
Breakout Sessions

 


 

For session times and to view a complete conference schedule, visit the At-A-Glance.

 

  CONVERSATIONS IN PRIVACY

 

Current and Future Trends in a Digital World

Siobhan MacDermott, Chief Policy Officer, AVG Technologies 
Erika Mann, Managing Director, Public Policy, Facebook
Aurélie Pols, CVO, Mind Your Privacy
Florian Stahl, CIPP/IT, Lead Consultant Information Security, msg systems ag

Privacy faces new business challenges on a daily basis, induced by rapid technological evolution as legislation struggles to keep up to date. Many of these digital developments, like analytics, big data, mobile, social networks and other future trends remain misunderstood by businesses, legislators and citizens for various reasons, leading to the proposal of the EU General Data Protection Regulation (GDPR). This session explores some of these topics from a privacy and business perspective, including the influence of the GDPR. Specifically, we’ll look at social networks, with their often non-transparent business model to optimise the sale of contextual advertising by analyzing user behavior. It appears that people with higher levels of education tend to understand the related privacy issues better and avoid posting sensitive information or abstain from using social networks as a whole, which results in a kind of discrimination. Additionally, we’ll put digital analytics best practices, big data feeds and flows between tools and continents, mainly linked to cloud computing, in parallel with legislation, and show which steps to undertake for legal compliance, how to train for data protection and how to assure minimal liability now and in the future.

Presentation

International Data Transfers: A Dialogue with Peter Hustinx

Interviewer: Christopher Kuner, Senior Counsel, Wilson Sonsini Goodrich & Rosati
Peter Hustinx, European Data Protection Supervisor

Peter Hustinx has dealt with the regulation of international data transfers over several decades as Dutch data protection commissioner, chair of the Article 29 Working Party and European data protection supervisor. Christopher Kuner, who has dealt with the subject as a lawyer, academic and writer, will engage in a dialogue with Hustinx to discuss what lessons he has learned and where he sees the regulation of international data transfers headed both in the reform of EU data protection law and worldwide. You can even join the conversation during the Q&A portion of the discussion.

What you’ll take away:

  • Insights into where regulation of international data transfers is headed in the future

Through the Regulators’ Lens

Moderator: Wim Nauwelaerts, Partner, Hunton & Williams LLP
Willem Debeuckelaere, Chairman, Belgian Data Protection Authority
Billy Hawkes, Data Protection Commissioner of Ireland
Nataša Pirc Musar, Information Commissioner for the Republic of Slovenia
Wojciech Rafał Wiewiórowski, Polish Inspector General, Personal Data Protection

The proposed regulation envisages a very different role for DPAs, with much stronger enforcement powers. How will the role of the DPA change? Will DPAs adopt a stronger enforcement focus, or will they continue their focus on education and guidance? What particular issues do DPAs expect to focus their enforcement activities on in the next three years?

What you’ll take away:

  • Compare and contrast differing approaches to enforcement across the EU
  • Highlight areas that regulators regard as “hot” enforcement topics

The Two Faces of Big Data and Marketing Intelligence

Moderator: Sachiko Scheuing, CIPP/E, European Privacy Officer, Acxiom Corporation
Mathilde Fiquet, Policy Advisor, Federation of European Direct and Interactive Marketing (FEDMA)
Andreas Krisch, President, European Digital Rights Association (EDRi)

EU Commission Vice President Viviane Reding said in a recent speech that ‘big data is potentially big business’ but it ‘can only work if people have confidence that their data is safe’. Join this interactive debate between representatives of the marketing industry and the European Digital Rights association, and separate the myths from reality.

 

  DATA GOVERNANCE, ACCOUNTABILITY AND PbD

 

Change Management from Mere Privacy Compliance to Business Strategy

Peter Katko, Partner, Head of IP/IT Law, Ernst & Young Law GmbH
Stefan Weiss, CIPP/US, Global Data Protection Officer, Swiss Reinsurance Company Ltd.

Companies often see privacy more as an administrative burden than as a source of value and competitive advantage. The speakers will share their experience and trigger a debate on how to convince management and employees that moving from compliance to strategy is not only possible but also advisable.

What you’ll take away:

  • Food for thought on shifting from compliance to strategy

Presentation

Customer Data at Risk—Why Simple Compliance is Not Enough!

Daniel Hallen, CEO, Dahamoo
Florian Stahl, CIPP/IT, Lead Consultant Information Security, msg systems ag

The amount of customer data within corporations has increased significantly in the past years due to the collection of more details about customers and cheaper storage space. Also, more sophisticated tools have made it easy to extract enormous value out of it (big data). As a result, the 'value at risk' is the largest ever, and so is the complexity of systems and business dynamics. Although companies have deployed control frameworks and risk management systems, we’ve found that these measures too often fail to protect customer data and detect vulnerabilities in real-life scenarios. Come learn about a new practice called Helicopter Assessment that is apt to assess customer data security in a more efficient and flexible (helicopter-like) way than traditional, top-down compliance approaches or popular management systems. We will show outcomes of real-life Helicopter Assessments, explain findings in detail and give anonymised examples of privacy incidents and their causes.

Presentation

Privacy Essentials for SMEs


Sietske de Groot, Senior Advisor EU and International Affairs, Federation of Small Business
Rosemary Jay, Senior Attorney, Hunton & Williams LLP
David Smith, Deputy Commissioner, Information Commissioner’s Office (UK)

Small and medium enterprises (SMEs) play a crucial role in the economies of Europe. Many SMEs collect vast quantities of data, sometimes sensitive data, yet do not have the resources or corporate compliance structures that larger organisations, with more sophisticated privacy programmes, do. So how do SMEs address privacy in a practical way? What do regulators expect? How will the landscape change under the proposed regulation? Come find out in this illuminating discussion.

What you’ll take away:

  • Practical compliance tips from others in similar-sized organisations

Presentation

Timing, Strategy and Tools for BCR Implementation

Daniela Fabian Masoch, Global Head Data Privacy, Novartis International AG
Fabrice Naftalski, CIPP/E, Partner, Ernst & Young, société d'avocats
Florence Raynal, Head of International and European Services, CNIL

Here, you’ll gain the unique perspectives and firsthand experiences of a regulator, a global data privacy officer from a multinational and a BCR data protection expert as they explore the challenges of BCR implementation. You’ll learn best practices for a successful implementation process, including information on reasonable timeframes, guidelines to meet DPA expectations when performing a BCR-related audit, existing and future referentials to perform BCR audits (e.g., from the Article 29 Working Party, professional organisations, etc.), approaches to favor or to avoid, identification of the right in-house stakeholders, risks to prevent and more.

What you’ll take away:

  • Guidelines and tools for performing a BCR implementation audit
  • Clarification on data protection authority expectations
 

  EMPLOYEE PRIVACY

 

Background Checks: Balancing Business Risk and Data Privacy/Protection

Vivienne Artz, Managing Director, IP and O&T Law Group, Citigroup, Inc.
Traci Canning, CIPP/US, CIPP/E, CIPP/IT, SVP/Managing Director, First Advantage Europe
Maxime Pigeon, Partner, Osborne Clarke

Background checks. Vetting. Pre-employment screening. Such terms seem counter to the principles of privacy. As businesses implement risk management strategies across their organisations, how can they ensure that data privacy and data protection are not left behind?

Presentation 1, Presentation 2, Presentation 3

BYOD Do’s and Don’ts

Richard Cumbley, TMT Partner, London, Linklaters LLP
Achim Klabunde, Head of Sector IT Policy, European Data Protection Supervisor (EDPS)
Krys O’Meara, Global Privacy & Security Counsel, Vodafone

Bring Your Own Device (BYOD) schemes, whereby employees may use their personal devices for professional purposes, are becoming increasingly common. Join an expert panel to discuss the key privacy implications and issues of BYOD schemes in the EU, such as the right for employers to monitor the use/content of personal devices, the ability to erase content at a distance in cases of device loss/theft and the potential liability for employers towards employees as a result. More generally, we will address the consequences of the mixing of private and professional data and the technical and organisational measures companies should take when implementing BYOD, including appropriate policies.

What you’ll take away:

  • Be better equipped to roll out BYOD schemes
  • An understanding of pitfalls and best practices

Internal and External Investigations: The Data Protection Challenge

Ann Bevitt, Partner, Morrison & Foerster LLP
Monika Tomczak-Górlikowska, Associate, Miller Canfield

Maintaining data protection compliance presents many problems for organisations dealing with internal and external investigations regarding their handling of employee data. Whether dealing with internal investigations into employee wrongdoing or external requests from regulators, organisations face myriad considerations, including: cross-border challenges; employee monitoring; disclosure to third parties; what notice, consents and registrations may be needed; and other obligations, such as consulting with works councils.

What you’ll take away:

  • The challenges cross-border investigations present and how you can mitigate them
  • DPA notice, consents and approval requirements

Presentation

 

  EU DATA PROTECTION REFORM AND APPLICABLE LAW

 

EU Data Protection Reform: State of Play on Key Issues

Moderator: Isabelle Falque-Pierrotin, President, CNIL
Ralf Bendrath, Senior Policy Advisor to Jan Philipp Albrecht MEP, European Parliament
Marie-Hélène Boulanger, Head of the Data Protection Unit, European Commission
Seamus Carroll, Head of Data Protection Unit, Ireland's Department of Justice and Equality

CNIL President Isabelle Falque-Pierrotin will moderate stakeholders of the trilogue negotiations on the EU Data Protection Regulation. This lively discussion will touch on the state of play of the negotiations, provide an overview of the positions of the European Parliament, Commission and Council of the European Union, and explore how any compromise solutions have been reached and must be interpreted. The session will focus on the most direct practical consequences of the data protection reform for businesses and privacy professionals, with particular attention to accountability obligations, the role of DPOs, obligations toward data subjects, controls and sanctions.

What you’ll take away:

  • Update on EU regulation status
  • An awareness about the complexity of the debate
  • Insight and food for thought on the coming evolutions in the data protection field

Regulating Information and Network Security: From Theory to Practice

Rosa Barcelo, Policy Coordinator (Privacy, Trust and Related Aspects), European Commission
Jan de Blauwe, Chief Information and Security Officer, BNP Paribas Fortis
Tom De Cordier, Counsel, Allen & Overy LLP

During this session, you’ll hear directly from a senior representative of the EU Commission on the current status of the commission’s proposal for a directive on network and information security. Then, the chief information security officer at one of the world's leading banks will discuss how his organisation deals with network and information security and how it plans to address the challenges resulting from new initiatives in this area (including the draft directive on network and information security and the draft general data protection regulation). During the Q&A, you can direct questions to the panel and share your own thoughts on this rapidly evolving topic.

What you’ll take away:

  • A status update on these legislative initiatives and their passage through the legislative process
  • Insight into how to put new network and information security requirements into practice in a multinational corporate environment

Presentation

To Be or Not To Be a Data Controller or Processor, That Is the Question

Jonathan D. Avila, CIPP/US, CIPP/E, VP, Chief Privacy Officer, Wal-Mart Stores Inc.
Sue Gold, Partner, Osborne Clarke
Michelle Levin, EMEA Privacy Counsel, Aon UK Limited

With complex outsourcing and international group set-ups, it is not easy to determine whether an entity is a controller, processor or both! Come explore some of the practical challenges in identifying the respective roles both intragroup and with third parties, how to document respective roles and how to determine the applicable law presently and under the future regulation, including breach notifications, expanding responsibilities for processors and documenting respective roles where there are joint controllers.

What you’ll take away:

  • Insight on determining controller and processor roles
  • A better understanding of the potential impact of the new regulation on defining controllers and processors

Handout, Presentation 1, Presentation 2, Presentation 3

 

  MARKETING AND BIG DATA

 

The 5 Keys to Marrying Up Big Data and Privacy by Design

Ronald Koorn, EMEA Privacy Partner, KPMG Netherlands
Joris Lindenhovius, Manager, KPN Data Institute

In this informative session, we’ll explore the current and possible types of big data initiatives in which personal profiling takes place and discuss how to overcome or limit the privacy impacts, from both EU and U.S. perspectives. We’ll ask five crucial questions: (1) Which parts of EU legislation and regulation are applicable to big data? (2) What privacy effects are caused by big data projects (identified by using PIA)? (3) How can specific privacy requirements be derived? (4) Which contractual, technical or procedural solutions can be used to meet these requirements? (5) How do we realise and maintain a privacy-compliant state for big data? Using two case studies from different industry sectors, we’ll explore and illustrate the answers to these questions, and you’ll have the opportunity to discuss your own challenges and the solutions you’ve tried.

What you’ll take away:

  • An understanding of the main requirements and potential solutions for privacy-compliant data analytics
  • Insight on the technical solutions (e.g., anonymisation and pseudonymisation)

Presentation 1, Presentation 2

Big Data: The Truth Shall Set You Free

Simon Hania, Chief Privacy Officer, TomTom
Alex van der Wolk, Attorney, De Brauw Blackstone Westbroek

Without a doubt, a trending topic in privacy is big data analysis. Companies are discovering the potential of analysing large amounts of data, from finding correlations and inferences previously unknown to making predictions about general trends or individual behaviour. Regulators, however, are looking critically at this practice. The EP’s proposals regarding the new privacy regulation are aimed at limiting big data applications. The Article 29 Working Party is also fierce in its requirements but seems to provide a little more leeway. But is all analysis of big data always as disruptive as it seems? Join us as we provide an overview of the potential applications of big data analysis and look at best practices for implementing such programmes. Based on hands-on experiences with implementation and recent discussions with the Dutch data protection authority following enforcement, we will discuss the truth about big data, providing specific examples of how analysis applications can be made possible.

What you’ll take away:

  • Best practices for implementing analysis programmes
  • Insight on making a big data analysis programme privacy compliant

Presentation 1, Presentation 2

The Naked Customer—Maximisation of Customer Data vs. Data Privacy

Manuela G. Czowalla, General Counsel, Oliver Schrott Kommunikation GmbH
Sergej Schlotthauer, CEO, Board of Directors, EgoSecure
Katharina A. Weimer, Associate, Reed Smith

Don’t miss this chance to explore the permissible maximum use of personal data obtained in e-commerce scenarios, including profile building, data sale, targeted advertising and other topics with an expert panel.

What you’ll take away:

  • Anticipation of the hurdles when doing e-business in Europe

Presentation

 

  ONLINE AND MOBILE PRIVACY

 

Anticipating Explicit Consent: How Companies Are Preparing for the New Regulation with Better Consent Mechanisms for Advanced Data Uses

Moderator: Christopher Docksey, Director, European Data Protection Supervisor
Iain Bourne, Group Manager (Policy Delivery), UK Information Commissioner’s Office
Nicholas Crown, CIPP/IT, Director of Product Strategy, UnboundID
Stephen John Deadman, Group Privacy Officer and Head of Legal - Privacy, Security and Content Standards, Vodafone Group Services Limited
Richard Szostak, Member of the Cabinet of Viviane Reding, European Commission

The new regulation is almost certain to include stricter requirements for collecting consent. Even if we don’t see the proposals for explicit consent come into force, consumers, regulators and advocates are demanding that companies improve transparency and customer controls over data use. What does consumer research tell us about consent? What are companies doing to adapt to this new environment? And what can we learn from emerging best practices? Vodafone will present extensive consumer research done over the last year in markets throughout Europe, Asia and the Middle East on this topic, and unveil a new customer permissions interface designed to address consumer needs and stay ahead of regulation.

What you’ll take away:

  • Best practices for transparency and consent mechanisms that can comply with new regulation

Presentation 1, Presentation 2

 

  PRIVACY AND TECHNOLOGY

 

CPOs and CSOs: Bridging the Gap

Klaas Bruin, Corporate Privacy Officer, KLM Royal Dutch Airlines
Bruno Rasle, Délégué général, AFCDP
Herwig Thyssens, Privacy Officer, SWIFT

There is no data privacy without data security. Privacy officers and security managers may have different profiles and missions, but they must collaborate in order to achieve their goals. This session proposes to explore the potential and necessary synergies between the roles of CPOs and CSOs, including in areas such as the drafting of policies, the development of prevention processes and tools (DLP, IDS, etc.), security breaches and audit. The panel will share real-life examples of how CPOs and CSOs work together and address privacy compliance, and share tips on which tools and processes they have developed.

What you’ll take away:

  • Eye-opening experience sharing on bridging the gap between two different professions
  • Key areas of cooperation between privacy and security specialists

Presentation

A Data Protection Pro’s Introduction to Encryption

Bavo Van den Heuvel, CIPP/E, Cranium bvba

Want to better understand your IT team and the technologies used to protect data? Come learn some basic cryptographic technologies and their underlying mechanisms. In this informative session geared toward those working outside of the IT department, you’ll learn the basics of digital signature, file encryption and https, as well as symmetrical and asymmetrical keys, hashes and certificates.

What you’ll take away:

  • An introduction to cryptography, and why it’s a cornerstone in many exchanges of personal data
  • Insight on the role of symmetrical and asymmetrical keys and hashing
  • An understanding of pitfalls and best practices

Presentation

Wearable Technology: Separating Fact from Fiction

Jan-Keno Janssen, Tech Journalist, German PC Magazine
Yann Padova, Senior Counsel, Baker & McKenzie SCP
Karin Retzer, Partner, Morrison Foerster LLP

Wearable technologies are creating quite a stir in data privacy circles worldwide—but is all this noise well founded? What are these technologies actually capable of? Do they really push privacy to the brink or are we only witnessing just another technology-driven change in social culture? Join a panel of experts sharing firsthand insights into the privacy issues around leading-edge wearable devices. A former DPA head will touch on regulatory aspects of wearable computing devices, a tech journalist will share firsthand insight into how people react to their use and a lawyer experienced in counseling tech start-ups will present practical ideas about how tech companies can develop solutions around wearable computing devices and yet stay clear of privacy issues.

 

  ADDITIONAL EXPERTISE

 

Building Trust with Privacy by Design

Alexander Hanff, Privacy Consultant, StartMail.com

Here, we’ll focus on the principles of Privacy by Design and how to use privacy as a competitive differentiator. With potential changes to the EU data protection regime, it is critical that organisations innovate and find ways to build revenues with privacy-embracing products/services and to move away from the “risk management” attitude of the last two decades. Since early summer and the revelations of Edward Snowden, consumer trust is at an all-time low, and we are starting to see concerns within industry as well, with catastrophic predictions for reduced revenues in the cloud and SaaS sector. The European Parliament and Commission are both re-evaluating the data protection and Safe Harbour agreements currently in place with other countries, particularly the US; and the rest of the world is watching to see how Europe deals with the current privacy and security crisis. But the focus is not just external: There is a great deal of pressure internally, as it has been disclosed that many EU member states have been facilitating or cooperating with foreign agencies to bypass existing restrictions in EU regulations. As such, it is now critical to rebuild trust in secure communications by lifting the bar on best practices and implementing more of the principles of Privacy by Design. We need to start utilising strong encryption as a foundation to all communications, whether they are e-commerce, IP telephony, e-mail or cloud services. We need to move away from using privacy as currency and embrace emerging privacy-enhancing technologies.

Presentation

Disruptive Technologies: Can the Legislators Keep Up?

Yves Le Roux, Principal Consultant CA Technologies and EMEA Advisory Board Member, (ISC)2

Information security is falling victim to the disruptive changes introduced by the latest trends in information technology: bring your own device (BYOD), cloud computing and social networking. Today, a corporation’s systems development, and therefore that of its technical security controls, is slipping away from the carefully planned IT strategy. This is occurring as European governments and the EU are making great efforts to recognise and control information security risk. The EU, with its release of a new cybersecurity strategy, part of its digital agenda for economic growth, is working to set a framework for all. This development should move us forward with better awareness, driving consumer and corporate accountability. It does make for a very challenging management landscape, however, as new expectations for compliance become increasingly difficult and in some cases perhaps technically impossible to achieve. While regulators have recognised that the preservation of the EU’s values around privacy comes under threat in the increasingly socially networked marketplace, there is little appreciation that specific measures—including the ‘right to be forgotten’ and the requirement to inform of intent before gathering personal information—may well be impossible to track let alone enforce. Come look at both the advancement of technology, particularly the prevalence of BYOD, cloud computing and social networking, and the lag in technical controls as we illuminate the compliance risk that is developing alongside EU expectations. During an audience discussion, we’ll ask you to share your perspectives on the legal implications.

Presentation

The EU and APEC: A Roadmap for Global Interoperability?

Moderator: John Kropf, CIPP/US, CIPP/G, Deputy Counsel for Privacy and Information Governance, Reed Elsevier
Malcolm W. Crompton, CIPP/US, Managing Director, Information Integrity Solutions Pty Ltd.
Joshua Harris, Policy Advisor, U.S. Department of Commerce
Florence Raynal, Head of International and European Services, CNIL

The Asia Pacific Economic Cooperation (APEC) member economies have made steady progress with the Cross Border Privacy Rules (CBPR), a system designed to create consistent privacy protections for individuals regardless of where their personal information is processed across the APEC region. EU Binding Corporate Rules (BCRs) are increasingly used by multinationals for their international transfers and as a baseline for their global compliance and accountability programmes. APEC member economies and EU data protection authority representatives met in Jakarta last January at the APEC Summit to exchange views on both systems. Here, you’ll get an early look at where the CBPR and BCR systems share similarities, where there are potential gaps and how the two might work together to connect two of the world's largest economic powers. We will also discuss some business case scenarios where interoperability will be significant.

Handout 1, Handout 2, Presentation

Evolving Skill Requirements in Cyberspace?

Some 25 years ago, when (ISC)2 first came together as a consortium of not-for-profit organisations with common interests, founders were driven by a need to document the skills required to secure information systems in increasingly networked technical environments. Five years ago, (ISC)2 asked a sample of its now 90,000 members, most holding the CISSP denoting them as Certified Information Systems Security Professionals, whether their jobs were more about risk management or technology. The results were split down the middle, illustrating the diversification of roles between management and operational functions that was taking place at the time. Today, many use the terms IT security and data or information security interchangeably, while still others refer to cybersecurity, and the scope of concern has graduated from networked environments to a ‘connected world’. Job roles and career choices are proliferating. Understanding current skill requirements can be as challenging as tracking the threat and technology landscapes that define them. This session looks at how professional practices have evolved to ensure relevancy, maximise opportunity and maintain a secure corporate posture in cyberspace. Drawing on research commissioned by (ISC)2 since 2004, we’ll discuss professional trends, including reporting structures, job titles, training demand, the impact of technologies and more.

What you’ll take away:

  • Whether the right skills are being developed for the current and future needs
  • Understanding the basics/constants and managing the pace of change
  • How to manage skills and team development in a dynamic environment
  • Interfaces with other professions: legal, privacy, project management, risk management, etc.

Have You Been NSA’d? Government Access and the New EU Regulation

Moderator: Omer Tene, VP and Head of Research & Education, IAPP
Jacob Appelbaum, Freelance Journalist, Photographer, Developer and Researcher, The Tor Project
Stewart Baker, Partner, Steptoe & Johnson LLP, Former General Counsel, National Security Agency
Ralf Bendrath, Senior Policy Advisor to Jan Philipp Albrecht MEP, European Parliament
Stephen Deadman, Group Privacy Officer and Head of Legal for Privacy, Security and Content Standards, Vodafone Group 

With revelations concerning the scope and reach of NSA surveillance, privacy has been elevated from a regulatory to a geopolitical issue. The U.S. argues that surveillance is necessary to thwart terrorist plots and cybersecurity threats, even as it reviews the legality of its government’s activities. The EU Parliament’s LIBE committee is proposing strict legislation restricting data flows absent assurances that data privacy will only be compromised with overview and authorisation by European regulators. Global businesses feel trapped between a rock and a hard place, having to negotiate increasingly conflicting legal regimes. This session will feature a discussion between a former general counsel for the NSA, a senior policy advisor to the EU Parliament’s rapporteur and a business representative.

How to Build Your Data Breach Toolkit

Moderator: William Long, Partner, Sidley Austin LLP 
Bill Hardin, Co-Chair Global Data Privacy and Incident Response, Navigant
Udo Helmbrecht, Executive Director, ENISA

Join data privacy experts to learn how to build a data security policy and plan in your organisation, and the practical steps you’ll need to take when dealing with a security incident. You’ll leave with expert tips on mitigating and investigating a breach, as well as an overview of international data breach notification obligations.

What you’ll take away:

  • Tips for building a data security breach plan for your organisation
  • Practical advice on how to manage a data security breach
  • An overview of the obligations to notify data security breaches

Presentation 1, Presentation 2, Presentation 3

Managing Risks with Privacy Impact Assessment

Moderator: Bojana Bellamy, CIPP/E, President of Centre for Information Policy Leadership, Hunton & Williams
Steve Wood, Head of Policy Delivery, Information Commissioner’s Office
David Wright, Managing Partner, Trilateral Research & Consulting

The UK Information Commissioner's Office (ICO) has launched a public consultation concerning a new code of practice on conducting privacy impact assessments (PIAs), which is intended to replace the ICO’s existing PIA Handbook. This session will present the framework for the draft code as well as some of the preliminary results of the consultation, closing on 5 November 2013. It will feature a study commissioned by the ICO on how to better integrate PIAs with project management and risk management practices. The study included a survey of 829 organisations (companies, government departments and local authorities), case studies, analyses of publicly available PIA reports and analyses of 19 different project and risk management processes. The ICO produced the first PIA guidance in Europe in 2007, and has been a major influence on the provision for PIA in the European Commission’s proposed data protection regulation.

Handout, Presentation 1, Presentation 2

Making the Change: Developing Successful Privacy Training and Awareness Campaigns

Richie Evans, CIPP/E, Manager, Enterprise Risk Services, Deloitte & Touche LLP

Recent research has shown that the principal cause of data breaches is a lack of training and human error. So are organisations doing enough to tackle the problem? This session will explore the delicate balance between trust and control that organisations need to strike when designing a privacy training and awareness programme, as well as highlighting some common pitfalls and pointers for success. The talk will explain why training and awareness in itself is only one step on the journey to cultural change and why Deloitte advocates a holistic approach when tackling this issue with clients. We’ll conclude the session by talking about a recent training and awareness programme conducted and the important lessons learned in doing so.

What you’ll take away:

  • How to design and execute a successful cultural change programme
  • The pitfalls to avoid and what factors are essential for success
  • Prioritisation of the culture change activities
  • Factors that influence risk culture and their relevance for privacy
  • Innovative ways of engagement

Presentation

Monitoring Patients: The Cloud and Collection of Health Data

Dodd Joseph Gray, Vice President Legal, EMEAC, St. Jude Medical Inc.
Pierre-Yves Lastic, Associate Vice-President, Chief Privacy Officer, Sanofi
Cynthia O’Donoghue, Partner, Reed Smith

In the age of personalised medical care, how can patients be monitored via the cloud, and how can each of the parties involved ensure compliance, including the health clinic, physician and cloud provider? And, what about the patients’ data? Join us to explore these questions and many others.

Privacy in the Age of Cloud Computing

Moderator: Tanguy Van Overstraeten, Global Head of Data Protection and Privacy at Linklaters
Nicolas Dubois, Policy Officer, Data Protection Unit, DG Justice, European Commission
Jean Gonié, Director of Privacy, EMEA, Microsoft
John Howie, Chief Operating Officer, Cloud Computing Alliance (CSA)

This session will address the privacy issues surrounding cloud computing technology. A panel of experts will discuss topics such as transfer compliance schemes, especially in light of the ubiquitous nature of the cloud, as well as user control over data in the cloud. The session will also analyse the impact of the proposed draft regulation on cloud computing, including new transfer solutions (e.g., BCR for processors), or the need for privacy impact assessments and challenges created by new data subject rights (e.g., portability in the cloud).

Presentation

Retail Tracking: Big Brother or Just Smart Stores?

Paula Barrett, Head of Privacy & Information Law, Eversheds LLP

Visitors to stores in the online world have become accustomed to activity around a virtual store being analysed by the retailer, to check out how the site works and enhance it. The latest frontier in privacy, however, is when that concept is flipped back into the ‘real world’. Retailers, shopping centres, airports and others are finding ways of performing analytics, using technology such as wi-fi networks or facial recognition, putting them on at least a par with their e-tail counterparts. But how does this fit within our existing privacy rules and those proposed? Or is this another example of the rules not keeping pace? How would you deal with the privacy impact assessment in a practical way if faced with this scenario? Is it just analogous to online tracking or potentially more intrusive and risky? Come to this thought-provoking discussion to find out more.

What you’ll take away:

  • An understanding of how some of the tools being used work
  • Suggestions on how to undertake a privacy impact assessment for retail tracking
  • Thoughts on how to address some of the privacy challenges that arise

Safe Harbour: Lessons Learned and Prospects

Caitlin Fennessy, CIPP/US, Administrator of Safe Harbor, International Trade Administration, U.S. Department of Commerce
Jan Ostoja-Ostaszewski, Data Protection Unit, Directorate General Justice, European Commission
Florence Raynal, Head of International and European Services, CNIL
Hugh Stevenson, Deputy Director, Office of International Affairs, U.S. Federal Trade Commission

Come hear views from the U.S. and EU on the Safe Harbor Framework, as the framework turns 13 and marches forward. Experts from the U.S. and EU will discuss the day-to-day operation of the Safe Harbor program, practical aspects (dispute resolution issues, enforcement cooperation and noteworthy actions) and recent improvements to the program. The panel will also offer insights on critical issues as technologies advance and enforcement actions continue.

Presentation

Transitioning between Data Transfer Mechanisms: Challenges and Opportunities

Cédric Burton, CIPP/E, Senior Associate, Wilson Sonsini Goodrich & Rosati
Ulrika Dellrud, CIPP/E, Corporate Privacy Officer, Novartis International AG
Caroline Louveaux, Senior Managing Counsel, Privacy and Data Protection, MasterCard Europe
Isabelle Vereecken, Legal Advisor, Belgian Privacy Commission

Many companies are currently evaluating their compliance programmes and in particular their data transfer strategies in light of the upcoming new EU data protection legal framework, the political climate around data transfers, the uncertainty around existing adequacy decisions and data transfer mechanisms such as Safe Harbor and standard contractual clauses. In that context, many businesses are considering updating their compliance programmes and moving from one mechanism to another to get prepared for the future. Here, we will discuss whether changing data transfer mechanisms is timely and explore the challenges and opportunities related to transitioning between data transfer mechanisms, such as moving from Safe Harbor or standard contractual clauses to binding corporate rules. We will also provide concrete practical tips and guidelines on how to prepare and smoothly approach such a project.

What you’ll take away:

  • Insights on whether updating your data transfer strategy is timely
  • An overview of the challenges and opportunities raised when transitioning between data transfer mechanisms
  • Practical tips and guidelines on how best to approach such a project

Translating Regulations into Policies: What the EU General Data Protection Regulation Means to Your Collaboration Initiatives

Ralph T. O’Brien, CIPP/E, EMEA Compliance Solutions Specialist, AvePoint UK Ltd.

The past decade has produced an unprecedented accumulation of data. Organisations in general and business models in particular increasingly rely upon confidential data such as intellectual property, market intelligence and customers’ personal information. Increasingly, organisations don’t even know what data their users are creating or where it is and receive little assurance about how key data is managed. Maintaining the privacy and confidentiality of this data, as well as meeting the requirements of a growing list of related compliance obligations, are top concerns for government organisations and the enterprise alike as they journey toward collaboration internally and externally—but with the appropriate controls in place. There is some data you want everyone to access, and some you wish to tightly limit and review. A balance must be achieved. Addressing these challenges requires a cross-disciplinary effort involving a varied list of players—human resources, information technology, legal, business units, finance and others—to jointly devise solutions that address privacy, accessibility and confidentiality in a holistic way. Data governance is one such approach that addresses many aspects of data management, including information privacy and security as well as compliance. Come explore some of the industry and societal security trends, hear an overview of the collaborative environments and learn what challenges you may face as a compliance professional during migration, implementation and ongoing usage.

What you’ll take away:

  • Understand how the updated regulation and the promulgation of big data affect your collaboration initiatives
  • Learn what you can do now to begin incorporating the new regulation into a multi-user big data environment and your governance and compliance policies to avoid non-compliance later
  • Hear real-world examples of how organisations have begun to successfully implement compliance policies across today’s enterprise social and collaboration platforms

Use of Metadata and Online Content: Balancing Conflicting Agendas

Moderator: Stephanie Faber, Of Counsel, Squire Sanders
Cornelia Kutterer, Director of Regulatory Policy, Microsoft EMEA
Osvaldo Saldías, Project Manager: Global Constitutionalism and the Internet, Humboldt Institute for Internet and Society (Berlin)
Patrick Walshe, Director of Privacy-Public Policy, GSMA

Recent revelations about the extent to which some governments collect, store and monitor telephone and Internet traffic data, location data and web logs have cast an interesting light (or shadow) over concerns surrounding the use of these same types of data by the private sector. This session will focus on (1) customer expectations of privacy in this area, (2) forms of consent for data profiling using communications and Internet customer data, (3) potential differences in the regulation of communications providers versus online providers and their use of customer data, (4) Balkanization of the “global cloud”, and (5) prospects for interoperable U.S. and EU data protection regimes applicable to these activities. We will discuss how to balance consumer, business, law enforcement and national security agendas and explore the potential impact of recent developments on the data protection landscape.

What you’ll take away:

  • Insight into the differing rules that apply under the E-Privacy and General Data Protection Directives with regard to the processing of Internet traffic data, location data and web logs
  • An understanding of the potential policy and commercial implications arising from law enforcement and national security access to metadata and online content

What Consumers Think about Privacy and How It Impacts Businesses

Dave Deasy, Vice President Marketing, TRUSTe

Online privacy has topped the media agenda on both sides of the Atlantic this summer. What impact has this had on consumer opinion and the actions individuals take to protect their privacy online? This session will share insights from independent research conducted by Harris Interactive in the UK and the U.S. examining what consumers think about online privacy both on web and mobile. The research is part of an ongoing research programme enabling clear comparisons across continents and examination of key trends year on year. The topics include: What consumers think about targeting and behavioural advertising; who consumers hold responsible for protecting their privacy; who they trust; what precautions consumers take to manage their privacy online; and what businesses can do to manage consumer perceptions.

Presentation

Where Trade and Data Protection Meet: Challenges and Opportunities

Moderator: Christopher Wolf, Director, Global Privacy and Information Management Practice, Hogan Lovells US LLP
Giovanni Buttarelli, Deputy European Data Protection Supervisor
Hugo Paemen, Former EU Ambassador to the United States
Daniel Weitzner, Director, MIT Decentralized Information Group, MIT Computer Science and Artificial Intelligence Lab

The ongoing EU-U.S. Transatlantic Trade and Investment Partnership (TTIP) talks and the pending EU Data Protection Regulation make a discussion of the relationship between trade agreements and data protection timely and relevant. Join us to explore (1) the potential progress the trade talks can make in fostering cross-border interoperability and mutual recognition of data protection regimes, and (2) the relationship between the pending EU regulation, pending proposals for privacy law reform in the U.S. and trade principles.

What you’ll take away:

  • The relationship between trade law and data protection/privacy laws
  • The status of TTIP talks insofar as cross-border interoperability of data protection/privacy regimes is concerned
  • The potential data protection/privacy opportunities and challenges of trade arrangements

Presentation