Jun 28 2016

What the UK Brexit Vote Could Mean for Privacy


It is early days since the UK voted to leave the EU and there is still plenty of uncertainty along the road ahead. However, when it comes to privacy law, there are some certainties. Ralph O’Brien, Principal Consultant EU at TRUSTe reviews the options.

In the short term the UK Data Protection Act 1998 remains the law of the land. It implements the older EU Data Protection Directive (95/46/EC) into UK national law. The UK ICO will continue to advise on and enforce data protection law against organisations, global or otherwise, and individuals keep the rights afforded by the 1998 Act. Whilst the Data Protection Act 1998 and Directive 95/46/EC share themes and principles with the new privacy regime of the General Data Protection Regulation (GDPR), the GDPR introduces rights and obligations that are not reflected in current UK law.

In the medium term, the GDPR has been adopted by the EU and applies from 25 May 2018. Even if the UK invoked Article 50 today and started the two-year withdrawal countdown, that period would run past May 2018, so the GDPR would become directly applicable in the UK before the UK actually leaves.

In the longer term the UK will need to work out an exit strategy of some kind, including what parts of the EU legacy will continue to apply post leaving the EU, and on what terms it will continue to trade with Europe.

Option 1 – European Free Trade Association Membership and bilateral agreements

The UK could rejoin the European Free Trade Association (EFTA) without joining the European Economic Area (EEA), giving up EU member state status. It would then negotiate a set of bilateral agreements with the EU, sector by sector, to retain access to the Single Market, as Switzerland does today. The UK would not be bound by EU legislation as such, but those agreements may oblige it to have certain laws in place. The UK would pay no EU fees, but would pay EFTA fees. In terms of privacy law the UK would continue to be governed by the Data Protection Act 1998, but the bilateral agreements may require it to pass a revised data protection law bringing it into line with EU law (such as the GDPR requirements), or to agree to be directly bound by the GDPR itself, so that personal data can continue to flow between the EU and the UK.

Option 2 – European Economic Area Membership (including EFTA)

The UK could leave the EU but join EFTA and remain in the European Economic Area (EEA). This is how Norway, Iceland and Liechtenstein currently deal with the EU. As an EEA member the UK would pay contributions and have to comply with Single Market legislation, but would have no vote in the EU institutions that make it. In terms of privacy law, the GDPR would continue to have direct effect and applicability as if the UK were an EU member state, though the UK would have no vote on future amendments.

Option 3 – Entering into a Customs Union

The UK could follow the Turkish model and form a customs union with the EU covering certain categories of goods. It would not be required to adopt EU legislation generally, though it would have to align its external tariffs with the EU's for the goods covered. It would not pay membership fees or have any right to help shape EU laws. This would be a single agreement, but for privacy law it means the same as the bilateral agreements in Option 1.

Option 4 – Free Trade agreement

By taking this option the UK would leave the EU Single Market. It would not pay any membership fees or have any right to help shape EU laws, and would instead negotiate a single free trade agreement with the EU. For privacy law this means the same as the bilateral agreements in Option 1.

Option 5 – World Trade Organization rules

The UK is already a member of the World Trade Organization (WTO) and could rely on WTO rules as the basis of its trade, with no further ties to the EU. It would not be required to adopt EU laws, would not contribute to the EU budget and would have no voting rights.

In terms of privacy law the GDPR would have no effect, and the UK would continue with its own legislation such as the Data Protection Act 1998. Unless UK law were found "adequate" when measured against the GDPR, any UK business continuing to process the personal data of people in the EU (or to market services to them) would need additional assurances. The UK would therefore have to negotiate an arrangement similar to the EU-U.S. Privacy Shield, or amend its laws so that they are regarded as "essentially equivalent" to the GDPR.


In options 1 to 5 above, the UK either remains bound by the GDPR or has to pass laws or enter into agreements that ensure a similar level of protection. If the UK itself does not have laws or arrangements that secure an "adequacy" finding under EU privacy law, then transfers from the EU to the UK would have to be justified business by business. Each business would then have to adopt an international transfer mechanism recognised under EU law once the UK pulls away, such as Model Contract Clauses, Binding Corporate Rules or explicit consent, or sign up to a certification framework of the kind represented by the EU-U.S. Privacy Shield, should one be agreed for the UK.

Whichever way the UK turns now, and whatever the future holds for the country, it will continue to trade in a global economy, which will include processing the personal data of, and marketing services to, EU countries and their residents. Whichever option the UK chooses from this point on, it remains clear that global businesses will have to either comply with the GDPR or demonstrate that their protections are adequate or equivalent to its requirements. If the UK chooses not to do this, the barrier to trade will be untenable for global business and for further investment in the country.

The advice to businesses is to proceed on that basis, and continue their GDPR preparedness, as part of their global privacy framework.

Jun 22 2016

Your Path to GDPR Compliance | Step 3


TRUSTe has developed an education series designed to provide you with a path to achieving GDPR compliance.  This multi-part program provides both guidance on what to do, along with options for helping you get it done.

Step 3: Develop Plan

In Step 3 of Your Path to GDPR Compliance, we leverage the progress and results from Step 1: Assess Readiness and Step 2: Build Consensus to answer the question, “How do I build a plan that’s prioritized based on risks and accounts for level of effort?”

Several things must happen at this stage to develop an effective plan, including:

  • Conducting a risk analysis
  • Conducting a level of effort (LOE) analysis
  • Creating a project plan

By investing the time up front to perform the proper analysis and planning, you can be confident that your GDPR Compliance Program will efficiently and effectively mitigate risk while meeting your company’s business objectives.


A. Conduct Risk Analysis

Under Chapter IV, Section 3, Article 35 of the GDPR, a Data Protection Impact Assessment ("DPIA", also commonly known as a Privacy Impact Assessment or "PIA") is required for any processing that is likely to result in a high risk to the rights and freedoms of individuals.  Article 35(4) adds that the supervisory authority "shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment."

While official public lists from the Data Protection Authorities (“DPAs”) are forthcoming, the following are common questions to begin to identify areas of risk, including “high risk”.  These particularly reflect the more stringent GDPR requirements.

  • Security / Data Protection.  Are the necessary data protection controls in place, e.g., encryption, data loss prevention, enhanced access control, anonymization?
  • Sensitive Data, Genetic and Biometric Data.  Are there stronger security protections in place for this data?  Are there business processes around sensitive data that violate the stated use in the privacy policy? Are processes for gaining explicit consent in place (as required under the GDPR)?
  • International Data Transfers.  Are all transfers protected by an appropriate data transfer mechanism (e.g., Model Contract Clauses, Binding Corporate Rules, the EU-US Privacy Shield once adopted, consent, or other)?
  • New Products / Processes.  Do new plans require a change in the way you collect, transfer, store, process, use, and dispose of personal data?  Are there newer ways of using geo-location or online unique identifiers that trigger a discrepancy with what is stated in the privacy policy?
  • Vendor Management.  How do the vendors in your data flow manage the personal data?  What stated data privacy and security policies and controls are in place?  Can they be verified?
  • Mergers & Acquisitions.  What data privacy and security processes are in place at the merged or acquired company?  Is there discrepancy between the processes at your organization?  
  • Large Scale Processing.  Are there any profiling processes in place?  Is there systematic monitoring of publicly accessible areas on a large scale, or large-scale processing of special categories of data (e.g., genetic or biometric data, criminal records)?
  • Conversions & System Changes.  Have or will there be conversion of records from paper-based to electronic form?  Or conversion of info from anonymous to identifiable form?  Have or will there be system management changes with new uses or applications of technology?
  • Database Changes.  Have or will there be merging, matching, manipulation of multiple databases with personal data (e.g., between subsidiaries or in M&A context)?  Or incorporation into existing databases of personal data obtained from commercial or public sources?

With gaps identified from the initial GDPR Readiness Assessment in Step 1 and from a deeper dive risk analysis as discussed above, you can build a table of gaps organized by risk level – Low, Medium, and High.

Example Table of Gaps with Risk Level


Assessing levels of risk will be highly dependent on the priorities that your organization attributes to certain components.  A strong understanding of the current legal and regulatory environment is also essential to proper risk level determination.  Common risk categories to keep in mind when assigning risk levels are legal, regulatory, political, operational, strategic, market, credit, reputational, event, and country-specific risks.

You can build your own templates for this analysis or leverage those available in data privacy management platforms such as TRUSTe Assessment Manager, which has built-in workflows to guide you through the process.


B. Conduct Level of Effort (LOE) Analysis

For each gap, you’ll then need to identify specific remediation actions and estimate Levels of Effort (LOEs) – Low, Medium, and High.  By mapping the Risk Levels to the LOEs of each activity, you can start grouping activities in a Risk / LOE matrix to help visualize your plan’s priorities.

Example Risk / Level of Effort Matrix



C. Build the Project Plan

Armed with the results of the gap, risk and LOE analysis, you can then build a project plan against a timeline for completion.  The plan should take into account:

  • The privacy team’s stated goals – short, mid, long-term
  • Budget and people resources available
  • Prioritization for work on “high risk” areas
  • Sufficient period for activities with higher LOEs and longer implementation times
  • GDPR developments and likely enforcement milestones
  • Ability to leverage other frameworks such as the EU-US Privacy Shield (once ratified) as a way to meet EU data transfer requirements and cover a large percentage of the GDPR requirements at the same time

A GDPR Project Plan will be highly-specific to each organization, but here’s an example of what a prioritized plan may look like as a targeted schedule in Gantt chart format.

Example of a Prioritized GDPR Project Plan


TRUSTe provides informational resources to help you develop your organization's GDPR plan.  Some organizations may find that they could benefit from an outside consultant with significant in-house experience building complex privacy programs, such as a GDPR program, to help with the project planning process outlined above.

TRUSTe’s privacy consultants can work with you to conduct the entire process – including a risk analysis, level of effort analysis, and a prioritized project plan – through the GDPR Strategic Priorities Assessment.  TRUSTe’s privacy consultants leverage the power of the Assessment Manager technology platform to guide the GDPR assessment workflow process and track the company’s progress against GDPR requirements.

Once the prioritized plan is in place, you’ll be in solid position to start “Step 4: Implement Programs” to be covered in a subsequent blog post.

Learn More about the TRUSTe Privacy Education Series: Your Path to GDPR Compliance:

Step 1: Assess Readiness Blog >>

Step 2: Build Consensus Blog >>

Step 3: Develop Plan Blog >>

Jun 13 2016

LegalTech West Coast Opens in San Francisco Today


Legaltech is the largest and most important gathering of legal technology professionals anywhere in the world. Attendees include decision-makers from all firm sizes who attend Legaltech to hear directly from the experts and see the latest and most innovative products & services.

TRUSTe Assessment Manager was recently named a 2016 Legaltech Innovation Award Winner for Risk Management. The platform transforms how legal departments assess, analyze, and remediate global data privacy management risks. It was purpose-built for privacy teams and developed with the input of global businesses and legal professionals spanning a range of industries. As the first dedicated SaaS privacy assessment solution in the market, Assessment Manager brings the benefits of automation to the privacy industry; previously, legal teams relied on manual tools such as spreadsheets, email or retrofitted GRC systems to address the unique nuances of privacy risk management.

Stop by booth #406 for a demo of the TRUSTe Assessment Manager platform or join us at our Emerging Technology session, “Counsel’s Toolbox: Innovation in Managing Digital Privacy Risk” on Tuesday the 14th at 1:30pm. We’ll be joined by Privacy Counsel at Autodesk, White & Case, NetSuite, and Symantec.

Find out more here

Jun 10 2016

TRUSTe Privacy Risk Summit 2016 – Highlights


250 privacy professionals converged in San Francisco this week to discuss the challenges they face in managing emerging privacy risks and to share strategies for success. They enjoyed a packed day of inspiring keynotes, expert panels and, of course, networking, acquiring new ideas and practical advice to take back to the office.

The TRUSTe Privacy Risk Summit brought together over 50 speakers across 24 sessions and 4 parallel tracks. A highly engaged audience was captivated from the start, from a culinary-inspired keynote by Hilary Wandall of Merck & Co., Inc., "Deconstructing the Privacy Risk Dish", to a personal and historic perspective on the new EU-U.S. Privacy Shield from Justin Antonipillai, Counselor to Secretary of Commerce Penny Pritzker, after two years as the co-lead U.S. negotiator with the European Commission.


Chris Babel, CEO of TRUSTe, kicked off the Summit and explained how this event builds on the success of previous TRUSTe events, the EU Data Protection Conference and the IoT Privacy Summits in 2014 and 2015.

Adam Sedgwick and Sean Brooks from NIST were joined by Dan Caprio and Jonathan Litchman Co-Founders of The Providence Group to discuss the NIST CyberSecurity Framework and its role in managing privacy and data risk.

Lively discussions and networking continued in the halls outside the breakout rooms.

Josh Harris, Director of Policy at TRUSTe, and Hilary Wandall, AVP & Chief Privacy Officer, Merck & Co., Inc., spoke about an accountability-based approach to global frameworks and local laws.


Attendees heard from Paul Plofchan about how ADT had used privacy technology to streamline their ongoing privacy risk management and provide visibility to senior leadership.


Justin Antonipillai delivered the closing keynote on negotiations with the European Commission on the EU-U.S. Privacy Shield.
Thank you to our speakers, sponsors, partners and our team of volunteers from WISP and the University of California, Hastings College of the Law. This event would not have been possible without your support!


To read about future TRUSTe events, visit our upcoming events page or subscribe to the TRUSTe blog.


Jun 09 2016

Your Path to GDPR Compliance | Step 2

TRUSTe has developed an education series designed to provide you with a path to achieving GDPR compliance.  This multi-part program provides both guidance on what to do, along with options for helping you get it done.

View Step 1: Assess Readiness


Step 2: Build Consensus

In Step 2 of Your Path to GDPR Compliance, we address the most common next question, "What do I need to do to secure stakeholder commitment and resources for execution?"

Building consensus up-front is critical to the success of any privacy program within an organization and is not specific to the GDPR. Fundamental leadership principles and organizational decision-making come into play.

Because the GDPR has such a substantial impact on organizations – with significantly increased obligations, a stepped up regulatory enforcement regime, and potential fines of up to 4% of annual worldwide turnover (or revenue) – a GDPR program merits its own organizational awareness campaign.

In fact, “Awareness” is at the top of the list on the UK ICO’s (“Information Commissioner’s Office”) recently released guidance “Preparing for the General Data Protection Regulation (GDPR): 12 Steps to Take Now.” ICO’s guidance states, “You should make sure that decision makers and key people in your organization are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.”

The guidance goes on to recommend that companies “use the first part of the GDPR’s two-year lead-in period to raise awareness of the changes that are coming”.

To do so, you’ll need to:

  • marshal the evidence to support a compelling business case; and
  • plan and execute your GDPR awareness campaign to secure stakeholder buy-in.



What Evidence Do I Need to Tell the Story and Support a Compelling Business Case for GDPR Compliance?

As the privacy champion, you will have to tap your inherent mastery of the art of persuasion. This means gathering as much ammunition as you need to generate a sense of urgency and persuade key stakeholders that the GDPR warrants a strong compliance program. Below are several key messages that are critical to tell a compelling story, along with a list of helpful evidence to support each proposition.


The GDPR Impacts the Company…Posing Threats and Opportunities

  • An overview of the GDPR and what specific activity makes the company subject to the new regulation
  • Key organizational risks, fines & penalties, regulatory trends and likely enforcement landscape
  • Specific stories of privacy regulation violations and what that meant to the company and to the data subject who experienced the violation
  • Reports illustrating consumer sentiment and impact to business when brand is damaged via privacy violations
  • Benchmark reports and infographics to illustrate the GDPR risk and show that other companies are taking action in response
  • Stories of companies that used their strong privacy posture as a competitive advantage


The Company Has Compliance Gaps That Require Remediation

  • The results of the initial GDPR Readiness Assessment to provide a Corporate Scorecard of where the company currently stands, with specifically identified gaps and risks
  • Any internal metrics / reports providing privacy breach incidents in the organization, any past regulatory inquiries or enforcement against the organization, history of the organization’s privacy training


The GDPR Program Proposed and the Level of Effort Required

  • Overview of the activities typically required to build a GDPR Response Program, including best practices and benchmark information from other companies
  • Summary of what it would take to close the gaps, including a rough time and cost analysis of the level of effort (LOE) to make operational changes, including training, monitoring, measuring, tech / process for privacy impact assessments and product development, contract reviews, privacy policy reviews, etc.
  • Proposed overview of how the GDPR program would operate, a rough timeline, methodology, and success metrics by which to measure progress


How Do I Plan and Execute an Effective GDPR Awareness Campaign?

Facilitate an internal kickoff and on-going planning sessions with relevant stakeholders across the organization. This initiative will be easier if you already have a designated privacy task force. If a committee is not already in place, you’ll need to start identifying and reaching out to stakeholders and key influencers. This should include senior leadership and, if possible, the CEO and Board Members. In addition, identify and invite colleagues with influence across functional areas from lines of business, legal, IT, InfoSec, HR, product development, engineering, marketing, and others.

Build and deliver a strong presentation leveraging all of the evidence gathered to tell the story. To be effective, this takes considerable preparation. Rather than go in with a dry recitation of the policy and regulatory requirements, experienced privacy practitioners recommend planning interactive and engaging sessions that might even double as a team-building exercise. Running your presentation by a subset of the group ahead of time to get feedback, and tweaking it accordingly, will help get stakeholders on your side before going into the kick-off meeting.

At the outset, it will be important to clearly state the following goals of the kick-off session:

  • Formalize GDPR program team structure / roles / responsibilities
  • Secure commitment that the GDPR program is a prioritized pillar / initiative aligned to the overall organization planning for the next couple of years
  • Agree on short, medium and long-term goals of the GDPR program
  • Set measurable objectives with success criteria and key milestones
  • Based on a rough estimate of the level of effort (LOE), secure budget and resources


Schedule on-going planning meetings with a regular cadence to then develop the full plan, implement all required operational changes, and provide a dashboard report on the GDPR program’s progress. These topics will be covered in our next blog post “Step 3: Develop Plan” and remaining steps in the TRUSTe “Your Path to GDPR Compliance” Education Series.


TRUSTe provides informational resources such as GDPR research and infographics that can serve as evidentiary assets in support of your efforts to build consensus. Some organizations may find that they could benefit from an outside consultant with significant in-house experience building privacy programs, such as a GDPR program, to help successfully prepare for and guide the important kick-off sessions. TRUSTe provides the GDPR Response Workshop, a half- to full-day on-site interactive session led by TRUSTe Privacy Consultants and custom-tailored to your organization. For more information on TRUSTe On-Site Privacy Workshops, click here to learn more.

Learn More about the TRUSTe Privacy Education Series: Your Path to GDPR Compliance:

Step 1: Assess Readiness Blog >>

Step 2: Build Consensus Blog >>

Step 3: Develop Plan Blog >>

Jun 07 2016

The Privacy Implications of Home Monitoring – Summit Preview


The rapid rise of the Internet of Things—always-on devices equipped with sensors and transmitting chips that allow for the continual collection and communication of user-generated data—has begun to transform areas as diverse as connected cars, cooking, smart infrastructure, digital healthcare, agriculture and industrial channels. While each of these domains is sensitive, and necessitates the rigorous application of Privacy/Security by Design, few areas are more private than the inner sanctum of one’s home, which is increasingly becoming “connected” in various ways.

TRUSTe’s Privacy Risk Summit (this Wednesday, June 8th in San Francisco) features a session devoted to the privacy implications of home monitoring presented by Jill Bronfman, Director of the Privacy Tech Project and Adjunct Professor, University of California, Hastings College of the Law. In this final preview in our series, Darren Abernethy, Privacy Solutions Manager at TRUSTe, offers a brief introduction to some of the vulnerabilities and opportunities in the “smart home” space.

How We Arrived Here

The exponential proliferation of Internet of Things (IoT)-connected devices can be explained by the timely melding of various drivers and technological capabilities. The prevalence of low-cost sensors, advanced and inexpensive cloud computing platforms, social media, “big data” analytics, and increased spectral efficiency of wireless technologies and networks have all expedited the creation of more interconnected devices. The fact that these devices generate valuable user data that can be anonymized, aggregated and sold to marketers and other businesses in order to provide insights about customers and prospects, has made a consumer’s behavioral data from inside the home that much more treasured.

First, the Worst Case Scenarios

The Potential for Creepiness

When in the home setting, people are at their most vulnerable. There may be children around, conversations are had that are not meant for public consumption, and generally one's guard is relaxed in ways it might not be at work or in public. And so, the "creepiness factor" can be high. Nothing reflects this better than the chilling recent case of a man hacking a couple's baby monitor to speak to a 3-year-old boy in his bedroom and control the night-vision-enabled video camera inside. Such a violation of privacy and decency highlights the fact that there will always be people who view connected devices as an attack vector ripe for exploitation.

Exploiting Vulnerabilities

And, aside from the unsettling manipulation of baby monitors, outsiders will no doubt look for ways to compromise connected garage doors and locks in order to gain physical entry into a home, or to demand payment of a ransom before allowing the owner re-entry. Moreover, even if a hacker does not wish to personally engage in further crimes first-hand, it is not hard to fathom a black market where IoT-related vulnerabilities for devices and individuals’ homes can be peddled.

Enter Voice and Facial Recognition

Voice, video and biometric capabilities are likewise becoming components of the smart home experience. Google recently announced its plans to enter the voice-controlled virtual assistant market (a la Amazon’s Echo) with Google Home, which “becomes a hub to run a home network of Internet-connected devices that collect millions, if not billions, of pieces of data—frequently.” Google Home enables two-way conversations, can interact with the Nest smart thermostat and will engage with other smart devices that, collectively, contain data indicating when someone is home or away, and information about an individual’s preferences and more.

Next, the Good News: Good Practices Build Customer Trust

Although no device or service can unequivocally be made 100% safe and impregnable, there are ascertainable steps that any company can take to mitigate the risk of creepiness, third-party exploitation and other smart home cybercrime.

As a threshold matter, companies must continually test and be aware of all of the data that a connected home device collects and transmits. When this data is appropriately categorized (e.g., non-PII vs. PII vs. sensitive PII; actively vs. passively collected; persistent identifiers; transmission medium, etc.), inventoried, and secured (e.g., encrypted and/or de-identified), and it is understood with whom the information is shared (vendors, service processors, partners, etc.) over which networks, then companies are better able to ensure security by building in appropriate controls. Ongoing monitoring throughout the lifecycle of a connected device, as well as accurate disclosures to consumers before and throughout usage of a product, are also requisites of building customer trust.

Open Questions at the Hearth of the Connected Home

This relatively nascent frontier of monitoring about and within the home raises as yet unanswered issues for privacy-aware consumers and regulators. These include:

  • What limits, if any, are needed around the granular profiling of individuals from combined IoT-device data collected on a single platform (including, e.g., protected health information or geolocation)?
  • Should a special regulatory status be afforded to data collected in the home?
  • Where do advertisers and marketers fit into the connected home landscape?
  • How can meaningful notice and consent be provided in the IoT home setting?
  • What of unknown or future secondary uses of connected home data?

For insights and analyses of these issues and more, be sure to check out this week’s TRUSTe Privacy Risk Summit, or contact TRUSTe today.


Jun 01 2016

Engaging the Board is First Step Toward Privacy Risk Management – Summit Preview


A board of directors cannot properly oversee the risks surrounding an issue it does not understand. Therefore, a key first step in advising the board about privacy and data protection is to educate the board about the company's current vulnerabilities, its obligations, and the significant exposure and liability the company could face if those vulnerabilities and obligations are not appropriately addressed. In other words, directors should understand the risks, the business's dependency on data governed by data protection and privacy regulations, and what is on the horizon that could seriously impact the business, before it appears in the news. Four legal experts, from different industries and with different clients, suggest ways to approach board education and persuasion when it comes to managing data.

Carly Alameda, Litigation Partner at Farella Braun & Martel LLP

“Even though boards of for-profit companies are often composed of sophisticated business people with a strong understanding of the company and industry they serve, they may not fully appreciate the particular cyber threats that exist. What data or information does the company possess that others may want, where is it, and how is it protected? What systems might be vulnerable to hackers? The board of directors needs to understand the answers to these questions as it applies to their company. Directors need to understand these risks so they can ask the right questions and fulfill their oversight role.”

Tom Widgery, Senior Director of Privacy and Information Governance at SVB Financial Group

“Financial services boards have become much more aware and concerned about data protection and the risks of security vulnerabilities in recent years. After all, it is a rare quarter when there is not a story about a security breach or hacking attempt in the news somewhere these days. Staying ahead of the board and anticipating questions on impacts to your organization from the current headlines is a challenge. The key to helping a financial services board is to latch on to an example that they understand, get their attention and leverage it to discuss the broader privacy implications that can lead to reputational risk.”

K Royal, Assistant General Counsel of Privacy and Compliance at CellTrust Corp.

“The key to being helpful to the board is to frame the concerns in a context to which the board members can relate. For example, when discussing issues around targeted behavioral advertising, the board members engaged with an example of Viagra. Not the one I would want to discuss necessarily, but one that all individuals had seen ads for and understood. What you need to avoid is dire predictions without a near-miss event. Individuals making significant decisions about a company become exhausted when faced with unrelenting risk. On the other hand, many privacy professionals present the ‘sunny’ side of their activities without providing a fair risk-based view. There is always a balance to hit, but mostly, board members want actionable items with a plan and measurable results.”

Olga V. Mack, General Counsel at ClearSlide, Inc.

“The board must have a strong understanding of and involvement with the company’s written plan for how its information will be protected and how the company will respond in the event of a breach. Having a concrete, written plan in place is key to ensuring a company understands the issues, is maximizing its preventative efforts, and can react and put its best foot forward during an attack or breach event. Cyber attacks happen fast, and there may be the need for a company-wide response within hours, or less. The board should ensure the plan is sufficient to facilitate the necessary actions well in advance of any attack.”

For further discussion with Carly Alameda, Tom Widgery, K Royal, and Olga V. Mack please join the “Cyber-heist your Corporate Mindshare: How to Engage the C-suite and Board” panel at 2:35pm on June 8 at the TRUSTe Privacy Risk Summit 2016. Register here.


Jun 01 2016

June Spotlight – Privacy Risk Summit, Legaltech West Coast, AIIM UK


Privacy Risk Summit 2016

June 8

San Francisco

The 2016 Privacy Risk Summit will bring together leading privacy practitioners, lawyers, regulators, and academics to address top privacy risks in the year ahead and share strategies for success.

The Summit builds on the success of the EU Data Protection Conference and IoT Privacy Summits to bring you an expanded program with three parallel conference tracks focusing on risks rising from technological and regulatory change and privacy risk management best practices.

TRUSTe is hosting this event. We invite you to join us in San Francisco this summer for a packed day of inspiring keynotes, dynamic panel presentations and interactive workshops.

> Register here


Legaltech West Coast

June 13 – June 14

San Francisco

Legaltech is the largest and most important gathering of legal technology professionals anywhere in the world. Attendees include decision-makers from firms of all sizes, who attend Legaltech to hear directly from the experts and to see the latest and most innovative products and services.

TRUSTe is exhibiting and speaking at this event. Stop by booth #406 to see the latest privacy compliance tools, or join us at our Emerging Technology session, “Counsel’s Toolbox: Innovation in Managing Digital Privacy Risk”, on Tuesday the 14th at 1:30pm. We’ll be joined by Privacy Counsel from Autodesk, White & Case, NetSuite, and Symantec.

> Register here


AIIM Forum UK

June 22

The AIIM Forum UK is a free independent event brought to you by AIIM International, to deliver thought leadership, market insights and expert advice through a one-day program of educational seminars and a major showcase of the latest information management innovations.

TRUSTe’s Ralph O’Brien will be speaking on Wednesday, June 22, 4.05 – 5.00pm on the panel discussion, “Europe, Privacy & the New General Data Protection Regulations”. Key discussion points will be the legal requirements and timescales of the GDPR, plus further exploration of provisions such as the ‘Right to be Forgotten’, the ‘Right to object to Automated Processing’ and ‘Privacy by Design’, data portability vs data sharing, information governance, risk management and other commercial impacts that will affect all organizations operating in Europe.

> Register here

