Dec 15 2016

The Privacy Leader as Business Enabler – Part 2. Build Sustainable Solutions.

15 December 2016
By Hilary Wandall
General Counsel & Chief Data Governance Officer, TRUSTe

Yesterday, I shared the first lesson I’ve learned, “Be a counselor,” over the past 15 years while seeking to navigate the ever-changing privacy terrain in order to help business teams manage data responsibly and effectively. The second lesson first caught me by surprise and then, over time, convinced me that the methods the business teams I was counseling were pursuing to solve their own business challenges were in fact the potential answer to a problem I encountered six years into serving as a privacy leader. Before I share my tips on building sustainable solutions, I thought sharing my personal story of how I learned this lesson could provide some helpful context.

I was fortunate to learn how to be a privacy leader from an amazing leader, lawyer, counselor, philosopher and friend. He had the vision and the courage of his convictions to lead us to develop a global privacy and protection policy that would set a baseline standard for governance and protection of data across our business globally. Over two years, he persuaded all areas of the organization on the business value of the approach. Over the next thirteen years, only the proliferation of breach notification laws and a mega-merger would necessitate a few substantive changes to that policy.

The surprise to me was the sustainability of the policy given the frequency with which new privacy laws continued to be enacted. Regardless of how often the laws changed, the policy always provided the basis for complying with the substantial majority of any new legal and regulatory requirements. The best evidence of that policy’s sustainability, and of its ability to address even the latest developments in global privacy standards, is that earlier this year it became the basis for the first EU approval of a company’s binding corporate rules (BCRs) that were based on a program previously certified by TRUSTe as compliant with the APEC Cross-Border Privacy Rules (CBPR) system.

While we were able to develop a sustainable policy all of those years ago, we were less fortunate in dealing with the rapidly growing number of initiatives that moved from paper to automation to cloud computing to data analytics. Six years into running a global privacy program primarily out of email, documents and spreadsheets, we made our first attempt at using technology to automate some of our workflows. After piloting a number of approaches over the next five years, we concluded that the only way to really serve the business efficiently and effectively over time was to build an integrated privacy management platform that would allow us and business teams to readily determine the risks of a particular technology or business process at any point in its lifecycle. Put simply – build sustainable solutions. Here are some tips to help you develop your own approach.

2.  Build sustainable solutions. Not all organizations are ready to put robust, sustainable solutions in place. Some are only resourced to handle obligations on an initial ad hoc basis. Others are beginning to move up the maturity curve toward repeatable, defined, managed and optimized.

a.  Business is not static. Regardless of an organization’s privacy and data governance program maturity, most organizations have data and technology needs that continue to evolve as business needs change and technology improves.

b.  Privacy regulation is unlike any other regulatory area. Because data about people can be generated in so many different forms and contexts – from where we go, to what we eat, to how we feel, what we spend and whether we sleep – privacy and data protection requirements can be enforced by many different types of regulators, and in some cases by private parties as well. In this complex regulatory environment, the privacy leader, as well as others in the business, legal and compliance functions, needs to be able to demonstrate accountability and compliance upon request at any point in time.

c.  Good governance and technology solutions. Good governance and clearly documented roles and responsibilities are critical not only to putting a program in place, but also to enabling it to be implemented effectively and to mature over time. Technology solutions support these goals as well. Other business functions that rely on data, such as finance and human resources, have recognized the importance of investments in workflow automation, cloud computing and data analytics. Privacy and data governance programs can be made sustainable through technology solutions that facilitate creating a data processing inventory, evaluating associated risks, documenting mitigating controls, identifying changes, managing potential incidents and demonstrating what is in place and its effectiveness. While this can be a substantial undertaking, investment in modular solutions, tailored to an individual company’s culture and maturity, can enable an organization to manage privacy much more effectively so that the privacy leader can focus on tackling new and emerging issues.

In summary, sustainable solutions such as good governance and technology position the privacy leader well for helping the organization to maximize net data value – a concept we’ll explore further in my final post in this series.


Dec 14 2016

The Privacy Leader as Business Enabler – Part 1. Be a Counselor.

14 December 2016
By Hilary Wandall
General Counsel & Chief Data Governance Officer, TRUSTe

Part 1. Be a Counselor.

Last Thursday I had the honor of delivering a firestarter session at the IAPP Practical Privacy Series in Washington D.C. I had been asked to speak about re-envisioning the role of a privacy leader as a business enabler – rather than a leader who solely focuses on providing compliance, policy and/or legal guidance – and it inspired me to share three invaluable lessons I’ve learned over the past 15 years while seeking to navigate the ever-changing privacy terrain in order to help business teams manage data responsibly and effectively. Based on the kind feedback I received from participants, I am sharing highlights from the session in a three-part blog series.

  1. Be a counselor. Regardless of an organization’s maturity in governing data, protecting data, or implementing a privacy program, business teams need to focus on delivering business results. They may feel that they don’t have time to worry about privacy regulations and processes that distract them from that focus. What they need is a counselor – someone who helps them think through their business needs for the data and the business risks associated with not governing and protecting the data effectively and sustainably. How can you be a counselor? Follow these tips to get started.
    1. Have a conversation. Seek to understand what the business wants to do with the data: What are their goals? What do they want to achieve? What data do they believe are needed for that purpose? What do they think they might want to do with the data in the future? Based on your discussions with them about the value of the data to them, help them understand the risks associated with not protecting the data.
    2. Transparent communications. Help them envision transparency tools, such as notice, choice and account management for individual rights like access and correction, to meet broader communications objectives for projects. For example, a newsletter might be a vehicle to deliver a required privacy notice as well as a mechanism to invite the recipient to consent to other types of interactions with the organization.
    3. Choose the best vendors. Business teams often will be guided, for expense management reasons, to select vendors primarily based on cost. Often, however, the lowest-cost vendors are ill-equipped to support the risk management and regulatory obligations for which the business is responsible. Worse yet, some business teams don’t realize that their data responsibilities and liability don’t end when the data are in the hands of the vendor. Guiding the business to select vendors that appropriately balance cost and mitigate risk will help prevent data breaches and other liability problems that can obliterate any immediate cost savings.

If you found this guidance helpful, I hope you’ll return for the other two parts in this series.

Dec 12 2016

TRUSTe Privacy Risk Summit 2017 – Special Event Launch Pricing!


One of the best ways to mitigate risk is to know what technological and regulatory change will bring ahead of time. This risk-based approach aligns with the GDPR approach to privacy management.

The 2017 Privacy Risk Summit is set to carry on TRUSTe’s reputation for high quality education programs that help privacy professionals plan for future changes. Past events have brought together EU regulatory experts and Silicon Valley business leaders to discuss the impact of the EU GDPR and how organizations could navigate the global privacy requirements. Whenever there are sweeping changes, such as when IoT took off, TRUSTe is there to help navigate those changes.

Join the 2017 Privacy Risk Summit to learn from 30+ speakers who will be sharing privacy risk management best practices. In addition to being inspired by these keynote speakers, you will also have the opportunity to participate in interactive workshops.

See recaps of previous events here:

If you are interested in attending this year, take advantage of special event launch pricing here.



Dec 08 2016

Why you should know where your data is: two practical use cases


The General Data Protection Regulation (GDPR) includes a wide range of privacy related requirements which will impact all areas of a company, including legal, compliance, information security, marketing, engineering, and HR. These changes will require companies to have a clear understanding of where their data is in order to ensure GDPR compliance.

Use Case 1: A data subject requests a copy of their data.

GDPR Requirement

Article 15 grants data subjects the right of access, giving individuals a right to obtain confirmation as to whether personal data about them is being processed, and to request a copy of that data.


Your organization collects data about its customers so that it can provide suggestions to enhance the customer experience. If a customer requests a copy of their data, will you know where to find it? If they ask additional questions about their data, will you be able to answer them?

Use Case 2: A global business transaction.

GDPR Requirement

Article 46 allows for data transfers to non-EU countries by way of mechanisms that provide appropriate safeguards. Appropriate safeguards include Binding Corporate Rules (BCRs), Model Contract Clauses (MCCs), also known as Standard Contractual Clauses (SCCs), and legally binding and enforceable instruments between public authorities or bodies. What about Privacy Shield?


Your organization is about to close a global deal in which personal information will need to be transferred out of the EU to a US-based subsidiary that uses a vendor in Asia to process that data. Are any measures in place to ensure your team will not overlook certain requirements as the data travels across countries?



Data inventory and mapping allows organizations to pinpoint exactly where data is located and stored, and draws the connections between complicated data flows. Having an easily accessible, centralized inventory will allow organizations to quickly identify which assets or systems manage the processing of the individual’s data, making it more efficient to investigate and respond to that individual’s access request (Use Case 1). Additionally, having a holistic picture of where data is and where data goes will allow for mapping which jurisdictional requirements apply throughout the data lifecycle (Use Case 2).
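As an added illustration, not TRUSTe’s tooling or code from this post, the following shows what even a minimal inventory and transfer map can answer for both use cases: which systems and owners to search for an Article 15 request, and which cross-border hops of EU-origin data lack a documented Article 46 safeguard. The systems, country codes, data categories and transfers are constructed, and the EU/EEA country list is deliberately partial.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed, partial list of EU/EEA country codes; extend for real use.
EU_EEA = {"DE", "FR", "IE", "NL", "ES", "IT", "SE", "PL", "NO", "IS", "LI"}
# Art. 46 safeguards named on the page; anything else counts as undocumented.
ART46_SAFEGUARDS = {"BCR", "SCC"}


@dataclass(frozen=True)
class System:
    name: str
    country: str            # ISO 3166-1 alpha-2 code where processing happens
    owner: str              # team accountable for the system
    categories: frozenset   # personal data categories the system processes


@dataclass(frozen=True)
class Transfer:
    source: str             # System.name the data leaves
    destination: str        # System.name the data arrives at
    categories: frozenset   # categories flowing along this edge
    safeguard: Optional[str]  # "BCR", "SCC" or None when nothing is documented


# Constructed sample inventory mirroring the two use cases above.
SYSTEMS = {s.name: s for s in [
    System("crm-eu", "IE", "marketing", frozenset({"contact", "purchase_history"})),
    System("recs-engine", "DE", "engineering", frozenset({"purchase_history", "browsing"})),
    System("hr-payroll", "DE", "hr", frozenset({"employee", "bank"})),
    System("us-subsidiary-erp", "US", "finance", frozenset({"contact", "purchase_history"})),
    System("apac-vendor-ocr", "SG", "procurement", frozenset({"contact"})),
]}
TRANSFERS = [
    Transfer("crm-eu", "recs-engine", frozenset({"purchase_history"}), None),  # stays in EU
    Transfer("crm-eu", "us-subsidiary-erp", frozenset({"contact", "purchase_history"}), "BCR"),
    Transfer("us-subsidiary-erp", "apac-vendor-ocr", frozenset({"contact"}), None),  # onward
]


def systems_for_access_request(requested):
    """Use Case 1: systems (and owners) to search for an Art. 15 access request."""
    return sorted((s.name, s.owner) for s in SYSTEMS.values() if s.categories & requested)


def eu_origin_categories():
    """Propagate EU-origin categories along transfers until nothing changes,
    so an onward transfer from a non-EU intermediary is still seen as an export."""
    origin = {n: (s.categories if s.country in EU_EEA else frozenset())
              for n, s in SYSTEMS.items()}
    changed = True
    while changed:
        changed = False
        for t in TRANSFERS:
            flowing = origin[t.source] & t.categories
            if not flowing <= origin[t.destination]:
                origin[t.destination] = origin[t.destination] | flowing
                changed = True
    return origin


def flag_unsafeguarded_exports():
    """Use Case 2: transfers of EU-origin data to a non-EU/EEA system that
    carry no documented Art. 46 safeguard."""
    origin = eu_origin_categories()
    findings = []
    for t in TRANSFERS:
        dest = SYSTEMS[t.destination]
        exported = origin[t.source] & t.categories
        if exported and dest.country not in EU_EEA and t.safeguard not in ART46_SAFEGUARDS:
            findings.append(f"{t.source} -> {t.destination} ({dest.country}): "
                            f"{sorted(exported)} with no documented safeguard")
    return findings
```

On this sample the EU-to-US hop is covered by BCRs, but the onward hop from the US subsidiary to the Asian vendor is flagged because the EU-origin contact data continues to travel with nothing documented.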

If you need help with your data mapping efforts, TRUSTe offers a solution. Learn more.


Dec 07 2016

EU General Data Protection Regulation (GDPR) Series; Build Consensus – Awareness Campaign


For organizations that operate globally, complying with the EU GDPR will likely require significant investment in personnel, process change, and new tools. In order to meet the compliance deadline, companies are actively preparing now. TRUSTe has developed a four-phase process to help guide you on the path to compliance. During November and December we will provide you with a series of tips to use along your path to compliance.

See Tip No. 3: Build Consensus for GDPR Compliance by sharing Business Case for Investing

TIP NO. 4: Build Consensus for GDPR Compliance by executing an awareness campaign

Now that you’ve developed the business case for investing in GDPR compliance, you need to involve key teams that you will work with to execute your compliance program. Key teams to involve are: information security, compliance, human resources, marketing, procurement, accounting, website development, and legal.

Start by facilitating an internal kickoff with these teams and then turn that into ongoing planning sessions with relevant stakeholders across the organization. Include representatives throughout the company including colleagues at executive and board levels.

Use the business case you prepared in the last step to show them why GDPR compliance makes business sense for your organization. Deliver engaging presentations that leverage all of the evidence you gathered to tell the story. At the outset, it will be important to clearly state the following goals of the kickoff session:


  • Formalize GDPR program team structure / roles / responsibilities
  • Establish the GDPR program as a priority initiative
  • Agree on short, medium, and long-term goals of the GDPR program
  • Set measurable objectives with success criteria, key milestones
  • Secure budget and resources based on Level of Effort estimates



If your company already has a Privacy Working Group, this campaign would be an add-on to that existing process. If your company does not have this working group, build one! It will provide ongoing value for years to come. Schedule ongoing planning meetings with a regular cadence to develop the full plan, implement all required operational changes, and provide a dashboard report on the GDPR program’s progress.

Next week we will provide tips on how to start implementing your plan.

If you need support in launching an awareness campaign, TRUSTe offers a GDPR Workshop, which is the last phase in our GDPR Priorities Assessment. Our expert privacy consultants will review your readiness assessment and plan on site, custom tailored to your organization’s needs. Contact us for more information.

Dec 01 2016

EU General Data Protection Regulation (GDPR) Series; Build Consensus


For organizations that operate globally, complying with the EU GDPR will likely require significant investment in personnel, process change, and new tools. In order to meet the compliance deadline, companies are actively preparing now. TRUSTe has developed a four-phase process to help guide you on the path to compliance. During November and December we will provide you with a series of tips to use along your path to compliance.

See Tip No. 2: When Developing a Plan, Consider Risk and Level of Effort

TIP NO. 3: Build Consensus for GDPR Compliance by sharing Business Case for Investing

See Tip No. 4: Build Consensus for GDPR Compliance by executing an awareness campaign

Approach this process like building any business requirements case by developing a narrative that shows the pros and cons of this investment. You should use these key messaging strategies to establish a compelling story for your GDPR Awareness Campaign. The following examples can be used to get started on making your case:

The GDPR Impacts our Company…Posing Threats and Opportunities

  • Make a list of organizational risks, fines & penalties, and regulatory trends
    • Be sure to include that GDPR non-compliance fines may reach up to 20,000,000 EUR or 4% of total worldwide annual turnover of the preceding year (whichever is higher)
  • Find examples of what non-compliance would do to your brand in terms of loss of goodwill and general brand damage
  • Show that companies using a strong privacy posture have a competitive advantage – or conversely, how not being GDPR compliant could put you at a competitive disadvantage with clients who expect GDPR compliance

Our Company Has Compliance Gaps That Require Remediation

  • Use your initial GDPR Readiness Assessment results with identified gaps and risks to show where remediation is needed
  • Illustrate gaps with internal history of privacy breaches, regulatory inquiries, or enforcement – either within your company or your industry

Our GDPR Compliance Program Will Require New Investments

  • Illustrate this point with benchmark reports / infographics depicting GDPR risk and action by competitors
  • Be specific – use results of your gap analysis. Include training, PIAs, and policy reviews / changes
  • Include a proposed project overview with timeline, methodology, and metrics

Next week we will provide tips on how to use the business case you’ve created to execute an awareness campaign within your organization, and further build consensus.

If you need support in securing organizational stakeholders’ buy-in, TRUSTe offers a GDPR Workshop, which is the last phase in our GDPR Priorities Assessment. Our expert privacy consultants will review your readiness assessment and plan on site, custom tailored to your organization’s needs. Contact us for more information.


Nov 28 2016

Why Companies Need a Privacy Partner


K Royal, CIPP/US, CIPP/E, Sr. Privacy Consultant

Companies need a privacy partner, not just a privacy consultant. This is a concept that I have learned with our clients while being a part of the consulting team at TRUSTe. Having been a privacy officer (both as an attorney and a non-attorney) in several industries – healthcare, medical devices, emerging technology and with clients ranging from local government to national, from financial to education in the global realm and specifically within the US sectors – I cannot say that I have seen it all, but I have seen a whole lot of it. No one person can possibly be an expert in all areas of privacy/data protection. However, at TRUSTe we have a team, tools and methodology that can, and that is what is critical to our customers.

Companies need a privacy partner. They need a team that can not only assess them for European Union (“EU”) General Data Protection Regulation (“GDPR”) readiness, but can also review their EU/US Privacy Shield compliance needs or review cross-border transfer mechanisms in general, such as Binding Corporate Rules (“BCRs”) or Cross Border Privacy Rules (“CBPRs”) in the Asia Pacific. And then map that to their GDPR requirements or, even further, to their HIPAA compliance in the US, and even support framework questions, whether HITRUST, the International Organization for Standardization (“ISO”), the National Institute of Standards and Technology (“NIST”) or another framework. Further, a privacy partner can review the legal requirements, assess policy application, understand implementation constraints and flexibility, and adjust approach based on client expectations, level of maturity, industry standing, and future considerations.

Being able to partner in this way with companies is a professionally satisfying experience. Every client is different and requires a different set of knowledge, skills, and mindset. At times clients may come to us with one need – to assess Privacy Shield readiness (and over 500 companies have approached TRUSTe for this) – but realize during that engagement that they have multiple needs that have been identified but not yet addressed, or they simply click with the team and the TRUSTe approach and engage us as a partner in several more areas. In that case, are we a serial partner?

I have found that typically we become an ongoing privacy partner. Perhaps we start by building a Privacy Impact Assessment (“PIA”) for EU data use, and then expand that assessment to PIAs for other areas, such as HIPAA in the US, or other geographic-specific needs. It is made possible by keeping the needs of the customer in mind – sure, we’re only building a PIA for HIPAA, but if we add in certain gating questions, then you can use one initial PIA to divert to specific PIAs based on region (or even down to a state) and the personal information involved. We have the technical expertise to build that into the process.

And it’s not all about people. TRUSTe tools make it easier for me to do my job. I also get to help design some of the tools given my industry knowledge. For example, most companies desperately need a data inventory done – we can do it. Also, companies will insist to me that they have no unnecessary cookies on their websites – we can run a test for cookies. But beyond that, companies can use our technology to enhance their own capabilities, such as using our Assessment Manager platform to run their Privacy Impact Assessments (which are required under several privacy regimes).

The really valuable aspect from all of this is that we are not about a single consultant, we are TRUSTe. I have little experience in FERPA, but if the customer I am working with has a FERPA element, I can tap a colleague. As a partner, we engage in frank conversations with the company and truly function as a partner, not as a generic consultant. We have your best interests at heart and look to develop that ongoing relationship that works to your benefit.

Why do companies need a privacy partner? To serve in an ongoing role that tackles the heavy lifting, listens carefully, provides a heads up on overlapping issues in order to fill several requirements with one action, watches for duplication, foresees possibilities for expansion, and is open and frank in addressing who you are as a company, with your needs, constraints, flexibility, timing, maturity, standing, and drivers. We’re not selling you a product (although we can); we are offering you a cost-effective, widely experienced, highly efficient privacy partner.


Nov 23 2016

Cross Border Privacy Rules: Uptake Increases as Heads of State Affirm Commitment


On November 20, the Heads of State for the 21 APEC member economies met in Lima, Peru at the annual APEC Leaders’ meeting. In their Joint Declaration, APEC Leaders once again recognized “the importance of implementing the APEC Cross-Border Privacy Rules (CBPR) System, a voluntary mechanism whose participants seek to increase the number of economies, companies, and accountability agents that participate in the CBPR System.” During his press conference in Lima, President Obama specifically called out the group’s endorsement as a way to advance the digital economy and “to protect the privacy of personal information as it crosses borders.”

High-level recognition of and commitment to the CBPR system comes as more APEC economies formulate plans to join. Last week, Chinese Taipei announced its intention to join the system. And in a readiness survey released in October by the Government of Vietnam, South Korea and the Philippines both indicated they intend to join the system.

For its part, Japan, which joined the system last year, has been finalizing regulations to implement its new data protection law. The Government of Japan has indicated that it will specifically name the CBPRs as an approved transfer mechanism for data out of Japan. These regulations are expected to be released by the end of this year. More information on CBPRs and related trade initiatives can be found on the White House’s APEC outcomes fact sheet.

The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers. TRUSTe was named the first accountability agent for the system in June 2013. Learn more about obtaining a TRUSTe CBPR certification here.
