Merck Successfully Concludes First APEC-based BCR Approval



On March 1st, Merck & Co. Inc. (Merck) formally concluded their Binding Corporate Rules (BCR) approval process with the Belgian Data Protection Authority, becoming the 82nd company to achieve the compliance landmark. But in a global first, Merck based its BCR application on its APEC Cross Border Privacy Rules (CBPR) certification. This work was facilitated by Merck’s use of a common referential developed by the Article 29 Working Party and APEC’s Data Privacy Sub Group in 2014 to facilitate interoperability between companies seeking certification under both systems. In October 2013, TRUSTe certified Merck as the first health-care company and the second multinational company under the CBPR system.

“The value of this approach is that we were able to obtain both CBPR and BCR approvals while maintaining the substance and structure of our existing global privacy program. The practical effect is that we gained greater efficiency in how we manage cross-border data transfer and global data processing without adding complexity to how we operate”, said Hilary Wandall, Chief Privacy Officer.

As was reported in a recent review of CBPR benefits by Information Integrity Solutions, the first phase of Merck’s BCR approval took less than three months, while the mutual recognition phase took an additional nine months. In addition to the time for completion of the EU cooperation procedure and transition between the approval phases, the entire approval process was approximately three months faster than the 18 month average. Most importantly, because Merck based its BCR approval on its previously-approved CBPR certification, a broadly BCR-compliant global privacy program was already in place. As a result, according to Merck’s internal estimates, the total cost of its BCR was approximately 90% less than it would have otherwise been.

When announcing the referential’s endorsement in March 2014, Isabelle Falque-Pierrotin, Chairwoman of the French Data Protection Authority (CNIL) and president of the Article 29 Working Party, called it a “very political and symbolic act” for companies seeking to obtain both BCR and CBPR certification. FTC Chairwoman Edith Ramirez noted that “[i]nteroperability is absolutely critical”, adding that “[w]ithout the ability to work across systems, we simply can’t effectively protect the privacy of consumer data, and that’s why as part of the U.S. delegation to the APEC data privacy subgroup, the FTC has been actively involved, along with the Department of Commerce, in developing the CBPRs and also working on this referential.” Earlier this month, the Article 29 Working Party affirmed that work on the BCR-CBPR project would be a key component of its 2016-2018 workplan.

The CBPR system was endorsed by APEC member economies in 2012 for businesses established in the APEC region that collect and transfer personally identifiable information from consumers. TRUSTe was named the first accountability agent for the system in June 2013. You can learn more about Merck’s work on interoperability here. To learn more about obtaining a TRUSTe CBPR certification click here.


TRUSTe Assessment Manager Product Series – Part 5


With the 2.0 release of Assessment Manager, TRUSTe now provides the privacy office with even more control over its privacy program. From the comprehensive privacy dashboard to management of privacy remediation action plans, this five part blog series has highlighted the latest updates.

Part 5 – TRUSTe Assessment Templates

Earlier in this series we showed how easy it is to create your own assessment template within Assessment Manager, but you can also get started with assessments immediately using TRUSTe Assessment templates.

Your Assessment Manager is preloaded with a set of different types of assessments that you can use out of the box today. In Q4 2015 we added two templates around Model Contractual Clauses (MCC) to help companies understand what it means to operationalize MCC. We have also recently added an assessment template to help companies prepare for the new requirements of the EU General Data Protection Regulation (GDPR).

TRUSTe Templates

Our team of privacy experts is working on additional key privacy compliance assessments to address the recent changes in relation to international data transfers and the announcement of the EU-U.S. Privacy Shield requirements.

If you’re not already using TRUSTe Assessment Manager then click here to find out more and contact your TRUSTe Account Manager to arrange a demo of all the new product features.



When Should You Start the Privacy Shield Process?


The draft of the new EU-U.S. Privacy Shield (“Privacy Shield”) framework covering EU data transfers has formally been released, providing details on what will be required once final EU ratification is complete (currently anticipated in June). The #1 question companies ask is “when should I start the Privacy Shield process?”

Built into the program is a strong incentive to “sign-on” for Privacy Shield Self-Certification with the Department of Commerce (DOC) within the first two months it becomes operational. Doing so will provide a company with an extra nine months to implement certain requirements, particularly more complex and time consuming contract and process changes around managing onward data transfers to sub-contractors (controllers and processors). Companies that hesitate and don’t sign-on within the first two months will fail to gain the nine-month advantage and must be fully in compliance with requirements immediately upon submission.

Privacy Shield Timeline

In the meantime, there are several months available now for companies to get operational updates in place so they can be ready to sign-on with Privacy Shield within the first two months and gain “first-mover advantage”. There is a long list of new requirements and companies should start now to allow sufficient time for implementation. The following are the three key areas that have the most business impact and potentially the longest timelines for implementation:

1. Get Contracts in Place to Meet Increased Accountability Obligations for Onward Transfers to Sub-Contractors

2. Ensure Audit Trail & Dispute Resolution Mechanisms Meet Stronger Oversight & Enforcement Requirements

3. Update Privacy Policies for Increased Transparency Obligations

Download our brief for an overview of the Privacy Shield timeline, a review of the strategic options, and detailed requirements to guide operational implementation in these top 3 areas.


TRUSTe Assessment Manager Product Series – Part 4


With the 2.0 release of Assessment Manager, TRUSTe now provides the privacy office with even more control over its privacy program. From the comprehensive privacy dashboard to management of privacy remediation action plans, this five part blog series will highlight the latest updates.

Part 4 – Assessment Remediation and Approval

Assessment Manager 2.0 has new functionality to automatically identify unacceptable answers to each question and flag them in the assessment report for review. This functionality streamlines the assessment review process by quickly surfacing potential issues with actionable recommendations.

When it comes to reporting, your privacy assessment reviewer is able to access the Assessment report at any time to review progress of the Assessment.


The designated privacy assessment reviewer is notified via e-mail and via their account dashboard when there are possible issues identified on an assessment that need redress (as discussed above).


When reviewing identified issues, the reviewer is able to see the flagged answer and any recommended actions associated with the issue.


The reviewer is able to take one or more of the following steps:

  • Assign risk to the identified issue
  • Create a new task and assign this to relevant people to remediate the issue
  • Revise the answer after consulting with the respondent
  • Add comments
  • Add attachments

Once the reviewer is satisfied that the issue has been addressed, they can close out the issue. When all issues have been closed, the project can then be approved by the privacy reviewer.

If you’re not already using TRUSTe Assessment Manager then click here to find out more and contact your TRUSTe Account Manager to arrange a demo of all the new product features.



CIPL, Hunton & Williams and TRUSTe to Represent U.S. Business on APEC E-Commerce Business Alliance Expert Council



This article was first posted on the Hunton & Williams Privacy & Information Security blog.

During last month’s APEC privacy and e-commerce meetings in Lima, Peru, the APEC E-Commerce Business Alliance (“ECBA”) established its 2nd APEC E-Commerce Business Alliance Expert Council (“Expert Council”). The ECBA Expert Council is comprised of 32 e-commerce experts from government, academia and the private sector in the APEC region. The U.S. members are Markus Heyder, Vice President and Senior Policy Counselor at the Centre for Information Policy Leadership, Manuel “Bing” Maisog, partner at Hunton & Williams, and Joshua Harris, Director of Policy at TRUSTe.

The APEC-ECBA was created in 2001 to (1) promote cooperation between the public and private sectors in the field of e-commerce, (2) provide a forum for information sharing between APEC member economies, and (3) develop e-commerce across different industry sectors. ECBA’s secretariat is based in the China International E-Commerce Center, a quasi-public agency under China’s Ministry of Commerce. The first ECBA Expert Council was formed in 2010 to strengthen and support ECBA’s mission through research, reports, training and other initiatives. ECBA holds annual conferences for the Expert Council and other APEC-based government and private sector stakeholders.

In late June or early July 2016, ECBA will hold its 6th APEC E-Commerce Business Alliance Forum called “Realize Inclusive Trade Through Cross-Border Electronic Commerce.” This three-day event will be held in China, either in Jinjiang, Fujian Province or Mianyang, Sichuan Province.



EDAA Launches New Mobile Principles at First Summit in Brussels



At the EDAA Summit in Brussels, the European Digital Advertising Alliance announced new Mobile Principles to extend the EDAA Self Regulatory programme for Online Behavioural Advertising to the mobile environment.

Broadly, this move aligns the EDAA with its partner organization in the U.S., the Digital Advertising Alliance (DAA), which released Mobile Guidelines to amend its principles in mid 2013. There are, however, two notable differences between the EU and the U.S. frameworks:

  1. Use of the Icon: In the EDAA Mobile Principles, there is a requirement that the enhanced notice mechanism inside a mobile ad is the Icon or Icon & AdMarker specifically, rather than allowing any conspicuous mark embedded in the ad creative that links to a notice page.
  2. Use of Device Data: In the EDAA Mobile Principles, there is a slight difference in the way that information on a mobile device is classified. In the U.S. DAA guidelines, there is reference to “Personal Directory Data” being used for interest based advertising requiring enhanced notice and choice (i.e. requiring the Icon). In the EDAA Mobile Principles, that data is redefined as “Personal Device Data” and changed to require enhanced notice and choice. This small change in verbiage means that any ad targeted to a user based on information gathered from other applications they have on their device is, according to the EDAA, an Interest Based Ad that requires enhanced notice and choice (i.e. requires the Icon).

Point one above closes a small loophole that allows a company in the U.S. not to license the Icon for mobile usage, and instead use a different icon to notify consumers. The main goal of the change in point one is to have the industry normalize on a single symbol for managing consumer privacy, so that consumers are not confused.

Point two above is a much broader change, and it affects most CPI- and CPC-focused companies in the ad serving chain. This change means that companies gathering information about other apps on a user’s device will need to serve the Icon in ads. Since this is a common practice to understand a user based on the types of application s/he downloads, this may be a major change for the performance advertising side of the industry.

Find out more about how TRUSTe can help you with implementing the new EDAA Mobile Principles here.



TRUSTe Assessment Manager Product Series – Part 3


With the 2.0 release of Assessment Manager, TRUSTe now provides the privacy office with even more control over its privacy program. From the comprehensive privacy dashboard to management of privacy remediation action plans, this five part blog series will highlight the latest updates.

Part 3 – Answering the Privacy Assessment via Assessment Manager

One of the main challenges businesses face when running privacy assessments is getting complete and accurate information from the outset. Assessment Manager 2.0 comes with the ability to provide users with specific instructions at the question level. In addition, the option to attach documentary support to each question ensures that the privacy reviewer gets all the information required to expedite the review process.

Also, from a respondent’s point of view, answering a privacy assessment has never been easier.

The respondent just needs to:

  1. Click the assessment link
  2. Answer the questions (add attachments and comments as needed)
  3. Submit answers (answers are autosaved along the way to ensure no work is lost)


Greater engagement on your privacy assessments starts today with Assessment Manager 2.0.

If you’re not already using TRUSTe Assessment Manager then click here to find out more and contact your TRUSTe Account Manager to arrange a demo of all the new product features.



March Spotlight: GDPR Accountability, Reviewing TRUSTe-IAPP Research Findings


Taylor Wessing EU Data Protection Conference

March 9

Menlo Park

Taylor Wessing’s International Data Protection team is hosting their inaugural US Data Protection Conference this week, looking at the latest developments in EU data protection law. This conference, led by Taylor Wessing’s experts from their US, UK, French, and German offices, will provide attendees with a 360 degree overview of the General Data Protection Regulation.

Thomas Kranig, President of the Bavarian State Authority on Data Protection, Germany, will provide first-hand insights on the changes and challenges the new regulation will impose on international companies. TRUSTe’s Director & General Manager, Consulting, Eleanor Treharne-Jones, will speak about the new accountability requirements under the Regulation.

> Request a ticket here


Investment in Privacy Brings Security Results

March 10, 9.00am – 10.00am PT

Online Webinar

Is investment in privacy just a tick box compliance exercise or can privacy best practices be shown to also bring security benefits? A new research project commissioned jointly by IAPP and TRUSTe investigated the correlation between investing in privacy and ensuring a strong information security program, reducing the risk of data breach and preparing for response to a potential breach.

In this webinar Chris Babel, CEO, TRUSTe and Sam Pfeifle, Publications Director, IAPP will review the research findings, explore the value that information security teams place on different privacy functions and gauge the impact of a cyber-security incident or regulator involvement on privacy investment. Find out from experts working at the intersection of privacy and security the value they place on each function and what this means in practice at their organization.

> Register here


Understanding Privacy’s Value to the IT & Infosec team

March 24, 8.00 – 9.00am PT

Online Webinar

Join us for the second in a series of webinars highlighting TRUSTe and IAPP’s joint research, as we host highly experienced privacy and security team leaders for a virtual discussion to parse and interpret the results of the survey and to explain what this data means for your organization. You’ll hear about how companies are increasing their information security and privacy investments alike, and gain insight into the questions the survey set out to answer: How do information security and privacy teams work in concert, so that their respective spends can complement one another? Are their priorities aligned? Have firms decided that information privacy investments can enhance information security, and if yes, what privacy functions are valuable in mitigating a data breach?

Chris Babel, CEO, TRUSTe will discuss the survey results with Heidi Salow, Vice President and Senior Privacy Officer, Thomson Reuters and Peter Sand, Executive Director of Privacy, MGM Resorts International.

> Register here


