TrustArc Blog

TrustArc à la Française – IAPP Data Protection Intensive: France 2019 Recap

February 21, 2019

From February 11-13, 2019, TrustArc was très content to again engage in discussions with regulators, global privacy experts, partners and customers old and new along the banks of the Seine in Paris.  

This began with an IAPP Knowledgenet titled “Recent News in International Data Transfers,” which featured Florence Raynal, Head of the Department of European and International Affairs at the French CNIL, and Olivier Proust, a partner at FieldFisher law firm.  The event, held at Vivendi’s global headquarters next to the Arc de Triomphe, saw a wide-ranging discussion of tremendous interest to the question-posing audience.  

Topics included:

  • The recent European Commission-Japan adequacy decision and reciprocal data transfer pact (see here for information about TrustArc’s APEC Cross-Border Privacy Rules (CBPR) and Privacy Recognition for Processors (PRP) certifications);
  • Current events in global data protection laws, such as in South Korea and Brazil;
  • The development of codes of conduct, including the EU Cloud Code of Conduct, and certifications under the GDPR;
  • The California Consumer Privacy Act (see here for TrustArc’s CCPA offerings) and the possibility of a federal privacy law in the United States; and
  • Data controller and processor contracts, extraterritoriality and Article 27 representatives.

IAPP DPI Conference.  Avec plaisir TrustArc exhibited, sponsored and partook in the IAPP’s Data Protection Intensive conference, which welcomed visitors from across the EEA and beyond.  A bilingual event with dual French and English tracks, the conference covered all bases.

Insights gleaned from the sessions’ panelists and during conversations in the margins of the conference included:

  • First-hand discussions of the importance of data mapping, inventorying and record-keeping; raising workforce awareness and training (including for IT and HR departments); and real-world examples of the ways in which robust data governance is business-enabling;
  • Means of mitigating risk when working with data processors under the GDPR, such as through a risk-based due diligence approach to vendor assessments; using data flow mapping to recognize areas of possible co-controller relationships; cascading obligations onto subprocessors; and the limits of cyber-risk insurance;
  • The use of online training games by data protection officers (DPOs) to engage employees to help identify a company’s third parties; and the necessity of KPIs and reporting dashboards for DPOs to oversee an organization’s data processing activities to further accountability;
  • Practical means for identifying and mitigating high risk for purposes of data protection impact assessments (see here for more information about TrustArc’s algorithm-powered, risk-calculating Intelligence Engine)–and determinations of when DPIAs are not necessary;
  • Enforcement priorities in the form of a push by regulators to investigate consumer-initiated complaints, and a lack of tolerance for not providing notifications in the event of obvious data breaches; and
  • Tips on operationalizing GDPR Article 25 Data Protection by Design and by Default through defining technical and organizational measures for a company; how to be mindful of context when determining risk; and thinking through the entire lifecycle of data, including data retention periods.

For more information about how TrustArc can provide its more than two decades of experience to assist your organization with privacy compliance technology solutions, tailored consulting engagements or organizational certifications/verifications/validations, contact TrustArc today.  Merci beaucoup!