecessary or excessive data, unlawful processing
• Data portability
• Request sharing details
• Provided option to deny consent, consequences of denial
• Withdraw consent
Organization Requirements (1)
• Implement PbD
• Incident response, remediation program
• Implement, monitor safeguards
• Notify data subjects, regulators of data breaches
• Follow process rules concerning children’s data
Organization Requirements (2)
• Notice of intent to process
• Appoint DPO
• Responsible for third parties
• Conduct personal data protection impact report (RIPD)
• Demonstrate compliance
• Comply with cross-border transfer requirements
Regulator Actions
• Request evidence of compliance
• Implement sanctions
• Enforce penalties
• I.e., 2% of revenue in Brazil, up to 50 million reais/infraction
Review (1):
Brazil’s LGPD
• Passed August 2018
• In effect September 2020
• Sanctions not issued until August 2021
Consumer rights
• Confirm processing
• Access, amend, delete data
• Anonymize, block, delete unnecessary or excessive data, unlawful processing
• Data portability
• Request sharing details
• Provided option to deny consent, consequences of denial
• Withdraw consent
Review (2):
Organization requirements
• Implement PbD
• Incident response, remediation program
• Implement, monitor safeguards
• Notify data subjects, regulators of data breaches
• Follow process rules concerning children’s data
• Notice of intent to process
• Appoint DPO
• Responsible for third parties
• Conduct personal data protection impact report (RIPD)
• Demonstrate compliance
• Comply with cross-border transfer requirements
Review (3):
Regulator actions
• Request evidence of compliance
• Implement sanctions
• Enforce penalties
PRC’s PIPL
Personal Information Protection Law (PIPL)
In this lecture:
• Personal Information Protection Law (PIPL)
• Fines
PIPL
• Effective November 2021
• Commercial aspects similar to GDPR
• Impacts private sector
• Does not prevent central government from accessing data
PIPL Fines
• General violations: up to RMB 1 million (~ USD $141,000)
• Grave violations: up to RMB 50 million (~ USD $7 million) or 5% annual revenue
Review:
PIPL
• Effective November 2021
• Commercial aspects similar to GDPR
• Impacts private sector
• Does not prevent central government from accessing data
Fines
• General violations: up to RMB 1 million (~ USD $141,000)
• Grave violations: up to RMB 50 million (~ USD $7 million) or 5% annual revenue
Self-Regulatory Standards
And codes of conduct
In this lecture:
• Standard
• Self-regulatory bodies
• Trust marks
• Codes of conduct
What is a standard? (review)
• A set of established guidelines or specifications designed to ensure quality, safety, interoperability
PCI-DSS
• Payment Card Industry Data Security Standard (PCI-DSS)
• E.g., organizations that accept, transmit, store cardholder data associated with Visa, Mastercard, American Express, Discover, JCB International
Self-Regulatory Bodies
• Direct Marketing Association (DMA)
• Network Advertisers Initiative (NAI)
Trust Marks
• What is a trust mark?
• Logo, badge, or symbol on a website
• Signifies certain security, privacy, or business standard met
• Examples:
• VeriSign
• TrustArc
• McAfee
• PayPal
Codes of Conduct
• DMA Guidelines for Ethical Business Practice
• Children’s Advertising Review Unit (CARU) Advertising Guidelines
• NAI Code of Conduct
• EU Code of Conduct
• Applies to B2B cloud service providers when acting as a processor under GDPR Article 28
• Outlined in Article 40, Codes of Conduct
Review (1):
What is a standard?
• A set of established guidelines or specifications designed to ensure quality, safety, interoperability
PCI-DSS
• Payment Card Industry Data Security Standard
Review (2):
Self-regulatory bodies
• Direct Marketing Association (DMA)
• Network Advertisers Initiative (NAI)
Trust marks
• Logo, badge, or symbol on a website
• Signifies certain security, privacy, or business standard met
Review (3):
Codes of conduct
• DMA Guidelines for Ethical Business Practice
• Children’s Advertising Review Unit (CARU) Advertising Guidelines
• NAI Code of Conduct
• EU Code of Conduct
Noncompliance Penalties
Fines and other penalties
In this lecture:
• Why issue penalties?
• Who issues penalties?
• Examples
• GDPR penalties
• GDPR tiers
• Non-financial penalties
• CCPA penalties
• Facebook 2019
• Final note
Why issue penalties?
• Accountability
• Enforce behavior
• Encourage behavior modification
• Help organization to prioritize remediations
Who issues penalties?
• Government agency
• Industry regulatory body (e.g., self-regulation)
Example: HIPAA
• HITECH, amended HIPAA privacy and security rules
• Max penalty for breach of PHI: USD $1.5 million/year
• Max fines per violation tier, per calendar year
• Tier 1 (unaware): $100 to $50,000/violation, up to $25,000/year
• Tier 2 (CE should have known): $1,000 to $50,000/violation, up to $100,000/year
• Tier 3 (willful neglect, remediated within 30 days): $10,000 to $50,000/violation, up to $250,000/year
• Tier 4 (willful neglect, no effort to correct): $50,000/violation, up to $1.5 million/year
GDPR Penalty Factors
• Nature, duration, history
• Number of affected individuals
• Severity of damage
• Mitigation
• Intent or negligence
GDPR Tiers
• Tier 1: Higher of up to 20 million Euros, or 4% of total turnover
• Example violations: violation of principles, individual rights, international transfers, member state responsibilities (more substantive)
• Tier 2: Higher of up to 10 million Euros, or 2% of total turnover
• Typically, administrative in nature
Non-financial Penalties
• Warnings
• Processing restrictions, suspensions, bans, temporary or permanent
• Data erasure
• Requirement to recertify
CCPA Penalties
• CA AG, CPPA enforce
• Violation up to $2,500/violation
• Intentional violation up to $7,500/violation
• Private right of action (for data breaches)
• $100 to $750/incident/consumer
Facebook 2019
• FTC fined USD $5 billion
• Violated 2011 privacy settlement
Final Note
• Compliance
• Is the floor, not the ceiling
• Creates opportunity for program improvement
• Should disrupt business as little as possible
• Balance PbD with business objectives
Review (1):
Why issue penalties?
• Accountability
• Enforce behavior
• Encourage behavior modification
Who issues penalties?
• Government agency
• Industry regulatory body
Review (2):
Example: HIPAA
• Tier 1 (unaware): $100 to $50,000/violation, up to $25,000/year
• Tier 2 (CE should have known): $1,000 to $50,000/violation, up to $100,000/year
• Tier 3 (willful neglect, remediated within 30 days): $10,000 to $50,000/violation, up to $250,000/year
• Tier 4 (willful neglect, no effort to correct): $50,000/violation, up to $1.5 million/year
GDPR penalty factors
• Nature, duration, history
• Number of affected individuals
• Severity of damage
• Mitigation
• Intent or negligence
Review (3):
Non-financial penalties
• Warnings
• Processing restrictions, suspensions, bans, temporary or permanent
• Data erasure
• Requirement to recertify
CCPA penalties
• CA AG, CPPA enforce
• Violation up to $2,500/violation
• Intentional violation up to $7,500/violation
• Private right of action (for data breaches)
• $100 to $750/incident/consumer