Dec 01 2016

EU General Data Protection Regulation (GDPR) Series; Build Consensus

GDPR-Guide

For organizations that operate globally, complying with the EU GDPR will likely require significant investment in personnel, process change, and new tools.  In order to meet the compliance deadline, companies are actively preparing now. TRUSTe has developed a four phase process to help guide you on the path to compliance.  During November and December we will provide you with a series of tips to use along your path to compliance.

See Tip No. 2: When Developing a Plan, Consider Risk and Level of Effort

TIP NO. 3: Build Consensus for GDPR Compliance by sharing Business Case for Investing

Approach this process like building any business requirements case by developing a narrative that shows the pros and cons of this investment. You should use these key messaging strategies to establish a compelling story for your GDPR Awareness Campaign. The following examples can be used to get started on making your case:

The GDPR Impacts our Company…Posing Threats and Opportunities

  • Make a list of organizational risks, fines & penalties, and regulatory trends
    • Be sure to include that GDPR non-compliance fines may reach up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding year, (whichever is higher)
  • Find examples of what non-compliance would do to your brand in terms of loss of goodwill and general brand damage
  • Show that companies using a strong privacy posture have a competitive advantage – or conversely, how not being GDPR compliant could put you at a competitive disadvantage with clients who expect GDPR compliance

Our Company Has Compliance Gaps That Require Remediation

  • Use your initial GDPR Readiness Assessment results with identified gaps and risks to show where remediation is needed
  • Illustrate gaps with internal history of privacy breaches, regulatory inquiries, or enforcement – either within your company or your industry

Our GDPR Compliance Program Will Require New Investments

  • Illustrate this point with benchmark reports / infographics depicting GDPR risk and action by competitors
  • Be specific – use results of your gap analysis. Include training, PIAs, and policy reviews / changes
  • Include a proposed project overview with timeline, methodology, and metrics

Next week we will provide tips on how to use the business case you’ve created to execute an awareness campaign within your organization, and further build consensus.

If you need support in securing organizational stakeholders’ buy-in, TRUSTe offers a GDPR Workshop, which is the last phase in our GDPR Priorities Assessment. Our expert privacy consultants will review your readiness assessment and plan on site, custom tailored to your organization’s needs. Contact us for more information.

 

Nov 28 2016

Why Companies Need a Privacy Partner

kroyal

K Royal, CIPP/US, CIPP/E, Sr. Privacy Consultant

Companies need a privacy partner, not just a privacy consultant. This is a concept that I have learned with our clients while being a part of the consulting team at TRUSTe. Having been a privacy officer (both as an attorney and a non-attorney) in several industries – healthcare, medical devices, emerging technology and with clients ranging from local government to national, from financial to education in the global realm and specifically within the US sectors – I cannot say that I have seen it all, but I have seen a whole lot of it. No one person can possibly be an expert in all areas of privacy/data protection. However, at TRUSTe we have a team, tools and methodology that can, and that is what is critical to our customers.

Companies need a privacy partner. They need a team that can not only can assess them for the European Union (“EU”) General Data Protection Regulation (“GDPR”) readiness, but can also review their EU/US Privacy Shield compliance needs or review cross border transfer mechanisms in general, such as Binding Corporate Rules (“BCRs”) or Cross Border Privacy Rules (“CBPRs”) in the Asia Pacific. And then, map that to their GDPR requirements or even further, to their HIPAA compliance in the US and even support framework questions, whether HiTrust, the International Organization for Standardization (“ISO”), or the National Institute of Standards and Technology (“NIST”) – or other framework. Further, a privacy partner can review the legal requirements, assess policy application, understand implementation constraints and flexibility, and adjust approach based on client expectations, level of maturity, industry standing, and future considerations.

Being able to partner in this way with companies is a professionally satisfying experience. Every client is different and requires a different set of knowledge, skills, and mindset. At times clients may come to us with one need – to assess Privacy Shield readiness (and over 500 companies have approached TRUSTe for this), but realize during that time that they have multiple needs that are identified and have not been addressed or they simply click with the team and TRUSTe approach and engage us as a partner in several more areas. In that case, are we a serial partner?

I have found that typically we become an ongoing privacy partner. Perhaps we start by building a Privacy Impact Assessment (“PIA”) for EU data use, and then expand that assessment to PIAs for other areas, such as HIPAA in the US, or other geographic-specific needs. It is made possible by keeping the needs of the customer in mind – sure, we’re only building a PIA for HIPAA, but if we add in certain gating questions, then you can use one initial PIA to divert to specific PIAs based on region (or even down to a state) and the personal information involved. We have the technical expertise to build that into the process.

And it’s not all about people. TRUSTe tools make it easier for me to do my job. I also get to help design some of the tools given my industry knowledge. For example, most companies desperately need a data inventory done – we can do it. Also, companies will insist to me that they have no unnecessary cookies on their websites – we can run a test for cookies. But beyond that, companies can use our technology to enhance their own capabilities, such as using our Assessment Manager platform to run their Privacy Impact Assessments (which are required under several privacy regimes).

The really valuable aspect from all of this is that we are not about a single consultant, we are TRUSTe. I have little experience in FERPA, but if the customer I am working with has a FERPA element, I can tap a colleague. As a partner, we engage in frank conversations with the company and truly function as a partner, not as a generic consultant. We have your best interests at heart and look to develop that ongoing relationship that works to your benefit.

Why do companies need a privacy partner? To serve in an ongoing role that tackles the heavy lifting, listens carefully, provides a heads up on overlapping issues in order to fill several requirements with one action, watches for duplication, foresees possibilities for expansion, and is open and frank in addressing who you are as a company, with your needs, constraints, flexibility, timing, maturing, standing, and drivers. We’re not selling you a product (although we can); we are offering you a cost-effective, widely experienced, highly efficient, privacy partner.

 

Nov 23 2016

Cross Border Privacy Rules: Uptake Increases as Heads of State Affirm Commitment

apec_logo

On November 20, the Heads of State for the 21 APEC member economies met in Lima, Peru at the annual APEC Leaders’ meeting.  In their Joint Declaration, APEC Leaders once again recognized “the importance of implementing the APEC Cross-Border Privacy Rules (CBPR) System, a voluntary mechanism whose participants seek to increase the number of economies, companies, and accountability agents that participate in the CBPR System.”  During his press conference in Lima, President Obama specifically called out the group’s endorsement as a way to advance the digital economy and “to protect the privacy of personal information as it crosses borders.”

High-level recognition of and commitment to the CBPR system comes as more APEC economies formulate plans to join.  Last week, Chinese Taipei announced its intention to join the system.  And in a recent readiness survey released in October by the Government of Vietnam, South Korea and the Philippines both indicated they intend to join the system.

For their part, Japan, who joined the system last year, has been finalizing regulations to implement their new data protection law.  The Government of Japan has indicated that it will specifically name the CBPRs as an approved transfer mechanism for data out of Japan.  These regulations are expected to be released by the end of this year.   More information on CBPRs and related trade initiatives can be found on the White House’s APEC outcomes fact sheet.

The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers. TRUSTe was named the first accountability agent for the system in June 2013. Learn more about obtaining a TRUSTe CBPR certification here.

Nov 18 2016

TRUSTe Blog Top Ranked

Cyber Security 50 transparent_1000x1000px

The TRUSTe blog has been named one of the top blogs for the cyber security industry, based on the following criteria:

  • Google reputation and Google search ranking
  • Influence and popularity on Facebook, Twitter and other social media sites
  • Quality and consistency of posts
  • Feedspot’s editorial team and expert review

Thank you for visiting our blog and sharing our  posts via Facebook, Twitter, and LinkedIn. If you would like to see the complete list of blogs, you can find the list here.

Nov 14 2016

EU General Data Protection Regulation (GDPR) Series; Develop a Plan

 

GDPR-Guide

For organizations that operate globally, complying with the EU GDPR will likely require significant investment in personnel, process change, and new tools.  In order to meet the compliance deadline, companies are actively preparing now. TRUSTe has developed a four phase process to help guide you on the path to compliance.  During November and December we will provide you with a series of tips to use along your path to compliance.

See Tip No. 1: Assess Readiness

TIP NO. 2: When Developing a Plan, Consider Risk and Level of Effort

See Tip No. 3: Build Consensus for GDPR Compliance by sharing Business Case for Investing

Now that the readiness assessment is complete, it is time to conduct a detailed gap analysis and build a plan to address any issues. The items should be prioritized based upon risk and level of effort.

For example, creating a privacy audit program would have both a high risk level and a high level of effort. Building a privacy notice format would have a low risk level and a low level of effort. This chart below provides additional examples:

Screen Shot 2016-11-14 at 8.34.51 AM

Image by TRUSTe

Once your Gap Assessment and Risk Analysis are complete, you can build a project plan for each functional area within the business, along with a timeline for completion. Whatever your team decides, the plan also needs to account for the unexpected. Invest time up front to perform the proper analysis and planning, so that you can be confident your company’s GDPR Compliance Program will efficiently and effectively mitigate risk while meeting business objectives.

Next week we will provide tips on building consensus in your organization.

TRUSTe provides informational resources to help you develop your organization’s GDPR plan.  When guides aren’t enough, some organizations use outside consultants who have significant in-house experience building complex privacy programs such as the GDPR to help with the project planning process outlined above. TRUSTe’s privacy consultants can work with you to conduct the entire process through the GDPR Priorities Assessment.  TRUSTe’s privacy consultants leverage the power of the Assessment Manager technology platform to guide the GDPR assessment workflow process and track the company’s progress against GDPR requirements.

 

 

Nov 10 2016

Majority of Companies Actively Preparing for EU GDPR

A new benchmarking study by IAPP & TRUSTe is available: Preparing for the GDPR: DPOs, PIAs, and Data Mapping. Contrary to many mainstream media reports that indicate a lack of GDPR awareness, more than 90% of organizations have begun preparing for GDPR compliance.

Key Takeaways

  • Over 90% of survey respondents have at least begun preparations for GDPR compliance.
  • EU companies are further along the compliance path with 67% reporting their implementation is underway or completed vs. 42% for the US.
  • 43% of companies report they already conduct data inventory and mapping projects, and another 30% are planning to do so in the next 12 months.  
  • 71% of organizations are currently conducting Data Privacy Impact Assessments.  

Results

Over 73% of respondents have customers or employees in the EU, and 68% stated that their organization must meet GDPR requirements. This result shows how the GDPR has a broad reach and encompasses companies of all sizes and locations. Most companies, over 90%, have begun to prepare which demonstrates that privacy professionals are taking these new requirements seriously. 

Roughly 80% of survey respondents interpreted the GDPR as requiring their organization to appoint a DPO (additional guidance on this requirement is expected to arrive in December). Although conducting privacy assessments is also a requirement under GDPR, many organizations already conduct them as part of their privacy program. The importance of conducting these assessments is illustrated by the fact that 78% of organizations that report the GDPR will not even apply to them still conduct privacy assessments. The following bar chart shows motivations for conducting privacy assessments:

Screen Shot 2016-11-09 at 9.25.49 AM

Image by IAPP & TRUSTe

To complete these assessments, companies are using a mixture of technology plus manual processes. Fewer organizations engage in routine data inventory and mapping for privacy management purposes, and their reasons are shown in the chart below.

Screen Shot 2016-11-09 at 9.31.38 AM

Image by IAPP & TRUSTe

Background

The study included a broad cross section of organizations in the US, EU, Canada, and other jurisdictions such as Asia and the Middle East. Companies of all sizes are represented, ranging from below 1,000 employees to more than 25,000 employees. Industries ranged from software and services to government offices and health care.

Companies gave feedback on overall preparations for the GDPR, along with actions taken on key components including assigning a Data Protection Officer, understanding where and how personal data is used within their organization, and conducting Data Privacy Impact Assessments.    

Download full Study here.

Organizations of all sizes and geographic locations are preparing to meet GDPR requirements. Chances are your organization also has to meet these requirements, so preparations should have started already. TRUSTe has a range of solutions to help you plan and comply with the GDPR: LEARN MORE.

Nov 08 2016

Visit TRUSTe at the IAPP Data Protection Congress in Brussels

IAPP europe

At this week’s IAPP Europe Data Protection Congress, TRUSTe will be at Booth #22 in the exhibit hall showcasing solutions that can help with meeting GDPR requirements. Stop by to receive a demo of our PIA Automation tool and Data Inventory & Mapping solution. Eleanor Treharne-Jones, CIPP/E will also be speaking about two different topics during the conference.

In her first session, Eleanor will speak alongside American Express and eBay on Nov 9th at 16:15 for “The Evolution of PIA Best Practices”. They will evaluate the factors that have helped PIAs evolve, including guidance from various regulatory authorities and companies looking to innovate. Additionally, they will discuss key differences between risk based PIAs and goal based PIAs, as well as how the content of a PIA is driven by a company’s core business. Benchmarking and case studies of how global companies are approaching this topic will also be included.

On November 10th Eleanor will speak alongside Hunton & Williams at 13:30 on “Addressing Risky Processing Under the GDPR: A Practical Approach”. They will share information on risk-based obligations under the GDPR: controller accountability, the role of the DPO, data protection by design, DPIAs, data security, and breach notification. Attending this session will provide clarity around understanding EU data protection and risk assessments.

TRUSTe has several solutions that can help with meeting GDPR requirements. If you cannot make it to the show or don’t get a chance to stop by for a demo, contact us.

Nov 03 2016

EU General Data Protection Regulation (GDPR) Series; Assess Readiness

GDPR-Guide

For organizations that operate globally, complying with the EU GDPR will likely require significant investment in personnel, process change, and new tools.  In order to meet the compliance deadline, companies are actively preparing now. TRUSTe has developed a four phase process to help guide you on the path to compliance.  During November and December we will provide you with a series of tips to use along your path to compliance.

TIP NO. 1: Understand Current Compliance Posture

See Tip No. 2: When Developing a Plan, Consider Risk and Level of Effort

Before beginning to evaluate your organization’s privacy posture against these requirements, check to see whether the GDPR applies to your organization. Speak with knowledgeable people from across your organization to see whether your organization offers goods or services to EU residents, monitors behavior of EU residents, or has employees in the EU. Some departments to speak with are human resources, marketing, procurement, website development, information security, engineering, and legal.

After concluding the GDPR applies to your organization, the first step is assessing readiness. Before you can develop a plan, you need a high level understanding of your current compliance posture. Review a comprehensive list of the requirements using a controls checklist, one that you build yourself, or take advantage of a free easy-to-use online GDPR readiness assessment tool. Whatever tool you use, include the following areas:

  • Transparency (i.e., Privacy Policy)
  • Collection and Purpose Limitation
  • Consent
  • Data Quality
  • Privacy Program Management
  • Security in the Context of Privacy
  • Data Breach Readiness and Response
  • Individual Rights & Remedies

Looking at current operations against new GDPR requirements will allow your team to get a general idea of how much work needs to be done. With the deadline for 2017 budgets fast approaching (or past due), estimate how much budget should be allocated to privacy initiatives such as GDPR compliance as soon as possible. Not only will this assessment provide help determining budget, it will also help see which departments may be impacted the most. Engaging stakeholders from those departments early on in the program will help with the next phases.

Next week we will provide tips on developing a plan. If you would like to learn more about TRUSTe GDPR Readiness Assessment or other GDPR solutions, contact us.

Older posts «