GDPR Signature Block Made Easy
Upgrade your document workflow with airSlate SignNow
- Flexible eSignature workflows
- Instant visibility into document status
- Simple and fast integration set up
- GDPR signature block on any device
- Detailed Audit Trail
- Strict safety standards
Why choose airSlate SignNow
- Free 7-day trial. Choose the plan you need and try it risk-free.
- Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
- Enterprise-grade security. airSlate SignNow helps you comply with global security standards.
Your step-by-step guide — GDPR signature block
Using airSlate SignNow’s electronic signature, any company can enhance signature workflows and sign online in real time, providing a better experience to clients and staff members. Use GDPR signature block in a couple of simple steps. Our mobile-first apps make work on the move possible, even while offline! Sign documents from any place worldwide and complete transactions faster.
Follow the step-by-step instructions for using GDPR signature block:
- Sign in to your airSlate SignNow profile.
- Find your record within your folders or import a new one.
- Access the document and edit content using the Tools list.
- Drag & drop fillable fields, type textual content and sign it.
- Add several signees via emails and set up the signing order.
- Choose which individuals will receive an executed doc.
- Use Advanced Options to limit access to the template and add an expiration date.
- Click Save and Close when done.
Furthermore, there are more advanced features available for GDPR signature block. Add users to your collaborative workspace, browse teams, and track collaboration. Numerous customers all over the US and Europe recognize that a system that brings people together in a single cohesive work area is what enterprises need to keep workflows running effortlessly. The airSlate SignNow REST API enables you to embed eSignatures into your application, website, CRM or cloud storage. Check out airSlate SignNow and enjoy quicker, easier and overall more effective eSignature workflows!
FAQs
- What does GDPR set out to protect?
  The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy for all individual citizens of the European Union (EU) and the European Economic Area (EEA). It also addresses the transfer of personal data outside the EU and EEA areas.
- What are the 7 data protection principles?
  The GDPR sets out seven principles for the lawful processing of personal data. Processing includes the collection, organisation, structuring, storage, alteration, consultation, use, communication, combination, restriction, erasure or destruction of personal data.
- What does personal data include under the GDPR?
  Any information relating to a living, identified or identifiable natural person. ... Under the current Data Protection Directive, personal data includes: identifiable information such as numbers; factors specific to a person's physical, physiological, mental, economic, cultural or social identity.
- What is GDPR in layman's terms?
  GDPR, which stands for General Data Protection Regulation, has been on a planned rollout in the European Union (EU) since May 2016. The regulation now gives individuals power over the use of their personal data and holds organizations accountable for their data collection and usage practices.
- How does GDPR policy define privacy?
  The General Data Protection Regulation (EU) 2016/679 (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). ... When the processing is based on consent, the data subject has the right to revoke it at any time.
- What is not personal data?
  Examples of data not considered personal data: a company registration number; an email address such as info@company.com; anonymised data.
- What is not covered by GDPR?
  GDPR does not cover the processing of personal data which concerns legal persons (such as limited companies), including the name and the form of the legal person and the contact details of the legal person. Therefore, there is no requirement in the Regulation to redact the data about legal persons.
- Is a signature personal data under GDPR?
  The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria. This could include chronologically ordered sets of manual records containing personal data.
- Is a name personal data under GDPR?
  What identifies an individual could be as simple as a name or a number, or could include other identifiers such as an IP address or a cookie identifier, or other factors. ... Information which has had identifiers removed or replaced in order to pseudonymise the data is still personal data for the purposes of GDPR.
- What is considered personal data under GDPR?
  'Personal data' means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier ...
- What is not considered personal data under GDPR?
  By using “natural person,” the GDPR is saying data about companies, which are sometimes considered “legal persons,” are not personal data. A final caveat is that this individual must be alive. Data related to the deceased are not considered personal data in most cases under the GDPR.
- Is salary personal data under GDPR?
  Any information these data controllers have on you, such as your date of birth, address, phone number, salary, and rent would therefore all constitute protected personal data under the GDPR. It gets a bit confusing for “identifiable” persons.
- Are photos personal data under GDPR?
  Summary. Personal data are involved where individuals may be identified on photographs. This means that data protection laws must be observed if photographs are not taken and published exclusively in private areas. The GDPR definitely applies to photography.
Okay, good morning all. For those of you that have joined, welcome. Thank you for joining early. My name is Preston Bukaty, I'm a consultant with IT Governance USA, and today we're going to be talking about the GDPR and what North American organizations need to know about data privacy. Not just a rehash of the old common topics of GDPR, but actually an investigation into some new information, right? The recent court case from Schrems around data transfers to the EU. We're going to talk about some of these issues and again emphasize why North American organizations need to be paying attention to this law and paying attention to this issue, as people overseas create more confusion and chaos and headaches around the legal ways to transfer and deal with personal data.

So if you don't mind, we'll just wait a couple more minutes. I know that in today's virtual age people are often going from one Zoom meeting to the next, so we'll give folks a couple more minutes to perhaps grab a coffee refill, tea, or use the restroom before jumping on this call, and we'll get started talking about the GDPR and what North American organizations need to know. So bear with us a couple more minutes. I appreciate those of you who have joined. We'll get started here shortly.

Okay, thank you all for joining. Again, my name is Preston Bukaty, I'm a consultant with IT Governance USA, and today we're here to talk about the GDPR, recent news out of European courts, and why North American organizations need to comply with this law. So, in turn, what they need to know about data privacy, right? What they need to know about changing regulations, either in the EU or here in the United States, and how we can stay on top of this topic, keep abreast of legal issues, reduce our liability and get back to business as usual, right? So today that's what we're here to talk about. We'll do a brief refresher on the GDPR before diving into some more recent topics around Schrems and some US laws around data privacy. But as a brief introduction,
again, my name is Preston Bukaty. I'm a consultant with IT Governance with a background in law, so I've actually got my law degree, although my goal today, unlike a lawyer, is to try to hopefully give you guys some useful advice that you can take and apply to your own business model, so you can learn how these laws work, what they require from you and what you need to do to comply. So you see various other things: I teach courses at IT Governance, and a lot of my time is spent on actual consultancy and implementation of information security programs, whether those are certified programs under ISO 27001 or just more generally working on compliance stuff. I have certainly worked on the GDPR and new US laws like the CCPA to no end.

With that being said, we've also got a brief word from our sponsor here. Right now IT Governance is the entity that's hosting this conversation for us today, so it wouldn't be fair for me to skip forward too much without saying what IT Governance can provide and offer, right? And IT Governance really prides itself on a history of consultancy in the information security space, you know, going back years with some of the first original implementations of ISO 27001 and expanding that onward as this world has greatly increased. Because, as you all know, in your personal lives we've used more technology, certainly more since the '90s and the early 2000s. The use of technology has proliferated, the use of data across those different technological tools has proliferated, and as a result global societies, whether in your country, in this country or perhaps everywhere around the world, are starting to create new laws around how that technology and how the data is meant to be used. So our goal always is to try to teach you how to fish, so that you can help protect data and do things compliantly wherever you are.

So, today's agenda. First, like I said, we'll do a brief refresher on the GDPR. I don't want to spend too much time on that because frankly the law is a couple of years old, and if you've come
to this webinar asking yourself, do I need to comply with GDPR, you're probably in the wrong class and you need to go back to the beginner level. This is really more for the advanced students that are out there that already know some of the basics around data privacy law, because really what we want to talk more about, right, is that Schrems II decision that came out recently and how that impacts legal data transfers between the EU and third-party countries like the United States. From there we're going to look and say, okay, well, if we have to deal with this GDPR thing, how does that make my life easier over here, right? Because guess what: for those in the advanced class, you should know this by now, every single state in the United States has a data breach notification law, and increasingly these states are coming out with privacy and cyber security laws like the New York SHIELD Act or like the California Consumer Privacy Act, potentially the CPRA or the CCPA 2.0 that will go to ballot in California this November. So there's a lot of changing laws in this space, and my goal over the course of today's conversation is to hopefully show you that if you have to deal with the GDPR, start to take steps to deal with it compliantly today, right? Don't stick your head in the sand and wait for guidance from the courts. There are concrete, cheap and easy steps you can take today to reduce your liability, and if you do that it might help cover some bases here in the United States as well. So that's what we're going to get started to talk about.

And of course, as always, if you have any questions, don't hesitate to email them over. You see here our email address. You can also post things in the chat on the GoToMeeting tool and I can get to those. If we get a ton of questions, we'll send those out later along with recordings and copies of the slides, in case you guys have questions in the future or want to discuss anything with me personally, because guess what, I'm a nerd on this and I'd love to bore you to
death with more data privacy law and discussion.

So first, like I said, brief refresher: what is the GDPR? Well, it's a European-based regulation, so it applies across the EU, and it governs how businesses have to collect, process and store personal data. So you see there from the slide, what it actually has done is given individuals greater rights, right? More actual control in the way that their information is used. I was reading a study this morning, and in the United Kingdom it's estimated that for one human being approximately 30 companies have data on that person, right? So think about that: your data is just alone today at 30 different companies, and that's before you get on Amazon and start buying stuff, that's before you get on your next Zoom call, that's before your kids browse Facebook on the computer at home, right? So our data has spread everywhere, and the purpose of this regulation is to try to balance the scales between consumer and company, right? We've got these companies collecting this data, using it for a million different reasons. In my experience, no offense to the sales and marketing folks, sometimes they don't even know what the data is being used for, right? They're collecting all this data and they're using it, storing it, saving it, but it might not be accurate, it might not be of value, it might be out of date, right?

So this law has put in place a bunch of different requirements on companies, and what I often tell clients here is, for those of us coming from an American mindset, you would expect the law to have certain clear requirements, right? Almost like a checklist. That's not the GDPR, right? The GDPR is not a prescriptive list of things you can and cannot do with personal data. It's more of a programmatic model for data compliance, right? So again, it's not necessarily saying do this and don't do that. It's saying that you have to incorporate a risk-based approach to data protection. You have to understand the risks that your activities pose to individuals and their rights and freedoms
as a human being, in line with the data you use. You also have to think about the risk as a company, right? What types of data are you dealing with? There's a fundamentally different balance between a Facebook that collects and processes millions of data elements versus a small storefront that's operating in more of a local jurisdiction that maybe only handles a couple thousand pieces of data, right? So a lot of times it comes down to the three V's, as I call them: volume, velocity and variety of data. That's what the GDPR is getting you to do. It's saying, as a company, we want you to sit and think about what personal data we are collecting now, how much do we have and how much do we need? Let's start to understand where it goes, who we give it to, what else they do with it, where it's stored, if it's stored securely, all that kind of stuff, right? So again, I'm not trying to bore you with the details of the GDPR, because if you have not heard, the GDPR actually took effect in 2018. So again, if you're just wondering, what the heck am I doing, you're a couple of years behind, and that's not a problem. Stick with us, we can hopefully bring you up to speed.

The first question for a company to try to figure out is, hey, does this law actually apply to me, right? Always, always a critical question when it comes to legal liability, because oftentimes people will get suckered in, assuming they have to do work on these issues, but the first question is, do you even fall under the jurisdiction of the law? With the GDPR it's a pretty simple analysis. The two things for you to think about: number one, are you doing business in the EU? Because guess what, to be blunt, if you're physically there, somebody can come knock on your door, right? So you have to deal with the laws if you're physically there or if you're registered and doing business there. The other way that this law will apply to you is if you're processing the data of EU residents. So, long story short, if you are either physically located in the EU or you deal with the data of
Europeans, you are going to need to confront the GDPR, whether in full or in part. So again, pull your head out of the sand, stop pretending that this won't happen to you, because it will and it is, and start to prepare for what this law means for you, right?

So, the other big question that people often ask under the GDPR: there are questions around this idea of an EU representative. I don't mean to say that we're all going to focus on registration rules under the GDPR here. Again, there are tons of different rules and requirements from the GDPR, and that's not necessarily the purpose of today's presentation, but this is one that confuses a lot of folks. For those operating abroad, you'll remember on the past slide I just said that the law applies to you even if you are not physically in Europe, right? Even if you are located in Denver, Colorado, like I am, if you're processing the data of EU residents you've got to deal with this law, right? You are dealing with their economic market, their data; as a result you must comply with their rules. One of those rules is that you have to have a local point of contact, right? And that hopefully makes sense to everybody. Here in the United States it's the same thing as a doing-business or registered address, right? So for most corporate organizations here in the States, where is your technical legal representative? In Delaware, right? A lot of companies are registered in Delaware even though they might not physically have an office there. So this is kind of that same idea, right? The idea is, even if you don't have a physical office over in Europe, you should have some sort of local point of contact, right? A phone number that people can pick up, somebody who knows the language and the culture, and they can, for lack of a better word, handle all of your issues for you. Now, that's not to say that this person is responsible solely for GDPR compliance. You see that bullet on the last list there, right? This is really a representative of the organization, almost like a local
mouthpiece, right? They are able to spread the word on how you deal with data privacy laws. In turn, they are able to take customer feedback, complaints, any sort of findings or actions from regulatory authorities. They're basically like boots on the ground, right? They're your local point of contact, they help hold the records, but they are not solely responsible for compliance. Oftentimes an area that trips up American businesses, right? Because as a part of this requirement, as a part of this law, you have to have some sort of local point of contact. So it's whether you physically do business there or, if you don't, having some sort of representative who can serve as an intermediary between customers, data subjects, regulators and other corporate entities.

Now, this is an increasingly sticky subject under the GDPR, this idea of a DPO or data protection officer. I think this originally started under the GDPR as a way for companies to help monitor their compliance, right? Sort of having an internal objective party who's sitting there worrying about data privacy issues, right? So less of a compliance manager or a general counsel, but more of a privacy expert who can advise the organization on their requirements under data privacy laws like the GDPR and in turn monitor that compliance, so that if the company is not following the law, right, if they're taking steps that actually subvert privacy, the DPO has requisite levels of executive authority, reporting to senior management, that they can step in and actually fix that issue, right? So again, this is not like simply staffing a compliance associate or putting another hat on one of your existing employees. The data protection officer, as required under the GDPR, actually has certain requirements. They need to be independent, they need to have an executive level of reporting, and, what's been interesting, the case law on this topic has increasingly shown that the data protection officer should actually ideally be someone outside your organization if possible, and
the reason goes back to that level of objectivity, right? Having a layer of checks and balances. The idea is that if your data protection officer is your employee, well, they might look around and say, hey, I'm doing a great job, there's no privacy issues, as a matter of fact I deserve a raise, I'm doing such a good job, right? Well, we want to avoid those situations. We want to have a level of objective risk management across the organization. Like any good corporate entity, we don't want to rely too much on the personalities of our staff, we want to rely on good business judgment. And so increasingly courts in the EU, in Germany, France and in other places, are saying that your data protection officer should actually exist as someone outside the corporate entity: not simply a member of ministerial staff, but either an executive senior manager who sits at a level of reporting that they can work directly with the C-suite, or an outside party who is totally outside the lines of your corporate structure and therein can demonstrate that objectivity and independence, right? Because it's a separate company that's working with you as a partner, but they don't necessarily have to listen to you when you tell them what to wear, right? And that's the idea. We don't want a situation, wink wink, not Facebook, we don't want a situation where employees are doing something that violates privacy laws and senior managers are either unaware or tacitly accepting what's going on, right? We want that data protection officer to be able to step in and have the power and authority to say, hey, wait a minute, this isn't right, and something else needs to happen, it needs to be fixed. So you see there the bottom point, very much in direct contrast to the last slide: whereas your EU representative is really just a local point of contact and they are not responsible for GDPR compliance, the DPO is more on the hook for that issue, right? And certainly that makes sense. By virtue of the title, they are the data protection
officer, and as a result they are the main point of contact for all data protection issues, including breach reporting, working with supervisory authorities, and any sort of responses you may send to data subjects, right? Data subject access requests, requests for deletion, requests to restrict processing, etc.

So that was just a brief, brief overview of the GDPR. Again, my goal is not to get too much into the weeds on the GDPR, just reminding American organizations that, hey, look, this law probably applies to you, there's some procedural hoops you need to jump through. But the biggest thing on our radar as Americans this year under GDPR is this guy Max Schrems and his recent court case. So for those that aren't aware, let me kind of paint the picture for you. Years ago the US and the EU had a data transfer agreement called Safe Harbor, and under that framework the two regional entities were allowed to transfer and process personal data. There was an agreement, right? So this framework had some formalized rules, but basically that's how it worked: people could transfer data under Safe Harbor. Well, in 2014 a guy by the name of Edward Snowden quit his job at the CIA or NSA, I can't remember exactly, and he basically told the whole world, hey, guess what, guys, if your data is going to the United States there's a lot of creepy people like me that can have potential access to that data, and I don't think that's right. In turn, Europeans didn't think it was right either, and that's ultimately what has led us to the discussion today. Some of those revelations were the genesis of GDPR, and they also led to the original invalidation of Safe Harbor. So this guy named Max Schrems considers himself a privacy advocate, a bit of a champion of privacy rights over in the EU. He filed a lawsuit under the Safe Harbor agreement, and ultimately that agreement was invalidated. It was found that, hey, this is not good enough, it actually doesn't protect European data when it's in the United States, we need something new. The new
thing they created was Privacy Shield, and you see there it came about in July 2018, just in time for GDPR, and it was the same basic idea. It was a data transfer framework that helped to govern the transfer, handling, sharing and use of EU residents' personal data while that data was in the United States. Basically what happened, guys, is the EU courts sat down and dreamed up a data transfer framework, and they said if data is transferred according to these rules, it should have adequate protection while it's in the United States, right? And so even though the surveillance program in the United States may create issues for data here and there, ultimately, if it is processed under the terms of this Privacy Shield agreement, it should have an adequate level of protection. It should be protected just as much as we would expect it to be in the EU. And so the FTC here in the United States monitored and administered the Privacy Shield, right? If you wanted to participate, you signed up on their website, you had to jump through some hoops, pay a small fee, but ultimately it wasn't that big of a deal. Until there was this little election a couple years ago, and we found out that Facebook was sharing some data in a way they maybe shouldn't have, and so all these Europeans started wondering, hey, wait a minute, what's the deal with this Privacy Shield? All of these agreements used to be in place, and it doesn't look like we're getting this protection. And so ultimately Mr. Schrems turned around and he filed another suit. This time he was actually focusing on standard contract clauses, so keep that phrase in your mind: SCCs, right? So Max Schrems is complaining about SCCs, and that ultimately worms its way through the European courts. It started in Ireland, where a bunch of companies, the US tech companies, have their legal headquarters overseas, so the court case was filed in Ireland. It routed all the way up to the CJEU, the Court of Justice for the European Union, right, the top of the food chain, and that court came out
with a ruling here a little while ago, about July, August, and here's what the court said. They said, we know that we were called to investigate the validity of standard contract clauses, but frankly we're not going to do that. What we're going to do is we're going to look at this Privacy Shield thing. And what they came to determine is that current data practices in the United States, mostly in use today for national security and surveillance, are incompatible with the rights and freedoms of European citizens when it comes to privacy, right? Privacy, an actual right for Europeans, iterated in their constitution. A little bit different here in the US; we've got a little different approach. And so what the Europeans said is, hey, look, these FISA courts where data can be requested and sequestered and no one else can participate, these NSA surveillance programs, these executive orders that allow the executive branch of the US government to basically subpoena data without anyone's knowledge or feedback, that is not cool with us anymore. And you can see, as iterated on my slide, they've basically said that the lack of rights that European citizens have in those arrangements, right, the fundamental point being they don't have an ability to really stand up and understand what's going on with their data, they don't have a way to push back, they don't have any method of redress, well, that means that ultimately these Europeans don't have a good level of protection, right? If data from European citizens is going to be transferred to the United States, even if it's transferred under Privacy Shield, it's not going to be protected the same way it would be in Europe. So data in the United States is treated in a fundamentally different way than it would be in Europe. As a result we've got a disconnect, we've got a discord, and so, as a result, if data is transferred to the United States under Privacy Shield, it does not receive an adequate level of protection, and therein Privacy Shield is invalid, right? Because
they basically said even if you transfer data under Privacy Shield, that doesn't mean the US government isn't going to spy on it. So Privacy Shield was invalidated. Now, in my mind, I told you all just a second ago, keep this phrase in your mind, right? SCCs, standard contract clauses. Will you remember that that was the point of the court case? We didn't come here to talk about Privacy Shield, we came to talk about standard contract clauses. So Mr. Max Schrems was probably scratching his head, but the court addressed the issue and they said, look, we know that you asked us about standard contract clauses, and we know that we actually replied and gave you an answer on Privacy Shield. Here's where we stand on standard contract clauses: ultimately there is the same issue, because if you transfer data to the United States, no matter how you do it, it's not going to receive an adequate level of protection. However, that doesn't mean that individual parties to a contract cannot boost the contract to help ensure an adequate level of protection, right? So again, in my opinion, my distilling of this court ruling, they basically said if you transfer data to the United States it's not going to receive the same level of protection as it would in the EU, and as a result that data transfer is invalid. You cannot do it. You certainly cannot do it under Privacy Shield; that's invalid and not good enough. You may be able to do it by virtue of a contract, but the two parties to the contract are going to have to sit down and kind of hash out this issue, right? How is the data recipient in the United States going to ensure an adequate level of protection, right? So ultimately, at the end of the day, those of us in the Americas, how are we going to get around Section 702 of the FISA courts? How are we going to get around Executive Order 12333, right? If the FBI comes knocking, what am I gonna tell them? So, as a result, I'm sure some of you are scratching your heads. I think many of us have been doing the same thing
for quite a while, right? This has left us in a bit of legal uncertainty, because the courts have basically said there are no particularly strong, bulletproof ways to transfer data from the EU to the United States. You certainly cannot use Privacy Shield, you probably cannot use contracts unless you do more work, but we don't know what that extra work means or what it looks like. So everybody's kind of stuck in this weird waiting room, and what's worse is that the courts know that, right? And so far there has been a great amount of complexity and uncertainty on this topic. European courts have indicated that they will honor the ruling of the CJEU and that they will start to prosecute American companies that are transferring data by virtue of Privacy Shield or standard contract clauses. On the flip side, the FTC here in the United States has released statements saying that the Privacy Shield is still valid and that all of the requirements to participate in that program still apply. So if you have Privacy Shield you may not wish to let it lapse, although others would argue, what's the point of maintaining it, because you can't use it in Europe, right? It's a lot of confusing chaos. We don't really know what's going on.

At IT Governance we've sat down and tried to think about some options for you, and this is the point of this slide, right? So this is me just kind of talking about how do we address this issue of transferring data between the EU and US. Well, you see here on the bottom left of my graphic, I'm trying to indicate that maybe your approach is to challenge the government, right? And certainly some companies here in the United States have done that, like Microsoft in the past, the idea being that, hey, Europe, you can transfer your data to us, and if we are ever met with one of these requests for data that you have indicated you're not a fan of, right, FISA court warrants, executive orders, what have you, we will actually stand our ground and refuse to give data to the US government. So in
that way hey if you give data just to us it will be adequately protected we promise that we will not give it to other people without bringing you into that conversation so that's an option right and uh i can't see anyone's faces on this call but many of you are presumably wincing or shrugging your shoulders a bit right i would argue unless you've got a couple billion dollars in the bank you're probably not going to be in a very strong bargaining position in that argument right it's going to be you versus the united states government and statistically speaking you're probably going to lose right if they got al capone if they've gotten everybody else i don't think you're enough of a mastermind to outsmart them it may be an option for you but it's certainly not a long-term solution now compare that on the bottom right right i've indicated that maybe notching up on the privacy scale although perhaps not doing much by way of actual security you could continue relying on standard contract clauses with the addition of some extra safeguards right so you could basically take the court's lame advice that they've offered today and try to bolster your contractual positioning so that you go back to these parties in europe and say hey look if you transfer data just to us according to terms of this contract we will protect it and here's how the uncertainty there is what's going to be good enough right and that's sort of the issue you can start to put in place safeguards today there's certainly some guidance and rulings from courts like i said in germany and france there's some steps you could take but in my opinion that's only as good enough as the latest and greatest lawsuit right the next time a company with standard contract clauses finds themselves on cnn right the next time facebook or google has a data breach you can bet money that max shrims is going to come after those companies and a matter of fact he already has so max shrims has a non-profit organization uh you know 
sort of an advocacy rights organization called noyb none of your business and he has already filed suit against 101 companies here in the united states that are continuing to process data internationally by virtue of standard contract clauses and you've heard the names of some of these companies facebook google and others especially the work they do in an advertising space around like buttons and cookies and analytics much of that data is shared internationally by virtue of company contracts that have standard contract clauses and so the shrims organization has already filed suit against 101 of those companies to basically say you saw the court ruling and you're not doing anything about it what's the deal here and a lot of those cases are being set up through the irish courts the irish court system is also being hammered to pursue this more vigorously because like i just said many american tech companies have their legal headquarters in ireland and so advocacy groups like noyb and many others across europe have been starting to hammer the irish data protection commissioner and say hey this is really all falling into your backyard you need to step up and do more here so you can start to expect more vigorous litigation and more aggressive enforcement of these rules certainly in the jurisdictions we're familiar with like germany france belgium and others but now increasingly in ireland as well and then we've got this brexit issue in the uk right that's throwing in a nice layer of complexity on an already crazy year so now on the top left i discuss encrypted access control my idea here is as we go up and to the right we are getting actual security and actual privacy we're not just putting words in a contract but we're actually putting technical controls in place and so some of the thinking is that well one of the ways you can ensure adequate safeguards of european data is actually building in technological safeguards right and so the logic for me is that you either do 
full-blown into end encryption right up there in the top right that's what i've wrote that for into end encryption so that really the only people who see the data are the customers at issue right the europeans and everybody else as the data sits in transit on your systems or at rest on your servers it's inaccessible to your team your personnel or to us government personnel who may wish to access that data maybe dialing the notch back a little bit is some kind of access control where encryption is still used to provide a level of protection but there's different access rules so that it's clear about which ends of the tunnel can actually see the contents of the data in the tunnel right and so ultimately my point with this slide for those attending this webinar i'm not saying this is the end-all be-all solution what i'm trying to demonstrate here is that the courts have left us in a position of legal uncertainty that does not mean that we can simply sit around and do nothing though because doing nothing is the worst we can do that's going to indicate to the world that we have basically read the rules and we are choosing to openly ignore them so you've got to do something right you've got to do something to demonstrate you are taking steps in this space well some of the quick and easy steps you can start to take now is updating your contract paperwork the question is with what how much time is that going to take and that often ends up leading to rounds of negotiations with that other contracting party on the flip side you can look at technological controls to build in that adequate level of protection of course that's going to engender a discussion with your it team and your data ops team around how is this affecting our data and our functionality of our tools but there ultimately are steps you can take today and to sit on this webinar or any of the other webinars that have been released about mac shrimps and to walk away with thinking nah there's not much i can do i'm 
just going to wait until the court tells me more it's probably not going to be me that's the worst thing you can do and i'm saying that as a as an attorney i'm saying that as a friend i'm saying that as a business advisor you gotta start doing something because simply sitting around and doing nothing will look worse if you are brought into a suit whether it is you directly by virtue of one of your customers over in europe or whether it's through one of your service providers or your key vendors soon you are going to have to live in this world right like i said at the beginning of the call this is going to apply to everyone eventually so there are steps we can start taking now and what's even better for us in the united states is that u.s data privacy law is a couple steps behind where it is in europe so the more steps you start taking today to deal with european privacy laws the better you will be positioned to comply with local laws in your own state you see here in the top yellow we've got rules like the new york department of financial services cyber security rule right it's got requirements around the ciso a cyber sec program some designated roles and responsibilities well that overnight overlaps nicely with the sarbanes-oxley act right around different access controls and disaster reporting for public companies we've got state breach laws so every state in the usa has a breach notification law that has differing definitions of what data is at issue how long you have to comply who you need to tell whether it is a news agency or the attorney general or the customers directly we've also got this california consumer privacy act right the big sexy one here in the united states that we've all been focusing on recently very very gdpr-esque it's not a straight copy but you can tell that the authors of the ccpa learned a thing or two from the authors of the gdpr and so there are similar sorts of rights and requirements around risk-based approach to data protection 
actually giving rights to data subjects things around a right to access data a right to have data deleted now this only applies to businesses in california but again by virtue of the economic market in the united states by virtue of the network of suppliers and service delivery parties that you are presumably doing business with right you may have data up on an aws bucket up in the cloud on azure you may have email provided by different service providers msps what have you these rules the requirements are going to start to flow their way through the supply chain and so you see how all of this overlaps with the gdpr that is not by casual mistake that's because the authors of the gdpr sat down and thought about this years ago they tried to make a rule that would incorporate new technologies and try to build rights into those new technologies naturally legislators around the world are learning from that experience and for those of you that are on the call that have joined us internationally don't think you're off the hook here brazil and india are two big examples of countries that have national privacy laws very similar to the gdpr and there are new laws coming out every day so i'm going to kind of dial down into the ccpa because that's really my bread and butter i have read that law to know in backwards and forwards in fact i read it so much i wrote a book on it because i wanted to help make it a little bit more sensible and easier to digest so what is the ccpa it's the california consumer privacy act and it came about in 2018 much like the gdpr through kind of a funky and weird legislative history but it's the rule today it actually came into force in january of this year and it has started to be enforced since this summer so again if you're sitting there going ccpa what is this i never heard of it you're a couple of months behind the party but we're glad you've joined us we're happy to show you how it's not rocket science but it is complicated and it takes a 
little bit of effort to sort through all the rules and requirements so much like the gdpr there are jurisdictional limits on what type of business actually must comply with this law and like i said similar to the gdpr it's going to involve a little bit of territory if you are physically located in california you got to comply if you are collecting the data of california residents you've got to comply the issue for most people is they're going to say well i'm sure there are some california residence data in my database but i don't know exactly how many and who and where specifically to deal with these rules well in that case you might have to do it with everybody in your database right because this will technically only applies to the data of california residents but unless you can apply it specifically and maybe more of a technical headache than it's worth so what is required what do you need to do with these people and their data similar to the gdpr you need to understand what you're doing with their information right what data do you collect who do you give it to why are you using it how is it being stored where does it go so understand those data flows and then start to build security across those flows make sure everything is adequately protected and build in place a mechanism to respond to verifiable consumer access requests or using the parlance of gdpr data subject access requests right so people call in or they email in and they say can i get a copy of my data where is it stored can i have my data deleted you've got all the ways to actually respond to those compliantly and to that end you've got to facilitate a broader number of consumer rights most of which directly relate to transparency so it's basically about telling people what you do with their data so that they can deal with you or not so how are these two laws related from a theoretical level they're very similar and that they both expanded the scope of what's at issue right they broaden the scope 
of the type of data we're worried about the type of processing activities that we worry about they broaden the scope of consumer rights so like i said really sort of level set that balance and scale a bit more in the favor of consumers for those of us that are consumers that's good but for those of us that are running a business that can sometimes put us at odds because now we've got to deal with all these consumer rights and requests right and we have to manage them all sensibly in a cost-effective way and so to that end much like the gdpr there are various notice requirements under this gcpa where we have to have a privacy policy posted online that says certain stuff so in summary right there's a lot of areas of overlap between the gdpr and ccpa you see some of them on the slide but the main high level takeaway guys is that there's a lot of overlap between the gdpr and invariably what other local law you have to deal with because the gdpr is broad it's expansive it's all inclusive right it's like a resort in mexico once you're in you're in well everybody else is starting to pay attention all of these other laws are picking up from lessons learned both good and bad from the seats from the gdpr and they're building them into their own laws the issue for us in the united states the existential crisis that we all face is that there is not just one of these laws that you have to deal with right there's 50. 
And until the federal government can get its act together and release one common set of laws across the entire country, we're left to deal with a patchwork, or almost like a quilt, of data privacy laws all over the country and all over the globe. Now, I'm optimistic in the federal government; I like to think that they would release a law on that, but it's certainly been a busy year and we haven't even reached the election, so my hopes aren't that high. And I know I'm speaking to other attorneys and cybersecurity experts around the country; we've sort of lost faith that a law would come out this year. So maybe in 2021 we will see a USA version of the GDPR. Until then, we are left with all of these different state laws that have all of these different requirements. There are common themes, and it's easy for a privacy expert like me to pick up on those themes, but the question is how do you pick up on those themes, and how do you build a compliance program that captures the themes, deals with local issues, and sets you up for success in the future if anything were to change, right? And that's kind of, like I said, the core issue: all of these states have differing little nuances, whether it comes to their financial penalties, the timing requirements of who and where and how to report, or even how they define personal information. One of the new, exciting ones out of New York earlier this year is that they redefined their definition of covered information, and they sort of split out the difference between personal information and sensitive information, right? So you can sort of see some other states adopting that approach, where some set of rules and requirements will apply broadly to personal info, and then we'll have more strict requirements around sensitive info, like credit card details or biometric data. So again, always new developments in this space, constantly, constantly growing and changing, and you can certainly expect to see this as a topic, probably in your local state races, if you're having some this November. You may remember, like I said earlier today, California is actually having something called the CCPA 2.0 go to ballot this fall. So it's not an enhanced version of the CCPA; it's actually a wholly different version with different requirements and an adapted enforcement style, and that's going to go to voters this fall. So if that gets passed by the California voters, we're going to have a whole new conversation on the CCPA come December and January. So more to come on this topic. If you're sitting there wincing, please don't be scared, because there are nerds like me that get excited by this stuff, and we spend all day doing it because that's all we want to do.

So how can I help you, right? IT Governance has a variety of tools and technology in this space. So one of the key things that we're really good at is conducting gap analysis work. We've been working with the GDPR, and especially with European and British entities, for years now, going back before this even registered on the USA radar. So we've got a good, sensible program for conducting gap analysis work, where we can quickly tell you here's where you are today in terms of legal compliance, and from there we can give you an action plan or a project plan to actually get compliant, right? So of course there's training to educate you on this topic; there's no shortage of written material and white papers that can help educate you personally or evangelize this message across your organization. But really, like I said, the gap analysis is often one of our first key steps here, and I'm told that for anyone that's joining us today on the webinar, so the lucky group that's here, if you inquire about a gap analysis you will actually get five percent off the price, just for participating in this webinar.

And this is really kind of the end result of that gap analysis work, right? So this is a sample one that I prepared, but what we do is we go through ten key areas of compliance, whether it's GDPR, whether it's CCPA, or whether it's privacy laws generally, right? We can do specifics or all of them. We'll go through and analyze your company posture, your current project status, your current program, and we'll determine that level of compliance and give you a score, with actual iterated points that you can go through and fix to boost your score. And what's more, we put those points into a project timeline, like you see here below, a little bit of a Gantt chart, to help indicate which areas you would be best focused on in terms of your energy and attention and resourcing, and which areas we can help you with, to drive you towards a path to compliance, usually trying to get that wrapped up in a period of two to three months, right? So it's really trying to understand: hey, what do you need to do to comply with the law? Here is a list of action items. If you're interested, here's where IT Governance can help, and here's the way we would suggest rolling out this action plan in order to get you compliant.

Concrete steps you can take today, right? You'll remember at the beginning of the webinar I said that the GDPR is not really like a US law, right? It's sort of soft, it's squishy, it doesn't give us a list of things to do, and it's more of a model on how to comply. Well, I've spent enough time doing this, along with other folks at IT Governance, and we've put together an actual iterated list, so that you can tackle it with some bullet points and give some action items to team members to go and get compliant as easily and quickly as possible. To that end, like I said, I'm not just here to do the fishing for you; I also want to teach you how to fish. So there are tools and technologies that we can offer that you can pick up and use yourself, right? If you fancy yourself a fisher, grab a pole and hit the lake with me; I'll show you how to use them and we can teach you how to fish. So we can do some of the data mapping automatically behind the scenes with a data mapping tool. There are GDPR and CCPA privacy compliance toolkits to help put together things like privacy policies, the public notices, the subject access request responses and procedures. And what's more is, once you reach a level of maturity in this space, right, once you've gone through that project and you've determined that you think you are compliant, you're ready to go, you can start to assess yourself more fully and ratchet things up, batten things down on the rest of your IT security space, so that even if you are ready for the GDPR and CCPA today, you will be ready for the law in Idaho tomorrow or Rhode Island next week, right, or Connecticut or Florida or Texas or Washington or wherever it is.

So with that, that's pretty much the end of my scheduled agenda and topics for conversation. I'm opening the microphone now to questions and comments, so if you've got questions, please do send them in and I'll go through and address them. And to get started here, one of the first ones I've already received, just to get us thinking, is: what is the realistic likelihood of getting in trouble under the GDPR? Ah, the million dollar question. So I appreciate the person who sent that in; you ultimately cut to the chase here, right? What is the chance that you're actually gonna get in trouble if you sat here, listened to this and said, you know what, I'm gonna ignore it? I can't necessarily give you a percentage, right? I can't necessarily tell you how likely it is that you're going to get hit. It's kind of similar to saying: hey, we're about to climb over the trenches in World War One; I can't tell you how likely it is you're going to be shot, but I can tell you there's bullets flying everywhere. And what I would tell you, from my experience now doing this work for a number of years, is: don't necessarily focus on the idea that you are going to get caught or not caught. I find that to be a very American sort of cultural approach to legal compliance. The idea: the risk is not getting caught; the risk is getting caught with your pants down, right? Because I can tell you realistically, what are the chances that a European court sends a regulator over to your office? It's probably pretty slim. What's more likely to happen is that one of your business partners is going to come to you asking questions about this, and you will not be in a position to respond. Best case scenario, you look foolish; worst case scenario, you actually hurt your business, in terms of a lost bid, a customer or supplier who pulls a contract, or even potential liability coming directly from end users and data subjects, right? If you don't have a canned response ready to go, they might just turn around and refer you to a regulatory authority in the EU, and then it's not a matter of that regulatory authority hunting you down; they already got a complaint sitting in their inbox saying, hey, go look at these people, right? So what I always tell people, again, is don't try to focus on what you think the risk is in terms of getting caught; think about the risk in terms of getting caught with your pants down. All of you that have participated in the webinar today, you're business professionals running a professional organization, and to that end you want that organization to run smoothly, efficiently and, like I just said, professionally, right? You want to make sure that all your t's are crossed and your i's are dotted. And so as more and more European companies, customers and suppliers are asking about this so that they can protect themselves from legal liability, they're going to start to ask their American partners with increasing levels of scrutiny and due diligence, and you need to be prepared. So whether, like I said, that's signing up for an RFP, filling out bid paperwork, perhaps you are in the process of going through a corporate acquisition and there's a little bit of due diligence coming from you; it could also be that you are being requested by your own shareholders and business partners to comment on this, because, as is often the case when there are landmark legal rulings, companies that have the money, that have the wherewithal and that have the foresight often get out in front of these issues, and they start to protect themselves and draw a moat of liability around them. So they start to reach out to their suppliers and partners and say: I'm sure you've heard of this issue; tell us what you're doing to protect us in that space. So like I said, by the time you receive that questionnaire, you are already expected to have an answer. It's not going to be appropriate to say, well, give us a couple months and we'll get back to you, right? You want to make sure you know what you're doing today, what your plan is going to be tomorrow, and then you can get back to focusing on the things that keep the lights running, right, the sales and marketing activities that ultimately pay the bills here. So that was a good question; I appreciate that one coming in. That's often what people want to know: how likely am I going to be caught? I can't really tell you, but I can certainly tell you that your partners and your customers are going to ask you, presumably long before regulators, and the problem is you want to make sure that you give them good, happy answers, because they could turn around and call the regulators on your behalf.

So I don't know if there are any more questions from the audience; I don't see any more in my chat feature here. If there are, feel free to send them in, but if not, I appreciate everyone for joining this morning. I know we're coming off Labor Day weekend and it's a bit brisk and cold in different parts of the States, but that does not mean that we can shut our minds off to this issue. There are constant updates coming from European regulators, whether in local jurisdictions or at the regional level, and so as a result there will be continual news in this space. I see there are more questions, so bear with me. Okay, okay, so I see a question here that says: what is your company working on behalf of a government agency? I'm not sure I understand the question, so if whoever sent that question can perhaps elaborate more, we could just discuss that; I'm not quite sure what you're asking out there. Some other questions are coming in here: what about companies that sell everything about you, for example White Pages, the companies that tell you criminal activity, salary, etc.? Ah, great question, great question. So with that, I mean, ultimately that's gonna be a problem for compliance for those companies. So what you'd have to consider is how are they collecting this data from Europeans and how are they transferring it to the United States. Certainly those types of companies collect and process a lot of data, so their compliance plan is a little bit longer and more complicated, right? The question, I think I'm trying to read into the question perhaps too deeply, because ultimately, in theory, it's not a problem for a company to collect data about someone and post that on the internet, right? In theory that can be fine, as long as that activity is done compliantly. The question for all of us right now is how do we sort of engage this US-EU transfer, and those companies are pretty much fundamentally in the same boat as many of the rest of us, right, kind of looking at contracts or perhaps encryption, other technological tools, to build up that adequate level of protection.

Okay, okay, so I've got some follow-up here, referring to the slide of all the overlaps. This one: doesn't this full disclosure of sub-processors occur all the way down the supply chain? Doesn't this limit competitive advantage? Ah, interesting. For example, if a supplier company offers a service for the customer as the data controller. Aha, interesting, yes, great question. So whoever sent that in with the follow-up, that's a great question, and I'll try to summarize it for the group here. So ultimately the question is, you know, under the GDPR data controllers are required to work with data processors, and in turn everybody in sort of a data supply chain is supposed to be on the same page about service providers. So as an example, if I give my data to Mario Kart Limited, Mario Kart Limited should explain: here's all the sub-processors where your data in turn will go, right? Well, some is going to go to AWS, and some is going to go to Oracle, and some is going to go to Marketo, and some is going to go to whoever, right? And so the question is, ultimately, doesn't that fundamental practice of having to sort of explain or detail all of these sub-processors, doesn't that hurt competitive advantage? Because basically, as the example is well worded here, let's say a supplier company offers a service directly to consumers: does that supplier really have to offer the consumer a copy of all of the agreements of all of the sub-processors that would sort of normally be behind the curtain? Yes and no, yes and no. The issue that you need to focus on there is transparency and notification, and different companies have come up with different unique strategies to kind of get at that issue. And so what I would say in that space is, again, you sort of need to advise data subjects of where their data is going to go and what party may receive it, but as it relates to creating a straight sort of list of those service providers, that's probably more than you may be required to do, and it also depends on who you give that list to, right? I'm not necessarily saying that list needs to be publicly posted on the website. As an example, just as an example here, and I'm not commenting on the benefits or the pros or cons, but just as an example, some companies will do it this way: they will hand you a contract, and as a part of that contract will be a piece of paper stapled with all of the service providers, and so, hey, if you give your data to us, here's everywhere else it's going to go. Now how do we manage changes to that list? We're not going to send you a new piece of paper; we're going to post it on a portal that you can access, only you, and that will be updated. It will always be live and up to date, so you know, hey, maybe once every 60 or 90 days check that; if there's any changes or problems, you reach out to us, but if we don't hear anything, we will assume you are fine with it. Just one potential style to approach that problem. But yes, I think I see the point of the question, and that's sort of the weird thing with GDPR: like I said, there's these requirements, they're very like schematic elements around transparency, notification, access; they don't necessarily spell out specifically how to cross the compliance bar. And so what we have to do, you, me, everybody, we've got to come up with creative ways that meet the compliance requirements and ultimately meet the legal need, right, for transparency, without giving up so much transparency that it hurts our business and we're explaining basically how things work, how our tools work, and how a competitor could reverse engineer those tools. So hopefully that response kind of answered the question a bit.

I see here some comments around the call audio. I see another question: what actions are the regulators required to undertake in Asian countries for GDPR compliance? That's a great question. Keep in mind GDPR is a European rule that only applies to European countries, so the question that is left on everyone's mind is: hey, is this finding applied to the United States? What about all these other countries that have similar data regimes, right? What about Australia, the UK? Some people have questioned Germany, certainly countries like China, Thailand, Malaysia and Singapore; I'm rattling off others at this point. That's a question for all of us, I think. Ultimately, to me, this court ruling from Schrems II has indicated that transferring data to countries that do not have adequate levels of protection will now be looked at with more scrutiny. So it doesn't matter if you are in the United States or Uruguay (actually Uruguay may be a bad example, because they may have adequacy), but regardless of whether you're in the United States, Asia, Africa, Europe, we're going to start to look at these things in more detail.

Okay, another question here: I wanted to ask, in the new normal of the COVID-19 pandemic, if companies decide to take temperature and use a thermodetector that also scans the face, does the company need to update their privacy policy? I would say yes, and on that topic specifically, there have been a lot of regulators that have released specific guidance on temperature taking and, like, employee safety on bringing people back in the office. So what I would point you to there, right, without getting too much into the weeds on this call, is to look at your local jurisdictional authority in Europe and see what kind of guidance they've released, because I know, paying attention to the news headlines over the course of this year, there is a lot of updates on that. And I would say, if I was you, I wouldn't update your company privacy policy; I would create a COVID-19 health privacy policy, right? And then that way your main policy on your website is kind of more static, whereas this one is maybe more subject to change, like you said, in the new normal, depending on the processes that are going on, right: taking temperatures, thermal scans, what have you. Yep, great question, great question. Like I said, yeah, because this person asked about consent again: my best advice for you would be to check out your local regulatory authority in the EU. Some of them, like the French, I believe, even have some templates and tools available to kind of help you along if you are in that position where you're trying to bring folks back into the physical office and you have to take their temperature or other health-related data. Keep in mind that's personal data, right? So all of these same rules are going to apply to that activity. It's just kind of different, because this is not really normal; it's not the way we do it all the time, right? It's more, hopefully, a temporary thing until we kind of smash this COVID on the head, right?

So if there are no other questions, and I'm just scanning, if there are no other questions, I appreciate everyone's attention and interest. Happy to talk to you about this in more detail. Like I said, don't hesitate to reach out to us; you can find us on all the main social media channels. You can also reach out to me directly; my contact information is located on the slide somewhere, and so I'm happy to talk to folks in more detail or depth about these issues. Yeah, and that's really all I've got to say. So again, thank you all for joining; much appreciated, the time especially, and your patience as we go through these complex questions and this sticky, chaotic topic, right? There's going to be more in this space coming from us. We are actually hoping to have a webinar series over the course of the fall where we will be working with our counterparts in the EU and the UK to discuss what does this look like from their side of the fence, and how seriously are they taking it, do a little bit of America versus Europe. So stay tuned there; be sure to check out my LinkedIn page for any updates, and of course feel free to find me there, comment accordingly, and let me know what you thought of the presentation. Thank you all for joining; your time is appreciated, and with that, enjoy the rest of your week, and stay compliant, keep data private, and stay safe. Thank you.