Webinar Recap: Assessing Risk: How Organizations Can Proactively Manage Privacy Risk

As part of the TrustArc Privacy Insight Series, TrustArc SVP, Privacy Intelligence and General Counsel, Hilary Wandall, TrustArc Director, EU Policy & Strategy, Paul Breitbarth, and TrustArc SVP, Products and Engineering, Michael Lin presented the webinar “Assessing Risk: How Organizations Can Proactively Manage Privacy Risk” last week. This blog post will give a brief summary of that webinar; you can listen to the entire webinar and download the slides here.

As organizations begin to ramp up their privacy programs to encompass data processing and data management activities, risk management becomes an increasingly important topic. In this webinar, the panelists discussed:

Risk management relating to privacy for organizations and individuals. The main organizational risks from a privacy perspective are data security, changing legal frameworks, international data flows, and enforcement actions and court cases. For individuals, privacy risks center on the sensitivity of the data processing, such as the volume of data being processed and shared, the individuals involved in the processing, unnecessary data processing, and unexpected secondary uses of data, among other risks.

Third-party risks in today’s climate. With the global COVID-19 pandemic forcing many people to shelter in place, working from home has itself become a risk to be managed. Organizations need to understand the risks arising from third-party technologies and third-party providers. How privacy is maintained in a home environment, such as how printed documents are handled, which devices are used for work, and how data is stored and cleared, are additional third-party risks to consider. Risk management has also triggered regulatory changes on data usage, cross-border data transfers, and video conferencing.

Focusing resources on the highest areas of risk. There is an ongoing balancing exercise that weighs the consequences of a risk against its severity and the likelihood that it will occur. To prioritize resources effectively, identify the highest-risk areas and tackle those first. Risks with high severity and a high likelihood of occurring should be prioritized for prevention, protection and recovery measures.

Risk reporting to management and the board. Boards of directors are responsible for risk oversight and governance, which is critical to organizational strategy. Key areas of risk for a board are Governance Risks, Business Management Risks, Critical Enterprise Risks, Emerging Risks and Board Approval Risks. Specific privacy topics reported to the board and management include data breaches, the status of GDPR compliance, privacy program key performance indicators, progress on privacy initiatives, privacy litigation, and more. Accountability also matters in risk reporting: demonstrating compliance, a structured review process, and detailed management reporting.

Tools and best practices to manage, automate and continuously monitor both company and third-party risk. The five key pillars of managing risk are Identify, Assess, Analyze, Remediate and Ongoing Monitoring. Other points to consider are automating these processes wherever possible, building a holistic view of each vendor, ease of use through a streamlined user experience, and using managed services and consulting to build out the program.

TrustArc Risk Profile empowers privacy leaders to identify high-risk business activities, conduct the appropriate risk evaluation, and calculate risk at the business activity level to understand risk across the organization. To learn more, click here.

Join us for the next webinar in the Privacy Insight Series: “EMEA Quarterly Update: Two Years Later” with TrustArc Director, EU Policy and Strategy, Paul Breitbarth, and TrustArc Senior Privacy Researcher, Jadene Young, joined by Bojana Bellamy, President of the Centre for Information Policy Leadership at Hunton Andrews Kurth LLP, on April 29th, 2020 at 7:00am PT. Register for the webinar here.


Serious Privacy Podcast – Privacy on the Front Lines: A View from LA

While the US reports 22 million newly unemployed people in four weeks, parts of Europe are slowly opening up again now that the peak of the coronavirus seems to have been reached. That does not mean, however, that the end of mandatory working from home is in sight. From a privacy perspective, the discussion has now also turned to mobile apps that could be used to contain the spread of COVID-19. This has even led Apple and Google to cooperate on building new functionality into their operating systems to assist contact monitoring. Obviously a lot of data is still required, and proper protections need to be put in place for it. This is one of the many topics we discussed with Lillian Russell, Chief Privacy Officer for the County of Los Angeles.

As someone who manages privacy in one of the largest metropolitan areas (the third largest economy in the world) and who crosses every area of privacy in existence, Lilly brings an experienced and insightful voice to our current events. During this frank and unscripted conversation, we touched on a variety of hard topics, such as the challenges of a multigenerational workforce that is suddenly cast into an unfamiliar work environment. We were curious how people are managing those “water cooler conversations” that are so important to relationships and informal problem-solving.

We also learned from Lilly her favorite privacy control and why. Of course, “favorite” depends on the circumstances; she is a lawyer. In discussing the rapid evolution of data collection and use we are experiencing, Lilly pondered, “Is this redefining privacy in a way we did not anticipate?” We think so. Privacy is certainly more top of mind for the general public than we have typically seen. Listen on your favorite podcast platform or stream the episode below.



Introducing the TrustArc-Nymity Privacy and Data Governance Accountability Framework™


Managing a cross-border privacy program can be a challenge when your organization needs to comply with a multitude of privacy laws, each with its own specificities. Many organisations have therefore decided to use a compliance framework as the backbone of their privacy program. The advantage is that a standard set of criteria can be used to build out the program, and those criteria are in turn mapped to the various legal requirements.

In 2013, Nymity started developing its Privacy Management Accountability Framework™ (PMAF), which is currently used by thousands of companies around the world. It was originally developed for communicating the status of a privacy program and demonstrating accountability, and it was designed to report on any privacy program, no matter how it is structured. TrustArc, in turn, developed the TrustArc Privacy and Data Governance Framework (P&DG Framework), which is embedded deeply in its intelligence and operational software solutions as well as in the TRUSTe assurance programs. With the two companies having combined forces since November 2019, the joint teams have worked hard to integrate the two frameworks, resulting in today’s launch of the TrustArc-Nymity Privacy and Data Governance Accountability Framework™ (the Framework).

The Core: Three Pillars

The core of the new integrated Framework is formed by three pillars: Build, Implement and Demonstrate. These three pillars align with the main phases of developing an accountable privacy program that supports compliance with applicable laws and regulations as they evolve over time.

  • Build: Design, establish, and manage a program to ensure effective governance, risk management, policies, processes, and accountability.
  • Implement: Define data needs, identify data processing risks, ensure the data processing is lawful, manage data flows and third parties, address individual rights, provide data security, data quality, and transparency.
  • Demonstrate: Monitor, evaluate, and report on compliance, control effectiveness, risk, and maturity.

None of these is a one-off exercise, though; each requires continuous review for changed operational practices and legal requirements. This also means that, for example, demonstrating part of the program can lead to the realization that additional controls or privacy management activities need to be implemented to ensure ongoing compliance.

Standards & Controls

One part of the integrated Framework is based on standards and controls, which help organisations develop and mature their privacy programs. The 16 standards and 55 operational controls align with key privacy laws, regulations, and other external standards to support all phases of building out and managing a privacy program, and enable it to be integrated with other organizational governance, risk, and compliance programs. The operational controls guide organizations on how to build and implement their privacy program and demonstrate accountability to both internal and external stakeholders. The P&DG (Controls-Based) Framework is designed to be flexible, allowing organizations to adopt it at any point in their privacy program’s development and maturity.

Privacy Management Categories and Activities

The other part of the Framework is based on Privacy Management Categories and Activities. This is the part that so far has been publicly known as the Nymity Privacy Management Accountability Framework™. Its 13 Privacy Management Categories are aligned with key privacy laws, regulations, regulatory frameworks and other external standards, so that the privacy management activities required across jurisdictions line up. The integration ensures the PMAF can henceforth also be used in combination with the P&DG Framework, but it does not change its content. The thousands of organisations around the world using the Nymity Framework as the basis for their privacy program can continue to do so. The additional mapping, including to the three pillars Build, Implement and Demonstrate, will mainly help organisations that have not yet based their privacy program on a framework to get started.

The integrated Framework relies upon the three pillars in combination with thirteen privacy management categories, which identify the main elements of a privacy program. The 139 underlying privacy management activities then help organisations identify what needs to be done in order to develop a compliant privacy program. Together these activities form a menu from which organisations can select what is applicable and/or relevant to them.

Using the Framework

The Framework can be used at no cost by any organization that wants to develop a structured privacy program. A framework-based privacy program is regarded by many as a strong accountability tool, since it also allows organizations to tell the story behind their privacy program: which choices were made, how the policies and procedures were developed, and how these link to the evidence of compliance available throughout the organization. The Framework provides a common language for privacy management.

Building a program based on a framework, rather than on a single law, allows policies and procedures to be developed on the basis of common data protection and privacy concepts that extend across hundreds of laws and regulations around the world. These can subsequently be aligned with the legal requirements in various jurisdictions, which in many situations differ only in specific details. For example, the scope and exercise of individual rights under the CCPA and the GDPR are largely aligned, although some of the terminology used to describe them and the timeframes for compliance differ. That does not need to affect the steps an organization takes to verify the identity of a requestor and find out which data is available about them before providing a response.

A framework-based approach can be implemented at any stage of a privacy program. Even if your privacy program is well advanced, it can easily be mapped to the TrustArc-Nymity Privacy and Data Governance Accountability Framework™, which in turn allows for easy compliance checks against privacy and data protection laws around the world, both today and as they change in the future.

Software Integration

The TrustArc-Nymity Privacy and Data Governance Accountability Framework™ is fully integrated into the various modules of the TrustArc platform. Our operational and intelligence solutions, including the Data Inventory Hub and the Assessment Manager, as well as the Privacy and Risk Profiles, rely upon the Framework to assist organisations in documenting their compliance requirements and identifying gaps and other risks. Planner and Benchmarks help organisations keep track of the privacy program itself, including the necessary regular reviews. Finally, our knowledge solutions, including Operational Templates & Resources, provide organisations with the relevant building blocks to further develop their privacy programs.

The Privacy and Data Governance Framework™ is available to download at no cost here. If you would like to hear more about the background of the Framework and how it can be used on a daily basis as part of your privacy programme, please watch our webinar “Privacy Frameworks: The Foundation for Every Privacy Program”.


Serious Privacy Podcast – “Brazil: Privacy on the Ground”


The California attorney general has announced that enforcement of the California Consumer Privacy Act will go ahead as planned later this year, despite the global COVID-19 crisis. In Brazil, however, the Senate on April 3rd adopted legislation to postpone the entry into force of the Lei Geral de Proteção de Dados Pessoais (LGPD) until 1 January 2021, with enforcement not foreseen until August next year. But postponed or not, the new omnibus data protection legislation in Brazil will have a major impact on companies doing business in the largest country in Latin America. Reason enough to invite two Brasileiros to our program to learn all about the LGPD and the culture of privacy in Brazil.

Join us to hear Rodrigo Dias de Pinho Gomes and Fabricio da Mota Alves discuss the evolution of the LGPD and concerns around its enforcement. In addition, we also touch on judicial ability to rule on cases with personal data implications and the concern about privacy among the population. Listen on your favorite podcast platform or stream the episode below. 

Webinar Recap: COVID-19 – What are the Potential Impacts on Data Privacy?


As part of the TrustArc Privacy Insight Series, TrustArc SVP, Privacy Intelligence and General Counsel, Hilary Wandall, joined by Morrison & Foerster LLP Partner, Privacy and Data Security, Christine Lyon, and Crosley Law Offices, LLC Co-Director and CLEAR Principal Stanley Crosley, presented the webinar “COVID-19 – What are the Potential Impacts on Data Privacy?” this week. This blog post will give a brief summary of that webinar; you can listen to the entire webinar and download the slides here.

In these unprecedented times, the coronavirus pandemic has disrupted lives, changing the way we work and communicate with one another. The panelists discussed: 

  • The potential impact on data privacy during this pandemic. Regulators have had to respond quickly to privacy issues pertaining to COVID-19, such as the legal basis for processing sensitive personal data relating to COVID-19, appropriate data sharing, data security considerations, and other challenges.
  • Regulatory measures for protecting employees, students, customers and patients. Regulations that offer guidance to employers on how to handle employee health information are the Americans with Disabilities Act (ADA), the EEOC’s “Pandemic Preparedness in the Workplace”, and the Families First Coronavirus Response Act (FFCRA). For educational institutions, the Family Educational Rights and Privacy Act (FERPA) provides guidance to educators on how to respond appropriately to COVID-19 and on sharing information with public health departments. For protecting customers and patients, the Health Insurance Portability and Accountability Act (HIPAA) and the CARES Act offer guidance on data security. Links to these resources are available in the webinar slides.
  • The need to contain the virus, which could involve tracking it with surveillance tools and which undoubtedly affects privacy. Location data can be collected to monitor physical distancing and to support digital contact tracing. It is important for organizations to balance the value of this data to the organization and its benefit to society as a whole against the need to mitigate risks.

Stay informed of COVID-19 updates and how it relates to data privacy with special resources and guidance provided through Research & Alerts – a solution designed to provide complete and instant insight into privacy compliance with global regulatory updates. Contact TrustArc today to see if you qualify for free access to Research & Alerts.

Join us for the next webinar in the Privacy Insight Series: “Privacy Frameworks: The Foundation for Every Privacy Program” with TrustArc Director, EU Policy and Strategy, Paul Breitbarth, Director, Privacy Intelligence Development, Joanne Furtsch, and Director of Research, Meaghan McCluskey on April 15th, 2020 at 9:00am PT. Register for the webinar here.

Serious Privacy Podcast: Tech Talk – Innovation during COVID-19


The times of Corona are far from behind us, so this week on Serious Privacy we discussed a medical topic: what is the relationship between technological innovation and pharma? How can they work together to facilitate new ways of working? And why do innovation and quick thinking really count in a pandemic like the one we have now? Listen to the new episode now.

Companies that were global in nature and already using virtual practices had to quickly reconsider the tools and partnerships they had in place. In addition, companies strengthened relationships with clients using tech, but are letting clients dictate their critical needs.

“Healthcare professionals are getting more quality information at the time they want, at the place they want, in the way they want.”

Listen to hear Ashley Slavik of Veeva and Jennifer Couture of Alexion discuss the innovation they have seen over the past month, from how tech helps companies enhance their business activities to working with colleagues in new ways. Ashley discusses how Europe thanks its healthcare workers and Jennifer shares how water cooler conversations can still happen. In this episode of Serious Privacy, we bring profound insights and tricks to make every day better.

If you’re interested in learning more about how COVID-19 has affected privacy, listen to Serious Privacy’s two-part series on COVID-19, where we talk about the virus with a number of guests, discussing employee privacy, the collection of health data and the latest regulator guidance. Listen to part 1 and part 2 here.