TRUSTe Assessment Manager Product Series – Part 4


With the 2.0 release of Assessment Manager, TRUSTe now provides the privacy office with even more control over its privacy program. From the comprehensive privacy dashboard to management of privacy remediation action plans, this five part blog series will highlight the latest updates.

Part 4 – Assessment Remediation and Approval

Assessment Manager 2.0 has new functionality to automatically identify unacceptable answers to each question and flag them in the assessment report for review. This functionality streamlines the assessment review process by quickly surfacing potential issues with actionable recommendations.

When it comes to reporting, your privacy assessment reviewer is able to access the Assessment report at any time to review progress of the Assessment.


The designated privacy assessment reviewer is notified via e-mail and via their account dashboard when possible issues that need redress (as discussed above) have been identified on the assessment.


When reviewing identified issues, the reviewer is able to see the flagged answer and any recommended actions associated with the issue.


The reviewer is able to take one or more of the following steps:

  • Assign risk to the identified issue
  • Create a new task and assign this to relevant people to remediate the issue
  • Revise the answer after consulting with the respondent
  • Add comments
  • Add attachments

Once the reviewer is satisfied that the issue has been addressed, they can close out the issue. When all issues have been closed, the project can then be approved by the privacy reviewer.

If you’re not already using TRUSTe Assessment Manager then click here to find out more and contact your TRUSTe Account Manager to arrange a demo of all the new product features.



CIPL, Hunton & Williams and TRUSTe to Represent U.S. Business on APEC E-Commerce Business Alliance Expert Council



This article was first posted on the Hunton & Williams Privacy & Information Security blog.

During last month’s APEC privacy and e-commerce meetings in Lima, Peru, the APEC E-Commerce Business Alliance (“ECBA”) established its 2nd APEC E-Commerce Business Alliance Expert Council (“Expert Council”). The ECBA Expert Council is comprised of 32 e-commerce experts from government, academia and the private sector in the APEC region. The U.S. members are Markus Heyder, Vice President and Senior Policy Counselor at the Centre for Information Policy Leadership, Manuel “Bing” Maisog, partner at Hunton & Williams, and Joshua Harris, Director of Policy at TRUSTe.

The APEC-ECBA was created in 2001 to (1) promote cooperation between the public and private sectors in the field of e-commerce, (2) provide a forum for information sharing between APEC member economies, and (3) develop e-commerce across different industry sectors. ECBA’s secretariat is based in the China International E-Commerce Center, a quasi-public agency under China’s Ministry of Commerce. The first ECBA Expert Council was formed in 2010 to strengthen and support ECBA’s mission through research, reports, training and other initiatives. ECBA holds annual conferences for the Expert Council and other APEC-based government and private sector stakeholders.

In late June or early July 2016, ECBA will hold its 6th APEC E-Commerce Business Alliance Forum called “Realize Inclusive Trade Through Cross-Border Electronic Commerce.” This three-day event will be held in China, either in Jinjiang, Fujian Province or Mianyang, Sichuan Province.



EDAA Launches New Mobile Principles at First Summit in Brussels



At the EDAA Summit in Brussels, the European Digital Advertising Alliance announced new Mobile Principles to extend the EDAA Self Regulatory programme for Online Behavioural Advertising to the mobile environment.

Broadly, this move aligns the EDAA with its partner organization in the U.S., the Digital Advertising Alliance (DAA), which released Mobile Guidelines amending its principles in mid-2013. There are, however, two notable differences between the EU and the U.S. frameworks:

  1. Use of the Icon: In the EDAA Mobile Principles, there is a requirement that the enhanced notice mechanism inside a mobile ad is specifically the Icon or the Icon & AdMarker, rather than allowing any conspicuous mark embedded in the ad creative that links to a notice page.
  2. Use of Device Data: In the EDAA Mobile Principles, there is a slight difference in the way that information on a mobile device is classified. In the U.S. DAA guidelines, there is reference to “Personal Directory Data” being used for interest-based advertising requiring enhanced notice and choice (i.e. requiring the Icon). In the EDAA Mobile Principles, that data is redefined as “Personal Device Data” and changed to require enhanced notice and choice. This small change in verbiage means that any ad targeted to a user based on information gathered from other applications they have on their device is, according to the EDAA, an Interest-Based Ad that requires enhanced notice and choice (i.e. requires the Icon).

Point one above closes a small loophole that allows a company in the U.S. not to license the Icon for mobile usage and instead use a different icon to notify consumers. The main goal of the change in point one is to have the industry standardize on a single symbol for managing consumer privacy, so that consumers are not confused.

Point two above is a much broader change, and it affects most CPI- and CPC-focused companies in the ad-serving chain. This change means that companies gathering information about other apps on a user’s device will need to serve the Icon in their ads. Since understanding a user based on the types of applications they download is a common practice, this may be a major change for the performance advertising side of the industry.

Find out more about how TRUSTe can help you with implementing the new EDAA Mobile Principles here.



TRUSTe Assessment Manager Product Series – Part 3


With the 2.0 release of Assessment Manager, TRUSTe now provides the privacy office with even more control over its privacy program. From the comprehensive privacy dashboard to management of privacy remediation action plans, this five part blog series will highlight the latest updates.

Part 3 – Answering the Privacy Assessment via Assessment Manager

One of the main challenges businesses face when running privacy assessments is getting complete and accurate information from the outset. Assessment Manager 2.0 comes with the ability to provide users with specific instructions at the question level. In addition, the option to attach documentary support to each question ensures that the privacy reviewer gets all the information required to expedite the review process.

Also, from a respondent’s point of view, answering a privacy assessment has never been easier.

The respondent just needs to:

  1. Click the assessment link
  2. Answer the questions (add attachments and comments as needed)
  3. Submit answers – answers are autosaved along the way to ensure no work is lost.


Greater engagement on your privacy assessments starts today with Assessment Manager 2.0.

If you’re not already using TRUSTe Assessment Manager then click here to find out more and contact your TRUSTe Account Manager to arrange a demo of all the new product features.



March Spotlight: GDPR Accountability, Reviewing TRUSTe-IAPP Research Findings


Taylor Wessing EU Data Protection Conference

March 9

Menlo Park

Taylor Wessing’s International Data Protection team is hosting its inaugural US Data Protection Conference this week, looking at the latest developments in EU data protection law. This conference, led by Taylor Wessing’s experts from their US, UK, French, and German offices, will provide attendees with a 360-degree overview of the General Data Protection Regulation.

Thomas Kranig, President of the Bavarian State Authority on Data Protection, Germany will provide first-hand insights on the changes and challenges the new regulation will impose on international companies. TRUSTe’s Director & General Manager, Consulting, Eleanor Treharne-Jones will speak about the new accountability requirements under the Regulation.

> Request a ticket here


Investment in Privacy Brings Security Results

March 10, 9.00am – 10.00am PT

Online Webinar

Is investment in privacy just a tick box compliance exercise or can privacy best practices be shown to also bring security benefits? A new research project commissioned jointly by IAPP and TRUSTe investigated the correlation between investing in privacy and ensuring a strong information security program, reducing the risk of data breach and preparing for response to a potential breach.

In this webinar Chris Babel, CEO of TRUSTe, and Sam Pfeifle, Publications Director at IAPP, will review the research findings, explore the value that infosecurity teams place on different privacy functions, and gauge the impact of a cyber-security incident or regulator involvement on privacy investment. Find out from experts working at the intersection of privacy and security the value they place on each function and what this means in practice at their organization.

> Register here


Understanding Privacy’s Value to the IT & Infosec team

March 24, 8.00 – 9.00am PT

Online Webinar

Join us for the second in a series of webinars highlighting TRUSTe and IAPP’s joint research as we host highly experienced privacy and security team leaders for a virtual discussion to parse and interpret the results of the survey and to explain what this data means for your organization. You’ll hear about how companies are increasing their infosecurity and privacy investments alike, and gain insight into the questions the survey set out to answer: How do information security and privacy teams work in concert, so that their respective spends can complement one another? Are their priorities aligned? Have firms decided that information privacy investments can enhance information security, and if yes, what privacy functions are valuable in mitigating a data breach?

Chris Babel, CEO, TRUSTe, will discuss the survey results with Heidi Salow, Vice President and Senior Privacy Officer, Thomson Reuters, and Peter Sand, Executive Director of Privacy, MGM Resorts International.

> Register here




Details of EU-U.S. Privacy Shield Framework Published


On February 29, 2016, after more than two years of negotiations, the U.S. Department of Commerce released details of how the new EU-U.S. Privacy Shield Program would operate, and the European Commission published a draft Decision on the adequacy of the framework. Across 100+ pages, the Privacy Shield documentation ends the uncertainty that many businesses have faced since Safe Harbor was invalidated last October and describes in granular detail the measures that organizations wishing to use the Privacy Shield must implement.

Although the core Privacy Shield Principles are similar to the Safe Harbor Privacy Principles, the new Principles go into much greater depth and include seven distinct categories: notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, and recourse, enforcement, and liability.

They also include a number of “Supplemental Principles,” which offer more detailed requirements for specific circumstances, such as the transfer of sensitive data, secondary liability, the role of data protection authorities, human resources data, pharmaceutical and medical products, and publicly available data.

The new arrangement will provide stronger obligations on companies in the U.S. to protect the personal data of Europeans and stronger monitoring and enforcement by the U.S. Department of Commerce and Federal Trade Commission (FTC), including through increased cooperation with European Data Protection Authorities.

New Requirements

Some of the new requirements for companies under the framework include:

  • Increased Transparency: Organizations must now include additional information in their privacy policy to inform individuals. These disclosures include: participation in the Privacy Shield; the availability of a dispute resolution mechanism; contact details; the possibility of invoking arbitration; and disclosure to national security authorities in law enforcement cases.
  • Increased Accountability for Onward Transfers: To transfer personal data to third parties acting as a controller or as an agent, organizations must take steps to ensure that the same levels of privacy protection as the Principles are in place. This can be done through contracts with required statements specifying and limiting the purpose of processing. The Principles are clear that the data controller will be liable if the contracted processor violates the Principles.
  • Individual Complaints: A company has 45 days to respond to individual complaints, after which time the individual has a choice of 3 mechanisms: (1) independent Dispute Resolution at no cost to the consumer; (2) local Data Protection Authorities (can be used for customer data, must be used for HR data); (3) arbitration as a last resort (when the matter is still not resolved and the individual invokes it). EU citizens are now able to pursue legal remedies through private causes of action, including those for misrepresentations and similar types of claims, in US state courts.

Timing for Adoption

The Privacy Shield Principles will come into effect on the date of final approval of the European Commission’s adequacy determination.

This draft adequacy decision has been published and now must be approved by the comitology procedure, which involves input from the Article 29 Working Party, a binding opinion from the EU Member State representatives, and formal adoption of the adequacy decision by the EU College of Commissioners. It is anticipated that this final approval process should take a couple of months.

The Privacy Shield may still be subject to future legal challenge, but one of the core goals of the negotiators from both the US Government and the European Commission was to produce a sufficiently robust framework that could survive such a challenge.

Next Steps

While regulatory review of the Privacy Shield is underway, companies can now begin analyzing the Privacy Shield principles in light of their own data flows and data protection practices.

Contact your TRUSTe Account representative for a copy of our latest Client Advisory Note “Implementing the EU-U.S. Privacy Shield Framework” and see further details here.



New IAPP/TRUSTe Study: Privacy Brings Security Results


A joint study released today by the IAPP and TRUSTe finds that more and more companies are turning to privacy expertise to enhance security results and protect against data breaches. The study – How IT & InfoSec Value Privacy – polled 550 privacy, IT and information security professionals across the globe in December and January.

The findings reveal a significant increase in privacy-related investments, with 42% of firms spending more on privacy technology, outpacing investment in external counsel and auditors. The study also confirms the well-documented extent of the cybersecurity threat: 39% reported an incident in the last two years and increased their information security and privacy investments alike to address the growing threat.

In fact, the study shows that the most important way to protect against cybersecurity risk is through constant communication between the privacy and security teams, many of which are now populated with staff from each discipline. Companies are also using core privacy functions to better understand the extent of their corporate risk, with 41% increasing use of privacy impact assessments and data inventory and classification, and 40% increasing use of data retention policies.

“The study shows a change in the way companies are protecting themselves against cybersecurity threats,” IAPP President and CEO J. Trevor Hughes, CIPP said. “As the threat of cybersecurity breaches increases every day, companies are getting smarter about protecting themselves against this threat, and more are recognizing the importance of security and privacy working hand in hand to mitigate the risk and enhance accountability.”

Chris Babel, CEO of TRUSTe, and Omer Tene, Vice President of Research and Education, IAPP, will be discussing the report findings at the RSA 2016 Conference in San Francisco this week in a panel session from 8.00-8.50am on Wednesday, March 2 (North, Room 133).

To find out more about how TRUSTe’s privacy solutions can help strengthen your infosecurity program, chat with the team in the North Expo Exhibit Hall, Booth #N3017, or call 1-888-878-7830.



APEC Data Privacy Subgroup Meeting Wraps in Lima, Peru



Peru hosted the Asia Pacific Economic Cooperation’s Data Privacy Subgroup working meetings from February 22 to February 27; the meetings were attended by TRUSTe CEO Chris Babel and TRUSTe Director of Policy Josh Harris. This year marked one of the largest US delegations in recent years, including representatives from over a dozen US companies and led by US Deputy Secretary of Commerce Ted Dean. The increased interest in the APEC approach to cross-border data transfers comes as the fourth economy to join the system, Japan, announced formal endorsement of its accountability agent, JIPDEC.

The meetings kicked off with a one-day workshop hosted by TRUSTe, the Centre for Information Policy Leadership, the Information Accountability Foundation, and Information Integrity Solutions. Topics of discussion included implementation of the CBPR system, a status report on CBPR-related activities, CBPR’s role in interoperability and the applicability of big data to the APEC Privacy Framework. Speakers included representatives from Apple, CIPL, DBS Bank, HP, IAF, IBM, IIS, the Internet Society, MasterCard, Nymity, TRUSTe and Walmart, and from the governments of Australia, Canada, New Zealand and the United States.


At the Data Privacy Subgroup formal meeting, Information Integrity Solutions presented the results of an APEC-commissioned report on the benefits of the CBPR system to consumers, economies and businesses. Businesses specifically noted CBPR’s role in promoting the development of a single approach to global privacy that can help to simplify compliance with the range of regulatory requirements across the region. In addition, certification to a regionally recognized system of data transfers encourages consumer confidence in the certified companies’ data practices. The report was based on consultations with government, business, and regulators from Japan, Singapore, Mexico, Canada and the United States and identified significant trade benefits as well as internal business benefits. Based on the findings of this report, APEC economies agreed to develop a coordinated marketing strategy to increase business and consumer awareness of the benefits of the system.

It was also formally announced that the Japanese firm JIPDEC has been approved to serve as an accountability agent under the CBPR system, joining TRUSTe, which was named the first accountability agent for APEC Cross Border Privacy compliance in June 2013. In September, Japan passed an amendment to the “Act on the Protection of Personal Information.” Article 24 of the amended law imposes restrictions on the transfer of personal information of Japanese citizens to third parties in foreign countries. Exemptions to these restrictions include when a third party has established a system which meets the Rules of the Commission to “continuously implement equivalent necessary measures.” The draft rules for implementing Article 24 specifically call out a company’s APEC CBPR certification as satisfying this requirement.

The next meeting of APEC’s Data Privacy Subgroup will take place in August, once again in Lima, Peru.
