1. Key Points for a Privacy Programme for Multinationals Steve Coope

2. Agenda 1)Preparing for the new General Data Protection Regulation (GDRP) whilst not forgetting the rest of the world. 2)Identifying the priority areas of privacy within your business. 3)Leveraging relationships within the business to implement changes. 4)Straightforward policies and the preparation of guidelines. 5)Cross-border transfers of personal data. 6)Data security and data breach management. Steve Coope

3. Preparing for the new EU General Data Protection Regulation (1/2) On December 15th, 2015, the final text of the EU General Data Protection Regulation (GDPR) was agreed. In force 2018. Fines: up to 4% of global turnover. the EU and beyond. New Data Processor obligations. Breach Notification: Businesses will have to provide data breach notification to data protection authorities within 72 hours of spotting an incident. Good news: compliance programs and accountability will be taken into account when applying sanctions. Steve Coope

4. Preparing for the new EU General Data Protection Regulation (2/2)  Consent Must be unambiguous for the processing personal data  Data Protection Officer : must be appointed if - your core activities involve regular and systematic monitoring of data subjects on a large scale or large scale processing of special categories of data -a public authority Steve Coope

5. Preparation Whilst the GDPR won’t be in force until 2018, start preparing now. Know your Personal Data and know your customers’ Personal Data. Be clear on; what personal data is collected, where is it stored, security protection implemented, transparency, minimising risks, customer and supplier relationships, international transfer arrangements. Get support for resources. Educate and raise awareness. Steve Coope

6. Rest of the World Steve Coope

8. US – privacy laws? EU has a data protection framework, no direct equivalent in the US. US has several forms of rules on privacy scenarios. Sector rules; Health Insurance Portability and Accountability Act (HIPPA), Gramm-Leach-Bliley Act for financial information. Federal rules eg. For the collection of child data on-line; Childrens On-line Privacy Protection Act. State rules eg. California Online Privacy Act. Safe Harbor invalidated. Steve Coope

9. US – financial implications EU data protection authorities are vocal, lots of regulatory guidance. EU level of financial powers of enforcement are still limited today (but will change). Heavyweight Federal Trade Commission in the US. High settlements and ongoing lengthy compliance audits. Class Actions; level of damages can be huge. Steve Coope

10. Asia Pacific Changing at a rapid pace. Several countries in last few years now have data privacy laws or IT or consumer laws with privacy effect. Australia (2014). Singapore (2014) Data Privacy Officers mandatory and strong “no call” regime. South Korea (New). Hong Kong (amended existing). India (IT focussed). Steve Coope

11. APAC continued Most have transfer/ cross border protection restrictions. Most have breach notification requirements. A few have national registration requirements; Malaysia, Macao. Steve Coope

12. Leveraging relationships Identify common interests Security IT specialists Quality Steve Coope

13. Privacy programme Straightforward policies and the preparation of guidelines. Rollout training and awareness. Audit, monitor and update. Steve Coope

14. Cross- border transfers of personal data. Transfers of personal data outside of the EEA. Adopt one of the acceptable ways. EU Standard Contractual Clauses. Binding Corporate Rules. Steve Coope

15. Safe Harbor and the new Privacy Shield Steve Coope

16. Data security and data breach management Technical and Organisational Measures. Clear, robust security policies. A policy covering data breaches. Steve Coope

17. Thank you Steve Coope