Jul 29 2016

APEC Cross Border Privacy Rules Advancing in Asia

Over the last three weeks, privacy-focused events in China, South Korea and Singapore have highlighted the growing momentum of APEC’s Cross Border Privacy Rules (CBPR) system in the region.

  • On June 29, China’s Ministry of Commerce, Foreign Ministry, General Administration of Customs and the China International Electronic Commerce Centre (CIECC) hosted the 6th APEC E-Commerce Business Alliance (ECBA) Forum in Jinjiang, Fujian province, China. The U.S. representatives to the ECBA are TRUSTe’s Director of Policy, Josh Harris; Markus Heyder, Vice-President of the Centre for Information Policy Leadership; and Manuel Maisog, partner at Hunton & Williams, Beijing. In his keynote address, APEC Secretariat Executive Director Alan Bollard emphasized the regional economic benefits of the free flow of data and encouraged government officials in attendance to join the CBPR system. At the closing of the forum, the ECBA released the Jinjiang Proposal, as drafted by ECBA members, which encouraged all APEC economies to participate in the CBPR system.
  • On July 13, the Korea Internet and Security Agency (KISA) hosted the 5th International Conference on Information Security in Seoul, South Korea, where TRUSTe Policy Director Josh Harris and Professor Choi Kyoung Jin of Gachon University discussed the potential implementation of the CBPR system in South Korea.
  • On July 18, the Centre for Information Policy Leadership along with the Asia Pacific Economic Cooperation hosted a joint workshop, “Enabling Legal Compliance and Cross-Border Data Transfers with the APEC Cross-Border Privacy Rules (CBPR)” in Singapore. CBPR-certified companies, including Apple, Cisco, HP and Merck along with TRUSTe joined Singapore’s Assistant Privacy Commissioner Zee Kin Yeong in discussing the advancement of the regional system.
  • Finally, on July 19, the International Association of Privacy Professionals hosted the IAPP Asia Privacy Forum 2016 in Singapore. Panel discussions included “Preparing for and Executing CBPRs”, moderated by Ken Chia, Principal, Baker & McKenzie. Panelists included Grace Guinto, Digital Trust Manager at PwC, Australia, Professor Hiroshi Miyashita, Chuo University and New Zealand Assistant Privacy Commissioner Blair Stewart.

The increased focus on CBPRs in Asia comes as Japan recently put forward JIPDEC as the country’s first ‘Accountability Agent’ under the CBPR system. Japan’s Ministry of Economy Trade and Industry has confirmed that CBPR-certification will serve as a basis for transfer of personal data out of Japan under the implementing guidelines for Japan’s recently-reformed privacy law. TRUSTe has been an APEC-endorsed Accountability Agent since 2013. More information on CBPRs can be found at https://www.truste.com/business-products/apec-accountability/.


Jul 12 2016

TRUSTe Announces Comprehensive Set of Privacy Shield Solutions


Following formal adoption today of the EU-U.S. Privacy Shield, TRUSTe has announced a full set of solutions for companies to address the assessment, verification and dispute resolution requirements in the new framework. TRUSTe will help companies to review compliance with the new Privacy Shield principles for transfers of customer and HR data out of the EU, prior to self-certification with the Department of Commerce. Companies choosing to use TRUSTe technology for handling customer disputes will be entitled to display a new “Powered by TRUSTe – Privacy Feedback Button”.

The EU-U.S. Privacy Shield is the new international data transfer framework published in February to replace Safe Harbor. The new framework requires that companies meet stronger obligations to protect the personal data of Europeans and introduces stronger monitoring and enforcement by the US Department of Commerce (DOC) and the Federal Trade Commission (FTC). TRUSTe will amend its certification standards to reflect the changes. The Department of Commerce is expected to start accepting submissions to the program from August 1.

TRUSTe Solutions for EU-U.S. Privacy Shield

TRUSTe is offering three separate packages to support companies in assessing and verifying that their data protection practices are compliant with the Privacy Shield principles ahead of self-certification with the U.S. Department of Commerce. The Assessment Package and Verification Package can include customer data, HR/employee data or both.

In addition, TRUSTe provides a Dispute Resolution Package, which helps companies to efficiently manage privacy inquiries from customers, and addresses the dispute handling requirements of the EU-U.S. Privacy Shield Framework.

Companies that use TRUSTe technology and tools to manage privacy related questions or concerns will be entitled to display the new “Powered by TRUSTe Privacy Feedback Button” on their digital Privacy Policy page and links to a mechanism for consumers to submit questions or feedback.


The TRUSTe assessment and verification solutions for EU-U.S. Privacy Shield are managed by a team of privacy professionals using our proprietary assessment methodology and powered by TRUSTe Assessment Manager. This award-winning SaaS-based privacy technology platform provides interactive compliance reviews, centralized on-demand reporting and searchable audit trails.

For more information on TRUSTe’s EU-U.S. Privacy Shield solutions visit www.truste.com/privacy-shield or call on 1-888-878-7830.



Jul 08 2016

Privacy Shield Close to Adoption following Endorsement from EU Member States


Today the EU-U.S. Privacy Shield cleared one of the final hurdles on the path to regulatory approval as representatives from EU Member States voted to support the new EU data transfer framework. The “Article 31” Committee is made up of representatives from the EU Member States and their endorsement is binding. The vote today was overwhelmingly positive with just Austria, Croatia, Slovenia, and Bulgaria abstaining.

This is the vital last step before formal adoption of the new international data transfer framework published in February to replace Safe Harbor. The EU-U.S. Privacy Shield framework is the product of two years of intensive negotiations and represents the commitment of the EU and the U.S. Government to securing the vital transatlantic data flows which are such an integral part of the information economy.

In a press statement this morning Vice-President Ansip and Commissioner Jourová from the European Commission said:

“Today Member States have given their strong support to the EU-U.S. Privacy Shield, the renewed safe framework for transatlantic data flows. Both consumers and companies can have full confidence in the new arrangement, which reflects the requirements of the European Court of Justice.”

Path to EU Regulatory Approval

Before Privacy Shield could be up and running, a draft adequacy decision from the European Commission had to be approved by a European “comitology” procedure, which involved (i) insight from the Article 29 Working Party (formed of EU regulators), (ii) a binding opinion from the EU Member State representatives, and (iii) formal adoption of the adequacy decision by the EU College of Commissioners.

In April the Article 29 Working Party asked for clarification in a number of areas to address its ongoing concerns. Now, according to Commission officials, the revised draft includes a number of additional clarifications and improvements on U.S. mass surveillance powers, the role of the “ombudsperson” who will adjudicate complaints from EU citizens about their data, and the onward transfer of EU citizens’ data to other companies. The final text places the obligation on the third party to tell the company on the Privacy Shield register when it cannot offer sufficient protection to EU citizens’ data.

Formal Adoption expected by July 12

After today’s positive vote the final stage in the EU Regulatory approval process is formal adoption by the EU Commissioners which is expected to take place on Monday July 11 with an official announcement and copy of the final text on Tuesday, July 12. The Department of Commerce is expected to start accepting submissions to the program in August.

How TRUSTe can help

Once the EU-U.S. Privacy Shield is formally adopted TRUSTe will amend its certification standards to reflect the new framework and support companies in assessing and verifying that their data protection practices are compliant with the Privacy Shield principles and ready for self-certification with the U.S. Department of Commerce.

TRUSTe has a range of solutions to address both customer and HR / employee data transfer components of the EU-U.S. Privacy Shield. For more information on TRUSTe’s EU Data Transfer solutions visit www.truste.com/privacy-shield or call on 1-888-878-7830.


Jun 29 2016

NEW! Summer/Fall Privacy Insight Webinar Series

As the privacy landscape gets increasingly complicated, you need constant access to key insights to stay on top.

The Summer / Fall schedule for the Privacy Insight Series is a set of six live webinars featuring renowned speakers, and cutting edge research, tips, and tools. This program will continue to provide the perfect opportunity to gain insights from leading privacy practitioners on the key trends impacting data privacy management in 2016 and beyond.

Each event is free to attend and will feature informative discussions, case studies and practical solutions to today’s tough privacy challenges.

Check out the Summer / Fall schedule below:

July 21

Validating Vendor Assessments: Preparing for Privacy Shield

With many global companies working with thousands of vendors to process HR and customer data, this webinar will tackle important questions such as:

  • How can they take a prioritized approach to risk management?
  • What are current best practices?
  • How can they ensure compliance with Privacy Shield within the projected timelines?

Register today >>


August 18

Brazil & Beyond: Privacy Trends in Latin America

Latin America is comprised of a multiplicity of languages, cultures and privacy laws. Given the absence of any omnibus regional law or EU-like set of directives, companies must assess their business models and data monetization strategies in the context of each country’s framework. Join this webinar to get:

  • A comprehensive approach of the evolution and general principles inside the different LATAM privacy regulations for both customer and employee data
  • A focus on consent, duty of information, habeas data and the right to be forgotten as applied in the region

Register today >>


September 22

Changing Role of the CPO in Today’s Privacy Ecosystem

The Chief Privacy Officer is now center stage with responsibility for driving an important strategic agenda within the enterprise. Recent IAPP research claimed there would need to be 28,000 more Data Protection Officers in Europe to meet the new GDPR requirements. Join this webinar to get insight into the changing role of the CPO by examining questions such as:

  • What will this new role look like?
  • How will these new requirements impact the qualities, experience and responsibilities of the CPO within the enterprise?
  • What do you need to do to make sure you’re ready to be a CPO in the new privacy landscape?


October 20

Building a Privacy Governance Program

The proliferation of networked devices is bringing tremendous opportunity to business and consumers alike. Many organizations are struggling with where to start with securing their enterprise — so some don’t, or worse yet, take expensive action that has little impact. Join this webinar to learn how to:

  • Put security and privacy into the context of your operations – despite their natural tensions
  • Integrate them into an effective data protection program focused on trust, transparency and accountability
  • Examine case studies from two companies from very diverse sectors


November 17

DPIAs, PIAs, Understanding new EU Guidance on ‘Risky Processing’

Whether you call them Data Protection Impact Assessments or just PIAs, they are an indispensable way to gauge the potential impact of projects, systems, programs, products or services on the data an organization holds. Having a good understanding of what DPIA/PIAs are, how to implement them and who needs to be involved can be the key to embedding privacy in the heart of your organization. And of course they are now a requirement for certain types of processing under the GDPR. Join this webinar to:

  • Review PIA best practices
  • Review latest compliance guidance from the EU regulators
  • Provide a range of tips and tools to help streamline and embed the process in your organization


December 8

Metrics for Success: Quantifying the Value of the Privacy Function

As we look towards 2017 and the future of the privacy profession, being able to better quantify risk, level of effort and value to the organization will be essential to privacy’s ongoing upward trajectory. Join this webinar to:

  • Review current best practices
  • Provide takeaways and New Year’s resolutions for when you’re back at your desk


Jun 28 2016

Going for Olympic Gold Data Practices in Latin America


Latin America is in the summer spotlight with the hosting of the International Olympic Games in Brazil and the 100th anniversary of the Copa América futbol tournament, making this a timely moment to take stock of where data privacy regimes stand in Latin America.

Powered by new education initiatives and increased investment in telecom network infrastructure, Internet usage in Latin America is burgeoning. Public-private partnerships, evolving finance laws, and an explosion in mobile broadband adoption have led to an environment in which, since 2008, Internet usage has more than doubled. Observers estimate that sixty percent of Latin Americans will have Internet access in 2016.

However, before an organization seeks to establish its presence in Latin America, it would do well to recognize that the vast region is not a monolith. On the contrary, the region is comprised of a multiplicity of languages, cultures and privacy laws. Given the absence of any omnibus regional law or EU-like set of directives, companies must assess their business models and data monetization strategies in the context of each country’s framework.


The July TRUSTe Client Advisory Note was prepared by Darren Abernethy J.D., CIPP/US, CIPM, Privacy Solutions Manager at TRUSTe, and provides an overview of some of the key privacy themes and differences across the region for enterprises considering their involvement in these developing markets.

Key themes and requirements covered in the Advisory include:

  • Data Protection Authority (DPA) registration requirements
  • Adequacy and cross-border data transfers
  • Recent DPA enforcement actions
  • Asia-Pacific Economic Cooperation (APEC) Cross Border Privacy Rules
  • Data security & data breach notification requirements
  • Appointment of a Data Protection Officer (DPO)
  • The “Right To Be Forgotten” (RTBF)

The Advisory also includes a list of key takeaways for companies seeking to comply with Latin American privacy requirements.

If you would like a copy of this latest Client Advisory Note then look out for your copy via e-mail today or contact TRUSTe at 1-888-878-7830.


Jun 28 2016

What the UK Brexit Vote Could Mean for Privacy


It is early days since the UK voted to leave the EU and there is still plenty of uncertainty along the road ahead. However, when it comes to privacy law, there are some certainties. Ralph O’Brien, Principal Consultant EU at TRUSTe reviews the options.

In the short term, the UK Data Protection Act 1998 is still the law of the land, a law that implements the older EU privacy directive EC/46/95 into UK national law. The UK ICO will continue to advise on and enforce privacy obligations upon global organisations, and individuals still have the privacy rights afforded by the 1998 Act. Whilst the UK Data Protection Act 1998 and Directive EC/46/95 contain themes and principles that are common to the new privacy paradigm of the General Data Protection Regulation, the GDPR introduces new rights and obligations that are not reflected in current UK law.

In the medium term, the GDPR has been approved by Europe and will be enforceable by May 2018. Even if the UK invokes Article 50 and starts the two-year leave countdown today, that period will take the UK past that deadline, so the GDPR will become directly enforceable in national law while the UK is still a member.

In the longer term the UK will need to work out an exit strategy of some kind, including what parts of the EU legacy will continue to apply post leaving the EU, and on what terms it will continue to trade with Europe.

Option 1 – European Free Trade Association Membership and bilateral agreements

The UK could retain its membership of the European Free Trade Association (EFTA) but drop its membership of the European Economic Area and its EU member state status. The UK would then negotiate a set of bilateral agreements with the EU for specific market segments to retain access to the EU Single Market (as Switzerland does today). The UK would not be bound by EU legislation as a result, but may be obliged to have certain laws by these agreements. The UK would pay no EU fees, but would pay fees to the EFTA. In terms of privacy law, the UK would continue to be bound by the Data Protection Act 1998, but may be required by the bilateral agreements to pass a revised Data Protection law to bring it into line with EU law (such as the GDPR requirements), or indeed agree to be directly bound by the GDPR itself in order to allow data transfers between the EU and the UK.

Option 2 – European Economic Area Membership (including EFTA)

The UK could leave the EU but retain membership of the EFTA and the European Economic Area (EEA). This is how Norway, Iceland and Liechtenstein currently deal with the EU. As a member of the EEA, the UK would have to pay membership fees and be compliant with EU laws, but would have no voting rights within the EU. In terms of privacy law, the GDPR would continue to have direct effect and applicability as if the UK were an EU member state; however, the UK would have no voting rights on future amendments.

Option 3 – Entering into a Customs Union

The UK could follow the Turkish model and form a customs union, which allows it to co-operate with the EU in certain trade categories. It would not be required to follow EU trade policy. It would not pay membership fees or have any right to help shape EU laws. This would be a single agreement, but for privacy law it means the same as the bilateral agreements above.

Option 4 – Free Trade agreement

By taking this option, the UK drops out of the EU single market. It would not pay any membership fees or have any right to help shape EU laws. It instead negotiates a single free trade agreement with the EU. This is a single agreement, but for privacy law it means the same as the bilateral agreements above.

Option 5 – World Trade Agreement

The UK is already part of the World Trade Agreement and could rely on this as a basis of trade, with no further ties to the EU. That means it would not be required to adopt EU laws, would not contribute to the EU budget and would have no voting rights.

In terms of privacy law, the GDPR would have no effect, and the UK would continue with its own legislation such as the Data Protection Act 1998. As the Act would be “inadequate” against the GDPR, the UK would have to seek additional assurances should it continue to process data on EU citizens (or market services to them); as such, it would have to adopt an agreement similar to the EU-U.S. Privacy Shield or have its laws amended to be regarded as “essentially equivalent” to the GDPR.


In options 1 to 5 above, the UK either remains bound by the GDPR or has to pass laws or agreements that ensure similar levels of protection to it. If the UK itself does not have laws or arrangements that ensure its “adequacy” to EU privacy law, then in order to continue to trade, businesses would still need to prove adequacy on a business-by-business basis. Once the UK pulls away from the EU, each business would then have to individually adopt an international transfer mechanism that ensures adequacy with EU laws, such as Model Contract Clauses, Binding Corporate Rules or Explicit Consent, or enact a type of international certification standard such as the EU-U.S. Privacy Shield.

Whichever way the UK turns now, and whatever the future holds for the country, it will continue to trade in a global economy, which will have to include processing data on, and marketing services to, EU countries and citizens. Whichever option the UK chooses from this point on, it remains clear that global businesses will have to either comply with, or prove themselves adequate or equivalent to, the new requirements of the GDPR. If the UK chooses not to do this, the barrier to trade will be untenable for global business and further investment in the country.

The advice to businesses is to proceed on that basis, and continue their GDPR preparedness, as part of their global privacy framework.

Jun 22 2016

Your Path to GDPR Compliance | Step 3


TRUSTe has developed an education series designed to provide you with a path to achieving GDPR compliance. This multi-part program provides both guidance on what to do, along with options for helping you get it done.

Step 3: Develop Plan

In Step 3 of Your Path to GDPR Compliance, we leverage the progress and results from Step 1: Assess Readiness and Step 2: Build Consensus to answer the question, “How do I build a plan that’s prioritized based on risks and accounts for level of effort?”

Several things must happen at this stage to develop an effective plan including:

  • Conducting a risk analysis
  • Conducting a level of effort (LOE) analysis
  • Creating a project plan

By investing the time up front to perform the proper analysis and planning, you can be confident that your GDPR Compliance Program will efficiently and effectively mitigate risk while meeting your company’s business objectives.


A. Conduct Risk Analysis

Under Section 3, Article 35 of the GDPR, a Data Protection Impact Assessment (“DPIA”, also commonly known as a Privacy Impact Assessment or “PIA”) is required for any processing that may result in “high risk”. “The supervisory authority shall establish and make public a list of the types of processing operations that require a DPIA.”

While official public lists from the Data Protection Authorities (“DPAs”) are forthcoming, the following are common questions to begin to identify areas of risk, including “high risk”. These particularly reflect the more stringent GDPR requirements.

  • Security / Data Protection. Are the necessary data protection controls in place, e.g., encryption, data loss prevention, enhanced access control, anonymization?
  • Sensitive Data, Genetic and Biometric Data. Are there stronger security protections in place for this data? Are there business processes around sensitive data that violate the stated use in the privacy policy? Are processes for gaining explicit consent in place (as required under the GDPR)?
  • International Data Transfers. Are all transfers protected according to an appropriate data transfer mechanism that is in place (i.e., Model Contract Clauses, Binding Corporate Rules, the EU-US Privacy Shield if ratified, Consent, or other)?
  • New Products / Processes. Do new plans require a change in the way you collect, transfer, store, process, use, and dispose of personal data? Are there newer ways of using geo-location or online unique identifiers that trigger a discrepancy with what is stated in the privacy policy?
  • Vendor Management. How do the vendors in your data flow manage the personal data? What stated data privacy and security policies and controls are in place? Can they be verified?
  • Mergers & Acquisitions. What data privacy and security processes are in place at the merged or acquired company? Is there a discrepancy between those and the processes at your organization?
  • Large Scale Processing. Are there any profiling processes in place? Is there systematic monitoring of publicly accessible areas or of special categories of data (i.e., genetic data, biometric data, criminal records)?
  • Conversions & System Changes. Has there been, or will there be, conversion of records from paper-based to electronic form? Or conversion of information from anonymous to identifiable form? Has there been, or will there be, a system management change with new uses or applications of technology?
  • Database Changes. Has there been, or will there be, merging, matching or manipulation of multiple databases containing personal data (e.g., between subsidiaries or in an M&A context)? Or incorporation into existing databases of personal data obtained from commercial or public sources?

With gaps identified from the initial GDPR Readiness Assessment in Step 1 and from a deeper dive risk analysis as discussed above, you can build a table of gaps organized by risk level – Low, Medium, and High.

Example Table of Gaps with Risk Level


Assessing levels of risk will be highly dependent on the priorities that your organization attributes to certain components. A strong understanding of the current legal and regulatory environment is also essential to proper risk level determination. Common risk categories to keep in mind when assigning risk levels are legal, regulatory, political, operational, strategic, market, credit, reputational, event, and country-specific risks.

You can build your own templates for this analysis or leverage those available in data privacy management platforms like the Assessment Manager, with built-in workflows to guide you through the process.


B. Conduct Level of Effort (LOE) Analysis

For each gap, you’ll then need to identify specific remediation actions and estimate Levels of Effort (LOEs) – Low, Medium, and High. By mapping the Risk Levels to the LOEs of each activity, you can start grouping activities in a Risk / LOE matrix to help visualize your plan’s priorities.

Example Risk / Level of Effort Matrix



C. Build the Project Plan

Armed with the results of the gap, risk and LOE analysis, you can then build a project plan against a timeline for completion.  The plan should take into account:

  • The privacy team’s stated goals – short, mid, long-term
  • Budget and people resources available
  • Prioritization for work on “high risk” areas
  • Sufficient period for activities with higher LOEs and longer implementation times
  • GDPR developments and likely enforcement milestones
  • Ability to leverage other frameworks such as the EU-US Privacy Shield (once ratified) as a way to meet EU data transfer requirements and cover a large percentage of the GDPR requirements at the same time

A GDPR Project Plan will be highly-specific to each organization, but here’s an example of what a prioritized plan may look like as a targeted schedule in Gantt chart format.

Example of a Prioritized GDPR Project Plan


TRUSTe provides informational resources to help you develop your organization’s GDPR plan. Some organizations may find that they could benefit from an outside consultant, with significant in-house experience building complex privacy programs such as those for the GDPR, to help with the project planning process outlined above.

TRUSTe’s privacy consultants can work with you to conduct the entire process – including a risk analysis, level of effort analysis, and a prioritized project plan – through the GDPR Strategic Priorities Assessment. TRUSTe’s privacy consultants leverage the power of the Assessment Manager technology platform to guide the GDPR assessment workflow process and track the company’s progress against GDPR requirements.

Once the prioritized plan is in place, you’ll be in a solid position to start “Step 4: Implement Programs”, to be covered in a subsequent blog post.

Learn More about the TRUSTe Privacy Education Series: Your Path to GDPR Compliance:

Step 1: Assess Readiness Blog >>

Step 2: Build Consensus Blog >>

Step 3: Develop Plan Blog >>

Jun 13 2016

LegalTech West Coast Opens in San Francisco Today


Legaltech is the largest and most important gathering of legal technology professionals anywhere in the world. Attendees include decision-makers from all firm sizes who attend Legaltech to hear directly from the experts and see the latest and most innovative products & services.

TRUSTe Assessment Manager was recently named a 2016 Legaltech Innovation Award Winner for Risk Management. The platform transforms how legal departments assess, analyze, and remediate global data privacy management risks. It was purpose-built for privacy teams and developed with the input of global businesses and legal professionals spanning a range of industries. As the first dedicated SaaS privacy assessment solution in the market, Assessment Manager brings the benefits of automation to the privacy industry. Previously, legal teams relied on manual tools such as spreadsheets, email or retrofitted GRC systems to address the unique nuances of privacy risk management.

Stop by booth #406 for a demo of the TRUSTe Assessment Manager platform or join us at our Emerging Technology session, “Counsel’s Toolbox: Innovation in Managing Digital Privacy Risk” on Tuesday the 14th at 1:30pm. We’ll be joined by Privacy Counsel at Autodesk, White & Case, NetSuite, and Symantec.

Find out more here
