Jun 01 2016

Engaging the Board is First Step Toward Privacy Risk Management – Summit Preview


A board of directors cannot properly oversee the risks surrounding an issue it does not understand. Therefore, a key first step in advising the board about privacy and data protection is to educate the board about the company’s current vulnerabilities, its obligations, and the significant exposure and liability the company could face if those vulnerabilities and obligations are not appropriately addressed. In other words, directors should understand the risks and the business dependency on data governed by data protection and privacy regulations and what is on the horizon that could seriously impact the business, before it appears in the news. Four legal experts, from different industries and with different clients, suggest ways to approach board education and persuasion when it comes to managing data.

Carly Alameda, Litigation Partner at Farella Braun & Martel LLP

“Even though boards of for-profit companies are often composed of sophisticated business people with a strong understanding of the company and industry they serve, they may not fully appreciate the particular cyber threats that exist. What data or information does the company possess that others may want, where is it, and how is it protected? What systems might be vulnerable to hackers? The board of directors needs to understand the answers to these questions as it applies to their company. Directors need to understand these risks so they can ask the right questions and fulfill their oversight role.”

Tom Widgery, Senior Director of Privacy and Information Governance at SVB Financial Group

“Financial services boards have become much more aware and concerned about data protection and the risks of security vulnerabilities in recent years. After all, it is a rare quarter when there is not a story about a security breach or hacking attempt in the news somewhere these days. Staying ahead of the board and anticipating questions on impacts to your organization from the current headlines is a challenge. The key to helping a financial services board is to latch on to an example that they understand, get their attention and leverage it to discuss the broader privacy implications that can lead to reputational risk.”

K Royal, Assistant General Counsel of Privacy and Compliance at CellTrust Corp.

“The key to being helpful to the board is to frame the concerns in a context to which the board members can relate. For example, when discussing issues around targeted behavioral advertising, the board members engaged with an example of Viagra. Not the one I would want to discuss necessarily, but one that all individuals had seen ads for and understood. What you need to avoid is dire predictions without a near-miss event. Individuals making significant decisions about a company become exhausted when faced with unrelenting risk. On the other hand, many privacy professionals present the ‘sunny’ side of their activities without providing a fair risk-based view. There is always a balance to hit, but mostly, board members want actionable items with a plan and measurable results.”

Olga V. Mack, General Counsel at ClearSlide, Inc.

“The board must have a strong understanding of and involvement with the company’s written plan for how its information will be protected and how the company will respond in the event of a breach. Having a concrete, written plan in place is key to ensuring a company understands the issues, is maximizing its preventative efforts, and can react and put its best foot forward during an attack or breach event. Cyber attacks happen fast, and there may be the need for a company-wide response within hours, or less. The board should ensure the plan is sufficient to facilitate the necessary actions well in advance of any attack.”

For further discussion with Carly Alameda, Tom Widgery, K Royal, and Olga V. Mack, please join the “Cyber-heist your Corporate Mindshare: How to Engage the C-suite and Board” panel at 2:35pm on June 8 at the TRUSTe Privacy Risk Summit 2016. Register here.

 

Jun 01 2016

June Spotlight – Privacy Risk Summit, Legaltech West Coast, AIIM UK


Privacy Risk Summit 2016

June 8

San Francisco

The 2016 Privacy Risk Summit will bring together leading privacy practitioners, lawyers, regulators, and academics to address top privacy risks in the year ahead and share strategies for success.

The Summit builds on the success of the EU Data Protection Conference and IoT Privacy Summits to bring you an expanded program with three parallel conference tracks focusing on risks rising from technological and regulatory change and privacy risk management best practices.

TRUSTe is hosting this event. We invite you to join us in San Francisco this summer for a packed day of inspiring keynotes, dynamic panel presentations and interactive workshops.

> Register here

 

Legaltech West Coast

June 13 – June 14

San Francisco

Legaltech is the largest and most important gathering of legal technology professionals anywhere in the world. Attendees include decision-makers from all firm sizes who attend Legaltech to hear directly from the experts and see the latest and most innovative products & services.

TRUSTe is exhibiting and speaking at this event. Stop by booth #406 to see the latest privacy compliance tools or join us at our Emerging Technology session, “Counsel’s Toolbox: Innovation in Managing Digital Privacy Risk” on Tuesday the 14th at 1:30pm. We’ll be joined by Privacy Counsel at Autodesk, White & Case, NetSuite, and Symantec.

> Register here

 

AIIM Forum UK

June 22

London

The AIIM Forum UK is a free independent event brought to you by AIIM International, to deliver thought leadership, market insights and expert advice through a one-day program of educational seminars and a major showcase of the latest information management innovations.

TRUSTe’s Ralph O’Brien will be speaking on Wednesday, June 22, 4.05 – 5.00pm on the panel discussion, “Europe, Privacy & the New General Data Protection Regulations”. Key discussion points will be the legal requirements and timescales of the GDPR, plus further exploration of provisions such as the ‘Right to be Forgotten’, the ‘Right to object to Automated Processing’ and ‘Privacy by Design’, data portability vs data sharing, information governance, risk management and other commercial impacts that will affect all organizations operating in Europe.

> Register here

 

May 27 2016

‘Mind the Gap’ Assessment – Transport for London chooses TRUSTe Assessment Manager


This week, Transport for London confirmed they have chosen TRUSTe as their privacy technology partner and will use TRUSTe Assessment Manager to prepare for the EU General Data Protection Regulation and implement their privacy assurance program.

Transport for London is responsible for keeping a population of 8.4 million Londoners, and millions more visitors to the city, on the move through key services (and iconic brands) such as the London Underground, London buses, rail services, river boats and Santander Cycles. They also manage over 580km of roads, operate two road user charging schemes and regulate the taxi and private hire trades. Virtually everyone who visits, lives or works in London will use at least one of these services and with increasing volumes of customer data being collected, privacy is a top priority.

James Newman, Privacy and Data Protection Manager at Transport for London (TfL) said:

“I’m delighted that TRUSTe has emerged from a rigorous competitive tender process as the delivery partner for TfL’s new privacy assurance solution. TRUSTe Assessment Manager will now play a key role in TfL’s privacy assurance programme and our ongoing preparations for the implementation of the GDPR.”

TRUSTe Assessment Manager transforms how companies assess, analyze, and remediate global data privacy management risks. It was purpose built for privacy teams and developed with the input of global businesses and legal professionals spanning a range of industries. The first dedicated SaaS privacy assessment solution in the market, Assessment Manager brings the benefits of automation to the privacy industry and was recently named a 2016 Legaltech Innovation Award Winner for Risk Management.

Find out more here and contact us for a demo today.

 

May 26 2016

Your Path to GDPR Compliance | Step 1

There are a lot of great resources out there summarizing all of the new requirements under the GDPR (see IAPP, other resources). But once you see the long and dizzying list of new requirements, it’s easy to get overwhelmed. Fear not, there are ways to tackle it one step at a time.

TRUSTe has developed an education series designed to provide you with a path to achieving GDPR compliance.  This multi-part program provides both guidance on what to do, along with options for helping you get it done.

While May 25, 2018 – the compliance deadline – may seem like a long way off, many items will likely take your organization considerable time to implement so it’s wise to start the process now.  Everything you put in place ahead of the deadline will enhance your overall privacy program and further your efforts to minimize risk, ensure compliance, build trust, and protect your brand.

 

Step 1 – Assess Readiness

The very first thing to do is Assess – Are you impacted?  Where do you stand?  

Are you impacted?

You may be thinking, I don’t need to worry about the GDPR because it doesn’t impact my organization.  We don’t have offices or do business in the EU.  But the GDPR includes a significant increase in scope over prior EU data protection law that makes it “extra-territorial” or beyond just being located or doing business in the EU.

This means, you need to take a closer look.  Specifically, you should ask three threshold questions:

  1. Do you “offer goods or services to EU residents”?
  2. Do you “monitor the behavior of EU residents”?
  3. Are you a “Data Processor” (one who processes the data on behalf of the Data Controller) of EU resident “personal data” (any information relating to an identified or identifiable natural person, or “data subject”)?

If you answered, “yes” to any of the above, then you’re impacted and need to start taking steps toward compliance.  Some things to keep in mind:

  • The GDPR protects the personal data of EU residents, which includes anyone physically residing in the EU, even if they are not EU citizens.
  • By extending the scope of the GDPR to include “monitoring the behavior of EU residents”, the applicability net is cast as wide as it can get. Practically every website and app out there tracks digital activities of its visitors. Even though you may not be actively targeting and monitoring EU residents, if you have a website or app that tracks who visits and an EU resident happens to find their way to your digital property from within the EU, you’re impacted. Moreover, monitoring of behavior can be applied more broadly and include profiling that leads to actions that analyze or predict personal preferences, attitudes and / or behaviors. Thus, the GDPR impacts targeted behavioral advertising and other data analytics.
  • The GDPR now extends due diligence obligations and potential liability to Data Processors, not just Data Controllers.  This has major impacts to cloud companies that process data on behalf of others, especially as the definition of “personal data” is now broadened and includes info like IP addresses, cookie strings, and mobile device IDs.

 

Where do you stand?

Now that you know that you’re impacted, you need a way to self-diagnose.  You could leverage a controls checklist, build one yourself, or take advantage of a free easy-to-use online GDPR readiness assessment tool.  Whatever self-diagnosis path you choose, you need to make sure it includes a fairly comprehensive list of the requirements so you have confidence that your assessment is thorough.

This initial GDPR assessment should guide you through GDPR operational requirements under the following areas, with particular emphasis on what’s new:

  • Transparency (i.e., Privacy Policy).  This centers on the language in your Privacy Policy.  It needs to be in “clear and plain language”, i.e., easily understood by users and not buried under a morass of legalese.  A whole host of new language must also be included, e.g., rights of data subjects, contact details of a Controller’s representative or DPO (Data Protection Officer), among others.
  • Collection and Purpose Limitation. An assessment should check on whether the info collected is necessary and relevant, with particular scrutiny around information that is sensitive, involves criminal convictions or offenses, or is collected from children under the age of 16.
  • Consent.  The consent requirements under the EU Cookie Directive still apply regarding the use of cookies and similar tracking technology.  In addition, there are consent requirements prior to Data Processing, including details for when you need explicit and informed consent, or when you must provide user controls for preferences and withdrawal of consent.
  • Data Quality.  This centers on steps taken to ensure accuracy of data and processes for deleting or correcting it.  
  • Privacy Program Management.  This is a major area requiring a multitude of operational changes – e.g., documentation of your legal basis for Cross-Border Data Transfers, PIA Programs for new products or “high risk” processing, processing activities requiring the designation of a DPO, and due diligence obligations and contracts for Onward Transfers, to name a few.
  • Security in the Context of Privacy.  This includes requirements on the use of industry-standard encryption technologies for sensitive data, systematic destruction, erasure or anonymization of data, and documentation on security programs.
  • Data Breach Readiness and Response.  A documented privacy and security Incident Response Plan is essential, particularly because there are significant new data breach notification requirements (e.g., controllers must notify supervisory authority within 72 hours).
  • Individual Rights & Remedies.  The GDPR expands individual control with new rights, e.g., the “Right to be Forgotten” (data erasure), “Right to Data Portability” (to transmit data to any other controller), enhanced rights around processing (notice, access, rectification, objection) and filing complaints.

 

What now?

The GDPR Readiness Assessment, powered by TRUSTe Assessment Manager, includes all of the above modules.

The result includes real-time findings to show what requirements you currently meet, a gap analysis to show what’s not yet covered, and operational recommendations to close the gaps. This gives you a solid handle on where you currently stand and is critical for the next step in the Path to GDPR Compliance … to be covered in our next blog post Step 2: Build Consensus.

Visit https://www.truste.com/business-products/gdpr-privacy-solutions/ for more information on TRUSTe GDPR Solutions.

May 25 2016

Understanding your privacy risk exposure in Latin America – Summit Preview

Technology is booming in Latin America, and privacy laws and regulations are becoming more complex as well, since more technology generally means more data processing.

Latin America is a region formed by 20 different and independent countries, so getting acquainted with 20 different laws can seem quite an ordeal. Juan Luis Hernandez Conde, Founding Partner at Novus Concilium, will address this topic at the upcoming TRUSTe Privacy Risk Summit on June 8th in San Francisco. In this blog post he provides an introduction to the 5 basic principles of LATAM privacy laws.

 

  1. No “one stop shop”

There is no document such as the GDPR (Europe’s General Data Protection Regulations) applicable to the whole region, although most of the laws are based on the EU Data Protection Directive 95/46 EC (the EU Directive). In general, most countries have a right of data self-determination in their constitutions, but specifically all the countries can be divided into two teams.

Team one, in which we can find Mexico, Argentina, Uruguay, Costa Rica, and Nicaragua, comprises countries with a detailed framework and even Data Protection Agencies (DPA) to enforce it. Team two, where we can find countries such as El Salvador, Guatemala, Venezuela and Cuba, groups countries that don’t have a specific omnibus law regarding data self-determination or a DPA. There is also a set of countries transitioning from team two to team one, for example Brazil and Paraguay.

 

  2. “Habeas Data”

Habeas Data (which literally means “to show – the controller– has the data”) is a catchy phrase used to refer to data self-determination rights, such as the right to access, rectification, or erasure of personal information. Most of the Latin American countries grant these types of rights to data subjects, and provide detailed legal procedures to enforce them.

 

  3. Corporate governance and policies

Some laws require controller companies to develop some corporate structures and privacy policies according to certain legal principles. For example, Mexican Law requires controllers to appoint a Data Protection Officer in charge of reviewing any Habeas Data complaint made by data subjects.

 

  4. Information and Consent

The duty of information plays an important role in the region. In jurisdictions such as Argentina or Colombia, controller companies have a duty to disclose all the details regarding the processing of personal information they gather. Information to be disclosed commonly includes:

  • Personal information gathered,
  • A detailed explanation of what the controller uses the data for,
  • A list of transfers to third parties,
  • The name and address of the legal entity responsible for the database and
  • Procedures to exercise habeas data rights, among others.

Consent is paramount in most of the Latin American jurisdictions. Almost every country with omnibus legislation requires it prior to the processing of data, each in its own unique way. For example, Mexico and Colombia allow opt-out consent for general information, but require opt-in consent in special circumstances such as the processing of sensitive data (information regarding sexual orientation, religious views, ethnic origins, health condition, political preferences among others).

Whatever the case, the controller company will be responsible to show the DPA it disclosed the information required by law and that they got consent before processing data.

 

  5. Rules on data transfers

The general rule is that data transfers can only be made with prior consent from data subjects.

However, international data transfers are regulated as well. Some countries require transfers to only be made to countries that show an “adequate level of protection”.

Some other countries, such as Mexico, allow international data transfers only if the controller company agrees (by a legally binding document) to process the information under a privacy policy in accordance with Mexican Law principles.

In either case, you had better double-check before transferring data, since fines or even criminal charges (misdemeanors or felonies) may apply if the transfers aren’t done correctly. You don’t want to risk it.

 

Conclusion

Privacy in Latin America is a complex and continuously evolving subject, which varies depending on the country you are doing business in. Find out more in the Latin America session at the TRUSTe Privacy Risk Summit.

 

 

May 23 2016

Privacy Risk Summit Preview: Privacy by Design for IoT


The Internet of Things (or the Internet of Everything, as some refer to it) is changing the way of the world for businesses, governments and consumers, as devices and services are increasingly connected to the Internet in real-time, 24/7. This allows for the practically ubiquitous collection, storage and sharing of data on an always-on basis, which heralds countless innovations for enterprises and individuals alike.

However, with increased connectivity comes the potential for increased vulnerability, in both the cyber and physical worlds. This is why Privacy by Design is a paramount business practice for companies engaged in the IoT space, as well as a consideration steadily more expected by consumers. TRUSTe’s Privacy Risk Summit (Wednesday, June 8th in San Francisco) features three sessions devoted to IoT privacy issues. In this second preview blog, Darren Abernethy, Privacy Solutions Manager at TRUSTe, offers a brief introduction to Privacy by Design in the IoT context.

The Internet of Things Continues to Grow Exponentially

The IoT is a short-hand term that refers to the interconnected environment in which previously offline, data-siloed objects can now continually communicate information among other objects and people. According to one estimate, the number of IoT-connected devices will number 38.5 billion in 2020, up from 13.4 billion in 2015: a rise of over 285%.

Consumer-focused, “smart home” devices are already a fixture in many retail outlets (think fitness wearables, connected refrigerators, sous-vide precision cookers, smart thermostats and lighting systems, the list goes on), and the next several years are expected to see IoT maturity in areas as diverse as connected cars, smart grids and cities, digital healthcare, agriculture, and various industrial channels. In short, there is no scarcity of interest in the application of IoT connectivity across sectors because of the granular insights that it facilitates.

The Connected World Requires Pre-Conceived Privacy by Design

A recently released survey conducted by Ipsos on behalf of TRUSTe/NCSA found that 89% of respondents say that they avoid companies that do not protect their privacy. This reality—that brand reputation and consumer trust are inextricably linked—is especially true in the IoT context. This is why Privacy by Design, or the practice of building privacy and security controls into a product or service at the outset of the planning process, rather than as an afterthought, is imperative.

There is no statutorily-defined, one-size-fits-all prescriptive list of what constitutes Privacy by Design. Indeed, in the context of IoT devices, Privacy by Design in practice ultimately depends on the types and quantity of information a device collects, the sensitivity of the data, and the overall risk posed to end users. Still, some issues should form the basis of any Privacy by Design assessment throughout product development, and these include:

Data Minimization. Whereas early IoT devices may have focused on collecting information indiscriminately, on a “we’ll find a use for this data later” basis, such an approach will no longer be tolerated by regulators. Most privacy regimes mandate that only data relevant to the purposes for which consent was originally given may be processed. And with the new EU GDPR privacy regulation’s effective date inching closer each day—along with its application to data controllers and processors of fines equaling up to 4% of global turnover for serious infractions—all IoT folks should be mindful to collect only what is necessary to achieve their business goals (and in keeping with their disclosures and public promises).

Perform Privacy and Security Risk Assessments Throughout All Stages of Development. These complement an overall risk-based approach that includes, from the start, having a full inventory of the type and variety of personal information collected, as well as end-to-end understandings of data flows for the life cycle of any data. As the FTC has noted: “An evolving inventory serves triple duty: It offers a baseline as your staff and product line change over time. It can come in handy for regulatory compliance. And it can help you allocate your data security resources where they are needed most.” TRUSTe’s SaaS-based Assessment Manager was designed with this in mind, by automating the privacy impact assessment process for companies so that they may efficiently assess privacy risk, produce on-demand compliance/audit reports, and monitor privacy matters on an on-going basis.

Use Security Hygiene Best Practices. This entails utilizing security transmission protocols and encryption techniques for personal information in transit and at rest, building in proper authentication controls, training company staff in privacy and data security best practices, limiting permissions, and using secure options as a smart device’s default settings that are changeable later by more advanced or aware end users.

Vet Vendors and Partners. Privacy by Design considerations do not end with the device manufacturer; they extend to the partners and service providers associated with the device maker. Accordingly, IoT companies should embed processes to review third party providers’ practices as well as have contractual provisions in place that clarify responsibilities and liabilities before any product or service goes to market.

Transparency and Control. IoT companies must be transparent with consumers—in easy to understand language and format—about how their troves of data are collected and used. This means up-front and accurate privacy statements, building in mechanisms for on-going notice and choice (including just-in-time notices), having conspicuous user privacy controls/dashboards, and effective communication—beyond the design phase—of access options, recommended security updates and other manifestations of respect for users’ preferences.

The Future of IoT Privacy by Design

As more devices, platforms and infrastructure connect to the Internet in real-time, the most successful industry participants will be those that regard Privacy by Design as an opportunity to demonstrate that they are worthy of consumers’ trust. Industry self-regulatory frameworks, such as the OTA IoT Trust Framework, are available to help companies to operationalise privacy by design. Time will tell whether this is enough to pre-empt the need (in the eyes of external regulators) for legislation. Also unclear are issues of interoperability in the IoT context, as well as questions of whether a one-time consent by consumers can realistically serve as “informed” consent as connected devices become a perpetual presence in our daily lives. For insights and analyses of these issues and more, be sure to check out next month’s TRUSTe Privacy Risk Summit, or contact TRUSTe today.

May 17 2016

Privacy Risk Summit Preview: Cross Device Tracking

A topic on the tips of advertisers’ and marketers’ tongues these days is “cross-device tracking,” a unique method of digital advertising that is viewed within the data, analytics and marketing spaces as a game-changer. TRUSTe’s Privacy Risk Summit (Wednesday, June 8th in San Francisco) will feature a panel of industry leaders devoted to the latest on this subject. In advance of the Summit, Darren Abernethy, Privacy Solutions Manager at TRUSTe, offers a brief introduction to cross-device tracking methodologies and some of the cutting edge privacy issues upon which they touch.

What Is Cross-Device Tracking?

Cross-device tracking is the umbrella term for different techniques used to serve targeted ads to an individual user on that user’s multiple devices so that messages can be better tailored to the right individual at the right moment. The ads and promotions served to the user across devices, channels and platforms are more effective (i.e., more likely to be engaged with or lead to conversions) because they are informed by that user’s previous interactions on all of the devices, not merely the device or browser currently in use. Cross-device tracking also allows for better “attribution” or the ability to understand purchases, behavior and intent.

How does this work in practice?

As one oversimplified example, a unique user could browse for a particular book on her mobile phone during breakfast, later at the office on her work laptop put a copy of the book into an online retailer’s shopping cart but not purchase it, and then back at home that evening she may receive an advertisement on her personal desktop computer’s browser for other books by that author or even a discount promo code at the retailer’s site where she almost made the afternoon purchase.

This type of connecting the dots to identify and reach a single user across devices is accomplished through two primary methods.

Deterministic and Probabilistic Linking

The first method is deterministic linking (DL), whereby a user self-identifies to a service, such as by logging in, which directly confirms that the multiple devices in use belong to the same user. Accordingly, if a user logs onto a particular social media site on a smart watch, tablet, mobile app or computer web browser, then any user data collected (clicks, likes, visits, 1st party cookie data, and data from 3rd party websites on which the social media service has widgets/portals) becomes part of that user’s broader “profile,” and can be used to target ads to that user on any device or platform.

The second method is probabilistic linking (PL), whereby statistical modeling, algorithms and/or predictive pattern recognition are applied to a variety of digital technical parameters to infer links between devices. Firms in the PL space often partner with online publishers or ad exchanges and monitor ad request traits such as IP address, device type, geolocation, time of day usage patterns, and installed browser fonts, then correlate that information with other data sources and use proprietary processing to build device graphs that, over time and in the aggregate, can link multiple device, cookie, and mobile IDs to a common user, who is assigned an anonymous identifier.

Privacy Considerations with Cross-Device Tracking

The use of cross-device tracking is a response to consumers’ more fragmented options for accessing the Internet now compared to two decades ago, as well as the inherent limitations of delicate, mobile-deficient and browser-specific cookies traditionally utilized in online behavioral advertising. But does this new means of crossing data streams to gain a holistic view of a consumer along the entire path to purchase give rise to issues for privacy-conscious consumers and businesses?

For instance, can these techniques lead to the collection of unnecessary or superfluous data, at odds with the generally recognized privacy principle of data minimization? Can they lead to the possible triggering of unintended legal regimes, or erroneous inferences that lead to bad ad spend? Should different privacy approaches be utilized for DL versus PL? Is it technically feasible for the industries involved to build an omnibus opt-out mechanism that can be honored across all devices and platforms?

For insights and analyses of these issues and more, including benefits for businesses and consumers and current self-regulatory approaches, be sure to check out our exciting panel at next month’s TRUSTe Privacy Risk Summit. The panel will include perspectives from the brand/advertiser, technology development and product design, go-to-market strategy and, of course, privacy and legal challenges. The panel will be moderated by Andy Dale, Senior Counsel at DataXu, an advertising technology company engaging in cross-device campaigns. In Andy’s words: “cross-device technology is really about understanding the customer journey and this technology is powerful but needs to be harnessed and utilized within a privacy framework which allows users an ability to understand the practice and make meaningful choices”.

 

 

 

May 12 2016

TRUSTe Assessment Manager Wins 2016 Legaltech News Innovation Award


Dave Deasy, SVP Marketing (center) accepting the award on behalf of TRUSTe  (Photo credit: Jason Doiy)

We’re excited to announce that TRUSTe Assessment Manager has been named a 2016 Legaltech Innovation Award Winner for Risk Management. The annual Innovation Award program, now in its 15th year, recognizes the best in legal technology leaders, products, and projects across the legal community.

TRUSTe Assessment Manager transforms how legal departments assess, analyze, and remediate global data privacy management risks. It was purpose built for privacy teams and developed with the input of global businesses and legal professionals spanning a range of industries. The first dedicated SaaS privacy assessment solution in the market, Assessment Manager brings the benefits of automation to the privacy industry. Previously legal teams relied on manual tools such as spreadsheets, email or retrofitted GRC systems to address the unique nuances of privacy risk management.

TRUSTe Assessment Manager comes pre-loaded with over a dozen templates to address popular use cases, including the EU General Data Protection Regulation, Vendor Risk Management, Breach Notification, and Privacy Impact Assessments. The Platform is used by hundreds of companies either directly or with assistance from the TRUSTe Global Privacy Services team across all industries including pharma, healthcare, technology, and consumer products organizations.

Nominations for the Legaltech News Innovation Awards were made by the publication’s more than 40,000 readers, and a panel of judges comprised of Legaltech News and The Recorder editors selected the winners from hundreds of candidates.

 

 

 
