Sep 15 2016

TRUSTe Launches Data Inventory 2.0

TRUSTe announced today at the Privacy.Security.Risk Conference the availability of Data Inventory 2.0 to help businesses prepare to meet privacy regulations including the EU General Data Protection Regulation (GDPR) and minimize data governance risk across their enterprise. The solution combines TRUSTe’s Data Inventory and Classification service, introduced in 2015, along with the new TRUSTe Data Inventory Manager and other technology tools to generate detailed insights into complex data flows.

Screenshot 2016-09-15 07.10.48

The IAPP-EY Annual Privacy Governance Report (2015) indicated Data Inventory and Mapping was a top priority on the privacy roadmap for nearly half (47%) of respondents. In order to fully assess privacy and compliance risks, companies need to understand how customer and employee data in their organization is used. This includes knowing what data is collected; where it is stored; who it is shared with; and how long it is retained. For a large enterprise, this can entail hundreds of websites, systems and vendors – and dozens of data types – creating a complex and often overwhelming task for businesses to manage.

TRUSTe Data Inventory 2.0 solves this challenge by providing a comprehensive solution that streamlines the process into three phases:

  1. Comprehensive enterprise-wide review of customer and HR data flows guided by TRUSTe’s privacy consultants and proven methodology. Process is enhanced by data discovery powered by TRUSTe website and mobile app scanning tools.
  2. Data is categorized by type and recorded into the new TRUSTe Data Inventory Manager, a centralized / interactive database providing a secure and efficient way to store, search, and sustain information.
  3. Visual summary of data flows are created and delivered as part of an in-depth report and high level summary to provide an enhanced way to analyze and act upon the findings.

The output is a comprehensive, actionable and sustainable data inventory and visual data flows that are easy to share across the organization and update to reflect changing business activities.

Data Inventory 2.0 is available today standalone or integrated with TRUSTe Assessment Manager to seamlessly conduct PIAs and privacy risk assessments on assets identified in the data inventory. Pricing varies based on company size and engagements can often be completed in 8 weeks or less. For more information visit or call 888-878-7830.



Sep 08 2016

TRUSTe Assessment Manager Passes 1,000 Company Milestone; Version 3.0 Released

Screenshot 2016-09-05 15.56.11

With more than 1,000 companies now using TRUSTe Assessment Manager to assess and manage privacy compliance risk, TRUSTe announced today that version 3.0 of the award-winning solution is now available.  The Assessment Manager 3.0 release introduces a host of new features including support for TRUSTe managed assessments,  increased collaboration, enhanced reporting, an expanded privacy template library, and streamlined project workflow.  The new features enable businesses of all sizes and privacy maturity to address emerging privacy challenges including Privacy Shield, the General Data Protection Regulation (GDPR), and vendor risk.

Marcus Morissette, eBay Global Privacy Officer and Privacy Counsel said: “eBay is dedicated to meeting the privacy expectations of both our employees and consumers.  We know that the privacy landscape is a fast-moving one which is why we selected TRUSTe Assessment Manager as the foundation of our enterprise PIA process to stay ahead of business change and meet the needs of the EU GDPR.  TRUSTe has one of the most advanced PIA solutions on the market – it’s specifically built for privacy teams. We’re excited about the organizational awareness Assessment Manager is creating and the continued evolution of the solution.”

Launched in March 2015, Assessment Manager is a SaaS technology solution and part of the comprehensive TRUSTe Data Privacy Management Platform, providing privacy professionals with solutions to manage all phases of their privacy program, from assessing risk to remediating gaps, to ongoing monitoring and compliance reporting.

Assessment Manager 3.0 supports new TRUSTe managed assessment delivery options in addition to the standard self-service option, providing additional flexibility for organizations who want guidance managing their assessments.  The managed assessment option combines the powerful, easy-to-use Assessment Manager technology with the TRUSTe team of privacy experts and proven methodology to deliver a solution that can be tailored to meet any client need.  The option has proven attractive to smaller organizations who don’t have the resources to staff a privacy team as well as larger organizations who need help jumpstarting their program.

Sean Cohen, COO of AWeber said, “We develop and run web-based tools that help businesses grow by staying in touch with customers and prospects through opt-in email. Aligning with the requirements of Privacy Shield is critical for our business which is why we’ve worked with TRUSTe to prepare for our filing.  As champions of smarter and more efficient ways to exchange information, we appreciate how Assessment Manager was able to enhance the assessment experience and streamline our communication with our Privacy Solutions Manager.”

Assessment Manager is being used by companies across a range of industries, including Tech, Pharma, CPG, Healthcare, Oil and Gas, Insurance, and many more.  A sampling of clients includes ADT, eBay, Merck, Rackspace, Transport for London and Xiaomi.

Assessment Manager 3.0 is available today starting at $1,000 per month.  For more information visit or call 888- 878-7830.

Sep 01 2016

Enforcing the Russian Localization Law

Screenshot 2016-09-01 11.13.59

The Russian Data Localization Law came into effect a year ago today on September 1st, 2015. On February 12th, 2016 the Ministry of Telecom and Mass Communications of the Russian Federation (MinComSvyaz) issued Guidance that addresses the comments received from public, and provided guidance on how to comply with the Law.

Since the Russian Data Localization Law came into effect last September 302 inspections have been conducted to check compliance and Roskomnadzor (the Russian Data Protection Authority) has reported that the inspections revealed few minor infractions and indicated that they expect violations would be corrected promptly and that no fines would be imposed on the offending companies. Roskomnadzor has published the list of the planned audit for 2016. According to the list the next subjects will include Microsoft, Hewlett-Packard and Samsung in addition to any unplanned audits. The results of the inspections will be published and discussed.

The September TRUSTe Client Advisory Note was prepared by Maria Elterman J.D., CIPP/US and provides an overview of the MinComSvyaz guidance including: scope of application, definition of Personal data, cross-border data transfers, timing and enforcement. The Advisory also includes a list of 5 steps to help your company comply with the Russian Data Localization Law.

If you would like a copy of this latest Client Advisory Note then look out for your copy via e-mail today or contact TRUSTe at 1-888-878-7830.

Aug 31 2016

September Spotlight: IAPP Privacy Security Risk; Changing Role of the CPO

Screenshot 2016-08-29 21.12.39

IAPP Privacy. Security. Risk. 2016

September 13-16

San Jose

San Jose is home to the upcoming IAPP Privacy.Security.Risk (P.S.R.) conference once again. The conference brings together attendees from privacy, technology and security backgrounds to focus on today’s innovations and challenges of data protection. TRUSTe will be participating in different ways throughout the conference:

Come say hello at Booth #8 and demo new exciting products and services, including Privacy Shield compliance offerings.

Stop by Tanq Lounge at the Marriott on Wednesday, Sept 14 from 7-9pm (limited space, must be a conference attendee) to visit with fellow attendees.

Hear from TRUSTe’s Josh Harris, Director of Policy, TRUSTe alongside representatives from IBM, Information Integrity Solutions and the Department of Commerce on “APEC Privacy Framework and CBPRs: Ready for the Spotlight” on Friday, Sept 16 – 9:30am.

> Register here


Changing Role of the CPO in Today’s Privacy Ecosystem

September 22 – 9.00am – 10.00am PT

Online Webinar

The Chief Privacy Officer (CPO) is now center stage with responsibility for driving an important strategic agenda within the enterprise. Recent IAPP research claimed there would need to be 28,000 more Data Protection Officers in Europe to meet the new GDPR requirements.

This webinar will provide insight into changing role of the CPO by examining questions such as:

  1. What will this new role look like?
  2. How will these new requirements impact the qualities, experience and responsibilities of the CPO within the enterprise?
  3. What do you need to do to make sure you’re ready to be a CPO in the new privacy landscape?

Join this webinar to hear from Hilary Wandall, General Counsel at TRUSTe and other current CPOs on how their roles have changed and what they see as they future need as well as industry experts who will talk about the tools, training and experience essential for success.

> Register here

Aug 30 2016

Third Party Alternate Dispute Resolution

Screenshot 2016-08-29 21.00.18Initial Privacy Shield deadlines are just around the corner and EU GDPR compliance isn’t far behind. These fast-approaching dates are stirring up a renewed interest in a solution TRUSTe has been offering for years – alternative privacy dispute resolution. Offering alternative dispute resolution (ADR) gives customers confidence that you are committed to their privacy and helps mitigate unintentional privacy violations that may accompany web page updates or new initiatives.

The impending compliance dates remind us that providing privacy dispute resolution is often more than a consumer-friendly, best practice – it’s a requirement.

When required, companies are generally presented with two options.

  • Refer a complaint directly the local regulator (DPA)
  • Work with third party dispute resolution solution provider

There are clear benefits to going the third party route – and selecting a third party trusted by both business and consumers may be the best way to turn unhappy customers into happy customers.

You will also want a solution that provides privacy expertise, cost certainty and efficient online processing. Our solution checks all of these boxes while processing several thousand customer complaints each year helping thousands of customers maintain privacy compliance. It’s included in most of our certification offerings and can also be selected as a standalone solution. If you need to meet the ADR requirements of Privacy Shield or are simply interested in improving your customer experience, you’ll want to learn more about TRUSTe Dispute Resolution.


  1. TRUSTe collects the customer’s privacy notice that complaints will be assessed against and loads into the Data Privacy Management Platform.
  2. TRUSTe verifies that the customer has posted the required information about, and provided access to, TRUSTe Dispute Resolution.
  3. A consumer must first contact company. If no or unsatisfactory response, individual can file a complaint through TRUSTe.
  4. Complaints can be submitted online identifying the disputed URL or company name. TRUSTe will respond to the individual within 10 days of receiving the complaint.
  5. TRUSTe will review and forward valid, privacy-related complaints that cannot be resolved through consumer education or the company for resolution. Company has 10 business days to respond to the consumer.
  6. TRUSTe then sends a notice of its determination and indicates that it has closed a Dispute Resolution complaint. The consumer (Complainant) or the customer has 14 calendar days to file an appeal.



Aug 17 2016

HIPAA Turns 20

Medical StethoscopeBy Margaret Alston, Senior Privacy Consultant

Among fanfare for the 20th birthday of the Heath Insurance Portability and Accountability Act (HIPAA), we have also seen the largest HIPAA settlement ($5.55 million) – laid at the feet of Advocate Health Care. This last case was on the heels of two July 2016 settlements: $2.75 million with the University of Mississippi Medical Center, and $2.7 million with Oregon Health & Science University. With mandatory breach notification required for the past 7 years, HIPAA compliance risk exposure has increased and HIPAA enforcement is on the rise.

The Federal Trade Commission is paying attention to security as well. In addition to enforcement actions that point to security promises, the FTC has published security guidance – a lessons learned from enforcement actions, if you will. Moreover, even without regulator oversight, the possibility of a data breach brings with it a complex set of state laws and costs associated with notification and possible litigation.

Another trend is the increased responsibility of vendors to health organizations. As enforcement rises and sophistication of health care organizations about HIPAA increases, these “covered entities” under HIPAA expect more from their vendors, most of whom qualify as Business Associates under HIPAA. In turn, Business Associates are required to sign up for HIPAA obligations in a Business Associate Agreement, and then live up to those responsibilities with both direct regulatory compliance risk and liability to the covered entities they support. While early in the life of HIPAA, before the amendments under HITECH in 2009, healthcare organizations may have been more concerned with their own HIPAA compliance than for their vendors’ compliance, now vendors are asked more in-depth questions about how they comply.

With this in mind, the HIPAA anniversary is a great reminder that the security risk assessments and the strong privacy and security programs that HIPAA requires are more important to today’s healthcare businesses and their vendors – not less. In fact, as part of its settlement, Advocate Health Care has agreed to conduct a complete risk assessment and present security plans to HHS for approval. It makes sense, then, that organizations that handle sensitive personal information – such as Protected Health Information (PHI) – would take the same measures on their own.

A first step can be a HIPAA Health Check; a high level gap analysis against HIPAA privacy, security and breach notification requirements compared with current practices and documentation. The purpose of this Health Check is to identify areas in which major program components are either not adequately documented, or may not exist at all. From this high level gap analysis, an organization can consider how to prioritize and address in a reasonable and thoughtful way.

With over 10 significant settlements year to date and commencement of the Phase 2 HIPAA Audit program review of both covered entities and business associates, our 20th year of HIPAA brings with it increasing security and privacy focus and expectations. Fortunately, there are also more resources available to organizations who wish to double down on their compliance and security stance.




Aug 16 2016

Over 500 Companies Working with TRUSTe to Comply with EU-U.S. Privacy Shield

Screenshot 2016-04-13 14.29.02TRUSTe announced today that it is working with over 500 companies to assess and verify compliance with the new requirements for the EU-U.S. Privacy Shield and provide dispute resolution services. In order to meet the spike in demand since the Department of Commerce (DOC) started accepting submissions on August 1st, TRUSTe is using Assessment Manager, the award-winning technology platform to streamline the comprehensive assessment and remediation process companies must complete.

The EU-U.S. Privacy Shield is the new international data transfer framework finalized in July to replace Safe Harbor. The new framework requires that companies meet stronger obligations to protect the personal data of Europeans and introduces stronger monitoring and enforcement by the US Department of Commerce (DOC) and the Federal Trade Commission (FTC).

The framework provides all companies self-certifying by September 30 a nine-month ‘grace period’ to ensure compliance with their third party contracts. TRUSTe’s privacy assessment technology streamlines and documents the process enabling hundreds of companies to get ahead of the pack and self-certify before that date.

Chris Babel CEO, TRUSTe said: “Privacy Shield has created an equivalent of tax season for privacy as hundreds of companies want to benefit from the new Privacy Shield framework and simplify their EU data transfer compliance.

“Our Assessment Manager platform enables us to scale to meet this unprecedented demand and we have started the assessment process with over 500 companies in the last few weeks. After months of negotiations between the U.S. and the EU the volume of companies taking part shows the extent of interest and momentum in the new framework”.

Perry Pappas, SVP, General Counsel and Chief Compliance Officer at WorkWave LLC, stated:

“At WorkWave protecting the privacy and confidential information of our clients is of the utmost importance.  We have found TRUSTe to be an excellent resource in guiding us through what can be a complex area.  TRUSTe provides a streamlined roadmap and process toward certification, their Assessment Manager tool is collaborative and easy to use, and their team is extremely responsive and helpful, from sales through to privacy solutions implementation.”

“At Aria Systems, protecting critical customer data is paramount,” said Jim Alexander, SVP of Customer Operations and Technology, Aria Systems. “Aria is partnering with TRUSTe to verify strict compliance to the EU-US Privacy Shield and our adherence to a broader spectrum privacy and security standards that provide the utmost in protection for our customers and their consumers.”

For more information on TRUSTe’s EU-U.S. Privacy Shield solution packages visit or call on 1-888- 878-7830.

Aug 15 2016

Ten Reasons to Implement the EU-U.S. Privacy Shield

Privacy and Data Protection in Latin America

Hilary Wandall, General Counsel & Chief Data Governance Officer at TRUSTe summarizes the top 10 reasons to implement the new EU-U.S. Privacy Shield even if you’ve implemented or have been working on implementing Model Contractual Clauses (MCCs).

At TRUSTe, we have nearly 20 years of experience working with thousands of companies to assess their privacy practices, and with many others to verify their compliance with regulatory frameworks like APEC CBPR system and the former U.S.-EU Safe Harbor. This work has taught us that there are a number of legal, compliance and business benefits to implementing comprehensive privacy programs to manage international data transfers versus a transactional approach to transfers using MCCs. Below is a list of the top 10 reasons for organizations to self-certify their adherence to the EU-U.S. Privacy Shield:

  1. Speed Unlike transfers on the basis of MCCs, transfers on the basis of Privacy Shield do not require prior authorization from or notification to 65% of EU data protection authorities, which can delay a project that relies on MCCs for data transfers by weeks to months.
  2. Less paperwork While organizations must stand ready to demonstrate compliance with both Privacy Shield and MCCs, transfers on the basis of Privacy Shield do not require updates to and new signatures on contractual clauses each time a business process or data flow changes.
  3. Better recourse options – Instead of limiting individuals to bringing legal claims for breach of the MCCs, Privacy Shield provides individuals with opportunities to raise concerns directly with the certified organization, with independent dispute resolution providers, like TRUSTe, as well as new options, such as the independent arbitration panel and ombudsperson.
  4. Executive Support – Like its predecessor, Privacy Shield drives corporate sponsorship of privacy programs by requiring a corporate officer of the certifying organization to:
    1. annually sign a statement verifying the company’s self-assessment of compliance, if compliance verification is done in house; and
    2. sign a self-certification submission annually, subject to criminal enforcement under the U.S. False Statements Act for compliance misrepresentations, including a persistent failure to comply.
  5. SustainabilitySince it requires annual compliance verification and self-certification, Privacy Shield drives ongoing organizational engagement to demonstrate compliance better than MCCs that may be sitting in organizational filing cabinets once signed.
  6. Risk of existing MCC invalidationSince the ECJ’s Schrems decision of 2015, the EU adequacy decisions regarding certain MCCs have been called into question. At the end of May 2016, the Irish Office of the Data Protection Commissioner applied to the Irish High Court for a referral to ECJ to determine the legal status of data transfers under the MCCs. Privacy Shield certification mitigates the risk of data transfers based on existing MCCs being invalidated overnight like the U.S.-EU Safe Harbor.
  7. APEC CBPR Readiness – the governance and privacy principles necessary to comply with Privacy Shield are similar to the requirements for APEC CBPR certification. Organizations that operate in APEC member economies can leverage their Privacy Shield compliance to demonstrate readiness for APEC CBPR certification.
  8. EU BCR Readiness – the principles necessary to comply with Privacy Shield are similar to the data protection safeguards necessary for organizations seeking EU BCR approval. Organizations interested in EU BCR approval can leverage their Privacy Shield compliance as a starting point for their binding corporate rules, which will also require establishment of additional accountability, program governance and enforceability mechanisms.
  9. EU GDPR Readiness the principles necessary to comply with Privacy Shield are similar to many of the data protection safeguards necessary for GDPR compliance. Organizations that operate or do business in the EU can leverage their Privacy Shield compliance as a starting point for the additional obligations they will have under GDPR, such as additional accountability and program governance, broader individual rights, privacy by design and default, PIAs and breach notification.
  10. Adequacy Readinessin our policy and regulatory affairs work around the globe, we often hear “adequacy” referred to as the gold standard for privacy and data protection compliance. Since Privacy Shield is the first of the next generation adequacy frameworks determined to provide adequacy post-Schrems, we believe it provides organizations with the best readiness assessment currently available for future data transfer adequacy requirements, such as transparency regarding government access, accountability for onward transfers and broad mechanisms for individual recourse.

For more information about TRUSTe’s Privacy Shield solutions see here or call 1-888- 878-7830.

Older posts «

» Newer posts