‘Mind the Gap’ Assessment – Transport for London chooses TRUSTe Assessment Manager


This week, Transport for London confirmed they have chosen TRUSTe as their privacy technology partner and will use TRUSTe Assessment Manager to prepare for the EU General Data Protection Regulation and implement their privacy assurance program.

Transport for London is responsible for keeping a population of 8.4 million Londoners and millions more visitors to the city on the move through key services (and iconic brands) such as the London Underground, London buses, rail services, river boats and Santander Cycles. They also manage over 580km of roads, operate two road user charging schemes and regulate the taxi and private hire trades. Virtually everyone who visits, lives or works in London will use at least one of these services, and with increasing volumes of customer data being collected, privacy is a top priority.

James Newman, Privacy and Data Protection Manager at Transport for London (TfL) said:

I’m delighted that TRUSTe has emerged from a rigorous competitive tender process as the delivery partner for TfL’s new privacy assurance solution. TRUSTe Assessment Manager will now play a key role in TfL’s privacy assurance programme and our ongoing preparations for the implementation of the GDPR.

TRUSTe Assessment Manager transforms how companies assess, analyze, and remediate global data privacy management risks. It was purpose built for privacy teams and developed with the input of global businesses and legal professionals spanning a range of industries. The first dedicated SaaS privacy assessment solution in the market, Assessment Manager brings the benefits of automation to the privacy industry and was recently named a 2016 Legaltech Innovation Award Winner for Risk Management.

Find out more here and contact us for a demo today.



Your Path to GDPR Compliance | Step 1

There are a lot of great resources out there summarizing all of the new requirements under the GDPR (see IAPP, other resources).  But once you see the long and dizzying list of new requirements, it’s easy to get overwhelmed.  Fear not, there are ways to tackle it one step at a time.

TRUSTe has developed an education series designed to provide you with a path to achieving GDPR compliance.  This multi-part program provides both guidance on what to do, along with options for helping you get it done.

While May 25, 2018 – the compliance deadline – may seem like a long way off, many items will likely take your organization considerable time to implement so it’s wise to start the process now.  Everything you put in place ahead of the deadline will enhance your overall privacy program and further your efforts to minimize risk, ensure compliance, build trust, and protect your brand.


GDPR Compliance:  Step 1 – Assess Readiness

The very first thing to do is Assess – Are you impacted?  Where do you stand?  

Are you impacted?

You may be thinking, I don’t need to worry about the GDPR because it doesn’t impact my organization.  We don’t have offices or do business in the EU.  But the GDPR includes a significant increase in scope over prior EU data protection law that makes it “extra-territorial” or beyond just being located or doing business in the EU.

This means you need to take a closer look.  Specifically, you should ask three threshold questions:

  1. Do you “offer goods or services to EU residents”?
  2. Do you “monitor the behavior of EU residents”?
  3. Are you a “Data Processor” (one who processes the data on behalf of the Data Controller) of EU resident “personal data” (any information relating to an identified or identifiable natural person (“data subject”))?

If you answered “yes” to any of the above, then you’re impacted and need to start taking steps toward compliance.  Some things to keep in mind:

  • The GDPR protects the personal data of EU residents, which includes anyone physically residing in the EU, even if they are not EU citizens.
  • By extending its scope to include “monitoring the behavior of EU residents”, the GDPR makes the applicability net as wide as it can get.  Practically every website and app out there tracks digital activities of its visitors.  Even though you may not be actively targeting and monitoring EU residents, if you have a website or app that tracks who visits and an EU resident happens to find their way to your digital property from within the EU, you’re impacted.  Moreover, monitoring of behavior can be applied more broadly and include profiling that leads to actions that analyze or predict personal preferences, attitudes and / or behaviors.  Thus, the GDPR impacts targeted behavioral advertising and other data analytics.
  • The GDPR now extends due diligence obligations and potential liability to Data Processors, not just Data Controllers.  This has major impacts to cloud companies that process data on behalf of others, especially as the definition of “personal data” is now broadened and includes info like IP addresses, cookie strings, and mobile device IDs.


Where do you stand?

Now that you know that you’re impacted, you need a way to self-diagnose.  You could leverage a controls checklist, build one yourself, or take advantage of a free easy-to-use online GDPR readiness assessment tool.  Whatever self-diagnosis path you choose, you need to make sure it includes a fairly comprehensive list of the requirements so you have confidence that your assessment is thorough.

This initial GDPR assessment should guide you through GDPR operational requirements under the following areas, with particular emphasis on what’s new:

  • Transparency (i.e., Privacy Policy).  This centers on the language in your Privacy Policy.  It needs to be in “clear and plain language”, i.e., easily understood by users and not buried under a morass of legalese.  A whole host of new language must also be included, e.g., rights of data subjects, contact details of a Controller’s representative or DPO (Data Protection Officer), among others.
  • Collection and Purpose Limitation.  An assessment should check on whether the info collected is necessary and relevant, with particular scrutiny around information that is sensitive, involves criminal convictions or offenses, or is collected from children under the age of 16.
  • Consent.  The consent requirements under the EU Cookie Directive still apply regarding the use of cookies and similar tracking technology.  In addition, there are consent requirements prior to Data Processing, including details for when you need explicit and informed consent, or when you must provide user controls for preferences and withdrawal of consent.
  • Data Quality.  This centers on steps taken to ensure accuracy of data and processes for deleting or correcting it.  
  • Privacy Program Management.  This is a major area requiring a multitude of operational changes – e.g., documentation of your legal basis for Cross-Border Data Transfers, PIA Programs for new products or “high risk” processing, processing activities requiring the designation of a DPO, and due diligence obligations and contracts for Onward Transfers, to name a few.
  • Security in the Context of Privacy.  This includes requirements on the use of industry-standard encryption technologies for sensitive data, systematic destruction, erasure or anonymization of data, and documentation on security programs.
  • Data Breach Readiness and Response.  A documented privacy and security Incident Response Plan is essential, particularly because there are significant new data breach notification requirements (e.g., controllers must notify supervisory authority within 72 hours).
  • Individual Rights & Remedies.  The GDPR expands individual control with new rights, e.g., the “Right to be Forgotten” (data erasure), “Right to Data Portability” (to transmit data to any other controller), enhanced rights around processing (notice, access, rectification, objection) and filing complaints.


What now?

The GDPR Readiness Assessment, powered by TRUSTe Assessment Manager, includes all of the above modules.

The result includes real-time findings to show what requirements you currently meet, a gap analysis to show what’s not yet covered, and operational recommendations to close the gaps.  This gives you a solid handle on where you currently stand and is critical for the next step in the Path to GDPR Compliance … to be covered in our next blog post Step 2: Build Consensus.

Visit for more information on TRUSTe GDPR Solutions.


Understanding your privacy risk exposure in Latin America – Summit Preview

Technology is booming in Latin America, and privacy laws and regulations are becoming more complex as well, since more technology generally means more data processing.

Latin America is a region formed by 20 different and independent countries, so getting acquainted with 20 different laws can seem quite an ordeal. Juan Luis Hernandez Conde, Founding Partner at Novus Concilium, will address this topic at the upcoming TRUSTe Privacy Risk Summit on June 8th in San Francisco. In this blog post he provides an introduction to the 5 basic principles of LATAM privacy laws.


  1. No “one stop shop”

There is no document such as the GDPR (Europe’s General Data Protection Regulation) applicable to the whole region, although most of the laws are based on the EU Data Protection Directive 95/46 EC (the EU Directive). In general, most countries have a right of data self-determination in their constitutions, but specifically, all the countries can be divided into two teams.

Team one, in which we can find Mexico, Argentina, Uruguay, Costa Rica, and Nicaragua, comprises countries with a detailed framework and even Data Protection Agencies (DPA) to enforce it. Team two, where we can find countries such as El Salvador, Guatemala, Venezuela and Cuba, groups countries that don’t have a specific omnibus law regarding data self-determination or a DPA. There is, as well, a set of countries transitioning from team two to team one, for example Brazil and Paraguay.


  2. “Habeas Data”

Habeas Data (which literally means “to show – the controller – has the data”) is a catchy phrase used to refer to data self-determination rights, such as the right to access, rectification, or erasure of personal information. Most of the Latin American countries grant these types of rights to data subjects, and provide detailed legal procedures to enforce them.


  3. Corporate governance and policies

Some laws require controller companies to develop some corporate structures and privacy policies according to certain legal principles. For example, Mexican Law requires controllers to appoint a Data Protection Officer in charge of reviewing any Habeas Data complaint made by data subjects.


  4. Information and Consent

The duty of information plays an important role in the region. In jurisdictions such as Argentina or Colombia, controller companies have a duty to disclose all the details regarding the processing of personal information they gather. Information to be disclosed commonly includes:

  • Personal information gathered,
  • A detailed explanation of what the controller uses the data for,
  • A list of transfers to third parties,
  • The name and address of the legal entity responsible for the database and
  • Procedures to exercise habeas data rights, among others.

Consent is paramount in most of the Latin American jurisdictions. Almost every country with omnibus legislation requires it prior to the processing of data, each in its own unique way. For example, Mexico and Colombia allow opt-out consent for general information, but require opt-in consent in special circumstances such as the processing of sensitive data (information regarding sexual orientation, religious views, ethnic origins, health condition, political preferences among others).

Whatever the case, the controller company will be responsible for showing the DPA that it disclosed the information required by law and that it got consent before processing data.


  5. Rules on data transfers

The general rule is that data transfers can only be made with prior consent from data subjects.

However, international data transfers are regulated as well. Some countries require transfers to only be made to countries that show an “adequate level of protection”.

Some other countries, such as Mexico, allow international data transfers only if the controller company agrees (by a legally binding document) to process the information under a privacy policy in accordance with Mexican Law principles.

In either case, you had better double-check before transferring data, since fines or even criminal charges (misdemeanors or felonies) may apply if the transfers aren’t done correctly. You don’t want to risk it.



Privacy in Latin America is a complex and continuously evolving subject, which varies depending on the country you are doing business in. Find out more in the Latin America session at the TRUSTe Privacy Risk Summit.




Privacy Risk Summit Preview: Privacy by Design for IoT


The Internet of Things (or the Internet of Everything, as some refer to it) is changing the way of the world for businesses, governments and consumers, as devices and services are increasingly connected to the Internet in real-time, 24/7. This allows for the practically ubiquitous collection, storage and sharing of data on an always-on basis, which heralds countless innovations for enterprises and individuals alike.

However, with increased connectivity comes the potential for increased vulnerability—in both the cyber and physical worlds. This is why Privacy by Design is a paramount business practice for companies engaged in the IoT space, as well as a consideration steadily more expected by consumers.  TRUSTe’s Privacy Risk Summit (Wednesday, June 8th in San Francisco) features three sessions devoted to IoT privacy issues. In this second preview blog, Darren Abernethy, Privacy Solutions Manager at TRUSTe, offers a brief introduction to Privacy by Design in the IoT context.

The Internet of Things Continues to Grow Exponentially

The IoT is a short-hand term that refers to the interconnected environment in which previously offline, data-siloed objects can now continually communicate information among other objects and people. According to one estimate, the number of IoT-connected devices will reach 38.5 billion in 2020, up from 13.4 billion in 2015: a rise of over 285%.

Consumer-focused, “smart home” devices are already a fixture in many retail outlets (think fitness wearables, connected refrigerators, sous-vide precision cookers, smart thermostats and lighting systems, the list goes on), and the next several years are expected to see IoT maturity in areas as diverse as connected cars, smart grids and cities, digital healthcare, agriculture, and various industrial channels. In short, there is no scarcity of interest in the application of IoT connectivity across sectors because of the granular insights that it facilitates.

The Connected World Requires Pre-Conceived Privacy by Design

A recently released survey conducted by Ipsos on behalf of TRUSTe/NCSA found that 89% of respondents say that they avoid companies that do not protect their privacy. This reality—that brand reputation and consumer trust are inextricably linked—is especially true in the IoT context. This is why Privacy by Design, or the practice of building privacy and security controls into a product or service at the outset of the planning process, rather than as an afterthought, is imperative.

There is no statutorily-defined, one-size-fits-all prescriptive list of what constitutes Privacy by Design. Indeed, in the context of IoT devices, Privacy by Design in practice ultimately depends on the types and quantity of information a device collects, the sensitivity of the data, and the overall risk posed to end users. Still, some issues should form the basis of any Privacy by Design assessment throughout product development, and these include:

Data Minimization. Whereas early IoT devices may have focused on collecting information indiscriminately, on a “we’ll find a use for this data later” basis, such an approach will no longer be tolerated by regulators. Most privacy regimes mandate that only data relevant to the purposes for which consent was originally given may be processed. And with the new EU GDPR privacy regulation’s effective date inching closer each day—along with its application to data controllers and processors of fines equaling up to 4% of global turnover for serious infractions—all IoT folks should be mindful to collect only what is necessary to achieve their business goals (and in keeping with their disclosures and public promises).

Perform Privacy and Security Risk Assessments Throughout All Stages of Development. These complement an overall risk-based approach that includes, from the start, having a full inventory of the type and variety of personal information collected, as well as end-to-end understandings of data flows for the life cycle of any data. As the FTC has noted: “An evolving inventory serves triple duty: It offers a baseline as your staff and product line change over time. It can come in handy for regulatory compliance. And it can help you allocate your data security resources where they are needed most.” TRUSTe’s SaaS-based Assessment Manager was designed with this in mind, by automating the privacy impact assessment process for companies so that they may efficiently assess privacy risk, produce on-demand compliance/audit reports, and monitor privacy matters on an on-going basis.

Use Security Hygiene Best Practices. This entails utilizing security transmission protocols and encryption techniques for personal information in transit and at rest, building in proper authentication controls, training company staff in privacy and data security best practices, limiting permissions, and using secure options as a smart device’s default settings that are changeable later by more advanced or aware end users.

Vet Vendors and Partners. Privacy by Design considerations do not end with the device manufacturer; they extend to the partners and service providers associated with the device maker. Accordingly, IoT companies should embed processes to review third party providers’ practices as well as have contractual provisions in place that clarify responsibilities and liabilities before any product or service goes to market.

Transparency and Control. IoT companies must be transparent with consumers—in easy to understand language and format—about how their troves of data are collected and used. This means up-front and accurate privacy statements, building in mechanisms for on-going notice and choice (including just-in-time notices), having conspicuous user privacy controls/dashboards, and effective communication—beyond the design phase—of access options, recommended security updates and other manifestations of respect for users’ preferences.

The Future of IoT Privacy by Design

As more devices, platforms and infrastructure connect to the Internet in real-time, the most successful industry participants will be those that regard Privacy by Design as an opportunity to demonstrate that they are worthy of consumers’ trust. Industry self-regulatory frameworks, such as the OTA IoT Trust Framework, are available to help companies to operationalise privacy by design. Time will tell whether this is enough to pre-empt the need (in the eyes of external regulators) for legislation. Also unclear are issues of interoperability in the IoT context, as well as questions of whether a one-time consent by consumers can realistically serve as “informed” consent as connected devices become a perpetual presence in our daily lives. For insights and analyses of these issues and more, be sure to check out next month’s TRUSTe Privacy Risk Summit, or contact TRUSTe today.


Privacy Risk Summit Preview: Cross Device Tracking

A topic on the tips of advertisers’ and marketers’ tongues these days is “cross-device tracking,” a unique method of digital advertising that is viewed within the data, analytics and marketing spaces as a game-changer. TRUSTe’s Privacy Risk Summit (Wednesday, June 8th in San Francisco) will feature a panel of industry leaders devoted to the latest on this subject. In advance of the Summit, Darren Abernethy, Privacy Solutions Manager at TRUSTe, offers a brief introduction to cross-device tracking methodologies and some of the cutting edge privacy issues upon which they touch.

What Is Cross-Device Tracking?

Cross-device tracking is the umbrella term for different techniques used to serve targeted ads to an individual user on a user’s multiple devices so that messages can be better tailored to the right individual at the right moment. The ads and promotions served to the user across devices, channels and platforms are more effective (i.e., more likely to be engaged with or lead to conversions) because they are informed by that user’s previous interactions on all of the devices, not merely the device or browser currently in use. Cross-device tracking also allows for better “attribution” or the ability to understand purchases, behavior and intent.

How does this work in practice?

As one oversimplified example, a unique user could browse for a particular book on her mobile phone during breakfast, later at the office on her work laptop put a copy of the book into an online retailer’s shopping cart but not purchase it, and then back at home that evening she may receive an advertisement on her personal desktop computer’s browser for other books by that author or even a discount promo code at the retailer’s site where she almost made the afternoon purchase.

This type of connecting the dots to identify and reach a single user across devices is accomplished through two primary methods.

Deterministic and Probabilistic Linking

The first method is deterministic linking (DL), whereby a user self-identifies to a service, such as by logging in, which directly confirms that the multiple devices in use belong to the same user. Accordingly, if a user logs onto a particular social media site on a smart watch, tablet, mobile app or computer web browser, then any user data collected (clicks, likes, visits, 1st party cookie data, and data from 3rd party websites on which the social media service has widgets/portals) becomes part of that user’s broader “profile,” and can be used to target ads to that user on any device or platform.

The second method is probabilistic linking (PL), whereby statistical modeling, algorithms and/or predictive pattern recognition are applied to a variety of digital technical parameters to infer links between devices. Firms in the PL space often partner with online publishers or ad exchanges and monitor ad request traits such as IP address, device type, geolocation, time of day usage patterns, and installed browser fonts, then correlate that information with other data sources and use proprietary processing to build device graphs that, over time and in the aggregate, can link multiple device, cookie, and mobile IDs to a common user, who is assigned an anonymous identifier.

Privacy Considerations with Cross-Device Tracking

The use of cross-device tracking is a response to consumers’ more fragmented options for accessing the Internet now compared to two decades ago, as well as the inherent limitations of delicate, mobile-deficient and browser-specific cookies traditionally utilized in online behavioral advertising. But does this new means of crossing data streams to gain a holistic view of a consumer along the entire path to purchase give rise to issues for privacy-conscious consumers and businesses?

For instance, can these techniques lead to the collection of unnecessary or superfluous data, at odds with the generally recognized privacy principle of data minimization? Can they lead to the possible triggering of unintended legal regimes, or erroneous inferences that lead to bad ad spend? Should different privacy approaches be utilized for DL versus PL? Is it technically feasible for the industries involved to build an omnibus opt-out mechanism that can be honored across all devices and platforms?

For insights and analyses of these issues and more, including benefits for businesses and consumers and current self-regulatory approaches, be sure to check out our exciting panel at next month’s TRUSTe Privacy Risk Summit. The panel will include perspectives from the brand/advertiser, technology development and product design, go-to-market strategy and of course, privacy and legal challenges. The panel will be moderated by Andy Dale, Senior Counsel at DataXu, an advertising technology company engaging in cross-device campaigns. In Andy’s words: “cross-device technology is really about understanding the customer journey and this technology is powerful but needs to be harnessed and utilized within a privacy framework which allows users an ability to understand the practice and make meaningful choices”.





TRUSTe Assessment Manager Wins 2016 Legaltech News Innovation Award

We’re excited to announce that TRUSTe Assessment Manager has been named a 2016 Legaltech Innovation Award Winner for Risk Management. The annual Innovation Award program, now in its 15th year, recognizes the best in legal technology leaders, products, and projects across the legal community.

TRUSTe Assessment Manager transforms how legal departments assess, analyze, and remediate global data privacy management risks. It was purpose built for privacy teams and developed with the input of global businesses and legal professionals spanning a range of industries. The first dedicated SaaS privacy assessment solution in the market, Assessment Manager brings the benefits of automation to the privacy industry. Previously, legal teams relied on manual tools such as spreadsheets, email or retrofitted GRC systems to address the unique nuances of privacy risk management.

TRUSTe Assessment Manager comes pre-loaded with over a dozen templates to address popular use cases, including the EU General Data Protection Regulation, Vendor Risk Management, Breach Notification, and Privacy Impact Assessments.  The Platform is used by hundreds of companies, either directly or with assistance from the TRUSTe Global Privacy Services team, across all industries including pharma, healthcare, technology, and consumer products organizations.

Nominations for the Legaltech News Innovation Awards were made by the publication’s more than 40,000 readers, and a panel of judges comprised of Legaltech News and The Recorder editors selected the winners from hundreds of candidates.

We will be demoing the TRUSTe Assessment Manager platform at Legaltech West Coast in San Francisco on June 13-14. Stop by booth #406 to see the latest privacy compliance tools or join us at our Emerging Technology session, “Counsel’s Toolbox: Innovation in Managing Digital Privacy Risk” on Tuesday the 14th at 11:45am.




TRUSTe-EDAA Ads Research Shortlisted for IAB Europe Research Award


The European Advertising Consumer Research Index 2015 provides a comprehensive picture of attitudes and awareness of the European Self-Regulatory Programme for Online Behavioural Advertising (OBA) across 13 European countries surveyed. The study was conducted by Ipsos MORI, on behalf of TRUSTe and the EDAA from 21 October – 13 November 2015 with over 13,000 online adults.

We’re delighted that this joint TRUSTe-EDAA research has been shortlisted for the best use of Research Budget. The IAB Europe Research Awards are now in their sixth year and represent industry recognition for innovative research projects and the contribution they have made to the development of the digital advertising industry.

Winners of the eight categories will be announced at the gala dinner during IAB Europe’s Interact conference tomorrow (12th May) in Lisbon, Portugal. The winning projects will form part of IAB Europe’s expanding libraries of best practice for industry professionals to use in their strategies and daily work.

The finalists were selected from over 130 entries by a Jury consisting of Nick Hiddleston, Research Director Worldwide at ZenithOptimedia and Chairman of the Jury, Paul Hardcastle, Research Director, EMEA at Yahoo!, Ariane Längsfeld, Client Manager – Media & Digital at Millward Brown, Pawel Kolenda, Research Director at IAB Poland and Tuncay Yavuz, IAB Turkey Board Member, Head of Technical Committee on Measurement and Digital Director at OMD Turkey.

Read the full research report here.



Xiaomi Partners with TRUSTe for Privacy Assessment Technology and Certification Services



Xiaomi, the Beijing-based leader in smartphone, electronics and services, is the latest global company to choose the TRUSTe Assessment Manager platform to bring increased efficiencies and scale to their privacy program. Xiaomi will use the platform to perform ongoing Privacy Assessments and PIAs for the MIUI operating system and other services in the quest to bring Privacy by Design into the mobile architecture and product set.

Under the partnership, TRUSTe has also assessed and certified that Xiaomi’s mobile operating system MIUI (and its native apps), cloud services and e-commerce websites all abide by TRUSTe’s privacy standards. The company has had a full review of its privacy practices and worked to ensure all mobile applications that collect sensitive information are encrypted, that all payment pages have the proper encryption to protect users’ sensitive information and that application permissions are limited to only what is needed to operate on a user’s device.

The certification process helps to ensure Xiaomi is transparent and accountable to the practices outlined in the company’s privacy statement. TRUSTe Assessment Manager enables Xiaomi to maintain these privacy commitments, demonstrate compliance and assess the privacy impact of new product releases. This will simplify the process of maintaining the certification going forward and help Xiaomi achieve various global compliance targets efficiently.

“With this privacy certification, Xiaomi is demonstrating our deep concern for user privacy,” said Baoqiu Cui, Chief Architect at Xiaomi. “User privacy is always our top priority, and the Privacy by Design approach has been incorporated into our product design process. As of today MIUI has over 200 million users, and our e-commerce website has even more. Getting both MIUI and the e-commerce website certified is a huge milestone, not only for the company, but also for our users. With the TRUSTe certification, our users have even greater peace-of-mind knowing their data is well protected.”

“TRUSTe Assessment Manager and Privacy Impact Assessment process can help us meet our privacy compliance requirements much more efficiently. Efficiency is very important for a fast growing product like MIUI, whose developer’s build is released every week and stable build is released every month,” said Baoqiu.

Read further details in our press release here
