In Part 1 of this blog series, we detailed the four main themes of the International Conference of Data Protection and Privacy Commissioners (ICDPPC) that took place recently in Hong Kong. In addition to attending the events at the conference, the Nymity team also had the opportunity to participate in the CIPL Industry Roundtable, and lead a workshop on “Demonstrating Compliance to Regulators”. Today, we will share some of the insights gleaned from these two key events.
CIPL Industry Roundtable
The Roundtable discussion began with the APEC Cross-Border Privacy Rules system (CBPR). Currently, the U.S., Canada, Mexico, Japan, and South Korea are participating; Singapore will be joining, and Taiwan, the Philippines, Australia and Vietnam are preparing to join. TrustArc and JIPDEC have been approved as accountability agents. There are currently 22 certified companies and significant high-level support for the system (including from APEC leaders and the White House), but country-level participation remains a challenge.
There are several incentives for companies to gain certification through the CBPR:
- Visible recognition for customers, partners and DPAs that the house is in order
- Early adoption is regarded positively, allowing participants to be part of discussion on next steps
- Enables participants to adapt easily to local requirements in multiple markets
- Easier onward transfer: From Japan, certified companies may also transfer to non-APEC countries as long as the CBPR regime applies
- Many countries are introducing data protection laws; the CBPR facilitates data flows on common standards, removing some of the challenges those laws create
For CBPRs to work, it was noted that companies will need to embrace the accountability model. Check-box compliance is not sufficient; instead, DPAs should make clear that seals and certifications will be taken into account in enforcement action.
There is ongoing discussion between the APEC privacy working group and the EU on interoperability between the EU transfer mechanisms and the CBPRs. So far, work has been done on mutual recognition between BCRs and CBPRs, resulting in a referential (in the form of a checklist) showing the overlap between the two systems.
The US Department of Commerce is currently exploring whether CBPRs could be recognised as a certification and compliance mechanism under Articles 42 and 43 of the GDPR. It is possible that a new referential will be developed to demonstrate how GDPR requirements are met under the CBPRs. Currently, there are no clear contradictions between the GDPR, the CBPRs and Privacy Shield. Some definitions differ slightly, and some processes and procedures vary, but there are no blockages that prevent interoperability.
The European Commission is currently working on GDPR implementation with member states, DPAs and private stakeholders. Though the GDPR is directly applicable and does not require transposition at a national level, it nevertheless has an impact on national law, because member states may specify the application of the Regulation in specific areas, including employment, the public sector, and freedom of expression. The European Commission tries to ensure that no fragmentation takes place at a national level, particularly because the aim of the GDPR remains harmonisation.
Interpretation of the law is done in cooperation with WP29. The European Commission wants to avoid duplication of work, and as such the next documents are on DPIAs (final), data breaches, and profiling (both drafts; available on the WP29 website). Proper European Commission guidance on the GDPR is also in preparation, and a study on certifications and seals has been launched, to be finalised by May 31st, 2018. The main aim of the study is to map the existing certification mechanisms and provide recommendations on criteria for certifications (Article 42(5)), the procedure for certifications (Article 43(8)), technical standards and possible appropriate safeguards. The study should provide input for implementing and delegated acts.
The multi-stakeholder expert group guiding the GDPR implementation will meet for the first time in October. The EU Commission is promoting convergence with the GDPR system, including independent oversight and recognition of key elements of the fundamental right to data protection. Focus will be placed not only on adequacy, but also on other transfer mechanisms and on adoption of Council of Europe Convention 108 across the globe.
The Commission shared its perspective on the Privacy Shield, stating that it considers it a big success: uptake has been much faster than under the old Safe Harbor mechanism. The first Joint Review, an essential component of the Privacy Shield's lasting success, took place in mid-September. The Review went well, and the European Commission's report on it was being drafted at the time. By now, it has been published.
A single standard is generally easier to comply with than multiple standards, but the GDPR still requires a lot of resources to ensure that all requirements are met. Vendor management continues to be a complicated issue, because many contracts require renegotiation. Larger vendors tend to be relatively easy, because they can offer new standardised contracts; the challenge remains with smaller vendors, who may not even be aware of the GDPR.
Altogether, the CIPL Roundtable produced a lively debate and plenty of exciting discussion about the challenges and successes of global data privacy regulation.
Nymity Workshop: “Demonstrating Compliance to Regulators”
Nymity’s workshop at the ICDPPC was well attended by commissioners from Asia, Europe, and Africa. The topic was timely, as many organisations continue to question the meaning of “demonstrating compliance”.
Nymity has conducted a great deal of research into the development of a new methodology for demonstrating compliance. This has included open conversation with data protection authorities and regulators, including commissions from Europe, Asia Pacific, and Africa. Our research has led us to recommend the development of a compliance capacity report, which links technical and organisational measures to specific articles of the legislation and provides evidence of how these measures have been implemented within an organisation.
The workshop provided an excellent platform for discussion with DPAs about the idea of certification. Once an organisation establishes a full privacy program, is there an opportunity under the GDPR or the CBPRs to have that program verified or certified? Karolina Mojsezowicz, deputy head of unit for Data Protection at the European Commission, was present at the workshop and stated that the Commission is currently looking into how it can best support effective certification mechanisms. An independent study has been commissioned and should be ready in May 2018.
One of the main benefits of certification is increased trust from partners and customers, provided that the certification is public. Certification must take into account not only the mechanisms of the privacy program itself, but also the safeguards that are in place in the event of a breach. Knowing and understanding these measures builds trust with stakeholders.
All of the research that Nymity has conducted regarding certification has been used to develop a paper, which can be found by visiting https://www.nymity.com/regulator-projects.aspx. A revised version of the paper will be released in 2018, and Nymity is currently seeking feedback for inclusion in the final draft.
View the Full Webinar for More Information
To learn more about the ICDPPC, and the role Nymity played at the conference, view the full webinar: