Data Security and Privacy Webinar:
This page does not include all of the takeaways from the webinar. For full value, request access to the webinar recording by emailing info@mappinc.com
Major Topics:
Data Security & Privacy Legal Landscape in the US
Federal Privacy Laws – FTC Fair Information Practices and Principles
- Notice and Awareness
- Choice and Consent
- Access and Participation
- Integrity and Security
- Enforcement and Redress
California Consumer Privacy Act (CCPA)
Requirements of CCPA service providers
- Update contracts with service providers
- Update your privacy policy
- Enable consumer requests
- Implement employee training
Impactful Foreign Laws and Regulations
GDPR in the EU – Data protection principles
- Lawfulness – requires a legal basis for processing
  - Consent
  - Performance of Contracts
  - Compliance with Legal Obligations
  - Protection of Vital Interests
  - Performance of Tasks Carried Out in the Public Interest
  - Legitimate Interests of the Controller
- Purpose Limitation – reusing data
  - The new purpose must be compatible, considering:
    - Links between the original and new purpose
    - The context in which the data was collected
    - Nature of the data
    - Consequences of new processing
    - Existence of appropriate safeguards
- Transparency – how and why the data is being used
  - Certain information must be provided
  - Plain Language
  - Provided at the time the data is collected
GDPR in the EU – Rights of the Data Subject
- Right of Access – the subject can access the data held about them after it is collected
- Right to Rectify – allows the subject to change or correct the data
- Right to Erasure (the Right to be Forgotten) – erasure of the data
- Right to Restriction of Processing – restrict processing based on certain conditions
- Right to Data Portability – have the data transmitted to a different controller
- Right to Object – allows the subject to object to the data processing; the controller has to suspend all of the processing until it can prove the data was collected with integrity
- Breach Notification – a controller has to alert the authorities within 72 hours of becoming aware of a breach, and the data subjects without undue delay
GDPR in the EU – Sanctions
- Warnings for first and non-intentional non-compliance
- Audits
- 20 million Euro or 4% of annual worldwide turnover, whichever is greater.
Internal Control Mechanisms and Guiding Principles
Keys to a Successful Compliance Program
- Identify the Types of Information Collected and Processed
  - Become familiar with all kinds of records in your company
  - Involve key stakeholders
- Survey the Legal and Regulatory Landscape
  - Understand the US industry-specific laws
  - Understand the size of your organization, the nature and location of the business, and the type of data being collected
- Gather and Examine Existing Internal Policies
  - Data retention and destruction policies
  - Privacy policies
  - Data security policies
  - Data breach notice plans
  - Employee training materials
  - Acceptable use policies
  - Internal monitoring processes
- Assemble an Information Security Team and Assess Risks
  - Determine who will be responsible for compliance
  - Buy-in from decision-makers
  - Obtain input from across your organization
  - Generate a list of risks associated with noncompliance
  - Identify mitigation methods
- Design and Implement Solutions Using a Privacy-By-Design Approach
  - Consider the entire data lifecycle
  - Possible actions include:
    - Develop a system for monitoring and tracking network access
    - Design effective employee policies and procedures
    - Develop an incident response plan
    - Conduct regular audits