We sometimes see that rules on international data transfer are quite rudimentary. They are sometimes too strict and sometimes too loose, and they are not clear as to what limits are needed for international data flow. #PrivacyNama2021
The authority has to be independent. It can only be a neutral arbiter for different interests at stake. It is important to cover public sector under data protection rules. The powers might be too limited. #PrivacyNama2021
The obligations are on the parties to assess if there are problems in the country of origin. This is only if there is disproportionate or abusive government access. Only if core safeguards are not available. #PrivacyNama2021
The main principle the court establishes is that government access in another country should be enshrined in a legal framework. The situation for the use of model contract clauses is complicated as it requires companies to undertake assessment. #PrivacyNama2021
If there is a change in jurisprudence, the companies need to adapt. It is a voluntary instrument. There is a liability for ensuring compliance. We have designed them very broadly. They cover 98% of all transfer scenarios. #PrivacyNama2021
We cover the reverse situation where the processor is in the EU and the controller is in another country. It has limited scope of obligations. Adequacy means that the level of protection is comparable to our level. We do not differentiate #PrivacyNama2021
We will pay close attention to whether UK's IDTA ensures the continuity of protection. We are hopeful that it will have a similar level. UK's data protection rules are virtually identical. It might change so we will pay attention to it. #PrivacyNama2021
Our rules require 2 things: ongoing monitoring of the situation and regular review every 4 years. The main instrument is the review, we are currently carrying out review for Japan's adequacy protection. #PrivacyNama2021
We have been in contact with Indian parliament and we have shared certain observations. It is the right way to do it. We had some questions. It is for India to decide sovereignly what is best for the country. #PrivacyNama2021
The law is sometimes too strict in allowing data flows. On the other hand, we had the impression that there weren't strict rules when data can flow. They are sometimes too narrow or too broad. #PrivacyNama2021
We believe it does not create a problem to expand data protection laws to matters of national security. It is a question of how to draft it. It makes it easier to have regulatory cooperation then. #PrivacyNama2021
On transatlantic data transfers, it is not an easy conversation to have. We are making progress. I am hopeful. It will take some time to work through these things. #PrivacyNama2021
LIVE 🔴 | Our third panel is on Adapting To Global Privacy Legislation, a conversation with privacy heads of companies. #PrivacyNama2021
Session Chair: Rahul Matthan (Trilegal). Speakers: Justin Weiss (Global Head of Data Privacy, Naspers-Prosus), Idriss Kechida (Chief Privacy Officer, Match Group) and Srinivas Poosarla (Global Chief Privacy Officer and DPO, Infosys) #PrivacyNama2021
The world was converging to global privacy legislation after GDPR. We thought country after country will adapt the GDPR legislation. However, all is not well with GDPR in recent years. #PrivacyNama2021
Privacy is not just a legal requirement. It is a company policy. #IdrissKechida #Match #PrivacyNama2021
Legal background is not sufficient to give the skill set to be the chief privacy officer. There is no aspect of an organisation that does not involve data. They should be excellent communicators. #JustinWeiss #NaspersProsus #PrivacyNama2021
One has to look after legal compliance. It requires a wide range of skills. I would encourage thinking about it from a wide perspective. At the end of the day, you have to do all of these things well. #JustinWeiss #NaspersProsus #PrivacyNama2021
The role is to provide assurance to the management that data privacy compliance is met. There are additional safeguards by data protection laws. The role is not regulatory. #SrinivasPoosarla #Infosys #PrivacyNama2021
It is a techno-legal function. The role continues to remain advisory. We never get into implementing things. The significance of independence is becoming important. #SrinivasPoosarla #Infosys #PrivacyNama2021
For privacy, an important aspect is that we do not know the enemy as it is an unknown hacker. In the data privacy world, the ones who are adversaries are from within the organisation. The role of CPO is one where you require a balancing act. #SrinivasPoosarla #Infosys #PrivacyNama2021
There is a great requirement for independence and autonomy. Many organisations do not think about privacy strategy. One needs a privacy strategy. It is important for industry which consumes data as raw material. #SrinivasPoosarla #Infosys #PrivacyNama2021
You have to embed the strategy with your risk appetite. Some companies won't take that risk. #SrinivasPoosarla #Infosys #PrivacyNama2021
Companies think of privacy issues as a risk. When you do that, you might assume, running a privacy program is like running other departments which are risky. #JustinWeiss #NaspersProsus #PrivacyNama2021
I do not think the way data protection legislation operates, it is not a checklist of yeses and nos. It is usually how. The privacy leader has a whole bag of tricks to explain things. It could be a suite of data minimisation tools. #JustinWeiss #NaspersProsus #PrivacyNama2021
At some point, there are trade-offs. You need to make sure to have sponsorship from the highest level of the organisation. I think CPOs are fortunate depending upon the company they are in #IdrissKechida #NaspersProsus #PrivacyNama2021
Do not copy your structure. It depends on where the company is. One needs to ascertain what is legal and compliance. The smaller you are, the less you are able to differentiate the role. That's fine in the beginning of the journey. #IdrissKechida #NaspersProsus #PrivacyNama2021
Most countries have data subject rights. The effectiveness lies in listening to these demands. #SrinivasPoosarla #Infosys #PrivacyNama2021
No one wants to be under the eyes of the regulator. Companies will comply and solve complaints filed with them because of that. It's not that DPA is shifting burden. - Idriss Kechida (Match Group) #PrivacyNama2021
How large must internal data protection teams be for companies? - You could have everything centralized and a massive privacy team or you could have individual teams who are trained to apply the data protection legislation. - Idriss Kechida (Match Group) #PrivacyNama2021
Right to be forgotten made a huge impact in Google case. And then GDPR came. It is not absolute right, must be balanced with other factors. - Srinivas Poosarla (Infosys) #PrivacyNama2021
Starting point in complying with new data rules: The first step is the CEO themselves and the executive team. You explain to them the full range of activities that will occur. They will do what is necessary to give you resources. Justin Weiss (Naspers-Prosus) #PrivacyNama2021
Then you have to have a playbook. Good news is other companies have already done this and there is enough commonality that you can have an Ikea toolkit. - Justin Weiss (Naspers-Prosus) #PrivacyNama2021
What occupies the most time for orgs? It is training. Training isn't just once per year. You are in the weeds with each dept figuring out what they can do for privacy. So that there can be privacy by design. - Justin Weiss (Naspers-Prosus) #PrivacyNama2021
In my team I have privacy counsels and privacy managers that take projects and go through the finish line. This takes time and resources. - Idriss Kechida (Match Group) #PrivacyNama2021
What budget should be set aside for data protection teams within companies? - I consider it in categories: at least one person (salary is mid-level lawyer), cost of automation (annual licenses), and costs involved for training. - Justin (Naspers-Prosus) #PrivacyNama2021
No straightforward answer in how many people are required or what budget. Consumer facing orgs will need more. If you're constantly adding new features, then risk assessments for privacy are a major cost. Srinivas Poosarla (Infosys) #PrivacyNama2021
If we have 100 jurisdictions with 100 different privacy laws? How will companies and products that are global comply? - #PrivacyNama2021
There is a lot of overlap between legislations. At my company we go for global standards that map principles of multiple jurisdictions. Only time there are issues is if there is conflicting legislation, which is not often. - Srinivas Poosarla (Infosys) #PrivacyNama2021
Ninety percent of what people around the world expect as privacy overlaps. But even if you build something that is global, that very same feature might be experienced differently by different regions. - Justin Weiss (Naspers-Prosus) #PrivacyNama2021