The next webinar in the TrustArc Privacy Insight Series “Data Breach Management – Requirements and Best Practice” is next Wednesday, September 19th at 9am PT / 12pm ET / 4pm GMT. Don’t miss this opportunity to learn more about data breach prevention – register today!
The investigations have begun after Dixons Carphone, a UK firm, reported the first major breach of the GDPR Era impacting up to 5.9 million card payments and 1.2 million customer records. It’s safe to say that no company wants to find themselves on the regulatory radar through an incident or breach.
Being proactive can spare your company from possible reputational damage and regulatory fines down the road. This webinar will review:
- Preventative steps you can take
- Guidance on building an incident response plan
- Comprehensive tools to automate and document these processes, ensuring you can meet the potential 72-hour reporting window
The TrustArc Privacy Insight Series is a set of live webinars featuring renowned speakers presenting cutting edge research, tips, and tools. Events are free and feature informative discussions, case studies and practical solutions to today’s tough privacy challenges. Over 15,000 privacy professionals registered for our events in 2017!
Can’t make it? Register anyway – we’ll automatically send you an email with both the slides and recording after the webinar!
The GDPR has gained a ton of attention recently as consumers’ inboxes have been packed with emails from companies concerning their privacy policies. While some of these emails may require an action on behalf of the consumer, Hilary noted that most of these emails are simply outlining the new updates to their privacy policies, as a result of the GDPR coming into effect.
On a more general level, Hilary explained that the new regulation requires a number of things: companies will need to manage individual rights more broadly (Articles 15-22); they will need much stronger transparency obligations in place (Articles 5, 12); and they will need to inform people of their lawful basis for processing individuals' data (Articles 13, 14).
So how does this affect companies and consumers in the US? Hilary noted that many of the US companies TrustArc helps are proactively expanding these protections to the US citizens they interact with, even though they are not required to do so under the GDPR. She also explained that it’s unlikely that we will see any large privacy regulations in the US like the GDPR, because of the way our government is structured. The US does not have a single regulator for privacy laws, but instead has sectoral laws, such as healthcare privacy laws, financial privacy laws, and state laws.
Many are asking whether the GDPR is harmful to retail businesses who rely heavily on advertising and marketing. The GDPR allows companies to be innovative in different ways. Businesses should be thinking of privacy as a business strategy instead of just privacy policies or practices. Hilary mentioned the benefits of businesses taking a Privacy by Design (Article 25) approach in the way they interact with customers – making privacy a part of business decision-making and part of technology offerings.
Have additional questions about the changes under GDPR? Schedule a demo of our GDPR Solutions.
15 December 2016
By Hilary Wandall
General Counsel & Chief Data Governance Officer, TRUSTe
Yesterday, I shared the first lesson I've learned, "Be a counselor," over the past 15 years while seeking to navigate the ever-changing privacy terrain in order to help business teams manage data responsibly and effectively. The second lesson I learned first caught me by surprise and then over time convinced me that the methods the business teams I was counseling were using to solve their business challenges were in fact the potential answer to a problem I encountered six years into serving as a privacy leader. Before I share my tips on building sustainable solutions, I thought sharing my personal story of how I learned this lesson could provide some helpful context.
I was fortunate to learn how to be a privacy leader from an amazing leader, lawyer, counselor, philosopher and friend. He had the vision and the courage of his convictions to lead us to develop a global privacy and protection policy that would set a baseline standard for governance and protection of data across our business globally. Over two years, he persuaded all areas of the organization on the business value of the approach. Over the next thirteen years, only the proliferation of breach notification laws and a mega-merger would necessitate a few substantive changes to that policy.
The surprise to me was the sustainability of the policy given the frequency with which new privacy laws continued to be enacted. Regardless of how often the laws continued to change, the policy always provided the basis for complying with the substantial majority of any new legal and regulatory requirements. The best evidence of that policy's sustainability, its ability to address even the latest developments in global privacy standards, is that earlier this year it ultimately became the basis for the first EU approval of a company's binding corporate rules (BCRs) that were based on a program previously certified by TRUSTe as compliant with the APEC Cross-Border Privacy Rules (CBPR) system.
While we were able to develop a sustainable policy all of those years ago, we were less fortunate in dealing with the rapidly growing number of initiatives that moved from paper to automation to cloud computing to data analytics. Six years into running a global privacy program primarily on email, documents and spreadsheets, we made our first attempt at using technology to automate some of our workflows. After piloting a number of approaches over the next five years, we concluded that the only way to really serve the business efficiently and effectively over time was to build an integrated privacy management platform that would allow us and business teams to readily determine the risks of a particular technology or business process at any point in its lifecycle. Put simply: build sustainable solutions. Here are some tips to help you develop your own approach.
2. Build sustainable solutions. Not all organizations are ready to put robust, sustainable solutions in place. Some are only resourced to handle obligations on an initial ad hoc basis. Others are beginning to move up the maturity curve toward repeatable, defined, managed and optimized.
a. Business is not static. Regardless of an organization’s privacy and data governance program maturity, most organizations have data and technology needs that continue to evolve as business needs change and technology improves.
b. Privacy regulation is unlike any other regulatory area. Because data about people can be generated in so many different forms and contexts – from where we go, to what we eat, to how we feel, what we spend and whether we sleep – privacy and data protection requirements can be enforced by many different types of regulators and, in some cases, by private parties as well. In this complex regulatory environment, the privacy leader, as well as others in business, legal and compliance, needs to be able to demonstrate accountability and compliance upon request at any point in time.
c. Good governance and technology solutions. Good governance, with clearly documented roles and responsibilities, is critical not only to putting a program in place, but also to enabling it to be implemented effectively and to mature over time. Technology solutions support these goals as well. Other business functions that rely on data, such as finance and human resources, have recognized the importance of investments in workflow automation, cloud computing and data analytics. Privacy and data governance programs can be made sustainable through technology solutions that facilitate creating a data processing inventory, evaluating associated risks, documenting mitigating controls, identifying changes, managing potential incidents and demonstrating what is in place and how effective it is. While this can be a substantial undertaking, investment in modular solutions tailored to an individual company's culture and maturity can enable an organization to manage privacy much more effectively, so that the privacy leader can focus on tackling new and emerging issues.
In summary, sustainable solutions such as good governance and technology position the privacy leader well for helping the organization to maximize net data value – a concept we’ll explore further in my final post in this series.
Dave Deasy, SVP Marketing (center) accepting the award on behalf of TRUSTe (Photo credit: Jason Doiy)
We’re excited to announce that TRUSTe Assessment Manager has been named a 2016 Legaltech Innovation Award Winner for Risk Management. The annual Innovation Award program, now in its 15th year, recognizes the best in legal technology leaders, products, and projects across the legal community.
TRUSTe Assessment Manager transforms how legal departments assess, analyze, and remediate global data privacy management risks. It was purpose-built for privacy teams and developed with the input of global businesses and legal professionals spanning a range of industries. As the first dedicated SaaS privacy assessment solution on the market, Assessment Manager brings the benefits of automation to the privacy industry. Previously, legal teams relied on manual tools such as spreadsheets, email or retrofitted GRC systems to address the unique nuances of privacy risk management.
TRUSTe Assessment Manager comes pre-loaded with over a dozen templates to address popular use cases, including the EU General Data Protection Regulation, Vendor Risk Management, Breach Notification, and Privacy Impact Assessments. The platform is used by hundreds of companies, either directly or with assistance from the TRUSTe Global Privacy Services team, across industries including pharma, healthcare, technology, and consumer products organizations.
Nominations for the Legaltech News Innovation Awards were made by the publication’s more than 40,000 readers, and a panel of judges comprised of Legaltech News and The Recorder editors selected the winners from hundreds of candidates.