Today, TRUSTe announced solutions to help companies address the new EU General Data Protection Regulation (GDPR), which brings sweeping changes and tough compliance challenges for any business with EU customers and employees. The package of solutions will help companies meet the stringent new requirements of the GDPR. In addition, as the leading global provider of privacy certifications, TRUSTe will seek to become accredited as a data protection seal provider with the relevant European supervisory authorities. TRUSTe has a long history of helping companies address EU privacy requirements. TRUSTe launched their EU Safe Harbor privacy program in 2000 and has since assessed … Continue reading New Privacy Technology, Resources Simplify EU GDPR Compliance
In order to manage the privacy and operational challenges of implementing Model Contract Clauses (MCC) to maintain compliance with EU data protection laws, TRUSTe has introduced a new Model Contract Clause privacy assessment and partnered with PactSafe and a number of leading law firms. This solution comes after the Oct. 6th ruling by the European Court of Justice, which invalidated the U.S.-EU Safe Harbor framework. “The Safe Harbor Ruling has left many companies rudderless without a clear way to stay compliant with EU rules,” said Chris Babel, CEO of TRUSTe. “While the prospect of a new Safe Harbor 2.0 agreement … Continue reading TRUSTe Expands Offerings and Partners with PactSafe and Leading Law Firms to Help Companies Comply with EU Privacy Rules
The first rule of any technology used in a business is that automation applied to an efficient operation will magnify the efficiency. –Bill Gates
One of the greatest benefits of modern technology is that routine or repeatable work activities can often be done more efficiently with automation. For those who are conducting privacy assessments on a regular basis, and doing it inefficiently with spreadsheets and email, the thought of automating a Privacy Impact Assessment (PIA) must be particularly intriguing. TRUSTe research shows that a typical PIA can take 28 days to complete and involve 175 work hours spread across multiple departments. Surely there’s an opportunity for privacy teams to save time and money. To address the need for automation TRUSTe developed Assessment Manager, a SaaS solution that greatly reduces the time needed to plan, execute and analyze a privacy assessment, and then remediate identified risks.
Is automation right for anyone responsible for privacy?
No. According to Bill Gates, the second rule of technology is that “automation applied to an inefficient operation will magnify the inefficiency.” If you don’t have a solid foundation in place for conducting assessments you’re better off working on the basics before turning to automation. Spend the time (or hire a consultant for) establishing an assessment process, developing controls, designing effective survey templates and training others first.
Once you have a process in place, the answer may still be “no” if the automation solution’s cost far exceeds the potential benefits in terms of time, resource cost and quality. Chances are if you’re only doing (or planning on doing) a couple of assessments per year the ROI won’t be there. You’ll want to anticipate a sustained volume of assessment activity before automation pays off.
How do I determine if automation is right for us?
Unfortunately there isn’t a magic number of privacy assessments where automation instantly becomes a no-brainer because no two companies assess the same or share the same cost structure. If you’re doing a couple per year it may be hard to justify. However if you plan on double-digit assessments next year (there are companies doing several thousand annually!) the math starts working in your favor.
The challenge of quantifying the return on investment (ROI) of privacy automation technology and communicating it with others is a consistent theme we’ve heard over the past couple of years. Consequently we’ve assembled a great set of self-service resources and tools and offered them free of charge on a newly created public microsite.
Today, Oct. 6th, the Court of Justice of the EU (CJEU) ruled that the current U.S.-EU Safe Harbor Program is no longer a valid method for ensuring adequacy under EU Data Protection Directive 95/46/EC for international data transfers. This significant change in data protection law removes an established data transfer compliance mechanism that has been in place since 2000 and relied on by more than 4,000 U.S. companies. This ruling causes a period of uncertainty for businesses until the Department of Commerce and the European Commission can agree and put a new U.S.-EU Safe Harbor framework in place. This morning … Continue reading Next Steps Following the EU Court of Justice Ruling on U.S.-EU Safe Harbor
Thirteen companies settled with the FTC yesterday for falsely claiming they were certified and in compliance with the US-EU or US-Swiss Safe Harbor Framework. Compliance with the US-EU and US-Swiss Safe Harbor Frameworks means companies follow established requirements for meeting adequacy standards to transfer customer or employee data from the European Union or Switzerland to the United States. To be in compliance, companies must self-certify with the Department of Commerce and are required to show compliance with the seven privacy principles. These principles are notice, choice, onward transfer, security, data integrity, access and enforcement. This self-certification needs to be … Continue reading 13 Companies Settle with FTC for False US-EU & US-Swiss Safe Harbor Claims
This week Google announced it will be implementing a new user consent policy. Essentially, this new policy requires all websites serving EU visitors, including those not based in the EU, to comply with the EU Cookie Directive. Google posted the notice on its official AdSense blog.
In 2009 an amendment to an existing EU directive (the so-called Cookie Directive) introduced a requirement that companies provide “clear and comprehensive information” to users about the types of tracking technologies used on websites, including a way for users to “consent” to any cookies which are not “strictly necessary” for the delivery of an online service. The majority of EU Member States have now adopted their own Cookie Laws implementing the requirements of the Cookie Directive.
Here’s what AdSense has to say about this new policy:
Why are we doing this?
European Union data protection authorities requested some changes to current practices for obtaining end user consents. It has always been Google’s policy to comply with privacy laws, so we’ve agreed to make certain changes affecting our own products and partners using Google products.
What do you need to do?
If your websites are getting visitors from any of the countries in the European Union, you must comply with the EU user consent policy. We recommend you start working on a policy-compliant user consent mechanism today. There’s guidance from data protection authorities and IABs across Europe on what is required to comply with relevant laws; the IAB’s IAB Europe Guidance: Five Practical Steps to help companies comply with the E-Privacy Directive is a good place to start.