Preparing for New Breach Notification Requirements in Canada

In these times of uncertainty regarding privacy must-dos (read GDPR and Privacy Shield), Canada offers us another set of rules to prepare for in the Digital Privacy Act. Passed in June 2015, much of the Digital Privacy Act is already defined and in place. One main component though, the breach notification rule, is under consultation and still somewhat of an unknown. Despite some level of uncertainty, it is still possible to prepare for compliance.

The April TRUSTe Client Advisory Note was prepared by Margaret Alston CIPP/G/C/M from the TRUSTe Privacy Consulting Group and reviews the key changes in the Act which include:

  • Definition of “valid consent.”
  • Compliance Agreements as an enforcement option for Commissioners
  • Broadening of allowable public disclosures by the Commissioner
  • Scope of PIPEDA – including but not limited to the exclusion of business contact information
  • Exceptions to consent requirements, such as for fraud prevention purposes
  • Extension of time limits for court applications from 45 days to 1 year
  • Breach notification, reporting, and record keeping (not yet in effect)

The Advisory then covers in more detail how companies can prepare now for the new data breach notification changes.

If you would like to review this latest Client Advisory Note then look out for your copy on e-mail today or contact TRUSTe on 1-888-878-7830.



Privacy Shield Moves to Next Phase of European Regulatory Approval While Article 29 WP Calls for Improvements

Today the European Data Protection Authorities (the Article 29 Working Party) published their official opinion on the proposed adequacy decision by the European Commission on the EU-U.S. Privacy Shield. The opinion acknowledges the improvements in the new framework but asks for clarification in a number of areas to address their ongoing concerns.

The opinion is not binding but is an important step in the approval process for the new international data transfer framework published in February to replace Safe Harbor. The EU-U.S. Privacy Shield framework is the product of two years of intensive negotiations and represents the commitment of the EU and the U.S. Government to securing the vital transatlantic data flows which are such an integral part of the information economy.

Path to EU Regulatory Approval

Before the Framework can come into effect a draft adequacy decision from the European Commission must be approved by a European “comitology” procedure, which involves (i) insight from the Article 29 Working Party, (ii) a binding opinion from the EU Member State representatives, and (iii) formal adoption of the adequacy decision by the EU College of Commissioners.

Article 29’s opinion recognizes the significant improvements in the new Privacy Shield arrangement, but remains concerned that it does not go far enough to align with EU privacy law. The opinion asked for clarification in a number of areas, including in relation to ongoing concerns around national security. As a result, regulators were not yet in a position to confirm that the current draft adequacy decision ensures a level of protection that is essentially equivalent to that in the EU.

While the opinion of the Article 29 Working Party is important it is not binding, and the European Commission is now in a position to proceed with the adoption of a comitology Commission decision based on Article 25.6 of the Directive. The next step in the adoption process is a review and issuance of a binding opinion by the Article 31 Committee made up of representatives from the EU Member States. It is anticipated that this final approval process will be completed by June 2016.

How can TRUSTe help?

While regulatory review of the Privacy Shield is underway, TRUSTe continues to provide guidance to companies as they analyze the Privacy Shield principles in light of their own data flows and data protection practices.

Find out more on our website here or contact us for further details on 1-888-878-7830.




Managing Information Security Risks – New Assessment Template Available
You can’t have privacy without investing in information security. Personal data breaches cause harm to the individual, damage to reputation, and erosion of customer trust. They are also the number one cause of regulator attention, fines and investigations.

Today, TRUSTe released a further template for its Assessment Manager, in addition to the suite of privacy management templates already available. The template addresses information security issues and is based on the requirements of ISO/IEC 27001:2013, and utilizes that framework to increase security management and management assurance. In addition, our experienced consultants have added a series of recommended actions to help businesses implement the standard effectively.

ISO/IEC 27001:2013 is the de facto international information security management standard, designed for businesses that want to create a governance framework surrounding information security that ensures appropriate risk management and sustainable continual improvement. Its methodology is designed to allow both for adoption as a governance framework to establish, implement, operate, monitor and improve security, and for businesses that require external third party accredited certification. The standard is increasingly used in bids and tenders, and as a basis to evaluate suppliers and vendors.

If you need to achieve ISO 27001 compliance, or simply want to adopt or assess yourself against the best practice security management framework, enquire about TRUSTe’s Assessment Manager here.



IAPP & TRUSTe Partner to Offer New GDPR Assessment Solution

The EU General Data Protection Regulation (GDPR) introduces strict new requirements for all companies that do business in Europe, whether located there or not, and is backed by potential fines of up to 4% of global revenue or €20 million. Recent research found that 43% of companies were looking for privacy technology solutions to help them comply with the GDPR and a third (33%) were looking for help in assessing their corporate risk exposure.

Today, the IAPP and TRUSTe launched a new comprehensive online assessment tool to help companies prepare to meet the requirements of the new European General Data Protection Regulation (GDPR). The IAPP GDPR Readiness Assessment is powered by TRUSTe Assessment Manager and available for free to IAPP’s 25,000 global members.

Announcing the new solution at the Global Privacy Summit 2016, IAPP President and CEO J. Trevor Hughes, CIPP, said:

“It is time to get to work on the tough tasks of understanding and, eventually, complying with the GDPR. Every company doing business in the European Union has some challenges ahead. This tool will help companies understand those challenges.”

The IAPP GDPR Readiness Assessment is available via a special single user version of TRUSTe Assessment Manager created for IAPP members. The assessment consists of more than 60 questions mapped to key requirements of the GDPR. On completion of the assessment, users will be provided with a gap analysis report summarizing their responses along with recommended remediation steps for any areas that are not consistent with the GDPR requirements.

The GDPR Readiness Assessment is easy to implement, with no software to download. IAPP members can activate their free account at iapp.org/truste-gdpr or visit the TRUSTe Booth (#36) at the IAPP Global Privacy Summit for a demo and to speak with one of our privacy consultants.

To find out more about TRUSTe Assessment Manager click here.



April Spotlight: IAPP Global Summit; Preparing for GDPR Compliance

IAPP Global Privacy Summit 2016

April 4 – April 6

Washington DC

In the privacy sphere, amidst increasing risk, evolving regulatory requirements and rising customer expectations, there’s strength in numbers. Enter the IAPP Global Privacy Summit, drawing us in, taking a spotlight to the challenges of our time. Here, we grow our knowledge, make surprising, valuable connections and, most importantly, advance the privacy conversation together.

TRUSTe will be exhibiting at booth #36 and Chris Babel, CEO of TRUSTe will be speaking on the Little Big Stage on Wednesday, April 6th at 1:55pm.

> Register here


Preparing for the GDPR – The Compliance Countdown Begins

April 14 – 9.00am – 10.00am PT

Online Webinar

The introduction of the European General Data Protection Regulation (GDPR) has been heralded as the most significant change in global privacy regulations for the last 20 years. But now the talking is over and the legislation is agreed, the compliance countdown begins. What does this mean for your business?

This webinar will review the final text of the GDPR and explain the key things you need to know to comply from data breach notification, to consent and international data transfers. Register now to get a clear roadmap for GDPR compliance within your organization.

> Register here


IAPP Europe Data Protection Intensive

April 20 – April 21


The IAPP Europe Data Protection Intensive is the leader in education on the practical application of privacy and data protection today. Focused on the issues impacting you now and in the coming year, this is where you’ll find the knowledge and how-to skills you need to excel in 2016.

TRUSTe will be exhibiting at booth #9 – come by to see a demo of the new GDPR Readiness Assessment Template available in TRUSTe Assessment Manager.

> Register here


6th European Data Protection Days

April 25 – 26


The 6th European Data Protection Days 2016 will take place at a particularly interesting time. 2015 was a historic year for data protection and privacy professionals around the world. After almost four years of drafting and negotiating and more than 3,000 amendments, the final text of the EU General Data Protection Regulation was agreed by the European Parliament, Council and Commission. The European Court of Justice declared in its landmark decision that the Commission’s US Safe Harbor decision is invalid. The ruling has created legal uncertainty for companies that relied on Safe Harbor to legitimize data transfers from Europe to the U.S., and they urgently await final regulatory agreement on the new data transfer framework (EU-U.S. Privacy Shield). The EDPD Conference will provide you with all the important news and updates for your international data protection business at a high level.

TRUSTe will be exhibiting and Ralph O’Brien, Principal Consultant (EU) at TRUSTe will be speaking on Tuesday, April 26th at 5:00pm about “Global frameworks and local laws – assessing privacy risk in an evolving world”.

> Register here




Merck Successfully Concludes First APEC-based BCR Approval

On March 1st, Merck & Co. Inc. (Merck) formally concluded their Binding Corporate Rules (BCR) approval process with the Belgian Data Protection Authority, becoming the 82nd company to achieve the compliance landmark. But in a global first, Merck based its BCR application on its APEC Cross Border Privacy Rules (CBPR) certification. This work was facilitated by Merck’s use of a common referential developed by the Article 29 Working Party and APEC’s Data Privacy Sub Group in 2014 to facilitate interoperability between companies seeking certification under both systems. In October 2013, TRUSTe certified Merck as the first health-care company and the second multinational company under the CBPR system.

“The value of this approach is that we were able to obtain both CBPR and BCR approvals while maintaining the substance and structure of our existing global privacy program. The practical effect is that we gained greater efficiency in how we manage cross-border data transfer and global data processing without adding complexity to how we operate”, said Hilary Wandall, Chief Privacy Officer.

As was reported in a recent review of CBPR benefits by Information Integrity Solutions, the first phase of Merck’s BCR approval took less than three months, while the mutual recognition phase took an additional nine months. In addition to the time for completion of the EU cooperation procedure and transition between the approval phases, the entire approval process was approximately three months faster than the 18 month average. Most importantly, because Merck based its BCR approval on its previously-approved CBPR certification, a broadly BCR-compliant global privacy program was already in place. As a result, according to Merck’s internal estimates, the total cost of its BCR was approximately 90% less than it would have otherwise been.

When announcing the referential’s endorsement in March 2014, Isabelle Falque-Pierrotin, Chairwoman of the French Data Protection Authority (CNIL) and president of the Article 29 Working Party called it a “very political and symbolic act” for companies seeking to obtain both BCR and CBPR certification. FTC Chairwoman Edith Ramirez noted that “[i]nteroperability is absolutely critical”, adding that “[w]ithout the ability to work across systems, we simply can’t effectively protect the privacy of consumer data, and that’s why as part of the U.S. delegation to the APEC data privacy subgroup, the FTC has been actively involved, along with the Department of Commerce, in developing the CBPRs and also working on this referential.” Earlier this month, Article 29 affirmed that work on the BCR-CBPR project would be a key component of its 2016-2018 workplan.

The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers. TRUSTe was named the first accountability agent for the system in June 2013. You can learn more about Merck’s work on interoperability here. To learn more about obtaining a TRUSTe CBPR certification click here.


TRUSTe Assessment Manager Product Series – Part 5

With the 2.0 release of Assessment Manager, TRUSTe now provides the privacy office with even more control over its privacy program. From the comprehensive privacy dashboard to management of privacy remediation action plans, this five part blog series has highlighted the latest updates.

Part 5 – TRUSTe Assessment Templates

Earlier in this series we showed how easy it is to create your own assessment template within Assessment Manager, but you can also get started with assessments immediately using TRUSTe Assessment templates.

Your Assessment Manager is preloaded with a set of different types of assessments that you can use out of the box today. In Q4 2015 we added two templates around Model Contractual Clauses [MCC] to help companies understand what it means to operationalize MCC. We have also recently added an assessment template to help companies prepare for the new requirements of the EU General Data Protection Regulation (GDPR).

Our team of privacy experts is working on additional key privacy compliance assessments to address the recent changes in relation to international data transfers and the announcement of the EU-U.S. Privacy Shield requirements.

If you’re not already using TRUSTe Assessment Manager then click here to find out more and contact your TRUSTe Account Manager to arrange a demo of all the new product features.



When Should You Start the Privacy Shield Process?

The draft of the new EU-U.S. Privacy Shield (“Privacy Shield”) framework covering EU data transfers has formally been released, providing details on what will be required once final EU ratification is complete (currently anticipated in June). The #1 question companies ask is “when should I start the Privacy Shield process?”

Built into the program is a strong incentive to “sign-on” for Privacy Shield Self-Certification with the Department of Commerce (DOC) within the first two months it becomes operational. Doing so will provide a company with an extra nine months to implement certain requirements, particularly more complex and time consuming contract and process changes around managing onward data transfers to sub-contractors (controllers and processors). Companies that hesitate and don’t sign-on within the first two months will fail to gain the nine-month advantage and must be fully in compliance with requirements immediately upon submission.

In the meantime, there are several months available now for companies to get operational updates in place so they can be ready to sign-on with Privacy Shield within the first two months and gain “first-mover advantage”. There is a long list of new requirements and companies should start now to allow sufficient time for implementation. The following are the three key areas that have the most business impact and potentially the longest timelines for implementation:

1. Get Contracts in Place to Meet Increased Accountability Obligations for Onward Transfers to Sub-Contractors

2. Ensure Audit Trail & Dispute Resolution Mechanisms Meet Stronger Oversight & Enforcement Requirements

3. Update Privacy Policies for Increased Transparency Obligations

Download our brief for an overview of the Privacy Shield timeline, a review of the strategic options, and detailed requirements to guide operational implementation in these top 3 areas.
