On October 22, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP co-hosted a workshop in Brussels on “Can GDPR Work for Health Scientific Research?” (the “Workshop”) with the European Federation of Pharmaceutical Industries and Associations (“EFPIA”) and the Future of Privacy Forum (“FPF”) to address the challenges raised by the EU General Data Protection Regulation (“GDPR”) in conducting scientific health research.
In connection with its hearings on data security, the Federal Trade Commission hosted a December 12 panel discussion on “The U.S. Approach to Consumer Data Security.” Moderated by the FTC’s Deputy Director for Economic Analysis James Cooper, the panel featured private practitioners Lisa Sotto, from Hunton Andrews Kurth, and Janis Kestenbaum, academics Daniel Solove (GW Law School) and David Thaw (University of Pittsburgh School of Law), and privacy advocate Chris Calabrese (Center for Democracy and Technology). Lisa set the stage with an overview of the U.S. data security framework, highlighting the complex web of federal and state rules and influential industry standards that result in a patchwork of overlapping mandates. Panelists debated the effect of current law and enforcement on companies’ data security programs before turning to the “optimal” framework for a U.S. data security regime. Among the details discussed were establishing a risk-based approach with a baseline set of standards and clear process requirements. While there was not uniform agreement on the specifics, the panelists all felt strongly that federal legislation was warranted, with the FTC taking on the role of principal enforcer.
The Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP recently submitted formal comments to the U.S. Department of Commerce’s National Telecommunications and Information Administration (“NTIA”) in response to its request for public comments on developing the administration’s approach to consumer privacy.
On March 20, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth LLP issued a factsheet outlining relevant GDPR provisions for negotiations surrounding the proposed ePrivacy Regulation (the “Factsheet”).
On January 29, 2018, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP submitted formal comments to the Article 29 Working Party (the “Working Party”) on its Guidelines on Transparency (the “Guidelines”). The Guidelines were adopted by the Working Party on November 28, 2017, for public consultation.
On May 27, 2017, the National Information Security Standardization Technical Committee of China published draft guidelines on cross-border transfers pursuant to the new Cybersecurity Law, entitled Information Security Technology – Guidelines for Data Cross-Border Transfer Security Assessment (the “Draft Guidelines”). The earlier draft, Measures for the Security Assessment of Outbound Transmission of Personal Information and Critical Data (the “Draft Measures”), requires network operators to conduct “security assessments” when they propose to transfer personal information and “important information” to places outside of China. These “security assessments” are essentially audits of the cybersecurity circumstances surrounding the proposed transfer that are intended to produce an assessment of the risk involved. If the assessment indicates that the risk is too high, the transfer must be terminated.
On December 21, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP issued a white paper on Risk, High Risk, Risk Assessments and Data Protection Impact Assessments under the GDPR (the “White Paper”). The White Paper sets forth guidance and recommendations concerning the interpretation and implementation of the EU General Data Protection Regulation’s (“GDPR’s”) provisions relating to risk and risk assessment, which will become applicable on May 25, 2018. While risk assessments already are required under the EU Data Protection Directive, the GDPR broadens the relevance of risk and risk assessment by explicitly and comprehensively incorporating a risk-based approach to data protection.
On October 20, 2016, the Centre for Information Policy Leadership (“CIPL”) at Hunton & Williams LLP hosted a side workshop at the International Conference of Data Protection & Privacy Commissioners focused on transparency and risk assessment, entitled “The Role of Risk Assessment and Transparency in Enabling Organizational Accountability in the Digital Economy.” The workshop was led by Bojana Bellamy, CIPL’s President, and featured contributions from many leaders in the field, including the UK ICO, Belgium and Hong Kong’s Privacy Commissioners, and counsel and privacy officers from several multinational companies.
In September, the Centre for Information Policy Leadership (“CIPL”) held its second GDPR Workshop in Paris as part of its two-year GDPR Implementation Project. The purpose of the project is to provide a forum for stakeholders to promote EU-wide consistency in implementing the GDPR, encourage forward-thinking and future-proof interpretations of key GDPR provisions, develop and share relevant best practices, and foster a culture of trust and collaboration between regulators and industry.
Recently, the National Privacy Commission (the “Commission”) of the Philippines published the final text of its Implementing Rules and Regulations of Republic Act No. 10173, known as the Data Privacy Act of 2012 (the “IRR”). The IRR has a promulgation date of August 24, 2016, and went into effect 15 days after the publication in the official Gazette.