Nov 01 2016

November Event Spotlight: IAPP Europe; The New AdTech Playbook – Accountability & the GDPR



IAPP Europe Data Protection Congress 2016

November 9 – November 10


The IAPP Data Protection Congress is where you’ll find thought leadership, a thriving professional community and unrivaled education with more than 40 sessions on the top privacy issues organisations are facing today, including the GDPR.

Visit TRUSTe in the exhibit hall at Booth #22 and hear TRUSTe’s Eleanor Treharne-Jones, CIPP/E speak alongside American Express and eBay on Nov 9th at 16:15 for “The Evolution of PIA Best Practices” and TRUSTe’s Hilary Wandall, CIPM, CIPP/E speak alongside Hunton & Williams on Nov 10th at 13:30 for “Addressing Risky Processing Under the GDPR: A Practical Approach”.

> Register here


Understanding new EU Guidance on DPIA/PIA requirements

November 10 @ 9:00 am – 10:00 am

Online Webinar

Whether you call them Data Protection Impact Assessments or just PIAs, they are an indispensable way to gauge the potential impact of projects, systems, programs, products or services on the data an organization holds. Having a good understanding of what DPIA/PIAs are, how to implement them and who needs to be involved can be the key to embedding privacy in the heart of your organization. And of course they are now a requirement for certain types of processing under the GDPR.

Make sure to save your seat for this webinar as we will:

  1. Review PIA best practices
  2. Review latest compliance guidance from the EU regulators
  3. Provide a range of tips and tools to help streamline and embed the process in your organization

Join this webinar and hear from TRUSTe’s Beth Sipula and Kellogg’s Paul Iagnocco to get the latest information, tips and tools on how to use DPIA/PIAs for new EU requirements.

> Register here


TRUSTe & DAA present: The New AdTech Playbook – Accountability & the GDPR

November 15

New York

Join the Digital Advertising Alliance & TRUSTe for an afternoon discussion to learn about the latest developments in the AdTech industry and how companies are addressing the recent self-regulation & GDPR updates. Hear from industry experts on how to mitigate risk and protect your brand surrounding these new AdTech challenges.

Panels include, “Enforced! Keeping Pace with Industry Self-Regulation Initiatives for Interest-Based Advertising Consumer” and “Is the AdTech Industry ready for the GDPR?”. Speakers include: Chris Babel, TRUSTe • Jon Brescia, Advertising Self-Regulatory Council, Council of Better Business Bureaus • Senny Boone, DMA • Jason W. Koye, Esq. CIPP US/E, Senior Counsel, Annalect, a division of Omnicom Media Group • Lou Mastria, CIPP, CISSP, Digital Advertising Alliance • Michael A. Signorelli, Venable LLP • Leigh Freund, Network Advertising Initiative.

> Request an invite here (space limited)



Oct 26 2016

Key Takeaways from Building a Privacy Governance Program Webinar

Last week we had Michelle Fleury, Sr. Director of Supply Chain Operations at Cisco, and Patrick Curry, Director of Privacy and Compliance at McKesson US discuss how to build a privacy governance program.  They discussed some privacy and security challenges that organizations face today. Specifically, they discussed how data isn’t kept in one place due to the proliferation of networked devices, causing organizations to struggle with where to start securing their enterprises.

Moreover, organizations may have diverse strategic considerations, such as legal obligations, customer expectations, competitive differentiators, and the risk landscape. To meet these strategic considerations while securing the enterprise, (1) use guiding principles to get through the complexity, and (2) get started now.

(1) Use Guiding Principles.

One such guiding principle is a requirement of the EU GDPR – Privacy By Design. Our panelists shared that getting the business involved very early will help ensure that privacy is included and built in from the beginning. Connect with them so that they understand the privacy team’s goals.

(2) Get Started Now.

While the initial program will have to be improved upon, these steps are a starting point:

  • Form a multidisciplinary team including privacy and security
  • Inventory your data
  • Assess your organization’s data protection maturity
  • Choose a program framework and set goals
  • Collect and connect capabilities and processes
  • Identify and prioritize the most significant gaps
  • Follow an Agile approach
  • Get the word out: people are as important as the technology

If you would like to listen to the webinar, it is available on demand here. To learn more about TRUSTe Privacy Solutions, powered by privacy experts and leading technology, contact us.

Oct 21 2016

500th Company Posted to Privacy Shield Framework

The International Trade Administration (ITA) announced that the 500th company was posted to the EU-US Privacy Shield Framework list on Tuesday, October 18th. It’s a tremendous accomplishment, and there are still more to come. More than 1,500 companies have submitted self-certifications, providing strong endorsement of the new framework.

The ITA press release stated:

WASHINGTON – The EU-U.S. Privacy Shield Framework today achieved a milestone with the posting of the 500th company to the Framework list since it began accepting certifications on August 1, 2016. The U.S. Department of Commerce’s International Trade Administration manages the newly created Privacy Shield program, and conducts a robust review of each submission before finalizing a company’s certification and placing it on the publicly available Privacy Shield list.

“With our partners in Europe, we have created in Privacy Shield a framework that both strongly protects privacy and facilitates trade,” said Acting Assistant Secretary of Commerce for Industry and Analysis Ted Dean. “The pace of the Privacy Shield program’s growth is a testament to the critical need for this data transfer mechanism, which underpins almost $300 billion in digitally deliverable services traded across the Atlantic each year.”

In total, more than 1,500 companies have submitted self-certifications to the site since the new Framework launched, and additional certifications are being reviewed each day.

Organizations interested in self-certifying, exporters, and other stakeholders can visit for more information.

To learn more about TRUSTe Privacy Shield assessment and verification, contact us.

Oct 12 2016

Round II of EU Cookie Compliance Inspections


By Helen Huang, Senior Product Manager

In September 2014, the French Data Protection Authority (CNIL) conducted a “cookie sweep” to review compliance with the EU Cookie Directive and published a combined analysis from 8 DPAs, including the Czech Republic, Denmark, France, Greece, The Netherlands, Slovenia, Spain, and the UK. The “cookie sweep” involved the CNIL conducting onsite and remote inspections to evaluate compliance with the latest EU cookie standards. The 2014 cookie sweep findings showed that many companies’ websites did not comply because insufficient notice and valid consent were being given to and/or sought from visitors. Many websites subsequently put in place compliance solutions as enforcement and possible fines continue to be very real. Details about the results of the initial sweep can be found here.

With the upcoming expanded and stricter consent requirements under the General Data Protection Regulation (GDPR), as well as anticipated amendments to the EU Cookie Directive, it is worth paying closer attention to the actions and next steps needed to come into compliance with EU regulations.

On July 27, 2016, the CNIL announced a new round of cookie sweeps and cookie enforcement actions that will focus on specific industries: Ad Tech, Social Media and Analytics companies. The French Data Protection Authority recognizes the complexity of the online advertising ecosystem, and holds both publishers and their processors responsible for activity on a website.

Publishers should provide more information on the ad tech, social media and analytics partners they work and share data with, the nature of data collected and processed by them and the rights of the data subjects to object.

In terms of next steps, publishers’ partners should also “(i) assess their current cookie compliance strategy, (ii) update their publisher terms (where required) and (iii) equip publishers with actionable tool kits containing for instance FAQs, template end-user wording and means to object.” With CNIL as the lead DPA, companies should still expect different degrees of strictness and various ways to implement the consent mechanism in each EU member state.

When developing your cookie compliance strategy, one of the most critical requirements is to provide proper Notice, Consent, and Choice to visitors. Launched in 2011, TRUSTe Cookie Consent Manager has continued to keep pace with evolving laws and regulations, and has been enhanced to tackle the complex landscape and varying requirements of the EU countries. TRUSTe has deployed hundreds of cookie consent solutions for many of the world’s most recognized brands, enabling them to comply with the EU Cookie Directive. Click here to see a live demo and learn more about why TRUSTe Cookie Consent Manager is the trusted data privacy solution.

If you have any questions about consent requirements under the EU Cookie Directive or GDPR, please contact TRUSTe to learn more about how we can help.


Oct 10 2016

3 More Misconceptions about Privacy Shield



Last week we gave you the facts to dispel three common misconceptions about Privacy Shield. This week we are including three more.

1. Model Contractual Clauses (MCCs) & Standard Contractual Clauses (SCCs) are easier than certifying for Privacy Shield.

While your company may have invested in MCCs or SCCs when Safe Harbor was nullified, your work does not stop there.  You need to continue updating your contracts on an ongoing basis to ensure continuing compliance.  Sabina Jausovec Salinas, Corporate Counsel at Rackspace and Debbie Bromson, Head of Global Privacy at Jazz Pharmaceuticals spoke about why they chose Privacy Shield for their organizations; the webcast recording is available here.

2. MCCs / SCCs are the safest way to go.

The continuing validity of MCCs is now being considered by the European Court of Justice (ECJ). Privacy Shield was drafted by US and European officials specifically to ensure it met the requirements as laid out in the ECJ’s Schrems decision. Many companies who have MCCs / SCCs in place view Privacy Shield as an added layer of protection against new legal action.

3. Privacy Shield Compliance = GDPR Compliance.

While the principles necessary to comply with Privacy Shield are similar to many of the data protection safeguards necessary for GDPR compliance, Privacy Shield only addresses one of the many components of the GDPR (i.e., International Data Transfer) as depicted in this image.



Even with a Privacy Shield certification, you still need to address the remaining components of the GDPR, including DPO Appointment, Consent, PIAs, and many more.


TRUSTe offers several Privacy Shield Compliance Solutions and GDPR Solutions. To schedule a consultation and learn how Privacy Shield Certification can help your organization, contact us.




Oct 06 2016

3 Misconceptions about Privacy Shield


Here are 3 Misconceptions about Privacy Shield and the facts you should know.

1. I missed the deadline to certify for Privacy Shield.

Although the deadline to qualify for the onward transfer requirements grace period ended September 30th, it is not too late to certify. While there is no deadline to self-certify, if you have clients and/or employees in Europe, you will need to make use of one of the recognized transfer mechanisms to process that data outside of Europe.

In addition to these regulatory obligations, your company may start to face pressure from clients or business partners to get the certification. Just as many companies required their suppliers and partners to be Safe Harbor certified, expectations around Privacy Shield are likely to be the same.  Privacy Shield provides a visible way for companies to demonstrate their compliance with EU data transfer rules.

2. The grace period for onward transfer covered the bulk of Privacy Shield requirements.

Onward transfer is only one of many Privacy Shield requirements. Companies still have to ensure all of the other requirements are met, such as: notice, choice, security, data integrity & purpose limitation, access, recourse, and enforcement & liability.  So while you missed the grace period, it only addressed one portion of the overall requirements.

3. Privacy Shield is only for my customer data.

If you have employees in the EU, you also need to consider Privacy Shield for your HR data. This is a separate certification which you can add at any time to your existing listing with the Department of Commerce. Currently, over 300 companies are on the Privacy Shield list, many of which are using this approach to facilitate compliance with customer and HR data requirements.

TRUSTe offers a comprehensive Privacy Shield Assessment and Verification program. To schedule a consultation and learn how Privacy Shield can help your organization, contact us.

Sep 30 2016

October Events Spotlight: DMA Annual Event; Privacy + Security Forum

&THEN – The DMA Annual Event

October 16-18

Los Angeles

Powered by DMA – &THEN is a reinvention of our Annual Conference – a place for today’s empirically-driven, creatively-inspired marketers to convene, connect, and find new ways to create demand. It will deliver the global marketing experience for a new generation of digital, data-driven marketers. &THEN it will challenge everything you know about marketing, from the way you learn about it, to the way you apply it at a higher level.

Hear TRUSTe’s Dave Deasy, SVP of Marketing, speak alongside representatives from Warner Bros, DemandMedia and DAA about “Responsible Data Collection in an Age of Consumer Skepticism” on Tuesday, October 18 at 12pm.

> Register here


Building a Privacy Governance Program

October 21 – 9:00am – 10:00am PT

Online Webinar

The proliferation of networked devices is bringing tremendous opportunity to business and consumers alike. Many organizations are struggling with where to start with securing their enterprise — so some don’t, or worse yet, take expensive action that has little impact.

Consumers freely share their personal information with businesses, governments, individuals and on social media platforms expecting progressive, personalized services while demanding and deserving privacy and control of their personal information.

Make sure to save your seat for this webinar to learn how to:

  • Put security and privacy into the context of your operations – despite their natural tensions
  • Integrate them into an effective data protection program focused on trust, transparency and accountability
  • Examine case studies from two companies from very diverse sectors

Join this webinar and hear from Michelle Fleury of Cisco and Patrick Curry of McKesson U.S. Pharmaceutical to explore the essential common elements of an effective data protection program and some tips for getting your program up and running quickly.

> Register here


Privacy + Security Forum

October 24-26

Washington DC

Privacy and security often exist in separate silos. Even privacy and security professionals who work down the hall from each other might rarely speak to each other. The Privacy + Security Forum breaks down the silos of privacy and security by bringing together seasoned thought leaders. We must break down these silos because privacy and security are interrelated, and we cannot successfully achieve one without the other.

Visit us in the exhibit hall and hear from TRUSTe on “The Role of Data Protection Officers under the GDPR” on Wednesday, October 26 at 8:50am and TRUSTe’s Hilary Wandall, GC and Chief Data Governance Officer, TRUSTe on “Ethics in an Automated and Trackable World” at 2:10pm.

> Register here


Sep 21 2016

Didn’t make it to IAPP P.S.R. 2016? Here’s the Recap

If you were at IAPP’s Privacy Security Risk conference last week in San Jose, then you enjoyed presentations from keynote speakers ranging from Gerhard Eschelbeck, VP of Security and Privacy at Google to Monica Lewinsky, Social Activist and Writer. The daily sessions gave you both high level overviews and practical tips for dealing with GDPR, Privacy Shield, and cybersecurity challenges.

If you didn’t attend, our experts at TRUSTe are here to help direct you to resources that can help. We’ve been working extremely hard over the past few months to develop solutions and put together teams that will help your company adapt to the ever-changing privacy landscape. Specifically, our new developments include:

  • Data Inventory 2.0: Our expert consulting team leverages our powerful technology to assess, inventory, and map the data your company collects. Your team is given a searchable, sustainable, and secure repository to conduct ongoing compliance and risk management.
  • Assessment Manager 3.0: This powerful solution will make conducting privacy and data protection risk assessments streamlined and cost effective. Depending upon your company’s needs, you may choose from self-service or TRUSTe Managed Service options.
  • Consulting Team: We have 10+ consultants across four continents, who have extensive privacy and industry experience covering the globe.
  • Legal, Policy & Regulatory Team: Former Merck attorney and CPO Hilary Wandall leads this team that has over 45 years of experience. They have built maturing privacy programs, driven regulatory interoperability, and operationalized privacy technology solutions.
  • EU Privacy Shield Solutions: Powered by our TRUSTe Assessment Manager technology, our TRUSTe Global Privacy Services team can help navigate you through the compliance process.
  • GDPR Solutions: TRUSTe has developed a four step path to compliance, with tailored solutions for each step of the way.
  • GDPR Readiness Assessment: Developed in partnership with the IAPP, our team helps your company distill where you fall short of GDPR compliance, and what you need to do to become compliant.

If you would like to speak to our team for help finding which solutions can benefit your company, contact us.

