Benchmarking GDPR Privacy Operations – New IAPP / TrustArc research report reveals how companies are managing compliance

In partnership with the IAPP, TrustArc recently completed a Survey on Privacy Program Metrics, which looked to establish some baseline metrics by which privacy programs around the world can benchmark themselves. The survey contained 27 questions, including demographic questions, and a total of 496 people took the survey.

Some sample questions we set out to answer with the survey were: How many business processes are organizations mapping? How many reports are they creating in order to comply with Article 30 of the EU’s General Data Protection Regulation? How many privacy or data protection impact assessments are necessary? How many incidents rise to the level of breach reporting? Are people being overwhelmed by subject access requests?

The largest group of respondents works in the U.S. (39 percent), followed by the European Union, excluding the U.K. (32 percent), the U.K. (12 percent), and Canada (8 percent). Respondents were evenly distributed throughout the range of company sizes, with organizations that employ 25,001 people or more representing 25 percent of survey respondents, followed next by organizations that employ 1-250 people (23 percent).

In this four-part blog post series we will share highlights on the following key takeaways from the report:

  1. Data inventory is becoming a standard privacy management practice
  2. DPIAs are the most common type of privacy assessments
  3. Individual rights / data subject access rights (DSAR) requests are impacting most organizations
  4. Data breach notification requirements are impacting larger companies

Key Takeaway #1: Data inventories are becoming a standard privacy management practice crucial to privacy compliance

One of the most important steps in designing and building a data privacy program is to create an inventory of all of the business processes within a company. If a company does not know the type of data it collects and how that data is shared, processed and stored, or what the data inflows and outflows are, it is difficult to know whether it meets the requirements of the privacy frameworks that impact its business. It is also difficult to know where data resides in order to respond efficiently to data subject access requests.

As privacy regulations become broader in scope, requiring companies to demonstrate how they reduce and manage risk, the importance of building and maintaining a data inventory is increasing. The EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two examples of regulations which rely heavily on a comprehensive data inventory to support risk management, compliance reporting and responding to individual rights and data subject access rights requests.

Our survey results showed that 83% of respondents have created a data inventory of their business processing activities, which is a significant increase from the 43% of respondents who reported engaging in routine inventory and mapping exercises two years ago. We also found that 20% of respondents are using specialized data inventory and mapping software, which is up from 10% two years ago.

TrustArc Data Flow Manager

Data Flow Manager, part of the TrustArc Privacy Platform, is a dedicated privacy data mapping system which can help build and manage a data inventory, data flow maps, and compliance reporting such as GDPR Article 30.

Data Flow Manager is based on the business process approach which TrustArc recommends based on extensive experience developing and building GDPR and CCPA compliance programs for companies of all sizes around the world.

Data Flow Manager provides a three-step, wizard-driven workflow which guides users through the process of entering all of the information required to build a business process record. There is also an option to bulk upload information from an existing data inventory.

Data Flow Manager also offers the TrustArc Intelligence Engine which automatically analyzes a company’s privacy risk based on GDPR high-risk principles. The automation can save up to 75% of the time it would take to analyze the risk manually and is integrated with TrustArc Assessment Manager which provides automation for managing DPIAs, PIAs, and other privacy risk assessments.

Data Flow Manager also provides a streamlined way to generate visual representations of data throughout the lifecycle.

If you would like to learn more about Data Flow Manager, contact us!

To read the full report, download it here.


Privacy Insight Series Upcoming Webinar: Data Breach Management – Requirements and Best Practices

The next webinar in the TrustArc Privacy Insight Series, “Data Breach Management – Requirements and Best Practice”, is next Wednesday, September 19th at 9am PT / 12pm ET / 4pm GMT. Don’t miss this opportunity to learn more about data breach prevention – register today!

The investigations have begun after Dixons Carphone, a UK firm, reported the first major breach of the GDPR era, impacting up to 5.9 million card payments and 1.2 million customer records. It’s safe to say that no company wants to find themselves on the regulatory radar through an incident or breach.

Being proactive can spare your company from possible reputational damage and regulatory fines down the road. This webinar will review:

  • Preventative steps you can take
  • Guidance on building an incident response plan
  • Comprehensive tools to automate and document these processes, ensuring you can meet the potential 72-hour reporting window

The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges. Over 15,000 privacy professionals registered for our events in 2017!

Can’t make it? Register anyway – we’ll automatically send you an email with both the slides and recording after the webinar!

72 Hours Notice: GDPR Incident Response Management – Webinar Recap

As part of the TrustArc Privacy Insight Series Webinars, Ashley Slavik, Senior Counsel & Data Protection Officer, Veeva Systems Inc. and K Royal, Consulting Director, TrustArc, discussed how companies can plan for and respond to a data breach in compliance with the GDPR. Ashley and K gave best practices, suggested tools, and tips for addressing GDPR Article 33 and Article 34. This blog post will give a brief summary; you can listen to the entire webinar and download the slides here.

Before going into data breach requirement details, our speakers discussed the different notification requirements for Controllers and Processors and gave examples of each. Then, they went over documentation requirements throughout the lifecycle of an event.

After making the determination that a breach has occurred, there are various practical responses a company can use. Ashley and K discussed several of them, and also discussed how to achieve operational effectiveness.

A few general tips our speakers provided were:

  • Identifying a lead supervisory authority where your European headquarters are would be helpful, depending upon what makes the most legal sense for your company
  • Do not call an incident a “breach” until the person with the authority to make that determination has evaluated the incident
  • Incident plans should accommodate all possible scenarios
  • Do a simulation exercise, as suggested by Andrea Jelinek, Article 29 Data Protection Working Party (WP29) Chair
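As an added example, not part of the webinar or of any TrustArc tool, the following Python incident register models two of the tips above: an incident stays an “incident” in the record until the person with authority to make the determination evaluates it, and the 72-hour notification window referred to in Article 33 is anchored to the moment the organisation becomes aware of a breach. The class and field names, the sample incidents, their timestamps and the review time are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# The 72-hour reporting window the posts refer to (GDPR Article 33).
NOTIFICATION_WINDOW = timedelta(hours=72)

# Constructed review time used by the stand-alone run below.
REVIEW_TIME = datetime(2018, 9, 13, 16, 0, tzinfo=timezone.utc)


def _require_utc(ts: datetime) -> datetime:
    """Reject naive timestamps: a deadline shared across offices in
    different time zones must be anchored to one reference clock."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc)


@dataclass
class IncidentRecord:
    """One entry in the incident register, documented through its lifecycle."""
    incident_id: str
    detected_at: datetime                   # first observation by the security team
    aware_at: Optional[datetime] = None     # when the controller became aware of a breach
    determined_by: Optional[str] = None     # the person authorised to make the call
    is_breach: Optional[bool] = None        # None means "not yet evaluated"
    log: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.detected_at = _require_utc(self.detected_at)
        self.note(self.detected_at, "incident opened (classification: pending)")

    def note(self, at: datetime, text: str) -> None:
        """Append a timestamped entry so the record can be produced on request."""
        self.log.append(f"{_require_utc(at).isoformat()} {text}")

    def evaluate(self, by: str, is_breach: bool, at: datetime) -> None:
        """Only the authorised person classifies the incident; until then the
        record never says 'breach'. The 72-hour clock starts from this moment."""
        at = _require_utc(at)
        self.determined_by = by
        self.is_breach = is_breach
        self.aware_at = at if is_breach else None
        verdict = "personal data breach" if is_breach else "not a breach"
        self.note(at, f"{by} evaluated incident: {verdict}")

    def notification_deadline(self) -> Optional[datetime]:
        if not self.is_breach or self.aware_at is None:
            return None
        return self.aware_at + NOTIFICATION_WINDOW

    def status(self, now: datetime) -> str:
        """Human-readable state for a daily review of the register."""
        now = _require_utc(now)
        if self.is_breach is None:
            return "pending evaluation"
        if not self.is_breach:
            return "closed: not a breach"
        hours = (self.notification_deadline() - now).total_seconds() / 3600
        if hours < 0:
            return f"OVERDUE by {-hours:.1f} h"
        return f"notify within {hours:.1f} h"


def overdue_incidents(register: List[IncidentRecord], now: datetime) -> List[str]:
    """IDs of confirmed breaches whose notification window has already passed."""
    now = _require_utc(now)
    return [
        r.incident_id
        for r in register
        if r.notification_deadline() is not None and r.notification_deadline() < now
    ]


def build_sample_register() -> List[IncidentRecord]:
    """Constructed sample data, not taken from any real incident."""
    utc = timezone.utc
    a = IncidentRecord("INC-001", datetime(2018, 9, 10, 8, 0, tzinfo=utc))
    a.evaluate("DPO", True, datetime(2018, 9, 10, 14, 0, tzinfo=utc))  # deadline 13 Sep 14:00 UTC
    b = IncidentRecord("INC-002", datetime(2018, 9, 12, 9, 30, tzinfo=utc))
    b.evaluate("DPO", False, datetime(2018, 9, 12, 11, 0, tzinfo=utc))
    c = IncidentRecord("INC-003", datetime(2018, 9, 13, 7, 0, tzinfo=utc))  # not yet evaluated
    return [a, b, c]


if __name__ == "__main__":
    register = build_sample_register()
    for rec in register:
        print(rec.incident_id, rec.status(REVIEW_TIME))
    print("overdue:", overdue_incidents(register, REVIEW_TIME))
```

The deadline is computed from the determination timestamp rather than from first detection, which is why the record keeps both: the log shows how long the evaluation took, and the clock only starts once someone with authority has classified the event.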

TrustArc offers GDPR implementation assistance, such as building and testing a data breach incident response plan. Our expert consultants can help create an effective response program, create customized incident response process flows, customize record keeping tools, develop a retention schedule and procedures for record keeping, and go through a mock incident to test and refine the process. Find out more here.

What’s In Store for 2018? GDPR, Breaches and Stolen Retinas

Privacy in 2018 – What’s in Store

By Darren Abernethy, Senior Global Privacy Manager, J.D., FIP, CIPP-A/C/E/M/US/T


This year, the upcoming GDPR deadline has consumed the enterprise security and privacy agenda as companies scramble to adopt new technologies and processes in order to become compliant by May 25, 2018. Virtually every survey gauging the readiness of privacy professionals in both the U.S. and in Europe has revealed that for many companies, it is going to be a challenge to comply. For example, failure to comply with the GDPR 72-hour breach notification rule is deemed the riskiest by respondents on both sides of the Atlantic, and more than 80% of US privacy professionals and almost 70% of UK privacy professionals expect GDPR spending to be at least $100,000.


In 2018, the challenge to comply with GDPR and protect personal customer and employee information will involve new technologies but as businesses increasingly become data-driven to gain competitive advantage, new types of threats and risks will present themselves. I see four areas where I predict we’ll see privacy and security move to the forefront to help win new business deals, maintain the trust of customers and break new ground in areas such as IoT and biometrics.


Privacy Compliance as Collateral in M&A

As a pre-condition to mergers and acquisitions, more and more companies are requesting that the other side, including its third-party vendors, demonstrate compliance with privacy standards such as the GDPR. To safeguard business assets and brands, demonstrable transparency and accountability for protecting personal information will become increasingly critical to ensure successful business deals and partnerships. In 2018, we’ll see an increase in granular requests for visibility into a corporate transactional partner’s entire information life cycle.


Biometrics, or When an Eye Ball Scan is Stolen

In 2018, we’ll see less emphasis on traditional passwords and more on ways to achieve security via two-factor authentication techniques involving biometric solutions like voice recognition, facial scans and fingerprints. For security vendors, the storage and record-keeping stakes are higher for biometric data because, unlike a credit card number that can be canceled and reissued, you can’t replace a person’s facial structure with a new one once a facial scan is compromised.


Automated IoT Attacks and More Clarity Around Voice Data

With more connected devices come more threat vectors and machine learning-based attacks. To mitigate those risks, we’ll see increased regulation in 2018 around internet connected devices to better control the growing number of intelligent and automated attacks. With companies increasingly using IoT and AI in services like customer support, we’ll also see renewed regulatory discussions on how to best develop policies around consumer voice data and ensuring compliance before collecting it.


Cyber Insurance Requisites – Can Faulty Protection Be a Pre-Existing Condition?

The number of data breaches this year, and their massive commercial impact, will cause companies to increasingly adopt cyber insurance in 2018 to reduce the costs of breaches. In turn, cyber insurance companies will require that companies demonstrate a whole new level of data privacy and security to qualify for insurance plans. The more commonplace breaches become, the higher the bar will be to obtain approved insurance, which may play itself out in the form of providing vendor assessments, incident response plans, implemented policies and employee trainings, and data processing audit trails.


Time will tell what the new year has in store for security and privacy professionals, but one thing is for sure. As an industry, we must ensure enterprises have the processes and technologies necessary to secure their perimeters and to derive the business value they need from the massive amounts of data they now collect, all while remaining compliant with regulations and industry policies. This challenging mission is ample motivation to keep driving the industry forward.


TrustArc has purpose built technology that encompasses proven methodology to help companies deal with these new challenges in 2018. To learn more about how our solutions can help your company, click here.

Preparing for New Breach Notification Requirements in Canada

In these times of uncertainty regarding privacy must-dos (read GDPR and Privacy Shield), Canada offers us another set of rules to prepare for in the Digital Privacy Act. Passed in June 2015, much of the Digital Privacy Act is already defined and in place. One main component though, the breach notification rule, is under consultation and still somewhat of an unknown. Despite some level of uncertainty, it is still possible to prepare for compliance.

The April TRUSTe Client Advisory Note was prepared by Margaret Alston CIPP/G/C/M from the TRUSTe Privacy Consulting Group and reviews the key changes in the Act which include:

  • Definition of “valid consent”
  • Compliance Agreements as an enforcement option for Commissioners
  • Broadening of allowable public disclosures by the Commissioner
  • Scope of PIPEDA – including but not limited to the exclusion of business contact information
  • Exceptions to consent requirements, such as for fraud prevention purposes
  • Extension of time limits for court applications from 45 days to 1 year
  • Breach notification, reporting, and record keeping (not yet in effect)

The Advisory then covers in more detail how companies can prepare now for the new data breach notification changes.

If you would like to review this latest Client Advisory Note then look out for your copy on e-mail today or contact TRUSTe on 1-888-878-7830.