THE AGE OF SAFE HARBOR IS OVER. 10 Practical Tips to Prepare for the New Privacy Shield Era
March 21, 2016

PROGRAM AGENDA

> WELCOME, INTRODUCTIONS AND OPENING REMARKS
> PRIVACY SHIELD GUIDANCE FROM U.S. DEPARTMENT OF COMMERCE
> 10 TIPS COMPANIES ARE USING TO TRANSITION TO PRIVACY SHIELD
> LEADING PRACTITIONER ROUNDTABLE
> QUESTIONS & ANSWERS


WELCOME, INTRODUCTIONS AND OPENING REMARKS
Brian Kudowitz, Commercial Product Director – IP, Privacy & Data Security, Tech & Telecom, Bloomberg BNA


PRIVACY SHIELD GUIDANCE
Ted Dean, Deputy Assistant Secretary for Services, International Trade Administration, U.S. Department of Commerce


10 TIPS COMPANIES ARE USING TO TRANSITION TO PRIVACY SHIELD
Jim Koenig, Leader, PH Privacy & Cyber Implementation Solutions, Paul Hastings LLP


TEN TIPS TO CONSIDER IN TRANSITION TO PRIVACY SHIELD
IDEAS OTHERS ARE CONSIDERING . . . STRATEGIC

1. Communicate - Same Principles, Not Same Program.
 o Big differences depending on who you are and certain risk factors (see tip 4 below).

2. Consider Biggest Areas of Change - Onward Transfers and Redress.
 o Leverage expertise/experience from analogies under GLBA, HIPAA, Safe Harbor and other regimes.

3. Communicate/Budget Privacy Shield as Part of Larger Global Progression.
 o GDPR and other laws will require additional investment and internal partnership in the underlying good data hygiene, data management, and data use and sharing practices.

4. Consider Certain Risk Factors Specific to Your Company.
 o Business Needs
 o Global Footprint
 o Exposure to EU Citizens, Workforce, Outsourcing and Cloud
 o Maturity of Privacy Program, Including Redress Program
 o Sophistication of Vendor Management and State of Contracts
 o Types and Sensitivity of Data and Data Elements
 o Target of Consumers and/or Regulators
 o B2B vs. B2C


TEN TIPS TO CONSIDER IN TRANSITION TO PRIVACY SHIELD

Simplifying Certification into Four Workstreams. Many companies architect the key activities for Certification under EU-US Privacy Shield as follows:

Workstream 1: Privacy Shield Policy & Compliance (Principles covered: 1. Notice, 2. Choice, 3. Access, 4. Data Integrity/Purpose Limitation, 5. Recourse & Enforcement)
• Draft/Update New Policy
• Enhance Underlying Compliance (redress, opt-in/opt-out, retention)

Workstream 2: Privacy Shield Scoping/Security/Questionnaire (Principle covered: 6. Security)
• Review Prior Scoping / Diligence
• Document Compliance with Questionnaire

Workstream 3: Contract Addendum (Principle covered: 7. Onward Transfer)
• Draft Addendum
• Enter into with Priority/All Vendors

Workstream 4: Documentation and Compliance (Certification Preparation)
• Draft Gap Assessment Report and Build Binder
• Update and Deliver Training


TEN TIPS TO CONSIDER IN TRANSITION TO PRIVACY SHIELD
IDEAS OTHERS ARE CONSIDERING . . . TACTICAL

5. Confirm Scoping Before Moving Forward.
 o Do not just scope EU data. Scope for security, data uses and other types of data.

6. Create Privacy Shield Policy, but Consider Broader Coverage and Delivery.
 o Consider policy coverage options – global, enterprise, all data, not just Privacy Shield data.
 o New provisions under Privacy Shield include (i) Enforcement Body, (ii) New Arbitration Right, (iii) Government Disclosures and (iv) Onward Transfer Liability.
 o Consider effectiveness of delivery points – EU Promise.

7. Enhance/Create Vendor Management Program.
 o New requirements:
   o Limitation and Contractual Requirement
   o Controller Liability Assumed in First Instance
 o Update supplier contracts (if not already done). Note the 9-Month Phase-In Timing for Companies Certifying in the First 2 Months of Privacy Shield.
 o Build policy and infrastructure to support ongoing requirements.


TEN TIPS TO CONSIDER IN TRANSITION TO PRIVACY SHIELD
IDEAS OTHERS ARE CONSIDERING . . . TACTICAL

8. Enhance Formalization of Compliance Preparation and Documentation.
 o Evidence of compliance is subject to DoC/FTC inquiry/review and must be available upon request.
 o New monitoring of compliance through detailed questionnaires sent in response to triggers.
 o Sanctions and removal for persistent failure to comply – New Wall of Shame.

9. Prepare for New Redress Timelines and Process for Misuse of Data.
 o Lodge a complaint with the company itself – Reply must be within 45 days.
 o Use alternative dispute resolution.
 o Individuals can now refer a complaint to their 'Home' DPA.
 o Companies are obligated to cooperate with DPAs for HR Data.
 o Advice Given by Panel of DPAs – Generally within a 60-Day Timeframe.
 o DoC/FTC referrals and other consequences for failure to comply within 25 days.
 o Privacy Shield Panel - New Arbitration Mechanism as a Last Resort.
 o Cannot be invoked for HR data and in other circumstances.

10. Do Not Hyperventilate.
 o Take advantage of the focus to help your company and be seen as a trusted problem solver.


LEADING PRACTITIONER ROUNDTABLE

PANELISTS
► Christina Peters, Chief Privacy Officer, IBM
► JoAnn Stonier, EVP, Chief Information Governance & Privacy Officer, MasterCard
► Hilary Wandall, AVP, Compliance and Chief Privacy Officer, Merck
► Jim (James) Koenig, Leader, PH Privacy & Cyber Implementation Solutions, Paul Hastings (Moderator)

QUESTIONS & ANSWERS

QUESTIONS & PRESENTATION COPIES

Jim Koenig, +1.610.246.4426, [email protected]