TrustArc is excited to participate in the upcoming webinar on “How to Avoid a CCPA Data Subject Request Denial of Service Attack” on Thursday, December 5 at 11am PT. TrustArc SVP of Products & Engineering Michael Lin will join Evident Chief Product Officer & Co-Founder Nathan Rowe and Integris VP of Global BD & EMEA Operations Drew Schuil to discuss demonstrating compliance through DSR fulfillment automation with identity verification.
Companies that are flooded with thousands of DSRs all at once are at greater risk for a denial of service (DoS) attack that can overwhelm CSR and IT staff. In this scenario, manual processes reach a breaking point, in which businesses can’t safely respond to requests within the required timelines (usually 30 to 45 days depending on the regulation). With CCPA right around the corner, there’s no time like the present to start thinking about your company’s plans to circumvent DoS attacks and streamline DSR processes, which, according to the new regulations, must now include identity verification prior to fulfilling each request.
Join a lively panel discussion with experts from TrustArc, Integris Software, and Evident, and get ready to pose your toughest DSR fulfillment questions live as they explain:
- Why you must address data subject rights as a big data problem
- How to automate identity verification of DSAR requests
- The critical components of DSR lifecycle management
- The importance of privacy- and security-by-design
Each registrant will receive a copy of the white paper, “Solving DSAR’s Big Data Problem – Four Recommendations Plus the One Thing You Should Never Do.” Can’t make the webinar? Don’t worry. Register now, and we’ll send you the recording.
In partnership with the IAPP, TrustArc recently completed a Survey on Privacy Program Metrics, which looked to establish some baseline metrics by which privacy programs around the world can benchmark themselves. The survey contained 27 questions, including demographic questions, and a total of 496 people took the survey.
Some sample questions we set out to answer with the survey were: How many business processes are organizations mapping? How many reports are they creating in order to comply with Article 30 of the EU’s General Data Protection Regulation? How many privacy or data protection impact assessments are necessary? How many incidents rise to the level of breach reporting? Are people being overwhelmed by subject access requests?
The largest group of respondents works in the U.S. (39 percent), followed by the European Union, excluding the U.K. (32 percent), the U.K. (12 percent), and Canada (8 percent). Respondents were evenly distributed throughout the range of company sizes, with organizations that employ 25,001 people or more representing 25 percent of survey respondents, followed next by organizations that employ 1-250 people (23 percent).
In this 4-part blog post series, we will share highlights on the following key takeaways from the report:
- Data inventory is becoming a standard privacy management practice
- DPIAs are the most common type of privacy assessments
- Individual rights / data subject access rights (DSAR) requests impacting most organizations
- Data breach notification requirements impacting larger companies
Key Takeaway #1: Data inventories are becoming a standard privacy management practice crucial to privacy compliance
One of the most important steps in designing and building a data privacy program is to create an inventory of all of the business processes within a company. If a company does not know what types of data it collects, how that data is shared, processed and stored, or what its data inflows and outflows are, it is difficult to know whether it meets the requirements of the privacy frameworks that affect its business. It is also difficult to know where data resides in order to respond efficiently to data subject access requests.
As privacy regulations become broader in scope, requiring companies to demonstrate how they reduce and manage risk, the importance of building and maintaining a data inventory is increasing. The EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) are two examples of regulations which rely heavily on a comprehensive data inventory to support risk management, compliance reporting and responding to individual rights and data subject access rights requests.
Our survey results showed that 83% of respondents have created a data inventory of their business processing activities, which is a significant increase from the 43% of respondents who reported engaging in routine inventory and mapping exercises two years ago. We also found that 20% of respondents are using specialized data inventory and mapping software, which is up from 10% two years ago.
TrustArc Data Flow Manager
Data Flow Manager, part of the TrustArc Privacy Platform, is a dedicated privacy data mapping system which can help build and manage a data inventory, data flow maps, and compliance reporting such as GDPR Article 30.
Data Flow Manager is based on the business process approach which TrustArc recommends based on extensive experience developing and building GDPR and CCPA compliance programs for companies of all sizes around the world.
Data Flow Manager provides a three-step wizard driven workflow which guides users through the process of entering all of the information required to build a business process record. There is also an option to bulk upload information from an existing data inventory.
Data Flow Manager also offers the TrustArc Intelligence Engine which automatically analyzes a company’s privacy risk based on GDPR high-risk principles. The automation can save up to 75% of the time it would take to analyze the risk manually and is integrated with TrustArc Assessment Manager which provides automation for managing DPIAs, PIAs, and other privacy risk assessments.
Data Flow Manager also provides a streamlined way to generate visual representations of data throughout the lifecycle.
If you would like to learn more about Data Flow Manager, contact us!
To read the full report, download it here.