Aug 30 2016

Third Party Alternate Dispute Resolution

Initial Privacy Shield deadlines are just around the corner and EU GDPR compliance isn’t far behind. These fast-approaching dates are stirring up renewed interest in a solution TRUSTe has been offering for years – alternative privacy dispute resolution. Offering alternative dispute resolution (ADR) gives customers confidence that you are committed to their privacy and helps mitigate unintentional privacy violations that may accompany web page updates or new initiatives.

The impending compliance dates are a reminder that providing privacy dispute resolution is often more than a consumer-friendly best practice – it’s a requirement.

When required, companies are generally presented with two options.

  • Refer a complaint directly to the local regulator (the data protection authority, or DPA)
  • Work with a third-party dispute resolution provider

There are clear benefits to going the third-party route – and selecting a third party trusted by both businesses and consumers may be the best way to turn unhappy customers into happy ones.

You will also want a solution that provides privacy expertise, cost certainty and efficient online processing. Our solution checks all of these boxes: it processes several thousand consumer complaints each year and helps thousands of customers maintain privacy compliance. It is included in most of our certification offerings and can also be selected as a standalone solution. If you need to meet the ADR requirements of Privacy Shield, or are simply interested in improving your customer experience, you’ll want to learn more about TRUSTe Dispute Resolution.


  1. TRUSTe collects the customer’s privacy notice, against which complaints will be assessed, and loads it into the Data Privacy Management Platform.
  2. TRUSTe verifies that the customer has posted the required information about, and provided access to, TRUSTe Dispute Resolution.
  3. A consumer must first contact the company. If there is no response, or the response is unsatisfactory, the individual can file a complaint through TRUSTe.
  4. Complaints can be submitted online, identifying the disputed URL or company name. TRUSTe will respond to the individual within 10 days of receiving the complaint.
  5. TRUSTe reviews the complaint and, where it is valid, privacy-related and cannot be resolved through consumer education, forwards it to the company for resolution. The company has 10 business days to respond to the consumer.
  6. TRUSTe then sends a notice of its determination and indicates that it has closed the Dispute Resolution complaint. The consumer (complainant) or the customer has 14 calendar days to file an appeal.



Aug 17 2016

HIPAA Turns 20

By Margaret Alston, Senior Privacy Consultant

Among the fanfare for the 20th birthday of the Health Insurance Portability and Accountability Act (HIPAA), we have also seen the largest HIPAA settlement to date ($5.55 million), laid at the feet of Advocate Health Care. That case came on the heels of two July 2016 settlements: $2.75 million with the University of Mississippi Medical Center, and $2.7 million with Oregon Health & Science University. With mandatory breach notification in force for the past 7 years, HIPAA compliance risk exposure has increased and HIPAA enforcement is on the rise.

The Federal Trade Commission is paying attention to security as well. In addition to enforcement actions that point to security promises, the FTC has published security guidance – lessons learned from enforcement actions, if you will. Moreover, even without regulator oversight, the possibility of a data breach brings with it a complex set of state laws and the costs associated with notification and possible litigation.

Another trend is the increased responsibility of vendors to health organizations. As enforcement rises and health care organizations become more sophisticated about HIPAA, these “covered entities” under HIPAA expect more from their vendors, most of whom qualify as Business Associates under HIPAA. In turn, Business Associates are required to sign up for HIPAA obligations in a Business Associate Agreement, and then live up to those responsibilities, with both direct regulatory compliance risk and liability to the covered entities they support. Early in the life of HIPAA, before the amendments under HITECH in 2009, healthcare organizations may have been more concerned with their own HIPAA compliance than with their vendors’ compliance; now vendors are asked more in-depth questions about how they comply.

With this in mind, the HIPAA anniversary is a great reminder that the security risk assessments and the strong privacy and security programs that HIPAA requires are more important to today’s healthcare businesses and their vendors, not less. In fact, as part of its settlement, Advocate Health Care has agreed to conduct a complete risk assessment and present security plans to HHS for approval. It makes sense, then, that organizations that handle sensitive personal information – such as Protected Health Information (PHI) – would take the same measures on their own.

A first step can be a HIPAA Health Check: a high-level gap analysis of current practices and documentation against HIPAA privacy, security and breach notification requirements. The purpose of this Health Check is to identify areas in which major program components are either not adequately documented or may not exist at all. From this high-level gap analysis, an organization can decide how to prioritize and address the gaps in a reasonable and thoughtful way.

With over 10 significant settlements year to date and the commencement of the Phase 2 HIPAA Audit program, which reviews both covered entities and business associates, the 20th year of HIPAA brings with it increasing security and privacy focus and expectations. Fortunately, there are also more resources available to organizations that wish to double down on their compliance and security stance.




Aug 16 2016

Over 500 Companies Working with TRUSTe to Comply with EU-U.S. Privacy Shield

TRUSTe announced today that it is working with over 500 companies to assess and verify compliance with the new requirements of the EU-U.S. Privacy Shield and to provide dispute resolution services. To meet the spike in demand since the Department of Commerce (DOC) started accepting submissions on August 1st, TRUSTe is using Assessment Manager, its award-winning technology platform, to streamline the comprehensive assessment and remediation process companies must complete.

The EU-U.S. Privacy Shield is the new international data transfer framework finalized in July to replace Safe Harbor. The new framework requires that companies meet stronger obligations to protect the personal data of Europeans and introduces stronger monitoring and enforcement by the US Department of Commerce (DOC) and the Federal Trade Commission (FTC).

The framework gives all companies self-certifying by September 30 a nine-month ‘grace period’ to bring their third-party contracts into compliance. TRUSTe’s privacy assessment technology streamlines and documents the process, enabling hundreds of companies to get ahead of the pack and self-certify before that date.

Chris Babel CEO, TRUSTe said: “Privacy Shield has created an equivalent of tax season for privacy as hundreds of companies want to benefit from the new Privacy Shield framework and simplify their EU data transfer compliance.

“Our Assessment Manager platform enables us to scale to meet this unprecedented demand and we have started the assessment process with over 500 companies in the last few weeks. After months of negotiations between the U.S. and the EU the volume of companies taking part shows the extent of interest and momentum in the new framework”.

Perry Pappas, SVP, General Counsel and Chief Compliance Officer at WorkWave LLC, stated:

“At WorkWave protecting the privacy and confidential information of our clients is of the utmost importance. We have found TRUSTe to be an excellent resource in guiding us through what can be a complex area. TRUSTe provides a streamlined roadmap and process toward certification, their Assessment Manager tool is collaborative and easy to use, and their team is extremely responsive and helpful, from sales through to privacy solutions implementation.”

“At Aria Systems, protecting critical customer data is paramount,” said Jim Alexander, SVP of Customer Operations and Technology, Aria Systems. “Aria is partnering with TRUSTe to verify strict compliance to the EU-US Privacy Shield and our adherence to a broader spectrum of privacy and security standards that provide the utmost in protection for our customers and their consumers.”

For more information on TRUSTe’s EU-U.S. Privacy Shield solution packages, call 1-888-878-7830.

Aug 15 2016

Ten Reasons to Implement the EU-U.S. Privacy Shield


Hilary Wandall, General Counsel & Chief Data Governance Officer at TRUSTe, summarizes the top 10 reasons to implement the new EU-U.S. Privacy Shield even if you’ve implemented, or have been working on implementing, Model Contractual Clauses (MCCs).

At TRUSTe, we have nearly 20 years of experience working with thousands of companies to assess their privacy practices, and with many others to verify their compliance with regulatory frameworks like the APEC CBPR system and the former U.S.-EU Safe Harbor. This work has taught us that there are a number of legal, compliance and business benefits to implementing a comprehensive privacy program to manage international data transfers, versus a transactional approach to transfers using MCCs. Below is a list of the top 10 reasons for organizations to self-certify their adherence to the EU-U.S. Privacy Shield:

  1. Speed – Unlike transfers on the basis of MCCs, transfers on the basis of Privacy Shield do not require prior authorization from, or notification to, 65% of EU data protection authorities, a step that can delay a project relying on MCCs for data transfers by weeks to months.
  2. Less paperwork – While organizations must stand ready to demonstrate compliance with both Privacy Shield and MCCs, transfers on the basis of Privacy Shield do not require updates to, and new signatures on, contractual clauses each time a business process or data flow changes.
  3. Better recourse options – Instead of limiting individuals to bringing legal claims for breach of the MCCs, Privacy Shield gives individuals the opportunity to raise concerns directly with the certified organization, with independent dispute resolution providers like TRUSTe, and through new options such as the independent arbitration panel and the ombudsperson.
  4. Executive support – Like its predecessor, Privacy Shield drives corporate sponsorship of privacy programs by requiring a corporate officer of the certifying organization to:
    1. annually sign a statement verifying the company’s self-assessment of compliance, if compliance verification is done in house; and
    2. sign a self-certification submission annually, subject to criminal enforcement under the U.S. False Statements Act for compliance misrepresentations, including a persistent failure to comply.
  5. Sustainability – Since it requires annual compliance verification and self-certification, Privacy Shield drives ongoing organizational engagement to demonstrate compliance better than MCCs, which may sit in organizational filing cabinets once signed.
  6. Risk of existing MCC invalidation – Since the ECJ’s Schrems decision of 2015, the EU adequacy decisions regarding certain MCCs have been called into question. At the end of May 2016, the Irish Office of the Data Protection Commissioner applied to the Irish High Court for a referral to the ECJ to determine the legal status of data transfers under the MCCs. Privacy Shield certification mitigates the risk of data transfers based on existing MCCs being invalidated overnight, as happened with the U.S.-EU Safe Harbor.
  7. APEC CBPR readiness – The governance and privacy principles necessary to comply with Privacy Shield are similar to the requirements for APEC CBPR certification. Organizations that operate in APEC member economies can leverage their Privacy Shield compliance to demonstrate readiness for APEC CBPR certification.
  8. EU BCR readiness – The principles necessary to comply with Privacy Shield are similar to the data protection safeguards necessary for organizations seeking EU BCR approval. Organizations interested in EU BCR approval can leverage their Privacy Shield compliance as a starting point for their binding corporate rules, which will also require the establishment of additional accountability, program governance and enforceability mechanisms.
  9. EU GDPR readiness – The principles necessary to comply with Privacy Shield are similar to many of the data protection safeguards necessary for GDPR compliance. Organizations that operate or do business in the EU can leverage their Privacy Shield compliance as a starting point for the additional obligations they will have under GDPR, such as additional accountability and program governance, broader individual rights, privacy by design and by default, PIAs and breach notification.
  10. Adequacy readiness – In our policy and regulatory affairs work around the globe, we often hear “adequacy” referred to as the gold standard for privacy and data protection compliance. Since Privacy Shield is the first of the next-generation adequacy frameworks determined to provide adequacy post-Schrems, we believe it provides organizations with the best readiness assessment currently available for future data transfer adequacy requirements, such as transparency regarding government access, accountability for onward transfers and broad mechanisms for individual recourse.

For more information about TRUSTe’s Privacy Shield solutions, call 1-888-878-7830.

Aug 03 2016

Benefit of Early Privacy Shield Adoption

On August 1, 2016 the U.S. Department of Commerce (DOC) started accepting self-certifications of compliance with the Privacy Shield Principles. A number of companies have already started the process of self-certifying with the DOC to take advantage of the grace period offered to early adopters of the Principles for getting their contracts with third parties updated.

The grace period works like this: if a company self-certifies to Privacy Shield within the first two months of the DOC accepting certifications (August 1 – September 30), it is given an additional nine (9) months to update its contracts with third parties to meet Privacy Shield requirements. So if a company certifies to Privacy Shield on September 1st, it has nine (9) months from that date to update its third-party contracts. During that time, the Notice and Choice Principles still apply to transfers to third parties. The grace period applies only to the Accountability for Onward Transfer Principle; the company must be in full compliance with the remaining Principles in order to self-certify.

Companies self-certifying Privacy Shield compliance with the DOC after September 30th will need to be in full compliance with all the Principles, including Accountability for Onward Transfer, and must be able to provide a copy of the privacy provisions in their contracts to the DOC upon request. In other words, a company must have all its ducks in a row (including updated contracts) before it self-certifies.

For more information on TRUSTe’s Privacy Shield Solutions, visit EU-U.S. Privacy Shield Solutions or call 1-888-878-7830.

Aug 01 2016

Leading Chief Privacy Officer Hilary Wandall Joins TRUSTe


TRUSTe is thrilled to announce that Hilary Wandall, Associate Vice President, Compliance and Chief Privacy Officer at the global pharmaceutical company Merck & Co. Inc., has joined TRUSTe as General Counsel and Chief Data Governance Officer. In this role, Hilary will use her extensive global privacy knowledge and operational experience to help TRUSTe further expand its market-leading privacy technology and service offerings. She will be a member of the TRUSTe Executive Team and will also direct strategic legal, regulatory and privacy-related initiatives to help TRUSTe scale its internal business operations.

In 22 years at Merck, Hilary served as Chief Privacy Officer for the past 12. During that time, she led the development and continuous improvement of a world-class privacy program supporting Merck’s ongoing global business development, including a worldwide corporate merger, while concurrently holding complementary roles as a corporate attorney and then as a compliance officer. She led Merck’s initiative to become the first health care company, and second multinational, to achieve APEC Cross Border Privacy Rules (CBPR) certification, and the first company to achieve CBPR certification of its entire privacy program. Earlier this year, she completed a follow-on project for Merck to become the first company to demonstrate EU-APEC privacy interoperability in practice, by obtaining EU Binding Corporate Rules (BCR) approval based on an existing APEC CBPR-certified program.

As Associate Vice President, Compliance and Chief Privacy Officer, Hilary also developed and implemented a quantitative privacy risk management program integrated with a global automated privacy impact assessment, and designed and led the global implementation of a novel comprehensive compliance program for the worldwide animal health business. Since 2014, Hilary has served on the Executive Committee of the Board of Directors of the International Association of Privacy Professionals, and in 2016 she was elected Board Chairman.

Trevor Hughes, President and CEO of the International Association of Privacy Professionals (IAPP), recognized Hilary’s privacy experience, saying: “There are few people in the world who share such depth and breadth in the field of privacy. Hilary Wandall has brought innovation and leadership to the profession, and will undoubtedly continue her record of success going forward.”

Jules Polonetsky, CEO, Future of Privacy Forum, said: “Hilary is one of the most respected figures in the privacy community, as a leader in corporate compliance as well as a trusted advisor for policymakers and regulators. TRUSTe has really pulled off a coup in bringing her into a leadership role at the organization.”

Commenting on her new appointment, Hilary Wandall said:

“TRUSTe has been an exceptional partner in developing innovative solutions for bridging technology and policy to manage privacy effectively on a global scale. I am delighted to join the TRUSTe team at this pivotal time to help develop innovative solutions to address the increasingly complex legal, regulatory and data risk management challenges that privacy and data protection stakeholders are facing around the world.”

Hilary holds a Juris Doctor and a Master of Business Administration from Temple University, a Master of Bioethics from the University of Pennsylvania and a Bachelor of Science in Biology from Moravian College.


Jul 29 2016

APEC Cross Border Privacy Rules Advancing in Asia

Over the last three weeks, privacy-focused events in China, South Korea and Singapore have highlighted the growing momentum of APEC’s Cross Border Privacy Rules (CBPR) system in the region.

  • On June 29, China’s Ministry of Commerce, Foreign Ministry, General Administration of Customs and the China International Electronic Commerce Centre (CIECC) hosted the 6th APEC E-Commerce Business Alliance (ECBA) Forum in Jinjiang, Fujian province, China. The U.S. representatives to the ECBA are TRUSTe’s Director of Policy, Josh Harris; Markus Heyder, Vice-President of the Centre for Information Policy Leadership; and Manuel Maisog, partner at Hunton & Williams, Beijing. In his keynote address, APEC Secretariat Executive Director Alan Bollard emphasized the regional economic benefits of the free flow of data and encouraged the government officials in attendance to join the CBPR system. At the close of the forum, the ECBA released the Jinjiang Proposal, drafted by ECBA members, which encouraged all APEC economies to participate in the CBPR system.
  • On July 13, the Korea Internet and Security Agency (KISA) hosted the 5th International Conference on Information Security in Seoul, South Korea, where TRUSTe Policy Director Josh Harris and Professor Choi Kyoung Jin of Gachon University discussed the potential implementation of the CBPR system in South Korea.
  • On July 18, the Centre for Information Policy Leadership and the Asia-Pacific Economic Cooperation hosted a joint workshop, “Enabling Legal Compliance and Cross-Border Data Transfers with the APEC Cross-Border Privacy Rules (CBPR)”, in Singapore. CBPR-certified companies, including Apple, Cisco, HP and Merck, along with TRUSTe, joined Singapore’s Assistant Privacy Commissioner Zee Kin Yeong in discussing the advancement of the regional system.
  • Finally, on July 19, the International Association of Privacy Professionals hosted the IAPP Asia Privacy Forum 2016 in Singapore. Panel discussions included “Preparing for and Executing CBPRs”, moderated by Ken Chia, Principal, Baker & McKenzie. Panelists included Grace Guinto, Digital Trust Manager at PwC, Australia, Professor Hiroshi Miyashita, Chuo University and New Zealand Assistant Privacy Commissioner Blair Stewart.

The increased focus on CBPRs in Asia comes as Japan recently put forward JIPDEC as the country’s first ‘Accountability Agent’ under the CBPR system. Japan’s Ministry of Economy, Trade and Industry has confirmed that CBPR certification will serve as a basis for the transfer of personal data out of Japan under the implementing guidelines for Japan’s recently reformed privacy law. TRUSTe has been an APEC-endorsed Accountability Agent since 2013. More information on CBPRs can be found at


Jul 12 2016

TRUSTe Announces Comprehensive Set of Privacy Shield Solutions


Following the formal adoption today of the EU-U.S. Privacy Shield, TRUSTe has announced a full set of solutions for companies to address the assessment, verification and dispute resolution requirements of the new framework. TRUSTe will help companies review their compliance with the new Privacy Shield principles for transfers of customer and HR data out of the EU, prior to self-certification with the Department of Commerce. Companies choosing to use TRUSTe technology for handling customer disputes will be entitled to display a new “Powered by TRUSTe – Privacy Feedback Button”.

The EU-U.S. Privacy Shield is the new international data transfer framework, published in February, that replaces Safe Harbor. The new framework requires that companies meet stronger obligations to protect the personal data of Europeans and introduces stronger monitoring and enforcement by the US Department of Commerce (DOC) and the Federal Trade Commission (FTC). TRUSTe will amend its certification standards to reflect the changes. The Department of Commerce is expected to start accepting submissions to the program from August 1.

TRUSTe Solutions for EU-U.S. Privacy Shield

TRUSTe is offering three separate packages to support companies in assessing and verifying that their data protection practices comply with the Privacy Shield principles ahead of self-certification with the U.S. Department of Commerce. The Assessment Package and the Verification Package can cover customer data, HR/employee data or both.

In addition, TRUSTe provides a Dispute Resolution Package, which helps companies to efficiently manage privacy inquiries from customers, and addresses the dispute handling requirements of the EU-U.S. Privacy Shield Framework.

Companies that use TRUSTe technology and tools to manage privacy-related questions or concerns will be entitled to display the new “Powered by TRUSTe Privacy Feedback Button” on their digital Privacy Policy page; the button links to a mechanism for consumers to submit questions or feedback.


The TRUSTe assessment and verification solutions for EU-U.S. Privacy Shield are managed by a team of privacy professionals using our proprietary assessment methodology and are powered by TRUSTe Assessment Manager. This award-winning SaaS-based privacy technology platform provides interactive compliance reviews, centralized on-demand reporting and searchable audit trails.

For more information on TRUSTe’s EU-U.S. Privacy Shield solutions, call 1-888-878-7830.


